Make BucketPolicy strictly typed

2025-11-07 04:42:56 -05:00 · 2015-03-08 15:57:18 -07:00
parent 7b57797455
commit 01e98eb326
6 changed files with 19 additions and 22 deletions
--- a/pkg/utils/policy/date.go
+++ b/pkg/utils/policy/date.go
@@ -1,61 +0,0 @@
-package policy
-
-import (
-	"fmt"
-	"strconv"
-	"strings"
-)
-
-// Date - [0000-00-00]
-type Date struct {
-	Year  int16
-	Month byte
-	Day   byte
-}
-
-// String output in yyyy-mm-dd format
-func (d Date) String() string {
-	return fmt.Sprintf("%04d-%02d-%02d", d.Year, d.Month, d.Day)
-}
-
-// IsZero true if date is 0000-00-00
-func (d Date) IsZero() bool {
-	return d.Day == 0 && d.Month == 0 && d.Year == 0
-}
-
-// Convert string date in format YYYY-MM-DD to Date.
-// Leading and trailing spaces are ignored. If format is invalid returns zero.
-func parseDate(str string) (d Date, err error) {
-	str = strings.TrimSpace(str)
-	if str == "0000-00-00" {
-		return
-	}
-	var (
-		y, m, n int
-	)
-	if len(str) != 10 || str[4] != '-' || str[7] != '-' {
-		err = fmt.Errorf("Invalid 0000-00-000 style DATE string: " + str)
-		return
-	}
-	if y, err = strconv.Atoi(str[0:4]); err != nil {
-		return
-	}
-	if m, err = strconv.Atoi(str[5:7]); err != nil {
-		return
-	}
-	if m < 1 || m > 12 {
-		err = fmt.Errorf("Invalid 0000-00-000 style DATE string: " + str)
-		return
-	}
-	if n, err = strconv.Atoi(str[8:10]); err != nil {
-		return
-	}
-	if n < 1 || n > 31 {
-		err = fmt.Errorf("Invalid 0000-00-000 style DATE string: " + str)
-		return
-	}
-	d.Year = int16(y)
-	d.Month = byte(m)
-	d.Day = byte(n)
-	return
-}
--- a/pkg/utils/policy/policy.go
+++ b/pkg/utils/policy/policy.go
@@ -1,179 +0,0 @@
-package policy
-
-import (
-	"encoding/json"
-	"io"
-	"strings"
-)
-
-// User - AWS canonical
-type User struct {
-	AWS string
-}
-
-// Statement - AWS policy statement
-type Statement struct {
-	Sid       string
-	Effect    string
-	Principal User
-	Action    []string
-	Resource  []string
-	// TODO fix it in future if necessary - Condition {}
-}
-
-// BucketPolicy - AWS policy collection
-type BucketPolicy struct {
-	Version   string // date in 0000-00-00 format
-	Statement []Statement
-}
-
-// Resource delimiter
-const (
-	AwsResource   = "arn:aws:s3:::"
-	MinioResource = "minio:::"
-)
-
-// TODO support canonical user
-// Principal delimiter
-const (
-	AwsPrincipal   = "arn:aws:iam::"
-	MinioPrincipal = "minio::"
-)
-
-// Action map
-var SupportedActionMap = map[string]bool{
-	"*":                     true,
-	"s3:GetObject":          true,
-	"s3:ListBucket":         true,
-	"s3:PutObject":          true,
-	"s3:CreateBucket":       true,
-	"s3:GetBucketPolicy":    true,
-	"s3:DeleteBucketPolicy": true,
-	"s3:ListAllMyBuckets":   true,
-	"s3:PutBucketPolicy":    true,
-}
-
-// Effect map
-var SupportedEffectMap = map[string]bool{
-	"Allow": true,
-	"Deny":  true,
-}
-
-func isValidAction(action []string) bool {
-	for _, a := range action {
-		if !SupportedActionMap[a] {
-			return false
-		}
-	}
-	return true
-}
-
-func isValidEffect(effect string) bool {
-	if SupportedEffectMap[effect] {
-		return true
-	}
-	return false
-}
-
-func isValidResource(resources []string) bool {
-	var ok bool
-	for _, resource := range resources {
-		switch true {
-		case strings.HasPrefix(resource, AwsResource):
-			bucket := strings.SplitAfter(resource, AwsResource)[1]
-			ok = true
-			if len(bucket) == 0 {
-				ok = false
-			}
-		case strings.HasPrefix(resource, MinioResource):
-			bucket := strings.SplitAfter(resource, MinioResource)[1]
-			ok = true
-			if len(bucket) == 0 {
-				ok = false
-			}
-		default:
-			ok = false
-		}
-	}
-	return ok
-}
-
-func isValidPrincipal(principal string) bool {
-	var ok bool
-	if principal == "*" {
-		return true
-	}
-	switch true {
-	case strings.HasPrefix(principal, AwsPrincipal):
-		username := strings.SplitAfter(principal, AwsPrincipal)[1]
-		ok = true
-		if len(username) == 0 {
-			ok = false
-		}
-
-	case strings.HasPrefix(principal, MinioPrincipal):
-		username := strings.SplitAfter(principal, MinioPrincipal)[1]
-		ok = true
-		if len(username) == 0 {
-			ok = false
-		}
-	default:
-		ok = false
-	}
-	return ok
-}
-
-// Parsepolicy - validate request body is proper JSON and in accordance with policy standards
-func Parsepolicy(data io.Reader) (BucketPolicy, bool) {
-	var policy BucketPolicy
-	decoder := json.NewDecoder(data)
-	err := decoder.Decode(&policy)
-	if err != nil {
-		goto error
-	}
-	if len(policy.Version) == 0 {
-		goto error
-	}
-	_, err = parseDate(policy.Version)
-	if err != nil {
-		goto error
-	}
-	if len(policy.Statement) == 0 {
-		goto error
-	}
-
-	for _, statement := range policy.Statement {
-		if len(statement.Sid) == 0 {
-			goto error
-		}
-		if len(statement.Effect) == 0 {
-			goto error
-		}
-		if !isValidEffect(statement.Effect) {
-			goto error
-		}
-		if len(statement.Principal.AWS) == 0 {
-			goto error
-		}
-		if !isValidPrincipal(statement.Principal.AWS) {
-			goto error
-		}
-		if len(statement.Action) == 0 {
-			goto error
-		}
-		if !isValidAction(statement.Action) {
-			goto error
-		}
-		if len(statement.Resource) == 0 {
-			goto error
-		}
-
-		if !isValidResource(statement.Resource) {
-			goto error
-		}
-	}
-	return policy, true
-
-error:
-	return BucketPolicy{}, false
-}