
fix(s3): map ListDirectoryBuckets to s3express, not s3:ListBuckets #1929

Merged
vieiralucas merged 1 commit into main from fix/s3-policy-validation-directory-buckets on Jun 25, 2026

Conversation

@vieiralucas vieiralucas commented Jun 24, 2026

Summary (5.5, auth-when-enabled)

A directory-bucket listing (GET /?x-id=ListDirectoryBuckets) was detected by the auth action mapper as s3:ListBuckets. Under --iam that meant a policy granting s3:ListBuckets wrongly permitted directory-bucket enumeration, and a policy granting only s3express:ListAllMyDirectoryBuckets was wrongly denied. (The router already dispatched the request correctly to list_directory_buckets; only the auth action string was wrong.)

s3_detect_action now returns ListAllMyDirectoryBuckets for that request, and iam_action_for maps it to the s3express service prefix.

Non-code surface

Auth action-mapping correctness; no new API surface. No SDK/docs/metadata change applies (checked).

Test plan

  • Unit test list_directory_buckets_is_distinct_from_list_buckets (directory listing → ListAllMyDirectoryBuckets; plain GET / → ListBuckets).
  • cargo test -p fakecloud-s3 --lib passes; clippy clean.
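The action detection and service-prefix mapping the description refers to, as an added Rust example that is not fakecloud's own code: the names `s3_detect_action` and `iam_action_for` follow the description, while their signatures, the `S3Action` enum and the `is_allowed` allow-list check are assumptions for illustration.

```rust
// Added example, not fakecloud-s3's own code. Signatures and the enum are
// assumed; only the two function names come from the PR description.

/// The actions this toy mapper distinguishes.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum S3Action {
    ListBuckets,
    ListAllMyDirectoryBuckets,
}

/// Detect the action from method, path and raw query string.
/// `GET /` lists general-purpose buckets; `GET /?x-id=ListDirectoryBuckets`
/// lists directory buckets and must not be conflated with it (the bug fixed
/// here: before the fix the second request was reported as ListBuckets).
pub fn s3_detect_action(method: &str, path: &str, query: &str) -> Option<S3Action> {
    let has_x_id = |want: &str| {
        query
            .split('&')
            .any(|kv| kv.split_once('=') == Some(("x-id", want)))
    };
    match (method, path) {
        ("GET", "/") if has_x_id("ListDirectoryBuckets") => {
            Some(S3Action::ListAllMyDirectoryBuckets)
        }
        ("GET", "/") => Some(S3Action::ListBuckets),
        _ => None,
    }
}

/// Map the detected action to the IAM action string used in policy checks.
/// Directory-bucket operations live under the `s3express:` service prefix,
/// so a grant of `s3:ListBuckets` does not cover them.
pub fn iam_action_for(action: S3Action) -> &'static str {
    match action {
        S3Action::ListBuckets => "s3:ListBuckets",
        S3Action::ListAllMyDirectoryBuckets => "s3express:ListAllMyDirectoryBuckets",
    }
}

/// Default-deny allow list: the request is permitted only if its IAM action
/// string is among the actions the policy grants.
pub fn is_allowed(granted: &[&str], method: &str, path: &str, query: &str) -> bool {
    s3_detect_action(method, path, query)
        .map(|a| granted.contains(&iam_action_for(a)))
        .unwrap_or(false)
}
```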

Summary by cubic

Fixes S3 auth mapping for directory-bucket listings. GET /?x-id=ListDirectoryBuckets now maps to s3express:ListAllMyDirectoryBuckets instead of s3:ListBuckets, correcting allow/deny behavior under --iam.

  • Bug Fixes
    • Map detected action to ListAllMyDirectoryBuckets with the s3express prefix.
    • Add unit test to keep ListDirectoryBuckets distinct from ListBuckets.

Written for commit ae1933f. Summary will update on new commits.

A directory-bucket listing (GET /?x-id=ListDirectoryBuckets) was detected by
the auth action mapper as s3:ListBuckets, so under --iam a policy granting
s3:ListBuckets wrongly permitted directory-bucket enumeration, and a policy
granting only s3express:ListAllMyDirectoryBuckets was wrongly denied (the router
already dispatched the request correctly; only the auth action string was
wrong). s3_detect_action now returns ListAllMyDirectoryBuckets for that request
and iam_action_for maps it to the s3express service prefix (bug-hunt
2026-06-24, 5.5).
@vieiralucas vieiralucas merged commit 870d488 into main Jun 25, 2026
116 of 117 checks passed
@vieiralucas vieiralucas deleted the fix/s3-policy-validation-directory-buckets branch June 25, 2026 03:31