forked from minio/minio
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpolicy.go
More file actions
200 lines (175 loc) · 5.19 KB
/
policy.go
File metadata and controls
200 lines (175 loc) · 5.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
/*
* MinIO Cloud Storage, (C) 2018 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package iampolicy
import (
"encoding/json"
"io"
"strings"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio/pkg/bucket/policy"
)
// DefaultVersion - default policy version as per AWS S3 specification.
const DefaultVersion = "2012-10-17"
// Args - arguments to policy to check whether it is allowed
type Args struct {
AccountName string `json:"account"`
Action Action `json:"action"`
BucketName string `json:"bucket"`
ConditionValues map[string][]string `json:"conditions"`
IsOwner bool `json:"owner"`
ObjectName string `json:"object"`
Claims map[string]interface{} `json:"claims"`
}
// GetPoliciesFromClaims returns the list of policies to be applied for this
// incoming request, extracting the information from input JWT claims.
func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool) {
s := set.NewStringSet()
pname, ok := claims[policyClaimName]
if !ok {
return s, false
}
pnames, ok := pname.([]interface{})
if !ok {
pnameStr, ok := pname.(string)
if ok {
for _, pname := range strings.Split(pnameStr, ",") {
pname = strings.TrimSpace(pname)
if pname == "" {
// ignore any empty strings, considerate
// towards some user errors.
continue
}
s.Add(pname)
}
return s, true
}
return s, false
}
for _, pname := range pnames {
pnameStr, ok := pname.(string)
if ok {
for _, pnameStr := range strings.Split(pnameStr, ",") {
pnameStr = strings.TrimSpace(pnameStr)
if pnameStr == "" {
// ignore any empty strings, considerate
// towards some user errors.
continue
}
s.Add(pnameStr)
}
}
}
return s, true
}
// GetPolicies returns the list of policies to be applied for this
// incoming request, extracting the information from JWT claims.
func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool) {
return GetPoliciesFromClaims(a.Claims, policyClaimName)
}
// Policy - iam bucket iamp.
type Policy struct {
ID policy.ID `json:"ID,omitempty"`
Version string
Statements []Statement `json:"Statement"`
}
// IsAllowed - checks given policy args is allowed to continue the Rest API.
func (iamp Policy) IsAllowed(args Args) bool {
// Check all deny statements. If any one statement denies, return false.
for _, statement := range iamp.Statements {
if statement.Effect == policy.Deny {
if !statement.IsAllowed(args) {
return false
}
}
}
// For owner, its allowed by default.
if args.IsOwner {
return true
}
// Check all allow statements. If any one statement allows, return true.
for _, statement := range iamp.Statements {
if statement.Effect == policy.Allow {
if statement.IsAllowed(args) {
return true
}
}
}
return false
}
// IsEmpty - returns whether policy is empty or not.
func (iamp Policy) IsEmpty() bool {
return len(iamp.Statements) == 0
}
// isValid - checks if Policy is valid or not.
func (iamp Policy) isValid() error {
if iamp.Version != DefaultVersion && iamp.Version != "" {
return Errorf("invalid version '%v'", iamp.Version)
}
for _, statement := range iamp.Statements {
if err := statement.isValid(); err != nil {
return err
}
}
return nil
}
func (iamp *Policy) dropDuplicateStatements() {
redo:
for i := range iamp.Statements {
for j, statement := range iamp.Statements[i+1:] {
if iamp.Statements[i].Effect != statement.Effect {
continue
}
if !iamp.Statements[i].Actions.Equals(statement.Actions) {
continue
}
if !iamp.Statements[i].Resources.Equals(statement.Resources) {
continue
}
if iamp.Statements[i].Conditions.String() != statement.Conditions.String() {
continue
}
iamp.Statements = append(iamp.Statements[:j], iamp.Statements[j+1:]...)
goto redo
}
}
}
// UnmarshalJSON - decodes JSON data to Iamp.
func (iamp *Policy) UnmarshalJSON(data []byte) error {
// subtype to avoid recursive call to UnmarshalJSON()
type subPolicy Policy
var sp subPolicy
if err := json.Unmarshal(data, &sp); err != nil {
return err
}
p := Policy(sp)
p.dropDuplicateStatements()
*iamp = p
return nil
}
// Validate - validates all statements are for given bucket or not.
func (iamp Policy) Validate() error {
return iamp.isValid()
}
// ParseConfig - parses data in given reader to Iamp.
func ParseConfig(reader io.Reader) (*Policy, error) {
var iamp Policy
decoder := json.NewDecoder(reader)
decoder.DisallowUnknownFields()
if err := decoder.Decode(&iamp); err != nil {
return nil, Errorf("%w", err)
}
return &iamp, iamp.Validate()
}