Rename pkg/{tagging,lifecycle} to pkg/bucket sub-directory (#8892)

Rename to allow for more such features to come in a more proper hierarchical manner.
2025-11-25 03:56:17 -05:00 · 2020-01-28 03:42:34 +05:30
parent 4cb6ebcfa2
commit 0cbebf0f57
109 changed files with 102 additions and 101 deletions
--- a/pkg/bucket/policy/policy.go
+++ b/pkg/bucket/policy/policy.go
@@ -0,0 +1,178 @@
+/*
+ * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package policy
+
+import (
+	"encoding/json"
+	"io"
+)
+
+// DefaultVersion - default policy version as per AWS S3 specification.
+const DefaultVersion = "2012-10-17"
+
+// Args - arguments to policy to check whether it is allowed
+type Args struct {
+	AccountName     string              `json:"account"`
+	Action          Action              `json:"action"`
+	BucketName      string              `json:"bucket"`
+	ConditionValues map[string][]string `json:"conditions"`
+	IsOwner         bool                `json:"owner"`
+	ObjectName      string              `json:"object"`
+}
+
+// Policy - bucket policy.
+type Policy struct {
+	ID         ID `json:"ID,omitempty"`
+	Version    string
+	Statements []Statement `json:"Statement"`
+}
+
+// IsAllowed - checks given policy args is allowed to continue the Rest API.
+func (policy Policy) IsAllowed(args Args) bool {
+	// Check all deny statements. If any one statement denies, return false.
+	for _, statement := range policy.Statements {
+		if statement.Effect == Deny {
+			if !statement.IsAllowed(args) {
+				return false
+			}
+		}
+	}
+
+	// For owner, its allowed by default.
+	if args.IsOwner {
+		return true
+	}
+
+	// Check all allow statements. If any one statement allows, return true.
+	for _, statement := range policy.Statements {
+		if statement.Effect == Allow {
+			if statement.IsAllowed(args) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+// IsEmpty - returns whether policy is empty or not.
+func (policy Policy) IsEmpty() bool {
+	return len(policy.Statements) == 0
+}
+
+// isValid - checks if Policy is valid or not.
+func (policy Policy) isValid() error {
+	if policy.Version != DefaultVersion && policy.Version != "" {
+		return Errorf("invalid version '%v'", policy.Version)
+	}
+
+	for _, statement := range policy.Statements {
+		if err := statement.isValid(); err != nil {
+			return err
+		}
+	}
+
+	for i := range policy.Statements {
+		for _, statement := range policy.Statements[i+1:] {
+			if policy.Statements[i].Effect != statement.Effect {
+				continue
+			}
+
+			if !policy.Statements[i].Principal.Equals(statement.Principal) {
+				continue
+			}
+
+			if !policy.Statements[i].Actions.Equals(statement.Actions) {
+				continue
+			}
+
+			if !policy.Statements[i].Resources.Equals(statement.Resources) {
+				continue
+			}
+
+			if policy.Statements[i].Conditions.String() != statement.Conditions.String() {
+				continue
+			}
+
+			return Errorf("duplicate principal %v, actions %v, resouces %v found in statements %v, %v",
+				statement.Principal, statement.Actions,
+				statement.Resources, policy.Statements[i],
+				statement)
+		}
+	}
+
+	return nil
+}
+
+// MarshalJSON - encodes Policy to JSON data.
+func (policy Policy) MarshalJSON() ([]byte, error) {
+	if err := policy.isValid(); err != nil {
+		return nil, err
+	}
+
+	// subtype to avoid recursive call to MarshalJSON()
+	type subPolicy Policy
+	return json.Marshal(subPolicy(policy))
+}
+
+// UnmarshalJSON - decodes JSON data to Policy.
+func (policy *Policy) UnmarshalJSON(data []byte) error {
+	// subtype to avoid recursive call to UnmarshalJSON()
+	type subPolicy Policy
+	var sp subPolicy
+	if err := json.Unmarshal(data, &sp); err != nil {
+		return err
+	}
+
+	p := Policy(sp)
+	if err := p.isValid(); err != nil {
+		return err
+	}
+
+	*policy = p
+
+	return nil
+}
+
+// Validate - validates all statements are for given bucket or not.
+func (policy Policy) Validate(bucketName string) error {
+	if err := policy.isValid(); err != nil {
+		return err
+	}
+
+	for _, statement := range policy.Statements {
+		if err := statement.Validate(bucketName); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ParseConfig - parses data in given reader to Policy.
+func ParseConfig(reader io.Reader, bucketName string) (*Policy, error) {
+	var policy Policy
+
+	decoder := json.NewDecoder(reader)
+	decoder.DisallowUnknownFields()
+	if err := decoder.Decode(&policy); err != nil {
+		return nil, Errorf("%w", err)
+	}
+
+	err := policy.Validate(bucketName)
+	return &policy, err
+}