CLDSRV-755: support flexible ARN matching for service user authorization

anurag4DSB · anurag4DSB · commit b5484269a2fa · 2025-11-09T02:07:08.000+01:00
Add support for partial ARN prefix matching in isRateLimitServiceUser to
allow more flexible configuration options:

- Full ARN match: Exact user verification
- Account-only match: Any user from management account
- Path prefix match: Any user under specific path

This allows operators to configure rate limiting with different levels
of specificity while maintaining security through timing-safe comparisons.

Example configurations:
  serviceUserArn: "arn:aws:iam::000000000000" (account only)
  serviceUserArn: "arn:aws:iam::000000000000:user/scality-internal/service-s3-ratelimit" (specific user)
diff --git a/lib/api/apiUtils/authorization/serviceUser.js b/lib/api/apiUtils/authorization/serviceUser.js
@@ -2,10 +2,34 @@ const { timingSafeEqual } = require('crypto');
 
 const { config } = require('../../../Config');
 
-function isRateLimitServiceUser(authInfo) {
+function isRateLimitServiceUser(authInfo, log) {
     try {
-        return timingSafeEqual(Buffer.from(authInfo.getArn()), Buffer.from(config.rateLimiting.serviceUserArn));
-    } catch {
+        const requestArn = authInfo.getArn();
+        const configuredArn = config.rateLimiting?.serviceUserArn;
+
+        if (!configuredArn) {
+            log.warn('Access denied - no configured ARN under rateLimiting.serviceUserArn', { requestArn });
+            return false;
+        }
+
+        // Support partial ARN matching (e.g., match by account only)
+        // If configuredArn is shorter, do prefix match; otherwise exact match
+        let match;
+        if (requestArn.length >= configuredArn.length) {
+            // Extract prefix from requestArn to match configuredArn length
+            const requestPrefix = requestArn.substring(0, configuredArn.length);
+            match = timingSafeEqual(
+                Buffer.from(requestPrefix),
+                Buffer.from(configuredArn)
+            );
+        } else {
+            // requestArn is shorter than configured - no match
+            log.warn('Access denied - request ARN is shorter than configured ARN', { requestArn, configuredArn });
+            match = false;
+        }
+        return match;
+    } catch (err) {
+        log.error('Error checking if request is rate limit service user', { error: err });
         return false;
     }
 }
