mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
Add boolean function condition support (#7027)
This commit is contained in:
parent
1898961ce3
commit
2a0e4b6f58
@ -176,133 +176,54 @@ func parseAction(s string) (Action, error) {
|
|||||||
var actionConditionKeyMap = map[Action]condition.KeySet{
|
var actionConditionKeyMap = map[Action]condition.KeySet{
|
||||||
AllActions: condition.NewKeySet(condition.AllSupportedKeys...),
|
AllActions: condition.NewKeySet(condition.AllSupportedKeys...),
|
||||||
|
|
||||||
AbortMultipartUploadAction: condition.NewKeySet(
|
AbortMultipartUploadAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
CreateBucketAction: condition.NewKeySet(
|
CreateBucketAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
DeleteBucketPolicyAction: condition.NewKeySet(
|
DeleteBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
DeleteObjectAction: condition.NewKeySet(
|
DeleteObjectAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetBucketLocationAction: condition.NewKeySet(
|
GetBucketLocationAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetBucketNotificationAction: condition.NewKeySet(
|
GetBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetBucketPolicyAction: condition.NewKeySet(
|
GetBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetObjectAction: condition.NewKeySet(
|
GetObjectAction: condition.NewKeySet(
|
||||||
condition.S3XAmzServerSideEncryption,
|
append([]condition.Key{
|
||||||
condition.S3XAmzServerSideEncryptionAwsKMSKeyID,
|
condition.S3XAmzServerSideEncryption,
|
||||||
condition.S3XAmzStorageClass,
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
||||||
condition.AWSReferer,
|
condition.S3XAmzStorageClass,
|
||||||
condition.AWSSourceIP,
|
}, condition.CommonKeys...)...),
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
HeadBucketAction: condition.NewKeySet(
|
HeadBucketAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListAllMyBucketsAction: condition.NewKeySet(
|
ListAllMyBucketsAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListBucketAction: condition.NewKeySet(
|
ListBucketAction: condition.NewKeySet(
|
||||||
condition.S3Prefix,
|
append([]condition.Key{
|
||||||
condition.S3Delimiter,
|
condition.S3Prefix,
|
||||||
condition.S3MaxKeys,
|
condition.S3Delimiter,
|
||||||
condition.AWSReferer,
|
condition.S3MaxKeys,
|
||||||
condition.AWSSourceIP,
|
}, condition.CommonKeys...)...),
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListBucketMultipartUploadsAction: condition.NewKeySet(
|
ListBucketMultipartUploadsAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListenBucketNotificationAction: condition.NewKeySet(
|
ListenBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListMultipartUploadPartsAction: condition.NewKeySet(
|
ListMultipartUploadPartsAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
PutBucketNotificationAction: condition.NewKeySet(
|
PutBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
PutBucketPolicyAction: condition.NewKeySet(
|
PutBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
PutObjectAction: condition.NewKeySet(
|
PutObjectAction: condition.NewKeySet(
|
||||||
condition.S3XAmzCopySource,
|
append([]condition.Key{
|
||||||
condition.S3XAmzServerSideEncryption,
|
condition.S3XAmzCopySource,
|
||||||
condition.S3XAmzServerSideEncryptionAwsKMSKeyID,
|
condition.S3XAmzServerSideEncryption,
|
||||||
condition.S3XAmzMetadataDirective,
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
||||||
condition.S3XAmzStorageClass,
|
condition.S3XAmzMetadataDirective,
|
||||||
condition.AWSReferer,
|
condition.S3XAmzStorageClass,
|
||||||
condition.AWSSourceIP,
|
}, condition.CommonKeys...)...),
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
}
|
}
|
||||||
|
@ -158,133 +158,42 @@ func parseAction(s string) (Action, error) {
|
|||||||
|
|
||||||
// actionConditionKeyMap - holds mapping of supported condition key for an action.
|
// actionConditionKeyMap - holds mapping of supported condition key for an action.
|
||||||
var actionConditionKeyMap = map[Action]condition.KeySet{
|
var actionConditionKeyMap = map[Action]condition.KeySet{
|
||||||
AbortMultipartUploadAction: condition.NewKeySet(
|
AbortMultipartUploadAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
CreateBucketAction: condition.NewKeySet(
|
CreateBucketAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
DeleteBucketPolicyAction: condition.NewKeySet(
|
DeleteObjectAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
DeleteObjectAction: condition.NewKeySet(
|
GetBucketLocationAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetBucketLocationAction: condition.NewKeySet(
|
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetBucketNotificationAction: condition.NewKeySet(
|
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetBucketPolicyAction: condition.NewKeySet(
|
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
GetObjectAction: condition.NewKeySet(
|
GetObjectAction: condition.NewKeySet(
|
||||||
condition.S3XAmzServerSideEncryption,
|
append([]condition.Key{
|
||||||
condition.S3XAmzServerSideEncryptionAwsKMSKeyID,
|
condition.S3XAmzServerSideEncryption,
|
||||||
condition.S3XAmzStorageClass,
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
||||||
condition.AWSReferer,
|
condition.S3XAmzStorageClass,
|
||||||
condition.AWSSourceIP,
|
}, condition.CommonKeys...)...),
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
HeadBucketAction: condition.NewKeySet(
|
HeadBucketAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListAllMyBucketsAction: condition.NewKeySet(
|
ListAllMyBucketsAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListBucketAction: condition.NewKeySet(
|
ListBucketAction: condition.NewKeySet(
|
||||||
condition.S3Prefix,
|
append([]condition.Key{
|
||||||
condition.S3Delimiter,
|
condition.S3Prefix,
|
||||||
condition.S3MaxKeys,
|
condition.S3Delimiter,
|
||||||
condition.AWSReferer,
|
condition.S3MaxKeys,
|
||||||
condition.AWSSourceIP,
|
}, condition.CommonKeys...)...),
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListBucketMultipartUploadsAction: condition.NewKeySet(
|
ListBucketMultipartUploadsAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListenBucketNotificationAction: condition.NewKeySet(
|
ListMultipartUploadPartsAction: condition.NewKeySet(condition.CommonKeys...),
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
ListMultipartUploadPartsAction: condition.NewKeySet(
|
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
PutBucketNotificationAction: condition.NewKeySet(
|
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
PutBucketPolicyAction: condition.NewKeySet(
|
|
||||||
condition.AWSReferer,
|
|
||||||
condition.AWSSourceIP,
|
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
|
|
||||||
PutObjectAction: condition.NewKeySet(
|
PutObjectAction: condition.NewKeySet(
|
||||||
condition.S3XAmzCopySource,
|
append([]condition.Key{
|
||||||
condition.S3XAmzServerSideEncryption,
|
condition.S3XAmzCopySource,
|
||||||
condition.S3XAmzServerSideEncryptionAwsKMSKeyID,
|
condition.S3XAmzServerSideEncryption,
|
||||||
condition.S3XAmzMetadataDirective,
|
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
|
||||||
condition.S3XAmzStorageClass,
|
condition.S3XAmzMetadataDirective,
|
||||||
condition.AWSReferer,
|
condition.S3XAmzStorageClass,
|
||||||
condition.AWSSourceIP,
|
}, condition.CommonKeys...)...),
|
||||||
condition.AWSUserAgent,
|
|
||||||
condition.AWSSecureTransport,
|
|
||||||
),
|
|
||||||
}
|
}
|
||||||
|
@ -102,8 +102,8 @@ func validateBinaryEqualsValues(n name, key Key, values set.StringSet) error {
|
|||||||
if err = s3utils.CheckValidBucketName(bucket); err != nil {
|
if err = s3utils.CheckValidBucketName(bucket); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
case S3XAmzServerSideEncryption:
|
case S3XAmzServerSideEncryption, S3XAmzServerSideEncryptionCustomerAlgorithm:
|
||||||
if s != "aws:kms" && s != "AES256" {
|
if s != "AES256" {
|
||||||
return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n)
|
return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n)
|
||||||
}
|
}
|
||||||
case S3XAmzMetadataDirective:
|
case S3XAmzMetadataDirective:
|
||||||
|
@ -58,7 +58,6 @@ func TestBinaryEqualsFuncEvaluate(t *testing.T) {
|
|||||||
{case1Function, map[string][]string{"delimiter": {"/"}}, false},
|
{case1Function, map[string][]string{"delimiter": {"/"}}, false},
|
||||||
|
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
|
|
||||||
{case2Function, map[string][]string{}, false},
|
{case2Function, map[string][]string{}, false},
|
||||||
{case2Function, map[string][]string{"delimiter": {"/"}}, false},
|
{case2Function, map[string][]string{"delimiter": {"/"}}, false},
|
||||||
|
|
||||||
@ -167,7 +166,6 @@ func TestBinaryEqualsFuncToMap(t *testing.T) {
|
|||||||
case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -177,7 +175,6 @@ func TestBinaryEqualsFuncToMap(t *testing.T) {
|
|||||||
case4Result := map[Key]ValueSet{
|
case4Result := map[Key]ValueSet{
|
||||||
S3XAmzServerSideEncryption: NewValueSet(
|
S3XAmzServerSideEncryption: NewValueSet(
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -285,7 +282,6 @@ func TestNewBinaryEqualsFunc(t *testing.T) {
|
|||||||
case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -341,7 +337,6 @@ func TestNewBinaryEqualsFunc(t *testing.T) {
|
|||||||
{S3XAmzServerSideEncryption,
|
{S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
|
||||||
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
|
|
||||||
), case4Function, false},
|
), case4Function, false},
|
||||||
|
|
||||||
{S3XAmzMetadataDirective, NewValueSet(NewStringValue(base64.StdEncoding.EncodeToString([]byte("REPLACE")))), case5Function, false},
|
{S3XAmzMetadataDirective, NewValueSet(NewStringValue(base64.StdEncoding.EncodeToString([]byte("REPLACE")))), case5Function, false},
|
||||||
|
105
pkg/policy/condition/boolfunc.go
Normal file
105
pkg/policy/condition/boolfunc.go
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
/*
|
||||||
|
* Minio Cloud Storage, (C) 2018 Minio, Inc.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package condition
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"reflect"
|
||||||
|
"strconv"
|
||||||
|
)
|
||||||
|
|
||||||
|
// booleanFunc - Bool condition function. It checks whether Key is true or false.
|
||||||
|
// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Boolean
|
||||||
|
type booleanFunc struct {
|
||||||
|
k Key
|
||||||
|
value string
|
||||||
|
}
|
||||||
|
|
||||||
|
// evaluate() - evaluates to check whether Key is present in given values or not.
|
||||||
|
// Depending on condition boolean value, this function returns true or false.
|
||||||
|
func (f booleanFunc) evaluate(values map[string][]string) bool {
|
||||||
|
requestValue, ok := values[http.CanonicalHeaderKey(f.k.Name())]
|
||||||
|
if !ok {
|
||||||
|
requestValue = values[f.k.Name()]
|
||||||
|
}
|
||||||
|
|
||||||
|
return f.value == requestValue[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
// key() - returns condition key which is used by this condition function.
|
||||||
|
func (f booleanFunc) key() Key {
|
||||||
|
return f.k
|
||||||
|
}
|
||||||
|
|
||||||
|
// name() - returns "Bool" condition name.
|
||||||
|
func (f booleanFunc) name() name {
|
||||||
|
return boolean
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f booleanFunc) String() string {
|
||||||
|
return fmt.Sprintf("%v:%v:%v", boolean, f.k, f.value)
|
||||||
|
}
|
||||||
|
|
||||||
|
// toMap - returns map representation of this function.
|
||||||
|
func (f booleanFunc) toMap() map[Key]ValueSet {
|
||||||
|
if !f.k.IsValid() {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return map[Key]ValueSet{
|
||||||
|
f.k: NewValueSet(NewStringValue(f.value)),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func newBooleanFunc(key Key, values ValueSet) (Function, error) {
|
||||||
|
if key != AWSSecureTransport {
|
||||||
|
return nil, fmt.Errorf("only %v key is allowed for %v condition", AWSSecureTransport, boolean)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(values) != 1 {
|
||||||
|
return nil, fmt.Errorf("only one value is allowed for boolean condition")
|
||||||
|
}
|
||||||
|
|
||||||
|
var value Value
|
||||||
|
for v := range values {
|
||||||
|
value = v
|
||||||
|
switch v.GetType() {
|
||||||
|
case reflect.Bool:
|
||||||
|
if _, err := v.GetBool(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
case reflect.String:
|
||||||
|
s, err := v.GetString()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if _, err = strconv.ParseBool(s); err != nil {
|
||||||
|
return nil, fmt.Errorf("value must be a boolean string for boolean condition")
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("value must be a boolean for boolean condition")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return &booleanFunc{key, value.String()}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewBoolFunc - returns new Bool function.
|
||||||
|
func NewBoolFunc(key Key, value string) (Function, error) {
|
||||||
|
return &booleanFunc{key, value}, nil
|
||||||
|
}
|
152
pkg/policy/condition/boolfunc_test.go
Normal file
152
pkg/policy/condition/boolfunc_test.go
Normal file
@ -0,0 +1,152 @@
|
|||||||
|
/*
|
||||||
|
* Minio Cloud Storage, (C) 2018 Minio, Inc.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package condition
|
||||||
|
|
||||||
|
import (
|
||||||
|
"reflect"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestBooleanFuncEvaluate(t *testing.T) {
|
||||||
|
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
case2Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(false)))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
testCases := []struct {
|
||||||
|
function Function
|
||||||
|
values map[string][]string
|
||||||
|
expectedResult bool
|
||||||
|
}{
|
||||||
|
{case1Function, map[string][]string{"SecureTransport": {"true"}}, true},
|
||||||
|
{case2Function, map[string][]string{"SecureTransport": {"false"}}, true},
|
||||||
|
}
|
||||||
|
|
||||||
|
for i, testCase := range testCases {
|
||||||
|
result := testCase.function.evaluate(testCase.values)
|
||||||
|
|
||||||
|
if result != testCase.expectedResult {
|
||||||
|
t.Errorf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestBooleanFuncKey(t *testing.T) {
|
||||||
|
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
testCases := []struct {
|
||||||
|
function Function
|
||||||
|
expectedResult Key
|
||||||
|
}{
|
||||||
|
{case1Function, AWSSecureTransport},
|
||||||
|
}
|
||||||
|
|
||||||
|
for i, testCase := range testCases {
|
||||||
|
result := testCase.function.key()
|
||||||
|
|
||||||
|
if result != testCase.expectedResult {
|
||||||
|
t.Fatalf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestBooleanFuncToMap(t *testing.T) {
|
||||||
|
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
case1Result := map[Key]ValueSet{
|
||||||
|
AWSSecureTransport: NewValueSet(NewStringValue("true")),
|
||||||
|
}
|
||||||
|
|
||||||
|
case2Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(false)))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
case2Result := map[Key]ValueSet{
|
||||||
|
AWSSecureTransport: NewValueSet(NewStringValue("false")),
|
||||||
|
}
|
||||||
|
|
||||||
|
testCases := []struct {
|
||||||
|
f Function
|
||||||
|
expectedResult map[Key]ValueSet
|
||||||
|
}{
|
||||||
|
{case1Function, case1Result},
|
||||||
|
{case2Function, case2Result},
|
||||||
|
}
|
||||||
|
|
||||||
|
for i, testCase := range testCases {
|
||||||
|
result := testCase.f.toMap()
|
||||||
|
|
||||||
|
if !reflect.DeepEqual(result, testCase.expectedResult) {
|
||||||
|
t.Fatalf("case %v: result: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNewBooleanFunc(t *testing.T) {
|
||||||
|
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
case2Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(false)))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
testCases := []struct {
|
||||||
|
key Key
|
||||||
|
values ValueSet
|
||||||
|
expectedResult Function
|
||||||
|
expectErr bool
|
||||||
|
}{
|
||||||
|
{AWSSecureTransport, NewValueSet(NewBoolValue(true)), case1Function, false},
|
||||||
|
{AWSSecureTransport, NewValueSet(NewStringValue("false")), case2Function, false},
|
||||||
|
// Multiple values error.
|
||||||
|
{AWSSecureTransport, NewValueSet(NewStringValue("true"), NewStringValue("false")), nil, true},
|
||||||
|
// Invalid boolean string error.
|
||||||
|
{AWSSecureTransport, NewValueSet(NewStringValue("foo")), nil, true},
|
||||||
|
// Invalid value error.
|
||||||
|
{AWSSecureTransport, NewValueSet(NewIntValue(7)), nil, true},
|
||||||
|
}
|
||||||
|
|
||||||
|
for i, testCase := range testCases {
|
||||||
|
result, err := newBooleanFunc(testCase.key, testCase.values)
|
||||||
|
expectErr := (err != nil)
|
||||||
|
|
||||||
|
if expectErr != testCase.expectErr {
|
||||||
|
t.Fatalf("case %v: error: expected: %v, got: %v\n", i+1, testCase.expectErr, expectErr)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !testCase.expectErr {
|
||||||
|
if !reflect.DeepEqual(result, testCase.expectedResult) {
|
||||||
|
t.Fatalf("case %v: result: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -99,6 +99,7 @@ var conditionFuncMap = map[name]func(Key, ValueSet) (Function, error){
|
|||||||
ipAddress: newIPAddressFunc,
|
ipAddress: newIPAddressFunc,
|
||||||
notIPAddress: newNotIPAddressFunc,
|
notIPAddress: newNotIPAddressFunc,
|
||||||
null: newNullFunc,
|
null: newNullFunc,
|
||||||
|
boolean: newBooleanFunc,
|
||||||
// Add new conditions here.
|
// Add new conditions here.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -148,7 +148,7 @@ func TestFunctionsMarshalJSON(t *testing.T) {
|
|||||||
t.Fatalf("unexpected error. %v\n", err)
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func6, err := newNullFunc(S3XAmzServerSideEncryptionAwsKMSKeyID, NewValueSet(NewBoolValue(true)))
|
func6, err := newNullFunc(S3XAmzServerSideEncryptionCustomerAlgorithm, NewValueSet(NewBoolValue(true)))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error. %v\n", err)
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
}
|
}
|
||||||
@ -159,9 +159,9 @@ func TestFunctionsMarshalJSON(t *testing.T) {
|
|||||||
t.Fatalf("unexpected error. %v\n", err)
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
case1Result := []byte(`{"IpAddress":{"aws:SourceIp":["192.168.1.0/24"]},"NotIpAddress":{"aws:SourceIp":["10.1.10.0/24"]},"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":[true]},"StringEquals":{"s3:x-amz-copy-source":["mybucket/myobject"]},"StringLike":{"s3:x-amz-metadata-directive":["REPL*"]},"StringNotEquals":{"s3:x-amz-server-side-encryption":["AES256"]},"StringNotLike":{"s3:x-amz-storage-class":["STANDARD"]}}`)
|
case1Result := []byte(`{"IpAddress":{"aws:SourceIp":["192.168.1.0/24"]},"NotIpAddress":{"aws:SourceIp":["10.1.10.0/24"]},"Null":{"s3:x-amz-server-side-encryption-customer-algorithm":[true]},"StringEquals":{"s3:x-amz-copy-source":["mybucket/myobject"]},"StringLike":{"s3:x-amz-metadata-directive":["REPL*"]},"StringNotEquals":{"s3:x-amz-server-side-encryption":["AES256"]},"StringNotLike":{"s3:x-amz-storage-class":["STANDARD"]}}`)
|
||||||
|
|
||||||
case2Result := []byte(`{"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":[true]}}`)
|
case2Result := []byte(`{"Null":{"s3:x-amz-server-side-encryption-customer-algorithm":[true]}}`)
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
functions Functions
|
functions Functions
|
||||||
@ -211,7 +211,7 @@ func TestFunctionsUnmarshalJSON(t *testing.T) {
|
|||||||
"s3:x-amz-storage-class": "STANDARD"
|
"s3:x-amz-storage-class": "STANDARD"
|
||||||
},
|
},
|
||||||
"Null": {
|
"Null": {
|
||||||
"s3:x-amz-server-side-encryption-aws-kms-key-id": true
|
"s3:x-amz-server-side-encryption-customer-algorithm": true
|
||||||
},
|
},
|
||||||
"IpAddress": {
|
"IpAddress": {
|
||||||
"aws:SourceIp": [
|
"aws:SourceIp": [
|
||||||
@ -246,7 +246,7 @@ func TestFunctionsUnmarshalJSON(t *testing.T) {
|
|||||||
t.Fatalf("unexpected error. %v\n", err)
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func6, err := newNullFunc(S3XAmzServerSideEncryptionAwsKMSKeyID, NewValueSet(NewBoolValue(true)))
|
func6, err := newNullFunc(S3XAmzServerSideEncryptionCustomerAlgorithm, NewValueSet(NewBoolValue(true)))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error. %v\n", err)
|
t.Fatalf("unexpected error. %v\n", err)
|
||||||
}
|
}
|
||||||
@ -259,10 +259,10 @@ func TestFunctionsUnmarshalJSON(t *testing.T) {
|
|||||||
|
|
||||||
case2Data := []byte(`{
|
case2Data := []byte(`{
|
||||||
"Null": {
|
"Null": {
|
||||||
"s3:x-amz-server-side-encryption-aws-kms-key-id": true
|
"s3:x-amz-server-side-encryption-customer-algorithm": true
|
||||||
},
|
},
|
||||||
"Null": {
|
"Null": {
|
||||||
"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"
|
"s3:x-amz-server-side-encryption-customer-algorithm": "true"
|
||||||
}
|
}
|
||||||
}`)
|
}`)
|
||||||
|
|
||||||
|
@ -35,10 +35,6 @@ const (
|
|||||||
// to PutObject API only.
|
// to PutObject API only.
|
||||||
S3XAmzServerSideEncryption = "s3:x-amz-server-side-encryption"
|
S3XAmzServerSideEncryption = "s3:x-amz-server-side-encryption"
|
||||||
|
|
||||||
// S3XAmzServerSideEncryptionAwsKMSKeyID - key representing x-amz-server-side-encryption-aws-kms-key-id
|
|
||||||
// HTTP header applicable to PutObject API only.
|
|
||||||
S3XAmzServerSideEncryptionAwsKMSKeyID = "s3:x-amz-server-side-encryption-aws-kms-key-id"
|
|
||||||
|
|
||||||
// S3XAmzServerSideEncryptionCustomerAlgorithm - key representing
|
// S3XAmzServerSideEncryptionCustomerAlgorithm - key representing
|
||||||
// x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only.
|
// x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only.
|
||||||
S3XAmzServerSideEncryptionCustomerAlgorithm = "s3:x-amz-server-side-encryption-customer-algorithm"
|
S3XAmzServerSideEncryptionCustomerAlgorithm = "s3:x-amz-server-side-encryption-customer-algorithm"
|
||||||
@ -74,13 +70,19 @@ const (
|
|||||||
|
|
||||||
// AWSSecureTransport - key representing if the clients request is authenticated or not.
|
// AWSSecureTransport - key representing if the clients request is authenticated or not.
|
||||||
AWSSecureTransport = "aws:SecureTransport"
|
AWSSecureTransport = "aws:SecureTransport"
|
||||||
|
|
||||||
|
// AWSCurrentTime - key representing the current time.
|
||||||
|
AWSCurrentTime = "aws:CurrentTime"
|
||||||
|
|
||||||
|
// AWSEpochTime - key representing the current epoch time.
|
||||||
|
AWSEpochTime = "aws:EpochTime"
|
||||||
)
|
)
|
||||||
|
|
||||||
// AllSupportedKeys - is list of all all supported keys.
|
// AllSupportedKeys - is list of all all supported keys.
|
||||||
var AllSupportedKeys = []Key{
|
var AllSupportedKeys = []Key{
|
||||||
S3XAmzCopySource,
|
S3XAmzCopySource,
|
||||||
S3XAmzServerSideEncryption,
|
S3XAmzServerSideEncryption,
|
||||||
S3XAmzServerSideEncryptionAwsKMSKeyID,
|
S3XAmzServerSideEncryptionCustomerAlgorithm,
|
||||||
S3XAmzMetadataDirective,
|
S3XAmzMetadataDirective,
|
||||||
S3XAmzStorageClass,
|
S3XAmzStorageClass,
|
||||||
S3LocationConstraint,
|
S3LocationConstraint,
|
||||||
@ -91,9 +93,21 @@ var AllSupportedKeys = []Key{
|
|||||||
AWSSourceIP,
|
AWSSourceIP,
|
||||||
AWSUserAgent,
|
AWSUserAgent,
|
||||||
AWSSecureTransport,
|
AWSSecureTransport,
|
||||||
|
AWSCurrentTime,
|
||||||
|
AWSEpochTime,
|
||||||
// Add new supported condition keys.
|
// Add new supported condition keys.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CommonKeys - is list of all common condition keys.
|
||||||
|
var CommonKeys = []Key{
|
||||||
|
AWSReferer,
|
||||||
|
AWSSourceIP,
|
||||||
|
AWSUserAgent,
|
||||||
|
AWSSecureTransport,
|
||||||
|
AWSCurrentTime,
|
||||||
|
AWSEpochTime,
|
||||||
|
}
|
||||||
|
|
||||||
// IsValid - checks if key is valid or not.
|
// IsValid - checks if key is valid or not.
|
||||||
func (key Key) IsValid() bool {
|
func (key Key) IsValid() bool {
|
||||||
for _, supKey := range AllSupportedKeys {
|
for _, supKey := range AllSupportedKeys {
|
||||||
|
@ -29,7 +29,7 @@ func TestKeyIsValid(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
{S3XAmzCopySource, true},
|
{S3XAmzCopySource, true},
|
||||||
{S3XAmzServerSideEncryption, true},
|
{S3XAmzServerSideEncryption, true},
|
||||||
{S3XAmzServerSideEncryptionAwsKMSKeyID, true},
|
{S3XAmzServerSideEncryptionCustomerAlgorithm, true},
|
||||||
{S3XAmzMetadataDirective, true},
|
{S3XAmzMetadataDirective, true},
|
||||||
{S3XAmzStorageClass, true},
|
{S3XAmzStorageClass, true},
|
||||||
{S3LocationConstraint, true},
|
{S3LocationConstraint, true},
|
||||||
|
@ -34,23 +34,27 @@ const (
|
|||||||
ipAddress = "IpAddress"
|
ipAddress = "IpAddress"
|
||||||
notIPAddress = "NotIpAddress"
|
notIPAddress = "NotIpAddress"
|
||||||
null = "Null"
|
null = "Null"
|
||||||
|
boolean = "Bool"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var supportedConditions = []name{
|
||||||
|
stringEquals,
|
||||||
|
stringNotEquals,
|
||||||
|
stringEqualsIgnoreCase,
|
||||||
|
stringNotEqualsIgnoreCase,
|
||||||
|
binaryEquals,
|
||||||
|
stringLike,
|
||||||
|
stringNotLike,
|
||||||
|
ipAddress,
|
||||||
|
notIPAddress,
|
||||||
|
null,
|
||||||
|
boolean,
|
||||||
|
// Add new conditions here.
|
||||||
|
}
|
||||||
|
|
||||||
// IsValid - checks if name is valid or not.
|
// IsValid - checks if name is valid or not.
|
||||||
func (n name) IsValid() bool {
|
func (n name) IsValid() bool {
|
||||||
for _, supn := range []name{
|
for _, supn := range supportedConditions {
|
||||||
stringEquals,
|
|
||||||
stringNotEquals,
|
|
||||||
stringEqualsIgnoreCase,
|
|
||||||
stringNotEqualsIgnoreCase,
|
|
||||||
binaryEquals,
|
|
||||||
stringLike,
|
|
||||||
stringNotLike,
|
|
||||||
ipAddress,
|
|
||||||
notIPAddress,
|
|
||||||
null,
|
|
||||||
// Add new conditions here.
|
|
||||||
} {
|
|
||||||
if n == supn {
|
if n == supn {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
@ -134,8 +134,8 @@ func validateStringEqualsValues(n name, key Key, values set.StringSet) error {
|
|||||||
if err := s3utils.CheckValidBucketName(bucket); err != nil {
|
if err := s3utils.CheckValidBucketName(bucket); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
case S3XAmzServerSideEncryption:
|
case S3XAmzServerSideEncryption, S3XAmzServerSideEncryptionCustomerAlgorithm:
|
||||||
if s != "aws:kms" && s != "AES256" {
|
if s != "AES256" {
|
||||||
return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n)
|
return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n)
|
||||||
}
|
}
|
||||||
case S3XAmzMetadataDirective:
|
case S3XAmzMetadataDirective:
|
||||||
|
@ -53,7 +53,6 @@ func TestStringEqualsFuncEvaluate(t *testing.T) {
|
|||||||
{case1Function, map[string][]string{"delimiter": {"/"}}, false},
|
{case1Function, map[string][]string{"delimiter": {"/"}}, false},
|
||||||
|
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
|
|
||||||
{case2Function, map[string][]string{}, false},
|
{case2Function, map[string][]string{}, false},
|
||||||
{case2Function, map[string][]string{"delimiter": {"/"}}, false},
|
{case2Function, map[string][]string{"delimiter": {"/"}}, false},
|
||||||
|
|
||||||
@ -156,7 +155,6 @@ func TestStringEqualsFuncToMap(t *testing.T) {
|
|||||||
case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -166,7 +164,6 @@ func TestStringEqualsFuncToMap(t *testing.T) {
|
|||||||
case4Result := map[Key]ValueSet{
|
case4Result := map[Key]ValueSet{
|
||||||
S3XAmzServerSideEncryption: NewValueSet(
|
S3XAmzServerSideEncryption: NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -278,7 +275,6 @@ func TestStringNotEqualsFuncEvaluate(t *testing.T) {
|
|||||||
{case1Function, map[string][]string{"delimiter": {"/"}}, true},
|
{case1Function, map[string][]string{"delimiter": {"/"}}, true},
|
||||||
|
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
|
|
||||||
{case2Function, map[string][]string{}, true},
|
{case2Function, map[string][]string{}, true},
|
||||||
{case2Function, map[string][]string{"delimiter": {"/"}}, true},
|
{case2Function, map[string][]string{"delimiter": {"/"}}, true},
|
||||||
|
|
||||||
@ -381,7 +377,6 @@ func TestStringNotEqualsFuncToMap(t *testing.T) {
|
|||||||
case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -391,7 +386,6 @@ func TestStringNotEqualsFuncToMap(t *testing.T) {
|
|||||||
case4Result := map[Key]ValueSet{
|
case4Result := map[Key]ValueSet{
|
||||||
S3XAmzServerSideEncryption: NewValueSet(
|
S3XAmzServerSideEncryption: NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -495,7 +489,6 @@ func TestNewStringEqualsFunc(t *testing.T) {
|
|||||||
case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -549,7 +542,6 @@ func TestNewStringEqualsFunc(t *testing.T) {
|
|||||||
{S3XAmzServerSideEncryption,
|
{S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
), case4Function, false},
|
), case4Function, false},
|
||||||
|
|
||||||
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
||||||
@ -618,7 +610,6 @@ func TestNewStringNotEqualsFunc(t *testing.T) {
|
|||||||
case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -672,7 +663,6 @@ func TestNewStringNotEqualsFunc(t *testing.T) {
|
|||||||
{S3XAmzServerSideEncryption,
|
{S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
), case4Function, false},
|
), case4Function, false},
|
||||||
|
|
||||||
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
||||||
|
@ -54,7 +54,6 @@ func TestStringEqualsIgnoreCaseFuncEvaluate(t *testing.T) {
|
|||||||
|
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aes256"}}, true},
|
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aes256"}}, true},
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
|
|
||||||
{case2Function, map[string][]string{}, false},
|
{case2Function, map[string][]string{}, false},
|
||||||
{case2Function, map[string][]string{"delimiter": {"/"}}, false},
|
{case2Function, map[string][]string{"delimiter": {"/"}}, false},
|
||||||
|
|
||||||
@ -158,7 +157,6 @@ func TestStringEqualsIgnoreCaseFuncToMap(t *testing.T) {
|
|||||||
case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -168,7 +166,6 @@ func TestStringEqualsIgnoreCaseFuncToMap(t *testing.T) {
|
|||||||
case4Result := map[Key]ValueSet{
|
case4Result := map[Key]ValueSet{
|
||||||
S3XAmzServerSideEncryption: NewValueSet(
|
S3XAmzServerSideEncryption: NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -280,7 +277,6 @@ func TestStringNotEqualsIgnoreCaseFuncEvaluate(t *testing.T) {
|
|||||||
{case1Function, map[string][]string{"delimiter": {"/"}}, true},
|
{case1Function, map[string][]string{"delimiter": {"/"}}, true},
|
||||||
|
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
||||||
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
|
|
||||||
{case2Function, map[string][]string{}, true},
|
{case2Function, map[string][]string{}, true},
|
||||||
{case2Function, map[string][]string{"delimiter": {"/"}}, true},
|
{case2Function, map[string][]string{"delimiter": {"/"}}, true},
|
||||||
|
|
||||||
@ -383,7 +379,6 @@ func TestStringNotEqualsIgnoreCaseFuncToMap(t *testing.T) {
|
|||||||
case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -393,7 +388,6 @@ func TestStringNotEqualsIgnoreCaseFuncToMap(t *testing.T) {
|
|||||||
case4Result := map[Key]ValueSet{
|
case4Result := map[Key]ValueSet{
|
||||||
S3XAmzServerSideEncryption: NewValueSet(
|
S3XAmzServerSideEncryption: NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -497,7 +491,6 @@ func TestNewStringEqualsIgnoreCaseFunc(t *testing.T) {
|
|||||||
case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -551,7 +544,6 @@ func TestNewStringEqualsIgnoreCaseFunc(t *testing.T) {
|
|||||||
{S3XAmzServerSideEncryption,
|
{S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
), case4Function, false},
|
), case4Function, false},
|
||||||
|
|
||||||
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
||||||
@ -620,7 +612,6 @@ func TestNewStringNotEqualsIgnoreCaseFunc(t *testing.T) {
|
|||||||
case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -674,7 +665,6 @@ func TestNewStringNotEqualsIgnoreCaseFunc(t *testing.T) {
|
|||||||
{S3XAmzServerSideEncryption,
|
{S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES256"),
|
NewStringValue("AES256"),
|
||||||
NewStringValue("aws:kms"),
|
|
||||||
), case4Function, false},
|
), case4Function, false},
|
||||||
|
|
||||||
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
|
||||||
|
@ -81,13 +81,11 @@ func TestStringLikeFuncEvaluate(t *testing.T) {
|
|||||||
|
|
||||||
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
||||||
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true},
|
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true},
|
||||||
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
|
|
||||||
{case3Function, map[string][]string{}, false},
|
{case3Function, map[string][]string{}, false},
|
||||||
{case3Function, map[string][]string{"delimiter": {"/"}}, false},
|
{case3Function, map[string][]string{"delimiter": {"/"}}, false},
|
||||||
|
|
||||||
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
|
||||||
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false},
|
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false},
|
||||||
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
|
|
||||||
{case4Function, map[string][]string{}, false},
|
{case4Function, map[string][]string{}, false},
|
||||||
{case4Function, map[string][]string{"delimiter": {"/"}}, false},
|
{case4Function, map[string][]string{"delimiter": {"/"}}, false},
|
||||||
|
|
||||||
@ -204,7 +202,6 @@ func TestStringLikeFuncToMap(t *testing.T) {
|
|||||||
case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -214,7 +211,6 @@ func TestStringLikeFuncToMap(t *testing.T) {
|
|||||||
case4Result := map[Key]ValueSet{
|
case4Result := map[Key]ValueSet{
|
||||||
S3XAmzServerSideEncryption: NewValueSet(
|
S3XAmzServerSideEncryption: NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -354,13 +350,11 @@ func TestStringNotLikeFuncEvaluate(t *testing.T) {
|
|||||||
|
|
||||||
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
||||||
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false},
|
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false},
|
||||||
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
|
|
||||||
{case3Function, map[string][]string{}, true},
|
{case3Function, map[string][]string{}, true},
|
||||||
{case3Function, map[string][]string{"delimiter": {"/"}}, true},
|
{case3Function, map[string][]string{"delimiter": {"/"}}, true},
|
||||||
|
|
||||||
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
|
||||||
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true},
|
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true},
|
||||||
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
|
|
||||||
{case4Function, map[string][]string{}, true},
|
{case4Function, map[string][]string{}, true},
|
||||||
{case4Function, map[string][]string{"delimiter": {"/"}}, true},
|
{case4Function, map[string][]string{"delimiter": {"/"}}, true},
|
||||||
|
|
||||||
@ -477,7 +471,6 @@ func TestStringNotLikeFuncToMap(t *testing.T) {
|
|||||||
case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -487,7 +480,6 @@ func TestStringNotLikeFuncToMap(t *testing.T) {
|
|||||||
case4Result := map[Key]ValueSet{
|
case4Result := map[Key]ValueSet{
|
||||||
S3XAmzServerSideEncryption: NewValueSet(
|
S3XAmzServerSideEncryption: NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -591,7 +583,6 @@ func TestNewStringLikeFunc(t *testing.T) {
|
|||||||
case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -645,7 +636,6 @@ func TestNewStringLikeFunc(t *testing.T) {
|
|||||||
{S3XAmzServerSideEncryption,
|
{S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
), case4Function, false},
|
), case4Function, false},
|
||||||
|
|
||||||
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false},
|
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false},
|
||||||
@ -712,7 +702,6 @@ func TestNewStringNotLikeFunc(t *testing.T) {
|
|||||||
case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption,
|
case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -766,7 +755,6 @@ func TestNewStringNotLikeFunc(t *testing.T) {
|
|||||||
{S3XAmzServerSideEncryption,
|
{S3XAmzServerSideEncryption,
|
||||||
NewValueSet(
|
NewValueSet(
|
||||||
NewStringValue("AES*"),
|
NewStringValue("AES*"),
|
||||||
NewStringValue("aws:*"),
|
|
||||||
), case4Function, false},
|
), case4Function, false},
|
||||||
|
|
||||||
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false},
|
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false},
|
||||||
|
@ -305,11 +305,11 @@ func TestStatementMarshalJSON(t *testing.T) {
|
|||||||
case3Statement := NewStatement(
|
case3Statement := NewStatement(
|
||||||
Deny,
|
Deny,
|
||||||
NewPrincipal("*"),
|
NewPrincipal("*"),
|
||||||
NewActionSet(GetObjectAction),
|
NewActionSet(PutObjectAction),
|
||||||
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
||||||
condition.NewFunctions(func2),
|
condition.NewFunctions(func2),
|
||||||
)
|
)
|
||||||
case3Data := []byte(`{"Effect":"Deny","Principal":{"AWS":["*"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"Null":{"s3:x-amz-server-side-encryption":[false]}}}`)
|
case3Data := []byte(`{"Effect":"Deny","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"Null":{"s3:x-amz-server-side-encryption":[false]}}}`)
|
||||||
|
|
||||||
case4Statement := NewStatement(
|
case4Statement := NewStatement(
|
||||||
Allow,
|
Allow,
|
||||||
|
Loading…
Reference in New Issue
Block a user