push.rocks/smarts3
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth,policy): add AWS SigV4 authentication and S3 bucket policy support

Browse Source
This commit is contained in:
Jürgen Kunz
2026-02-17 16:28:50 +00:00
parent 0b9d8c4a72
commit eb232b6e8e
18 changed files with 2616 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
readme.hints.md
View File

@@ -7,7 +7,8 @@
- TypeScript is thin IPC wrapper; all HTTP/storage/routing in Rust binary `rusts3`
- Full S3 compatibility: PUT, GET, HEAD, DELETE for objects and buckets
- Multipart upload support (streaming, no OOM)
- Authentication (AWS v2/v4 signature key extraction)
- **Real AWS SigV4 authentication** (cryptographic signature verification)
- **Bucket policies** (AWS/MinIO-compatible JSON policies, public access support)
- CORS support
- ListBuckets, ListObjects (v1/v2), CopyObject
@@ -15,12 +16,15 @@
### Rust Binary (`rust/src/`)
- `main.rs` - Clap CLI, management mode entry
- `config.rs` - Serde config structs matching TS interfaces
- `config.rs` - Serde config structs matching TS interfaces (includes `region`)
- `management.rs` - IPC loop (newline-delimited JSON over stdin/stdout)
- `server.rs` - hyper 1.x HTTP server, routing, CORS, auth, all S3 handlers
- `storage.rs` - FileStore: filesystem-backed storage, multipart manager
- `server.rs` - hyper 1.x HTTP server, routing, CORS, auth+policy pipeline, all S3 handlers
- `storage.rs` - FileStore: filesystem-backed storage, multipart manager, `.policies/` dir
- `xml_response.rs` - S3 XML response builders
- `s3_error.rs` - S3 error codes with HTTP status mapping
- `auth.rs` - AWS SigV4 signature verification (HMAC-SHA256, clock skew, constant-time compare)
- `action.rs` - S3Action enum + request-to-IAM-action resolver + RequestContext
- `policy.rs` - BucketPolicy model, evaluation engine (Deny > Allow > NoOpinion), PolicyStore (RwLock cache + disk)
### TypeScript Bridge (`ts/`)
- `ts/index.ts` - Smarts3 class with RustBridge<TRustS3Commands>
@@ -39,6 +43,7 @@
- Metadata: `{root}/{bucket}/{key}._S3_object.metadata.json`
- MD5: `{root}/{bucket}/{key}._S3_object.md5`
- Multipart: `{root}/.multipart/{upload_id}/part-{N}`
- Policies: `{root}/.policies/{bucket}.policy.json`
## Build
@@ -55,6 +60,10 @@
## Testing
- `test/test.aws-sdk.node.ts` - AWS SDK v3 compatibility (10 tests)
- `test/test.aws-sdk.node.ts` - AWS SDK v3 compatibility (10 tests, auth disabled, port 3337)
- `test/test.auth.node.ts` - Auth + bucket policy integration (20 tests, auth enabled, port 3344)
- `test/test.policy-crud.node.ts` - Policy API CRUD + validation edge cases (17 tests, port 3345)
- `test/test.policy-eval.node.ts` - Policy evaluation: principals, actions, resources, deny-vs-allow (22 tests, port 3346)
- `test/test.policy-actions.node.ts` - Per-action policy enforcement (15 tests, port 3347)
- `test/test.ts` - SmartBucket integration (3 tests)
- Run: `pnpm test` or `tstest test/test.aws-sdk.node.ts --verbose`