2021-04-18 15:41:13 -04:00
|
|
|
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
|
|
//
|
|
|
|
// This file is part of MinIO Object Storage stack
|
|
|
|
//
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
// (at your option) any later version.
|
|
|
|
//
|
|
|
|
// This program is distributed in the hope that it will be useful
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
//
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2018-10-09 17:00:01 -04:00
|
|
|
|
|
|
|
package iampolicy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"io"
|
2020-01-08 20:21:58 -05:00
|
|
|
"strings"
|
2018-10-09 17:00:01 -04:00
|
|
|
|
2020-07-14 12:38:05 -04:00
|
|
|
"github.com/minio/minio-go/v7/pkg/set"
|
2020-01-27 17:12:34 -05:00
|
|
|
"github.com/minio/minio/pkg/bucket/policy"
|
2018-10-09 17:00:01 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
// DefaultVersion - default policy version as per AWS S3 specification.
|
|
|
|
const DefaultVersion = "2012-10-17"
|
|
|
|
|
|
|
|
// Args - arguments to policy to check whether it is allowed
|
|
|
|
type Args struct {
|
|
|
|
AccountName string `json:"account"`
|
2021-03-23 18:15:51 -04:00
|
|
|
Groups []string `json:"groups"`
|
2018-10-09 17:00:01 -04:00
|
|
|
Action Action `json:"action"`
|
|
|
|
BucketName string `json:"bucket"`
|
|
|
|
ConditionValues map[string][]string `json:"conditions"`
|
|
|
|
IsOwner bool `json:"owner"`
|
|
|
|
ObjectName string `json:"object"`
|
|
|
|
Claims map[string]interface{} `json:"claims"`
|
2021-03-02 18:35:50 -05:00
|
|
|
DenyOnly bool `json:"denyOnly"` // only applies deny
|
2018-10-09 17:00:01 -04:00
|
|
|
}
|
|
|
|
|
2020-07-10 17:48:44 -04:00
|
|
|
// GetPoliciesFromClaims returns the list of policies to be applied for this
|
|
|
|
// incoming request, extracting the information from input JWT claims.
|
|
|
|
func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool) {
|
2020-05-11 16:04:11 -04:00
|
|
|
s := set.NewStringSet()
|
2020-07-10 17:48:44 -04:00
|
|
|
pname, ok := claims[policyClaimName]
|
2020-01-08 20:21:58 -05:00
|
|
|
if !ok {
|
2020-05-11 16:04:11 -04:00
|
|
|
return s, false
|
2020-01-08 20:21:58 -05:00
|
|
|
}
|
2020-07-14 13:26:47 -04:00
|
|
|
pnames, ok := pname.([]interface{})
|
2020-05-11 16:04:11 -04:00
|
|
|
if !ok {
|
|
|
|
pnameStr, ok := pname.(string)
|
|
|
|
if ok {
|
2020-07-14 13:26:47 -04:00
|
|
|
for _, pname := range strings.Split(pnameStr, ",") {
|
|
|
|
pname = strings.TrimSpace(pname)
|
|
|
|
if pname == "" {
|
|
|
|
// ignore any empty strings, considerate
|
|
|
|
// towards some user errors.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
s.Add(pname)
|
|
|
|
}
|
|
|
|
return s, true
|
2020-05-11 16:04:11 -04:00
|
|
|
}
|
2020-07-14 13:26:47 -04:00
|
|
|
return s, false
|
2020-05-11 16:04:11 -04:00
|
|
|
}
|
|
|
|
for _, pname := range pnames {
|
2020-07-14 13:26:47 -04:00
|
|
|
pnameStr, ok := pname.(string)
|
|
|
|
if ok {
|
|
|
|
for _, pnameStr := range strings.Split(pnameStr, ",") {
|
|
|
|
pnameStr = strings.TrimSpace(pnameStr)
|
|
|
|
if pnameStr == "" {
|
|
|
|
// ignore any empty strings, considerate
|
|
|
|
// towards some user errors.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
s.Add(pnameStr)
|
|
|
|
}
|
2020-05-11 16:04:11 -04:00
|
|
|
}
|
2020-01-08 20:21:58 -05:00
|
|
|
}
|
2020-05-11 16:04:11 -04:00
|
|
|
return s, true
|
2020-01-08 20:21:58 -05:00
|
|
|
}
|
|
|
|
|
2020-07-10 17:48:44 -04:00
|
|
|
// GetPolicies returns the list of policies to be applied for this
|
|
|
|
// incoming request, extracting the information from JWT claims.
|
|
|
|
func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool) {
|
|
|
|
return GetPoliciesFromClaims(a.Claims, policyClaimName)
|
|
|
|
}
|
|
|
|
|
2018-10-09 17:00:01 -04:00
|
|
|
// Policy - iam bucket iamp.
|
|
|
|
type Policy struct {
|
|
|
|
ID policy.ID `json:"ID,omitempty"`
|
|
|
|
Version string
|
|
|
|
Statements []Statement `json:"Statement"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsAllowed - checks given policy args is allowed to continue the Rest API.
|
|
|
|
func (iamp Policy) IsAllowed(args Args) bool {
|
|
|
|
// Check all deny statements. If any one statement denies, return false.
|
|
|
|
for _, statement := range iamp.Statements {
|
|
|
|
if statement.Effect == policy.Deny {
|
|
|
|
if !statement.IsAllowed(args) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-02 18:35:50 -05:00
|
|
|
// Applied any 'Deny' only policies, if we have
|
|
|
|
// reached here it means that there were no 'Deny'
|
|
|
|
// policies - this function mainly used for
|
|
|
|
// specific scenarios where we only want to validate
|
|
|
|
// 'Deny' only policies.
|
|
|
|
if args.DenyOnly {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2018-10-09 17:00:01 -04:00
|
|
|
// For owner, its allowed by default.
|
|
|
|
if args.IsOwner {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check all allow statements. If any one statement allows, return true.
|
|
|
|
for _, statement := range iamp.Statements {
|
|
|
|
if statement.Effect == policy.Allow {
|
|
|
|
if statement.IsAllowed(args) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsEmpty - returns whether policy is empty or not.
|
|
|
|
func (iamp Policy) IsEmpty() bool {
|
|
|
|
return len(iamp.Statements) == 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// isValid - checks if Policy is valid or not.
|
|
|
|
func (iamp Policy) isValid() error {
|
|
|
|
if iamp.Version != DefaultVersion && iamp.Version != "" {
|
2020-01-03 14:28:52 -05:00
|
|
|
return Errorf("invalid version '%v'", iamp.Version)
|
2018-10-09 17:00:01 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, statement := range iamp.Statements {
|
|
|
|
if err := statement.isValid(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2020-04-18 00:26:42 -04:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-03-16 11:50:36 -04:00
|
|
|
// Merge merges two policies documents and drop
|
|
|
|
// duplicate statements if any.
|
|
|
|
func (iamp Policy) Merge(input Policy) Policy {
|
|
|
|
var mergedPolicy Policy
|
|
|
|
if iamp.Version != "" {
|
|
|
|
mergedPolicy.Version = iamp.Version
|
|
|
|
} else {
|
|
|
|
mergedPolicy.Version = input.Version
|
|
|
|
}
|
|
|
|
for _, st := range iamp.Statements {
|
|
|
|
mergedPolicy.Statements = append(mergedPolicy.Statements, st.Clone())
|
|
|
|
}
|
|
|
|
for _, st := range input.Statements {
|
|
|
|
mergedPolicy.Statements = append(mergedPolicy.Statements, st.Clone())
|
|
|
|
}
|
|
|
|
mergedPolicy.dropDuplicateStatements()
|
|
|
|
return mergedPolicy
|
|
|
|
}
|
|
|
|
|
2020-04-18 00:26:42 -04:00
|
|
|
func (iamp *Policy) dropDuplicateStatements() {
|
|
|
|
redo:
|
2018-10-09 17:00:01 -04:00
|
|
|
for i := range iamp.Statements {
|
2020-04-18 00:26:42 -04:00
|
|
|
for j, statement := range iamp.Statements[i+1:] {
|
2021-03-16 11:50:36 -04:00
|
|
|
if !iamp.Statements[i].Equals(statement) {
|
2018-10-09 17:00:01 -04:00
|
|
|
continue
|
|
|
|
}
|
2020-04-18 00:26:42 -04:00
|
|
|
iamp.Statements = append(iamp.Statements[:j], iamp.Statements[j+1:]...)
|
|
|
|
goto redo
|
2018-10-09 17:00:01 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// UnmarshalJSON - decodes JSON data to Iamp.
|
|
|
|
func (iamp *Policy) UnmarshalJSON(data []byte) error {
|
|
|
|
// subtype to avoid recursive call to UnmarshalJSON()
|
|
|
|
type subPolicy Policy
|
|
|
|
var sp subPolicy
|
|
|
|
if err := json.Unmarshal(data, &sp); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
p := Policy(sp)
|
2020-04-18 00:26:42 -04:00
|
|
|
p.dropDuplicateStatements()
|
2018-10-09 17:00:01 -04:00
|
|
|
*iamp = p
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Validate - validates all statements are for given bucket or not.
|
|
|
|
func (iamp Policy) Validate() error {
|
2020-05-10 13:55:28 -04:00
|
|
|
return iamp.isValid()
|
2018-10-09 17:00:01 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// ParseConfig - parses data in given reader to Iamp.
|
|
|
|
func ParseConfig(reader io.Reader) (*Policy, error) {
|
|
|
|
var iamp Policy
|
|
|
|
|
|
|
|
decoder := json.NewDecoder(reader)
|
|
|
|
decoder.DisallowUnknownFields()
|
|
|
|
if err := decoder.Decode(&iamp); err != nil {
|
2020-01-06 19:15:22 -05:00
|
|
|
return nil, Errorf("%w", err)
|
2018-10-09 17:00:01 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return &iamp, iamp.Validate()
|
|
|
|
}
|