d5057b3c51
This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
148 lines
3.8 KiB
Go
148 lines
3.8 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/minio/minio/pkg/fs"
|
|
"github.com/minio/minio/pkg/probe"
|
|
)
|
|
|
|
// getBucketsConfigPath - get buckets path.
|
|
func getBucketsConfigPath() (string, *probe.Error) {
|
|
configPath, err := getConfigPath()
|
|
if err != nil {
|
|
return "", err.Trace()
|
|
}
|
|
return filepath.Join(configPath, "buckets"), nil
|
|
}
|
|
|
|
// createBucketsConfigPath - create buckets directory.
|
|
func createBucketsConfigPath() *probe.Error {
|
|
bucketsConfigPath, err := getBucketsConfigPath()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if e := os.MkdirAll(bucketsConfigPath, 0700); e != nil {
|
|
return probe.NewError(e)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// getBucketConfigPath - get bucket path.
|
|
func getBucketConfigPath(bucket string) (string, *probe.Error) {
|
|
bucketsConfigPath, err := getBucketsConfigPath()
|
|
if err != nil {
|
|
return "", err.Trace()
|
|
}
|
|
return filepath.Join(bucketsConfigPath, bucket), nil
|
|
}
|
|
|
|
// createBucketConfigPath - create bucket directory.
|
|
func createBucketConfigPath(bucket string) *probe.Error {
|
|
bucketConfigPath, err := getBucketConfigPath(bucket)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if e := os.MkdirAll(bucketConfigPath, 0700); e != nil {
|
|
return probe.NewError(e)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// readBucketPolicy - read bucket policy.
|
|
func readBucketPolicy(bucket string) ([]byte, *probe.Error) {
|
|
// Verify bucket is valid.
|
|
if !fs.IsValidBucketName(bucket) {
|
|
return nil, probe.NewError(fs.BucketNameInvalid{Bucket: bucket})
|
|
}
|
|
|
|
bucketConfigPath, err := getBucketConfigPath(bucket)
|
|
if err != nil {
|
|
return nil, err.Trace()
|
|
}
|
|
|
|
// Get policy file.
|
|
bucketPolicyFile := filepath.Join(bucketConfigPath, "access-policy.json")
|
|
if _, e := os.Stat(bucketPolicyFile); e != nil {
|
|
if os.IsNotExist(e) {
|
|
return nil, probe.NewError(fs.BucketPolicyNotFound{Bucket: bucket})
|
|
}
|
|
return nil, probe.NewError(e)
|
|
}
|
|
|
|
accessPolicyBytes, e := ioutil.ReadFile(bucketPolicyFile)
|
|
if e != nil {
|
|
return nil, probe.NewError(e)
|
|
}
|
|
return accessPolicyBytes, nil
|
|
}
|
|
|
|
// removeBucketPolicy - remove bucket policy.
|
|
func removeBucketPolicy(bucket string) *probe.Error {
|
|
// Verify bucket is valid.
|
|
if !fs.IsValidBucketName(bucket) {
|
|
return probe.NewError(fs.BucketNameInvalid{Bucket: bucket})
|
|
}
|
|
|
|
bucketConfigPath, err := getBucketConfigPath(bucket)
|
|
if err != nil {
|
|
return err.Trace(bucket)
|
|
}
|
|
|
|
// Get policy file.
|
|
bucketPolicyFile := filepath.Join(bucketConfigPath, "access-policy.json")
|
|
if _, e := os.Stat(bucketPolicyFile); e != nil {
|
|
if os.IsNotExist(e) {
|
|
return probe.NewError(fs.BucketPolicyNotFound{Bucket: bucket})
|
|
}
|
|
return probe.NewError(e)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// writeBucketPolicy - save bucket policy.
|
|
func writeBucketPolicy(bucket string, accessPolicyBytes []byte) *probe.Error {
|
|
// Verify if bucket path legal
|
|
if !fs.IsValidBucketName(bucket) {
|
|
return probe.NewError(fs.BucketNameInvalid{Bucket: bucket})
|
|
}
|
|
|
|
bucketConfigPath, err := getBucketConfigPath(bucket)
|
|
if err != nil {
|
|
return err.Trace()
|
|
}
|
|
|
|
// Get policy file.
|
|
bucketPolicyFile := filepath.Join(bucketConfigPath, "access-policy.json")
|
|
if _, e := os.Stat(bucketPolicyFile); e != nil {
|
|
if !os.IsNotExist(e) {
|
|
return probe.NewError(e)
|
|
}
|
|
}
|
|
|
|
// Write bucket policy.
|
|
if e := ioutil.WriteFile(bucketPolicyFile, accessPolicyBytes, 0600); e != nil {
|
|
return probe.NewError(e)
|
|
}
|
|
|
|
return nil
|
|
}
|