440 lines
16 KiB
Go
440 lines
16 KiB
Go
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
//
|
|
// This file is part of MinIO Object Storage stack
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package iampolicy
|
|
|
|
import (
|
|
"github.com/minio/minio/pkg/bucket/policy/condition"
|
|
"github.com/minio/pkg/wildcard"
|
|
)
|
|
|
|
// Action - policy action.
|
|
// Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
|
|
// for more information about available actions.
|
|
type Action string
|
|
|
|
const (
|
|
// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
|
|
AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"
|
|
|
|
// CreateBucketAction - CreateBucket Rest API action.
|
|
CreateBucketAction = "s3:CreateBucket"
|
|
|
|
// DeleteBucketAction - DeleteBucket Rest API action.
|
|
DeleteBucketAction = "s3:DeleteBucket"
|
|
|
|
// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
|
|
// is specified.
|
|
ForceDeleteBucketAction = "s3:ForceDeleteBucket"
|
|
|
|
// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
|
|
DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"
|
|
|
|
// DeleteObjectAction - DeleteObject Rest API action.
|
|
DeleteObjectAction = "s3:DeleteObject"
|
|
|
|
// GetBucketLocationAction - GetBucketLocation Rest API action.
|
|
GetBucketLocationAction = "s3:GetBucketLocation"
|
|
|
|
// GetBucketNotificationAction - GetBucketNotification Rest API action.
|
|
GetBucketNotificationAction = "s3:GetBucketNotification"
|
|
|
|
// GetBucketPolicyAction - GetBucketPolicy Rest API action.
|
|
GetBucketPolicyAction = "s3:GetBucketPolicy"
|
|
|
|
// GetObjectAction - GetObject Rest API action.
|
|
GetObjectAction = "s3:GetObject"
|
|
|
|
// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
|
|
HeadBucketAction = "s3:HeadBucket"
|
|
|
|
// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
|
|
ListAllMyBucketsAction = "s3:ListAllMyBuckets"
|
|
|
|
// ListBucketAction - ListBucket Rest API action.
|
|
ListBucketAction = "s3:ListBucket"
|
|
|
|
// GetBucketPolicyStatusAction - Retrieves the policy status for a bucket.
|
|
GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus"
|
|
|
|
// ListBucketVersionsAction - ListBucketVersions Rest API action.
|
|
ListBucketVersionsAction = "s3:ListBucketVersions"
|
|
|
|
// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
|
|
ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"
|
|
|
|
// ListenNotificationAction - ListenNotification Rest API action.
|
|
// This is MinIO extension.
|
|
ListenNotificationAction = "s3:ListenNotification"
|
|
|
|
// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
|
|
// This is MinIO extension.
|
|
ListenBucketNotificationAction = "s3:ListenBucketNotification"
|
|
|
|
// ListMultipartUploadPartsAction - ListParts Rest API action.
|
|
ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"
|
|
|
|
// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
|
|
PutBucketLifecycleAction = "s3:PutLifecycleConfiguration"
|
|
|
|
// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
|
|
GetBucketLifecycleAction = "s3:GetLifecycleConfiguration"
|
|
|
|
// PutBucketNotificationAction - PutObjectNotification Rest API action.
|
|
PutBucketNotificationAction = "s3:PutBucketNotification"
|
|
|
|
// PutBucketPolicyAction - PutBucketPolicy Rest API action.
|
|
PutBucketPolicyAction = "s3:PutBucketPolicy"
|
|
|
|
// PutObjectAction - PutObject Rest API action.
|
|
PutObjectAction = "s3:PutObject"
|
|
|
|
// DeleteObjectVersionAction - DeleteObjectVersion Rest API action.
|
|
DeleteObjectVersionAction = "s3:DeleteObjectVersion"
|
|
|
|
// DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action.
|
|
DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging"
|
|
|
|
// GetObjectVersionAction - GetObjectVersionAction Rest API action.
|
|
GetObjectVersionAction = "s3:GetObjectVersion"
|
|
|
|
// GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action.
|
|
GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging"
|
|
|
|
// PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action.
|
|
PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging"
|
|
|
|
// BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
|
|
BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"
|
|
|
|
// PutObjectRetentionAction - PutObjectRetention Rest API action.
|
|
PutObjectRetentionAction = "s3:PutObjectRetention"
|
|
|
|
// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
|
|
GetObjectRetentionAction = "s3:GetObjectRetention"
|
|
|
|
// GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action.
|
|
GetObjectLegalHoldAction = "s3:GetObjectLegalHold"
|
|
|
|
// PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action.
|
|
PutObjectLegalHoldAction = "s3:PutObjectLegalHold"
|
|
|
|
// GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action
|
|
GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"
|
|
|
|
// PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action
|
|
PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"
|
|
|
|
// GetBucketTaggingAction - GetBucketTagging Rest API action
|
|
GetBucketTaggingAction = "s3:GetBucketTagging"
|
|
|
|
// PutBucketTaggingAction - PutBucketTagging Rest API action
|
|
PutBucketTaggingAction = "s3:PutBucketTagging"
|
|
|
|
// GetObjectTaggingAction - Get Object Tags API action
|
|
GetObjectTaggingAction = "s3:GetObjectTagging"
|
|
|
|
// PutObjectTaggingAction - Put Object Tags API action
|
|
PutObjectTaggingAction = "s3:PutObjectTagging"
|
|
|
|
// DeleteObjectTaggingAction - Delete Object Tags API action
|
|
DeleteObjectTaggingAction = "s3:DeleteObjectTagging"
|
|
|
|
// PutBucketEncryptionAction - PutBucketEncryption REST API action
|
|
PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"
|
|
|
|
// GetBucketEncryptionAction - GetBucketEncryption REST API action
|
|
GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"
|
|
|
|
// PutBucketVersioningAction - PutBucketVersioning REST API action
|
|
PutBucketVersioningAction = "s3:PutBucketVersioning"
|
|
|
|
// GetBucketVersioningAction - GetBucketVersioning REST API action
|
|
GetBucketVersioningAction = "s3:GetBucketVersioning"
|
|
// GetReplicationConfigurationAction - GetReplicationConfiguration REST API action
|
|
GetReplicationConfigurationAction = "s3:GetReplicationConfiguration"
|
|
// PutReplicationConfigurationAction - PutReplicationConfiguration REST API action
|
|
PutReplicationConfigurationAction = "s3:PutReplicationConfiguration"
|
|
|
|
// ReplicateObjectAction - ReplicateObject REST API action
|
|
ReplicateObjectAction = "s3:ReplicateObject"
|
|
|
|
// ReplicateDeleteAction - ReplicateDelete REST API action
|
|
ReplicateDeleteAction = "s3:ReplicateDelete"
|
|
|
|
// ReplicateTagsAction - ReplicateTags REST API action
|
|
ReplicateTagsAction = "s3:ReplicateTags"
|
|
|
|
// GetObjectVersionForReplicationAction - GetObjectVersionForReplication REST API action
|
|
GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication"
|
|
|
|
// AllActions - all API actions
|
|
AllActions = "s3:*"
|
|
)
|
|
|
|
// List of all supported actions.
|
|
var supportedActions = map[Action]struct{}{
|
|
AbortMultipartUploadAction: {},
|
|
CreateBucketAction: {},
|
|
DeleteBucketAction: {},
|
|
ForceDeleteBucketAction: {},
|
|
DeleteBucketPolicyAction: {},
|
|
DeleteObjectAction: {},
|
|
GetBucketLocationAction: {},
|
|
GetBucketNotificationAction: {},
|
|
GetBucketPolicyAction: {},
|
|
GetObjectAction: {},
|
|
HeadBucketAction: {},
|
|
ListAllMyBucketsAction: {},
|
|
ListBucketAction: {},
|
|
GetBucketPolicyStatusAction: {},
|
|
ListBucketVersionsAction: {},
|
|
ListBucketMultipartUploadsAction: {},
|
|
ListenNotificationAction: {},
|
|
ListenBucketNotificationAction: {},
|
|
ListMultipartUploadPartsAction: {},
|
|
PutBucketLifecycleAction: {},
|
|
GetBucketLifecycleAction: {},
|
|
PutBucketNotificationAction: {},
|
|
PutBucketPolicyAction: {},
|
|
PutObjectAction: {},
|
|
BypassGovernanceRetentionAction: {},
|
|
PutObjectRetentionAction: {},
|
|
GetObjectRetentionAction: {},
|
|
GetObjectLegalHoldAction: {},
|
|
PutObjectLegalHoldAction: {},
|
|
GetBucketObjectLockConfigurationAction: {},
|
|
PutBucketObjectLockConfigurationAction: {},
|
|
GetBucketTaggingAction: {},
|
|
PutBucketTaggingAction: {},
|
|
GetObjectVersionAction: {},
|
|
GetObjectVersionTaggingAction: {},
|
|
DeleteObjectVersionAction: {},
|
|
DeleteObjectVersionTaggingAction: {},
|
|
PutObjectVersionTaggingAction: {},
|
|
GetObjectTaggingAction: {},
|
|
PutObjectTaggingAction: {},
|
|
DeleteObjectTaggingAction: {},
|
|
PutBucketEncryptionAction: {},
|
|
GetBucketEncryptionAction: {},
|
|
PutBucketVersioningAction: {},
|
|
GetBucketVersioningAction: {},
|
|
GetReplicationConfigurationAction: {},
|
|
PutReplicationConfigurationAction: {},
|
|
ReplicateObjectAction: {},
|
|
ReplicateDeleteAction: {},
|
|
ReplicateTagsAction: {},
|
|
GetObjectVersionForReplicationAction: {},
|
|
AllActions: {},
|
|
}
|
|
|
|
// List of all supported object actions.
|
|
var supportedObjectActions = map[Action]struct{}{
|
|
AllActions: {},
|
|
AbortMultipartUploadAction: {},
|
|
DeleteObjectAction: {},
|
|
GetObjectAction: {},
|
|
ListMultipartUploadPartsAction: {},
|
|
PutObjectAction: {},
|
|
BypassGovernanceRetentionAction: {},
|
|
PutObjectRetentionAction: {},
|
|
GetObjectRetentionAction: {},
|
|
PutObjectLegalHoldAction: {},
|
|
GetObjectLegalHoldAction: {},
|
|
GetObjectTaggingAction: {},
|
|
PutObjectTaggingAction: {},
|
|
DeleteObjectTaggingAction: {},
|
|
GetObjectVersionAction: {},
|
|
GetObjectVersionTaggingAction: {},
|
|
DeleteObjectVersionAction: {},
|
|
DeleteObjectVersionTaggingAction: {},
|
|
PutObjectVersionTaggingAction: {},
|
|
ReplicateObjectAction: {},
|
|
ReplicateDeleteAction: {},
|
|
ReplicateTagsAction: {},
|
|
GetObjectVersionForReplicationAction: {},
|
|
}
|
|
|
|
// isObjectAction - returns whether action is object type or not.
|
|
func (action Action) isObjectAction() bool {
|
|
for supAction := range supportedObjectActions {
|
|
if action.Match(supAction) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Match - matches action name with action patter.
|
|
func (action Action) Match(a Action) bool {
|
|
return wildcard.Match(string(action), string(a))
|
|
}
|
|
|
|
// IsValid - checks if action is valid or not.
|
|
func (action Action) IsValid() bool {
|
|
for supAction := range supportedActions {
|
|
if action.Match(supAction) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
type actionConditionKeyMap map[Action]condition.KeySet
|
|
|
|
func (a actionConditionKeyMap) Lookup(action Action) condition.KeySet {
|
|
var ckeysMerged = condition.NewKeySet(condition.CommonKeys...)
|
|
for act, ckey := range a {
|
|
if action.Match(act) {
|
|
ckeysMerged.Merge(ckey)
|
|
}
|
|
}
|
|
return ckeysMerged
|
|
}
|
|
|
|
// iamActionConditionKeyMap - holds mapping of supported condition key for an action.
|
|
var iamActionConditionKeyMap = actionConditionKeyMap{
|
|
AllActions: condition.NewKeySet(condition.AllSupportedKeys...),
|
|
|
|
GetObjectAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3XAmzServerSideEncryption,
|
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
ListBucketAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3Prefix,
|
|
condition.S3Delimiter,
|
|
condition.S3MaxKeys,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
ListBucketVersionsAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3Prefix,
|
|
condition.S3Delimiter,
|
|
condition.S3MaxKeys,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
DeleteObjectAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
PutObjectAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3XAmzCopySource,
|
|
condition.S3XAmzServerSideEncryption,
|
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
|
condition.S3XAmzMetadataDirective,
|
|
condition.S3XAmzStorageClass,
|
|
condition.S3VersionID,
|
|
condition.S3ObjectLockRetainUntilDate,
|
|
condition.S3ObjectLockMode,
|
|
condition.S3ObjectLockLegalHold,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
|
|
// LockLegalHold is not supported with PutObjectRetentionAction
|
|
PutObjectRetentionAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3XAmzServerSideEncryption,
|
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
|
condition.S3ObjectLockRemainingRetentionDays,
|
|
condition.S3ObjectLockRetainUntilDate,
|
|
condition.S3ObjectLockMode,
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
GetObjectRetentionAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3XAmzServerSideEncryption,
|
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
PutObjectLegalHoldAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3XAmzServerSideEncryption,
|
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
|
condition.S3ObjectLockLegalHold,
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
GetObjectLegalHoldAction: condition.NewKeySet(condition.CommonKeys...),
|
|
|
|
// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
|
|
BypassGovernanceRetentionAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
condition.S3ObjectLockRemainingRetentionDays,
|
|
condition.S3ObjectLockRetainUntilDate,
|
|
condition.S3ObjectLockMode,
|
|
condition.S3ObjectLockLegalHold,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
PutObjectTaggingAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
GetObjectTaggingAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
DeleteObjectTaggingAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
|
|
PutObjectVersionTaggingAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
GetObjectVersionAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
GetObjectVersionTaggingAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
DeleteObjectVersionAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
DeleteObjectVersionTaggingAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
ReplicateObjectAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
ReplicateDeleteAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
ReplicateTagsAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
GetObjectVersionForReplicationAction: condition.NewKeySet(
|
|
append([]condition.Key{
|
|
condition.S3VersionID,
|
|
}, condition.CommonKeys...)...),
|
|
}
|