Make BucketPolicy strictly typed

2025-11-07 21:02:58 -05:00 · 2015-03-08 15:57:18 -07:00
parent 7b57797455
commit 01e98eb326
6 changed files with 19 additions and 22 deletions
--- a/pkg/storage/fs/fs.go
+++ b/pkg/storage/fs/fs.go
@@ -33,7 +33,6 @@ import (
 	"sync"

 	mstorage "github.com/minio-io/minio/pkg/storage"
-	"github.com/minio-io/minio/pkg/utils/policy"
 )

 // Storage - fs local variables
@@ -130,44 +129,44 @@ func (storage *Storage) StoreBucket(bucket string) error {
 }

 // GetBucketPolicy - GET bucket policy
-func (storage *Storage) GetBucketPolicy(bucket string) (interface{}, error) {
+func (storage *Storage) GetBucketPolicy(bucket string) (mstorage.BucketPolicy, error) {
 	storage.lock.Lock()
 	defer storage.lock.Unlock()

-	var p policy.BucketPolicy
+	var p mstorage.BucketPolicy
 	// verify bucket path legal
 	if mstorage.IsValidBucket(bucket) == false {
-		return policy.BucketPolicy{}, mstorage.BucketNameInvalid{Bucket: bucket}
+		return mstorage.BucketPolicy{}, mstorage.BucketNameInvalid{Bucket: bucket}
 	}

 	// get bucket path
 	bucketDir := path.Join(storage.root, bucket)
 	// check if bucket exists
 	if _, err := os.Stat(bucketDir); err != nil {
-		return policy.BucketPolicy{}, mstorage.BucketNotFound{Bucket: bucket}
+		return mstorage.BucketPolicy{}, mstorage.BucketNotFound{Bucket: bucket}
 	}

 	// get policy path
-	bucketPolicy := path.Join(storage.root, bucket+"_policy.json")
+	bucketPolicy := path.Join(storage.root, bucket+"_mstoragejson")
 	filestat, err := os.Stat(bucketPolicy)

 	if os.IsNotExist(err) {
-		return policy.BucketPolicy{}, mstorage.BucketPolicyNotFound{Bucket: bucket}
+		return mstorage.BucketPolicy{}, mstorage.BucketPolicyNotFound{Bucket: bucket}
 	}

 	if filestat.IsDir() {
-		return policy.BucketPolicy{}, mstorage.BackendCorrupted{Path: bucketPolicy}
+		return mstorage.BucketPolicy{}, mstorage.BackendCorrupted{Path: bucketPolicy}
 	}

 	file, err := os.OpenFile(bucketPolicy, os.O_RDONLY, 0666)
 	defer file.Close()
 	if err != nil {
-		return policy.BucketPolicy{}, mstorage.EmbedError(bucket, "", err)
+		return mstorage.BucketPolicy{}, mstorage.EmbedError(bucket, "", err)
 	}
 	encoder := json.NewDecoder(file)
 	err = encoder.Decode(&p)
 	if err != nil {
-		return policy.BucketPolicy{}, mstorage.EmbedError(bucket, "", err)
+		return mstorage.BucketPolicy{}, mstorage.EmbedError(bucket, "", err)
 	}

 	return p, nil
@@ -175,7 +174,7 @@ func (storage *Storage) GetBucketPolicy(bucket string) (interface{}, error) {
 }

 // StoreBucketPolicy - PUT bucket policy
-func (storage *Storage) StoreBucketPolicy(bucket string, policy interface{}) error {
+func (storage *Storage) StoreBucketPolicy(bucket string, p mstorage.BucketPolicy) error {
 	storage.lock.Lock()
 	defer storage.lock.Unlock()

@@ -208,7 +207,7 @@ func (storage *Storage) StoreBucketPolicy(bucket string, policy interface{}) err
 		return mstorage.EmbedError(bucket, "", err)
 	}
 	encoder := json.NewEncoder(file)
-	err = encoder.Encode(policy)
+	err = encoder.Encode(p)
 	if err != nil {
 		return mstorage.EmbedError(bucket, "", err)
 	}
--- a/pkg/storage/inmemory/inmemory.go
+++ b/pkg/storage/inmemory/inmemory.go
@@ -28,7 +28,6 @@ import (
 	"time"

 	mstorage "github.com/minio-io/minio/pkg/storage"
-	"github.com/minio-io/minio/pkg/utils/policy"
 )

 // Storage - local variables
@@ -78,13 +77,13 @@ func (storage *Storage) CopyObjectToWriter(w io.Writer, bucket string, object st
 }

 // StoreBucketPolicy - Not implemented
-func (storage *Storage) StoreBucketPolicy(bucket string, policy interface{}) error {
+func (storage *Storage) StoreBucketPolicy(bucket string, policy mstorage.BucketPolicy) error {
 	return mstorage.APINotImplemented{API: "PutBucketPolicy"}
 }

 // GetBucketPolicy - Not implemented
-func (storage *Storage) GetBucketPolicy(bucket string) (interface{}, error) {
-	return policy.BucketPolicy{}, mstorage.APINotImplemented{API: "GetBucketPolicy"}
+func (storage *Storage) GetBucketPolicy(bucket string) (mstorage.BucketPolicy, error) {
+	return mstorage.BucketPolicy{}, mstorage.APINotImplemented{API: "GetBucketPolicy"}
 }

 // StoreObject - PUT object to memory buffer
--- a/pkg/storage/storage.go
+++ b/pkg/storage/storage.go
@@ -28,8 +28,8 @@ type Storage interface {
 	// Bucket Operations
 	ListBuckets() ([]BucketMetadata, error)
 	StoreBucket(bucket string) error
-	StoreBucketPolicy(bucket string, policy interface{}) error
-	GetBucketPolicy(bucket string) (interface{}, error)
+	StoreBucketPolicy(bucket string, p BucketPolicy) error
+	GetBucketPolicy(bucket string) (BucketPolicy, error)

 	// Object Operations
 	CopyObjectToWriter(w io.Writer, bucket string, object string) (int64, error)
--- a/pkg/storage/storage_bucket_date.go
+++ b/pkg/storage/storage_bucket_date.go
@@ -0,0 +1,61 @@
+package storage
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+// Date - [0000-00-00]
+type Date struct {
+	Year  int16
+	Month byte
+	Day   byte
+}
+
+// String output in yyyy-mm-dd format
+func (d Date) String() string {
+	return fmt.Sprintf("%04d-%02d-%02d", d.Year, d.Month, d.Day)
+}
+
+// IsZero true if date is 0000-00-00
+func (d Date) IsZero() bool {
+	return d.Day == 0 && d.Month == 0 && d.Year == 0
+}
+
+// Convert string date in format YYYY-MM-DD to Date.
+// Leading and trailing spaces are ignored. If format is invalid returns zero.
+func parseDate(str string) (d Date, err error) {
+	str = strings.TrimSpace(str)
+	if str == "0000-00-00" {
+		return
+	}
+	var (
+		y, m, n int
+	)
+	if len(str) != 10 || str[4] != '-' || str[7] != '-' {
+		err = fmt.Errorf("Invalid 0000-00-000 style DATE string: " + str)
+		return
+	}
+	if y, err = strconv.Atoi(str[0:4]); err != nil {
+		return
+	}
+	if m, err = strconv.Atoi(str[5:7]); err != nil {
+		return
+	}
+	if m < 1 || m > 12 {
+		err = fmt.Errorf("Invalid 0000-00-000 style DATE string: " + str)
+		return
+	}
+	if n, err = strconv.Atoi(str[8:10]); err != nil {
+		return
+	}
+	if n < 1 || n > 31 {
+		err = fmt.Errorf("Invalid 0000-00-000 style DATE string: " + str)
+		return
+	}
+	d.Year = int16(y)
+	d.Month = byte(m)
+	d.Day = byte(n)
+	return
+}
--- a/pkg/storage/storage_bucket_policy.go
+++ b/pkg/storage/storage_bucket_policy.go
@@ -0,0 +1,179 @@
+package storage
+
+import (
+	"encoding/json"
+	"io"
+	"strings"
+)
+
+// User - AWS canonical
+type User struct {
+	AWS string
+}
+
+// Statement - AWS policy statement
+type Statement struct {
+	Sid       string
+	Effect    string
+	Principal User
+	Action    []string
+	Resource  []string
+	// TODO fix it in future if necessary - Condition {}
+}
+
+// BucketPolicy - AWS policy collection
+type BucketPolicy struct {
+	Version   string // date in 0000-00-00 format
+	Statement []Statement
+}
+
+// Resource delimiter
+const (
+	AwsResource   = "arn:aws:s3:::"
+	MinioResource = "minio:::"
+)
+
+// TODO support canonical user
+// Principal delimiter
+const (
+	AwsPrincipal   = "arn:aws:iam::"
+	MinioPrincipal = "minio::"
+)
+
+// Action map
+var SupportedActionMap = map[string]bool{
+	"*":                     true,
+	"s3:GetObject":          true,
+	"s3:ListBucket":         true,
+	"s3:PutObject":          true,
+	"s3:CreateBucket":       true,
+	"s3:GetBucketPolicy":    true,
+	"s3:DeleteBucketPolicy": true,
+	"s3:ListAllMyBuckets":   true,
+	"s3:PutBucketPolicy":    true,
+}
+
+// Effect map
+var SupportedEffectMap = map[string]bool{
+	"Allow": true,
+	"Deny":  true,
+}
+
+func isValidAction(action []string) bool {
+	for _, a := range action {
+		if !SupportedActionMap[a] {
+			return false
+		}
+	}
+	return true
+}
+
+func isValidEffect(effect string) bool {
+	if SupportedEffectMap[effect] {
+		return true
+	}
+	return false
+}
+
+func isValidResource(resources []string) bool {
+	var ok bool
+	for _, resource := range resources {
+		switch true {
+		case strings.HasPrefix(resource, AwsResource):
+			bucket := strings.SplitAfter(resource, AwsResource)[1]
+			ok = true
+			if len(bucket) == 0 {
+				ok = false
+			}
+		case strings.HasPrefix(resource, MinioResource):
+			bucket := strings.SplitAfter(resource, MinioResource)[1]
+			ok = true
+			if len(bucket) == 0 {
+				ok = false
+			}
+		default:
+			ok = false
+		}
+	}
+	return ok
+}
+
+func isValidPrincipal(principal string) bool {
+	var ok bool
+	if principal == "*" {
+		return true
+	}
+	switch true {
+	case strings.HasPrefix(principal, AwsPrincipal):
+		username := strings.SplitAfter(principal, AwsPrincipal)[1]
+		ok = true
+		if len(username) == 0 {
+			ok = false
+		}
+
+	case strings.HasPrefix(principal, MinioPrincipal):
+		username := strings.SplitAfter(principal, MinioPrincipal)[1]
+		ok = true
+		if len(username) == 0 {
+			ok = false
+		}
+	default:
+		ok = false
+	}
+	return ok
+}
+
+// Parsepolicy - validate request body is proper JSON and in accordance with policy standards
+func Parsepolicy(data io.Reader) (BucketPolicy, bool) {
+	var policy BucketPolicy
+	decoder := json.NewDecoder(data)
+	err := decoder.Decode(&policy)
+	if err != nil {
+		goto error
+	}
+	if len(policy.Version) == 0 {
+		goto error
+	}
+	_, err = parseDate(policy.Version)
+	if err != nil {
+		goto error
+	}
+	if len(policy.Statement) == 0 {
+		goto error
+	}
+
+	for _, statement := range policy.Statement {
+		if len(statement.Sid) == 0 {
+			goto error
+		}
+		if len(statement.Effect) == 0 {
+			goto error
+		}
+		if !isValidEffect(statement.Effect) {
+			goto error
+		}
+		if len(statement.Principal.AWS) == 0 {
+			goto error
+		}
+		if !isValidPrincipal(statement.Principal.AWS) {
+			goto error
+		}
+		if len(statement.Action) == 0 {
+			goto error
+		}
+		if !isValidAction(statement.Action) {
+			goto error
+		}
+		if len(statement.Resource) == 0 {
+			goto error
+		}
+
+		if !isValidResource(statement.Resource) {
+			goto error
+		}
+	}
+	return policy, true
+
+error:
+	return BucketPolicy{}, false
+}