accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
/*
|
|
|
|
* Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2016-08-18 19:23:42 -04:00
|
|
|
package cmd
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
|
|
|
|
import (
|
2016-08-10 23:10:48 -04:00
|
|
|
"fmt"
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
"io"
|
|
|
|
"io/ioutil"
|
2017-08-05 04:00:05 -04:00
|
|
|
"net"
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
"net/http"
|
2017-02-04 02:27:50 -05:00
|
|
|
"runtime"
|
|
|
|
"strings"
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
|
2016-11-22 21:18:22 -05:00
|
|
|
humanize "github.com/dustin/go-humanize"
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
mux "github.com/gorilla/mux"
|
2016-08-20 06:16:38 -04:00
|
|
|
"github.com/minio/minio-go/pkg/set"
|
2016-08-04 03:41:32 -04:00
|
|
|
"github.com/minio/minio/pkg/wildcard"
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
// maximum supported access policy size.
|
2016-11-22 21:18:22 -05:00
|
|
|
const maxAccessPolicySize = 20 * humanize.KiByte
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
|
|
|
|
// Verify if a given action is valid for the url path based on the
|
|
|
|
// existing bucket access policy.
|
2016-08-20 06:16:38 -04:00
|
|
|
func bucketPolicyEvalStatements(action string, resource string, conditions map[string]set.StringSet, statements []policyStatement) bool {
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
for _, statement := range statements {
|
|
|
|
if bucketPolicyMatchStatement(action, resource, conditions, statement) {
|
|
|
|
if statement.Effect == "Allow" {
|
|
|
|
return true
|
|
|
|
}
|
bucketpolicy: Improve bucket policy validation, avoid nested rules.
Bucket policy validation is more stricter now, to avoid nested
rules. The reason to do this is keep the rules simpler and more
meaningful avoiding conflicts.
This patch implements stricter checks.
Example policy to be generally avoided.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/*"
]
},
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/restic/key/*"
]
}
]
}
```
2016-03-15 13:38:04 -04:00
|
|
|
// Do not uncomment kept here for readability.
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
// else statement.Effect == "Deny"
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// None match so deny.
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify if action, resource and conditions match input policy statement.
|
2016-08-20 06:16:38 -04:00
|
|
|
func bucketPolicyMatchStatement(action string, resource string, conditions map[string]set.StringSet, statement policyStatement) bool {
|
2016-11-21 16:51:05 -05:00
|
|
|
// Verify if action, resource and condition match in given statement.
|
|
|
|
return (bucketPolicyActionMatch(action, statement) &&
|
|
|
|
bucketPolicyResourceMatch(resource, statement) &&
|
|
|
|
bucketPolicyConditionMatch(conditions, statement))
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Verify if given action matches with policy statement.
|
bucketpolicy: Improve bucket policy validation, avoid nested rules.
Bucket policy validation is more stricter now, to avoid nested
rules. The reason to do this is keep the rules simpler and more
meaningful avoiding conflicts.
This patch implements stricter checks.
Example policy to be generally avoided.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/*"
]
},
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/restic/key/*"
]
}
]
}
```
2016-03-15 13:38:04 -04:00
|
|
|
func bucketPolicyActionMatch(action string, statement policyStatement) bool {
|
2016-08-20 06:16:38 -04:00
|
|
|
return !statement.Actions.FuncMatch(actionMatch, action).IsEmpty()
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
|
2016-07-01 02:49:59 -04:00
|
|
|
// Match function matches wild cards in 'pattern' for resource.
|
|
|
|
func resourceMatch(pattern, resource string) bool {
|
2017-02-04 02:27:50 -05:00
|
|
|
if runtime.GOOS == "windows" {
|
|
|
|
// For windows specifically make sure we are case insensitive.
|
|
|
|
return wildcard.Match(strings.ToLower(pattern), strings.ToLower(resource))
|
|
|
|
}
|
2016-08-27 03:27:17 -04:00
|
|
|
return wildcard.Match(pattern, resource)
|
2016-07-01 02:49:59 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// Match function matches wild cards in 'pattern' for action.
|
|
|
|
func actionMatch(pattern, action string) bool {
|
2016-08-27 03:27:17 -04:00
|
|
|
return wildcard.MatchSimple(pattern, action)
|
2016-05-05 22:58:48 -04:00
|
|
|
}
|
2016-05-04 19:56:57 -04:00
|
|
|
|
2017-01-29 22:45:11 -05:00
|
|
|
func refererMatch(pattern, referer string) bool {
|
|
|
|
return wildcard.MatchSimple(pattern, referer)
|
|
|
|
}
|
|
|
|
|
2017-08-05 04:00:05 -04:00
|
|
|
// isIPInCIDR - checks if a given a IP address is a member of the given subnet.
|
|
|
|
func isIPInCIDR(cidr, ip string) bool {
|
|
|
|
// AWS S3 spec says IPs must use standard CIDR notation.
|
|
|
|
// http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-3.
|
|
|
|
_, cidrNet, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
return false // If provided CIDR can't be parsed no IP will be in the subnet.
|
|
|
|
}
|
|
|
|
addr := net.ParseIP(ip)
|
|
|
|
return cidrNet.Contains(addr)
|
|
|
|
}
|
|
|
|
|
2016-05-05 22:58:48 -04:00
|
|
|
// Verify if given resource matches with policy statement.
|
|
|
|
func bucketPolicyResourceMatch(resource string, statement policyStatement) bool {
|
2016-08-20 06:16:38 -04:00
|
|
|
// the resource rule for object could contain "*" wild card.
|
|
|
|
// the requested object can be given access based on the already set bucket policy if
|
|
|
|
// the match is successful.
|
|
|
|
// More info: http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html.
|
|
|
|
return !statement.Resources.FuncMatch(resourceMatch, resource).IsEmpty()
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Verify if given condition matches with policy statement.
|
2016-08-20 06:16:38 -04:00
|
|
|
func bucketPolicyConditionMatch(conditions map[string]set.StringSet, statement policyStatement) bool {
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
// Supports following conditions.
|
|
|
|
// - StringEquals
|
|
|
|
// - StringNotEquals
|
2017-01-29 22:45:11 -05:00
|
|
|
// - StringLike
|
|
|
|
// - StringNotLike
|
2017-08-05 04:00:05 -04:00
|
|
|
// - IpAddress
|
|
|
|
// - NotIpAddress
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
//
|
|
|
|
// Supported applicable condition keys for each conditions.
|
|
|
|
// - s3:prefix
|
|
|
|
// - s3:max-keys
|
2017-01-29 22:45:11 -05:00
|
|
|
// - s3:aws-Referer
|
2017-08-05 04:00:05 -04:00
|
|
|
// - s3:aws-SourceIp
|
2017-01-29 22:45:11 -05:00
|
|
|
|
2017-01-30 12:20:16 -05:00
|
|
|
// The following loop evaluates the logical AND of all the
|
|
|
|
// conditions in the statement. Note: we can break out of the
|
|
|
|
// loop if and only if a condition evaluates to false.
|
2016-08-20 06:16:38 -04:00
|
|
|
for condition, conditionKeyVal := range statement.Conditions {
|
2017-01-30 12:18:10 -05:00
|
|
|
prefixConditon := conditionKeyVal["s3:prefix"]
|
|
|
|
maxKeyCondition := conditionKeyVal["s3:max-keys"]
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
if condition == "StringEquals" {
|
2017-01-30 12:18:10 -05:00
|
|
|
// If there is no condition with "s3:prefix" or "s3:max-keys" condition key
|
|
|
|
// then there is nothing to check condition against.
|
|
|
|
if !prefixConditon.IsEmpty() && !prefixConditon.Equals(conditions["prefix"]) {
|
2017-01-29 22:45:11 -05:00
|
|
|
return false
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
2017-01-30 12:18:10 -05:00
|
|
|
if !maxKeyCondition.IsEmpty() && !maxKeyCondition.Equals(conditions["max-keys"]) {
|
2017-01-29 22:45:11 -05:00
|
|
|
return false
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
} else if condition == "StringNotEquals" {
|
2017-01-30 12:18:10 -05:00
|
|
|
// If there is no condition with "s3:prefix" or "s3:max-keys" condition key
|
|
|
|
// then there is nothing to check condition against.
|
|
|
|
if !prefixConditon.IsEmpty() && prefixConditon.Equals(conditions["prefix"]) {
|
2017-01-29 22:45:11 -05:00
|
|
|
return false
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
2017-01-30 12:18:10 -05:00
|
|
|
if !maxKeyCondition.IsEmpty() && maxKeyCondition.Equals(conditions["max-keys"]) {
|
2017-01-29 22:45:11 -05:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
} else if condition == "StringLike" {
|
|
|
|
awsReferers := conditionKeyVal["aws:Referer"]
|
2017-01-30 12:18:10 -05:00
|
|
|
// Skip empty condition, it is trivially satisfied.
|
|
|
|
if awsReferers.IsEmpty() {
|
|
|
|
continue
|
|
|
|
}
|
2017-01-29 22:45:11 -05:00
|
|
|
// wildcard match of referer in statement was not empty.
|
|
|
|
// StringLike has a match, i.e, condition evaluates to true.
|
2017-01-30 12:20:16 -05:00
|
|
|
refererFound := false
|
2017-01-29 22:45:11 -05:00
|
|
|
for referer := range conditions["referer"] {
|
|
|
|
if !awsReferers.FuncMatch(refererMatch, referer).IsEmpty() {
|
2017-01-30 12:20:16 -05:00
|
|
|
refererFound = true
|
|
|
|
break
|
2017-01-29 22:45:11 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
// No matching referer found, so the condition is false.
|
2017-01-30 12:20:16 -05:00
|
|
|
if !refererFound {
|
|
|
|
return false
|
|
|
|
}
|
2017-01-29 22:45:11 -05:00
|
|
|
} else if condition == "StringNotLike" {
|
|
|
|
awsReferers := conditionKeyVal["aws:Referer"]
|
2017-01-30 12:18:10 -05:00
|
|
|
// Skip empty condition, it is trivially satisfied.
|
|
|
|
if awsReferers.IsEmpty() {
|
|
|
|
continue
|
|
|
|
}
|
2017-01-29 22:45:11 -05:00
|
|
|
// wildcard match of referer in statement was not empty.
|
|
|
|
// StringNotLike has a match, i.e, condition evaluates to false.
|
|
|
|
for referer := range conditions["referer"] {
|
|
|
|
if !awsReferers.FuncMatch(refererMatch, referer).IsEmpty() {
|
|
|
|
return false
|
|
|
|
}
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
2017-08-05 04:00:05 -04:00
|
|
|
} else if condition == "IpAddress" {
|
|
|
|
awsIps := conditionKeyVal["aws:SourceIp"]
|
|
|
|
// Skip empty condition, it is trivially satisfied.
|
|
|
|
if awsIps.IsEmpty() {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
// wildcard match of ip if statement was not empty.
|
|
|
|
// Find a valid ip.
|
|
|
|
ipFound := false
|
|
|
|
for ip := range conditions["ip"] {
|
|
|
|
if !awsIps.FuncMatch(isIPInCIDR, ip).IsEmpty() {
|
|
|
|
ipFound = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !ipFound {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
} else if condition == "NotIpAddress" {
|
|
|
|
awsIps := conditionKeyVal["aws:SourceIp"]
|
|
|
|
// Skip empty condition, it is trivially satisfied.
|
|
|
|
if awsIps.IsEmpty() {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
// wildcard match of ip if statement was not empty.
|
|
|
|
// Find if nothing matches.
|
|
|
|
for ip := range conditions["ip"] {
|
|
|
|
if !awsIps.FuncMatch(isIPInCIDR, ip).IsEmpty() {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
}
|
2017-01-30 12:20:16 -05:00
|
|
|
|
2017-01-29 22:45:11 -05:00
|
|
|
return true
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// PutBucketPolicyHandler - PUT Bucket policy
|
|
|
|
// -----------------
|
|
|
|
// This implementation of the PUT operation uses the policy
|
|
|
|
// subresource to add to or replace a policy on a bucket
|
2016-04-12 15:45:15 -04:00
|
|
|
func (api objectAPIHandlers) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
|
2016-08-10 21:47:49 -04:00
|
|
|
objAPI := api.ObjectAPI()
|
|
|
|
if objAPI == nil {
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, ErrServerNotInitialized, r.URL)
|
2016-08-10 21:47:49 -04:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-11-21 16:51:05 -05:00
|
|
|
if s3Error := checkRequestAuthType(r, "", "", serverConfig.GetRegion()); s3Error != ErrNone {
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, s3Error, r.URL)
|
2016-03-12 19:08:15 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-09-30 17:32:13 -04:00
|
|
|
vars := mux.Vars(r)
|
|
|
|
bucket := vars["bucket"]
|
|
|
|
|
2016-11-14 18:45:00 -05:00
|
|
|
// Before proceeding validate if bucket exists.
|
|
|
|
_, err := objAPI.GetBucketInfo(bucket)
|
|
|
|
if err != nil {
|
|
|
|
errorIf(err, "Unable to find bucket info.")
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, toAPIErrorCode(err), r.URL)
|
2016-11-14 18:45:00 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
// If Content-Length is unknown or zero, deny the
|
2017-01-20 19:33:01 -05:00
|
|
|
// request. PutBucketPolicy always needs a Content-Length.
|
|
|
|
if r.ContentLength == -1 || r.ContentLength == 0 {
|
|
|
|
writeErrorResponse(w, ErrMissingContentLength, r.URL)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
// If Content-Length is greater than maximum allowed policy size.
|
|
|
|
if r.ContentLength > maxAccessPolicySize {
|
|
|
|
writeErrorResponse(w, ErrEntityTooLarge, r.URL)
|
|
|
|
return
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Read access policy up to maxAccessPolicySize.
|
|
|
|
// http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
|
|
|
|
// bucket policies are limited to 20KB in size, using a limit reader.
|
2016-08-10 23:10:48 -04:00
|
|
|
policyBytes, err := ioutil.ReadAll(io.LimitReader(r.Body, maxAccessPolicySize))
|
2016-04-29 17:24:10 -04:00
|
|
|
if err != nil {
|
2016-08-10 23:10:48 -04:00
|
|
|
errorIf(err, "Unable to read from client.")
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, toAPIErrorCode(err), r.URL)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-12-10 19:15:12 -05:00
|
|
|
// Parse validate and save bucket policy.
|
|
|
|
if s3Error := parseAndPersistBucketPolicy(bucket, policyBytes, objAPI); s3Error != ErrNone {
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, s3Error, r.URL)
|
bucketpolicy: Improve bucket policy validation, avoid nested rules.
Bucket policy validation is more stricter now, to avoid nested
rules. The reason to do this is keep the rules simpler and more
meaningful avoiding conflicts.
This patch implements stricter checks.
Example policy to be generally avoided.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/*"
]
},
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/restic/key/*"
]
}
]
}
```
2016-03-15 13:38:04 -04:00
|
|
|
return
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
|
2016-08-10 23:10:48 -04:00
|
|
|
// Success.
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
writeSuccessNoContent(w)
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteBucketPolicyHandler - DELETE Bucket policy
|
|
|
|
// -----------------
|
|
|
|
// This implementation of the DELETE operation uses the policy
|
|
|
|
// subresource to add to remove a policy on a bucket.
|
2016-04-12 15:45:15 -04:00
|
|
|
func (api objectAPIHandlers) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
|
2016-08-10 21:47:49 -04:00
|
|
|
objAPI := api.ObjectAPI()
|
|
|
|
if objAPI == nil {
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, ErrServerNotInitialized, r.URL)
|
2016-08-10 21:47:49 -04:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-11-21 16:51:05 -05:00
|
|
|
if s3Error := checkRequestAuthType(r, "", "", serverConfig.GetRegion()); s3Error != ErrNone {
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, s3Error, r.URL)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-09-30 17:32:13 -04:00
|
|
|
vars := mux.Vars(r)
|
|
|
|
bucket := vars["bucket"]
|
|
|
|
|
2016-11-14 18:45:00 -05:00
|
|
|
// Before proceeding validate if bucket exists.
|
|
|
|
_, err := objAPI.GetBucketInfo(bucket)
|
|
|
|
if err != nil {
|
|
|
|
errorIf(err, "Unable to find bucket info.")
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, toAPIErrorCode(err), r.URL)
|
2016-11-14 18:45:00 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-10-13 12:19:04 -04:00
|
|
|
// Delete bucket access policy, by passing an empty policy
|
|
|
|
// struct.
|
|
|
|
if err := persistAndNotifyBucketPolicyChange(bucket, policyChange{true, nil}, objAPI); err != nil {
|
2016-04-29 17:24:10 -04:00
|
|
|
switch err.(type) {
|
fs: Break fs package to top-level and introduce ObjectAPI interface.
ObjectAPI interface brings in changes needed for XL ObjectAPI layer.
The new interface for any ObjectAPI layer is as below
```
// ObjectAPI interface.
type ObjectAPI interface {
// Bucket resource API.
DeleteBucket(bucket string) *probe.Error
ListBuckets() ([]BucketInfo, *probe.Error)
MakeBucket(bucket string) *probe.Error
GetBucketInfo(bucket string) (BucketInfo, *probe.Error)
// Bucket query API.
ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error)
ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error)
// Object resource API.
GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error)
GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error)
PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error)
DeleteObject(bucket, object string) *probe.Error
// Object query API.
NewMultipartUpload(bucket, object string) (string, *probe.Error)
PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error)
ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error)
CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error)
AbortMultipartUpload(bucket, object, uploadID string) *probe.Error
}
```
2016-03-30 19:15:28 -04:00
|
|
|
case BucketPolicyNotFound:
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, ErrNoSuchBucketPolicy, r.URL)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
default:
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, ErrInternalError, r.URL)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
2016-08-10 23:10:48 -04:00
|
|
|
|
|
|
|
// Success.
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
writeSuccessNoContent(w)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetBucketPolicyHandler - GET Bucket policy
|
|
|
|
// -----------------
|
|
|
|
// This operation uses the policy
|
|
|
|
// subresource to return the policy of a specified bucket.
|
2016-04-12 15:45:15 -04:00
|
|
|
func (api objectAPIHandlers) GetBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
|
2016-08-10 21:47:49 -04:00
|
|
|
objAPI := api.ObjectAPI()
|
|
|
|
if objAPI == nil {
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, ErrServerNotInitialized, r.URL)
|
2016-08-10 21:47:49 -04:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-11-21 16:51:05 -05:00
|
|
|
if s3Error := checkRequestAuthType(r, "", "", serverConfig.GetRegion()); s3Error != ErrNone {
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, s3Error, r.URL)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-09-30 17:32:13 -04:00
|
|
|
vars := mux.Vars(r)
|
|
|
|
bucket := vars["bucket"]
|
|
|
|
|
2016-11-14 18:45:00 -05:00
|
|
|
// Before proceeding validate if bucket exists.
|
|
|
|
_, err := objAPI.GetBucketInfo(bucket)
|
|
|
|
if err != nil {
|
|
|
|
errorIf(err, "Unable to find bucket info.")
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, toAPIErrorCode(err), r.URL)
|
2016-11-14 18:45:00 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
// Read bucket access policy.
|
2016-08-10 21:47:49 -04:00
|
|
|
policy, err := readBucketPolicy(bucket, objAPI)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
if err != nil {
|
2016-05-16 17:31:28 -04:00
|
|
|
errorIf(err, "Unable to read bucket policy.")
|
2016-04-29 17:24:10 -04:00
|
|
|
switch err.(type) {
|
fs: Break fs package to top-level and introduce ObjectAPI interface.
ObjectAPI interface brings in changes needed for XL ObjectAPI layer.
The new interface for any ObjectAPI layer is as below
```
// ObjectAPI interface.
type ObjectAPI interface {
// Bucket resource API.
DeleteBucket(bucket string) *probe.Error
ListBuckets() ([]BucketInfo, *probe.Error)
MakeBucket(bucket string) *probe.Error
GetBucketInfo(bucket string) (BucketInfo, *probe.Error)
// Bucket query API.
ListObjects(bucket, prefix, marker, delimiter string, maxKeys int) (ListObjectsResult, *probe.Error)
ListMultipartUploads(bucket string, resources BucketMultipartResourcesMetadata) (BucketMultipartResourcesMetadata, *probe.Error)
// Object resource API.
GetObject(bucket, object string, startOffset int64) (io.ReadCloser, *probe.Error)
GetObjectInfo(bucket, object string) (ObjectInfo, *probe.Error)
PutObject(bucket string, object string, size int64, data io.Reader, metadata map[string]string) (ObjectInfo, *probe.Error)
DeleteObject(bucket, object string) *probe.Error
// Object query API.
NewMultipartUpload(bucket, object string) (string, *probe.Error)
PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Hex string) (string, *probe.Error)
ListObjectParts(bucket, object string, resources ObjectResourcesMetadata) (ObjectResourcesMetadata, *probe.Error)
CompleteMultipartUpload(bucket string, object string, uploadID string, parts []CompletePart) (ObjectInfo, *probe.Error)
AbortMultipartUpload(bucket, object, uploadID string) *probe.Error
}
```
2016-03-30 19:15:28 -04:00
|
|
|
case BucketPolicyNotFound:
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, ErrNoSuchBucketPolicy, r.URL)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
default:
|
2017-01-06 03:37:00 -05:00
|
|
|
writeErrorResponse(w, ErrInternalError, r.URL)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
2016-08-10 23:10:48 -04:00
|
|
|
|
|
|
|
// Write to client.
|
|
|
|
fmt.Fprint(w, policy)
|
accessPolicy: Implement Put, Get, Delete access policy.
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
2016-02-03 19:46:56 -05:00
|
|
|
}
|