Skip to content

fix: correctly handle aws:SourceIp in policy evaluation (#1301) #1306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
loverustfs merged 6 commits into from
Dec 30, 2025
Merged

fix: correctly handle aws:SourceIp in policy evaluation (#1301) #1306

loverustfs merged 6 commits into from
Dec 30, 2025

Conversation

@loverustfs
Copy link
Contributor

@loverustfs loverustfs commented Dec 30, 2025

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

#1301

Summary of Changes

This PR fixes an issue where the aws:SourceIp condition key in IAM and Bucket policies was not being evaluated correctly.

Key changes include:

  1. IP Propagation: Threaded the client's SocketAddr through the request handling layers (server -> handlers -> auth) to ensure the actual remote address is available during authentication.
  2. Correct IP Extraction: Updated auth.rs to use rustfs_utils::http::ip::get_source_ip_raw. This ensures that we correctly identify the client IP, respecting standard headers like X-Forwarded-For when behind a proxy, aligning behavior with MinIO.
  3. Policy Evaluation: Updated get_condition_values to populate the SourceIp key in the condition context, enabling the policy engine to validate IP address restrictions.
  4. Testing: Added comprehensive unit/integration tests in rustfs/src/auth.rs covering:
    • IAM User Policy evaluation with aws:SourceIp.
    • Bucket Policy evaluation with aws:SourceIp.
    • Verification of both allowed (matching IP) and denied (non-matching IP) scenarios.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (compatibility)
  • Requires doc/config/deployment update
  • Other impact:

Additional Notes

The fix ensures that security policies relying on IP restrictions function as expected. Code formatting has been applied to all modified files.

Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

@github-actions
Copy link

github-actions bot commented Dec 30, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@loverustfs loverustfs requested a review from Copilot December 30, 2025 07:41
Copilot AI reviewed Dec 30, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a bug where the aws:SourceIp condition key in IAM and Bucket policies was not being evaluated correctly during authorization. The fix ensures that the client's actual IP address is properly propagated through the request handling layers and used for policy evaluation.

Key Changes:

  • Introduced RemoteAddr wrapper type to carry the client's socket address through request extensions
  • Updated all get_condition_values and validate_admin_request call sites to accept and pass the remote address
  • Modified IP extraction logic to use the actual socket address instead of only relying on headers
  • Added comprehensive tests for IAM and Bucket policy evaluation with aws:SourceIp conditions

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
rustfs/src/server/mod.rs Introduced RemoteAddr struct to wrap socket addresses
rustfs/src/server/http.rs Added layer to capture and inject remote address into request extensions
rustfs/src/auth.rs Updated get_condition_values to accept remote address parameter and use it for SourceIp; added tests
rustfs/src/storage/access.rs Threaded remote address through authorization calls
rustfs/src/storage/ecfs.rs Passed remote address to get_condition_values
rustfs/src/admin/auth.rs Updated admin request validation to accept remote address
rustfs/src/admin/handlers/*.rs Updated all admin handler call sites to extract and pass remote address
rustfs/Cargo.toml Added add-extension feature to tower-http dependency

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

rustfs/src/auth.rs Outdated
Comment on lines 302 to 304
let remote_addr_s = remote_addr
.map(|a| a.ip().to_string())
.unwrap_or_else(|| "127.0.0.1".to_string());
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Defaulting to '127.0.0.1' when remote_addr is None could bypass IP-based restrictions in policies. This represents a potential security issue where failed socket address extraction silently falls back to localhost, which may be implicitly trusted. Consider whether this default is appropriate or if the request should be rejected when the remote address cannot be determined.

Copilot uses AI. Check for mistakes.
loverustfs and others added 2 commits December 30, 2025 15:50
@loverustfs
Update rustfs/src/server/http.rs
c48f3b6 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: loverustfs <github@rustfs.com>
@loverustfs
fix: use empty string as default source IP instead of 127.0.0.1
e3b1bee
@loverustfs loverustfs mentioned this pull request Dec 30, 2025
Open
@loverustfs loverustfs merged commit b4ba62f into main Dec 30, 2025
14 checks passed
@loverustfs loverustfs deleted the fix/issue-1301 branch December 30, 2025 08:54
lgpseu pushed a commit to lgpseu/rustfs that referenced this pull request Dec 31, 2025
@loverustfs @lgpseu
fix: correctly handle aws:SourceIp in policy evaluation (rustfs#1301) (
42e3594 
…rustfs#1306)

Signed-off-by: loverustfs <github@rustfs.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
houseme added a commit that referenced this pull request Jan 7, 2026
@houseme
Merge branch 'main' of github.com:rustfs/rustfs into fix/fix-audit-1222
c48d9fd 
* 'main' of github.com:rustfs/rustfs:
  fix:correct RemoteAddr extension type to enable IP-based policy evaluation (#1356)
  Add workflow to mark stale issues automatically
  fix: remove nginx-ingress default body size limit (#1335)
  feat:Permission verification for deleting versions (#1341)
  chore: upgrade GitHub Actions artifact actions (#1339)
  chore: replace native-tls with pure rustls for FTPS/SFTP e2e tests (#1334)
  chore: upgrade dependencies and migrate to aws-lc-rs (#1333)
  fix: s3 list object versions next marker (#1328)
  fix(tagging): fix e2e test_object_tagging failure (#1327)
  Feat/ftps&sftp (#1308)
  fix(iam): preserve decrypt-failed credentials instead of deleting them (#1312)
  Restore globals and add unified TLS/mTLS loading from RUSTFS_TLS_PATH (#1309)
  fix: correctly handle aws:SourceIp in policy evaluation (#1301) (#1306)
  Add trendshift
  feat: add local s3-tests script with configurable options and improvements (#1300)
reatang pushed a commit that referenced this pull request Jan 11, 2026
@loverustfs @reatang
fix: correctly handle aws:SourceIp in policy evaluation (#1301) (#1306)
a59094c 
Signed-off-by: loverustfs <github@rustfs.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@loverustfs