Support policy variable replacement (#7085)

This PR supports iam and bucket policies to have policy variable replacements in resource and condition key values. For example - ${aws:username} - ${aws:userid}
2025-10-29 15:55:00 -04:00 · 2019-01-21 10:27:14 +05:30 · 2019-01-21 10:27:14 +05:30 · 5353edcc38
commit 5353edcc38
parent 3265112d04
19 changed files with 125 additions and 56 deletions
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@ -283,7 +283,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 			AccountName:     cred.AccessKey,
 			Action:          action,
 			BucketName:      bucketName,
-			ConditionValues: getConditionValues(r, locationConstraint),
+			ConditionValues: getConditionValues(r, locationConstraint, ""),
 			IsOwner:         false,
 			ObjectName:      objectName,
 		}) {
@ -296,7 +296,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 		AccountName:     cred.AccessKey,
 		Action:          iampolicy.Action(action),
 		BucketName:      bucketName,
-		ConditionValues: getConditionValues(r, ""),
+		ConditionValues: getConditionValues(r, "", cred.AccessKey),
 		ObjectName:      objectName,
 		IsOwner:         owner,
 		Claims:          claims,
@ -448,7 +448,7 @@ func isPutAllowed(atype authType, bucketName, objectName string, r *http.Request
 			AccountName:     cred.AccessKey,
 			Action:          policy.PutObjectAction,
 			BucketName:      bucketName,
-			ConditionValues: getConditionValues(r, ""),
+			ConditionValues: getConditionValues(r, "", ""),
 			IsOwner:         false,
 			ObjectName:      objectName,
 		}) {
@ -461,7 +461,7 @@ func isPutAllowed(atype authType, bucketName, objectName string, r *http.Request
 		AccountName:     cred.AccessKey,
 		Action:          policy.PutObjectAction,
 		BucketName:      bucketName,
-		ConditionValues: getConditionValues(r, ""),
+		ConditionValues: getConditionValues(r, "", cred.AccessKey),
 		ObjectName:      objectName,
 		IsOwner:         owner,
 		Claims:          claims,
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@ -131,7 +131,7 @@ func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r
 			if globalPolicySys.IsAllowed(policy.Args{
 				Action:          policy.ListBucketAction,
 				BucketName:      bucket,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", ""),
 				IsOwner:         false,
 			}) {
 				_, err = getObjectInfo(ctx, bucket, object, opts)
@ -281,7 +281,7 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req
 			if globalPolicySys.IsAllowed(policy.Args{
 				Action:          policy.ListBucketAction,
 				BucketName:      bucket,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", ""),
 				IsOwner:         false,
 			}) {
 				getObjectInfo := objectAPI.GetObjectInfo
@ -463,7 +463,7 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re
 			if globalPolicySys.IsAllowed(policy.Args{
 				Action:          policy.ListBucketAction,
 				BucketName:      bucket,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", ""),
 				IsOwner:         false,
 			}) {
 				_, err = getObjectInfo(ctx, bucket, object, opts)
--- a/cmd/policy.go
+++ b/cmd/policy.go
@ -30,6 +30,7 @@ import (
 	miniogopolicy "github.com/minio/minio-go/pkg/policy"
 	"github.com/minio/minio-go/pkg/set"
 	"github.com/minio/minio/cmd/logger"
+	"github.com/minio/minio/pkg/event"
 	"github.com/minio/minio/pkg/handlers"
 	"github.com/minio/minio/pkg/policy"
 )
@ -183,12 +184,24 @@ func NewPolicySys() *PolicySys {
 	}
 }

-func getConditionValues(request *http.Request, locationConstraint string) map[string][]string {
+func getConditionValues(request *http.Request, locationConstraint string, username string) map[string][]string {
+	currTime := UTCNow()
+	principalType := func() string {
+		if username != "" {
+			return "User"
+		}
+		return "Anonymous"
+	}()
 	args := map[string][]string{
-		"SourceIp":        {handlers.GetSourceIP(request)},
+		"CurrenTime":      {currTime.Format(event.AMZTimeFormat)},
+		"EpochTime":       {fmt.Sprintf("%d", currTime.Unix())},
+		"principaltype":   {principalType},
 		"SecureTransport": {fmt.Sprintf("%t", request.TLS != nil)},
+		"SourceIp":        {handlers.GetSourceIP(request)},
 		"UserAgent":       {request.UserAgent()},
 		"Referer":         {request.Referer()},
+		"userid":          {username},
+		"username":        {username},
 	}

 	for key, values := range request.Header {
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@ -306,7 +306,7 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re
 				AccountName:     claims.Subject,
 				Action:          iampolicy.ListBucketAction,
 				BucketName:      bucketName,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", claims.Subject),
 				IsOwner:         owner,
 				ObjectName:      "",
 			}) {
@ -326,7 +326,7 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re
 				AccountName:     claims.Subject,
 				Action:          iampolicy.ListBucketAction,
 				BucketName:      bucket.Name,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", claims.Subject),
 				IsOwner:         owner,
 				ObjectName:      "",
 			}) {
@ -432,7 +432,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
 			readable := globalPolicySys.IsAllowed(policy.Args{
 				Action:          policy.ListBucketAction,
 				BucketName:      args.BucketName,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", ""),
 				IsOwner:         false,
 			})

@ -440,7 +440,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
 			writable := globalPolicySys.IsAllowed(policy.Args{
 				Action:          policy.PutObjectAction,
 				BucketName:      args.BucketName,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", ""),
 				IsOwner:         false,
 				ObjectName:      args.Prefix + "/",
 			})
@ -471,7 +471,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
 			AccountName:     claims.Subject,
 			Action:          iampolicy.ListBucketAction,
 			BucketName:      args.BucketName,
-			ConditionValues: getConditionValues(r, ""),
+			ConditionValues: getConditionValues(r, "", ""),
 			IsOwner:         owner,
 		})

@ -479,7 +479,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
 			AccountName:     claims.Subject,
 			Action:          iampolicy.PutObjectAction,
 			BucketName:      args.BucketName,
-			ConditionValues: getConditionValues(r, ""),
+			ConditionValues: getConditionValues(r, "", ""),
 			IsOwner:         owner,
 			ObjectName:      args.Prefix + "/",
 		})
@ -611,7 +611,7 @@ next:
 				AccountName:     claims.Subject,
 				Action:          iampolicy.DeleteObjectAction,
 				BucketName:      args.BucketName,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", claims.Subject),
 				IsOwner:         owner,
 				ObjectName:      objectName,
 			}) {
@ -628,7 +628,7 @@ next:
 			AccountName:     claims.Subject,
 			Action:          iampolicy.DeleteObjectAction,
 			BucketName:      args.BucketName,
-			ConditionValues: getConditionValues(r, ""),
+			ConditionValues: getConditionValues(r, "", claims.Subject),
 			IsOwner:         owner,
 			ObjectName:      objectName,
 		}) {
@ -853,7 +853,7 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
 			if !globalPolicySys.IsAllowed(policy.Args{
 				Action:          policy.PutObjectAction,
 				BucketName:      bucket,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", ""),
 				IsOwner:         false,
 				ObjectName:      object,
 			}) {
@ -872,7 +872,7 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
 			AccountName:     claims.Subject,
 			Action:          iampolicy.PutObjectAction,
 			BucketName:      bucket,
-			ConditionValues: getConditionValues(r, ""),
+			ConditionValues: getConditionValues(r, "", claims.Subject),
 			IsOwner:         owner,
 			ObjectName:      object,
 		}) {
@ -1040,7 +1040,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
 			if !globalPolicySys.IsAllowed(policy.Args{
 				Action:          policy.GetObjectAction,
 				BucketName:      bucket,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", ""),
 				IsOwner:         false,
 				ObjectName:      object,
 			}) {
@ -1059,7 +1059,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
 			AccountName:     claims.Subject,
 			Action:          iampolicy.GetObjectAction,
 			BucketName:      bucket,
-			ConditionValues: getConditionValues(r, ""),
+			ConditionValues: getConditionValues(r, "", claims.Subject),
 			IsOwner:         owner,
 			ObjectName:      object,
 		}) {
@ -1195,7 +1195,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
 				if !globalPolicySys.IsAllowed(policy.Args{
 					Action:          policy.GetObjectAction,
 					BucketName:      args.BucketName,
-					ConditionValues: getConditionValues(r, ""),
+					ConditionValues: getConditionValues(r, "", ""),
 					IsOwner:         false,
 					ObjectName:      pathJoin(args.Prefix, object),
 				}) {
@ -1216,7 +1216,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
 				AccountName:     claims.Subject,
 				Action:          iampolicy.GetObjectAction,
 				BucketName:      args.BucketName,
-				ConditionValues: getConditionValues(r, ""),
+				ConditionValues: getConditionValues(r, "", claims.Subject),
 				IsOwner:         owner,
 				ObjectName:      pathJoin(args.Prefix, object),
 			}) {
--- a/pkg/iam/policy/resource.go
+++ b/pkg/iam/policy/resource.go
@ -21,6 +21,7 @@ import (
 	"fmt"
 	"strings"

+	"github.com/minio/minio/pkg/policy/condition"
 	"github.com/minio/minio/pkg/wildcard"
 )

@ -47,11 +48,18 @@ func (r Resource) IsValid() bool {
 }

 // Match - matches object name with resource pattern.
-func (r Resource) Match(resource string) bool {
-	if strings.HasPrefix(resource, r.Pattern) {
+func (r Resource) Match(resource string, conditionValues map[string][]string) bool {
+	pattern := r.Pattern
+	for _, key := range condition.CommonKeys {
+		// Empty values are not supported for policy variables.
+		if rvalues, ok := conditionValues[key.Name()]; ok && rvalues[0] != "" {
+			pattern = strings.Replace(pattern, key.VarName(), rvalues[0], -1)
+		}
+	}
+	if strings.HasPrefix(resource, pattern) {
 		return true
 	}
-	return wildcard.Match(r.Pattern, resource)
+	return wildcard.Match(pattern, resource)
 }

 // MarshalJSON - encodes Resource to JSON data.
--- a/pkg/iam/policy/resource_test.go
+++ b/pkg/iam/policy/resource_test.go
@ -124,7 +124,7 @@ func TestResourceMatch(t *testing.T) {
 	}

 	for i, testCase := range testCases {
-		result := testCase.resource.Match(testCase.objectName)
+		result := testCase.resource.Match(testCase.objectName, nil)

 		if result != testCase.expectedResult {
 			t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result)
--- a/pkg/iam/policy/resourceset.go
+++ b/pkg/iam/policy/resourceset.go
@ -81,9 +81,9 @@ func (resourceSet ResourceSet) MarshalJSON() ([]byte, error) {
 }

 // Match - matches object name with anyone of resource pattern in resource set.
-func (resourceSet ResourceSet) Match(resource string) bool {
+func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool {
 	for r := range resourceSet {
-		if r.Match(resource) {
+		if r.Match(resource, conditionValues) {
 			return true
 		}
 	}
--- a/pkg/iam/policy/resourceset_test.go
+++ b/pkg/iam/policy/resourceset_test.go
@ -179,7 +179,7 @@ func TestResourceSetMatch(t *testing.T) {
 	}

 	for i, testCase := range testCases {
-		result := testCase.resourceSet.Match(testCase.resource)
+		result := testCase.resourceSet.Match(testCase.resource, nil)

 		if result != testCase.expectedResult {
 			t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result)
--- a/pkg/iam/policy/statement.go
+++ b/pkg/iam/policy/statement.go
@ -52,7 +52,7 @@ func (statement Statement) IsAllowed(args Args) bool {
 			resource += "/"
 		}

-		if !statement.Resources.Match(resource) {
+		if !statement.Resources.Match(resource, args.ConditionValues) {
 			return false
 		}

--- a/pkg/policy/condition/binaryequalsfunc.go
+++ b/pkg/policy/condition/binaryequalsfunc.go
@ -51,7 +51,8 @@ func (f binaryEqualsFunc) evaluate(values map[string][]string) bool {
 		requestValue = values[f.k.Name()]
 	}

-	return !f.values.Intersection(set.CreateStringSet(requestValue...)).IsEmpty()
+	fvalues := f.values.ApplyFunc(substFuncFromValues(values))
+	return !fvalues.Intersection(set.CreateStringSet(requestValue...)).IsEmpty()
 }

 // key() - returns condition key which is used by this condition function.
--- a/pkg/policy/condition/key.go
+++ b/pkg/policy/condition/key.go
@ -33,49 +33,58 @@ const (

 	// S3XAmzServerSideEncryption - key representing x-amz-server-side-encryption HTTP header applicable
 	// to PutObject API only.
-	S3XAmzServerSideEncryption = "s3:x-amz-server-side-encryption"
+	S3XAmzServerSideEncryption Key = "s3:x-amz-server-side-encryption"

 	// S3XAmzServerSideEncryptionCustomerAlgorithm - key representing
 	// x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only.
-	S3XAmzServerSideEncryptionCustomerAlgorithm = "s3:x-amz-server-side-encryption-customer-algorithm"
+	S3XAmzServerSideEncryptionCustomerAlgorithm Key = "s3:x-amz-server-side-encryption-customer-algorithm"

 	// S3XAmzMetadataDirective - key representing x-amz-metadata-directive HTTP header applicable to
 	// PutObject API only.
-	S3XAmzMetadataDirective = "s3:x-amz-metadata-directive"
+	S3XAmzMetadataDirective Key = "s3:x-amz-metadata-directive"

 	// S3XAmzStorageClass - key representing x-amz-storage-class HTTP header applicable to PutObject API
 	// only.
-	S3XAmzStorageClass = "s3:x-amz-storage-class"
+	S3XAmzStorageClass Key = "s3:x-amz-storage-class"

 	// S3LocationConstraint - key representing LocationConstraint XML tag of CreateBucket API only.
-	S3LocationConstraint = "s3:LocationConstraint"
+	S3LocationConstraint Key = "s3:LocationConstraint"

 	// S3Prefix - key representing prefix query parameter of ListBucket API only.
-	S3Prefix = "s3:prefix"
+	S3Prefix Key = "s3:prefix"

 	// S3Delimiter - key representing delimiter query parameter of ListBucket API only.
-	S3Delimiter = "s3:delimiter"
+	S3Delimiter Key = "s3:delimiter"

 	// S3MaxKeys - key representing max-keys query parameter of ListBucket API only.
-	S3MaxKeys = "s3:max-keys"
+	S3MaxKeys Key = "s3:max-keys"

 	// AWSReferer - key representing Referer header of any API.
-	AWSReferer = "aws:Referer"
+	AWSReferer Key = "aws:Referer"

 	// AWSSourceIP - key representing client's IP address (not intermittent proxies) of any API.
-	AWSSourceIP = "aws:SourceIp"
+	AWSSourceIP Key = "aws:SourceIp"

 	// AWSUserAgent - key representing UserAgent header for any API.
-	AWSUserAgent = "aws:UserAgent"
+	AWSUserAgent Key = "aws:UserAgent"

 	// AWSSecureTransport - key representing if the clients request is authenticated or not.
-	AWSSecureTransport = "aws:SecureTransport"
+	AWSSecureTransport Key = "aws:SecureTransport"

 	// AWSCurrentTime - key representing the current time.
-	AWSCurrentTime = "aws:CurrentTime"
+	AWSCurrentTime Key = "aws:CurrentTime"

 	// AWSEpochTime - key representing the current epoch time.
-	AWSEpochTime = "aws:EpochTime"
+	AWSEpochTime Key = "aws:EpochTime"
+
+	// AWSPrincipalType - user principal type currently supported values are "User" and "Anonymous".
+	AWSPrincipalType Key = "aws:principaltype"
+
+	// AWSUserID - user unique ID, in Minio this value is same as your user Access Key.
+	AWSUserID Key = "aws:userid"
+
+	// AWSUsername - user friendly name, in Minio this value is same as your user Access Key.
+	AWSUsername Key = "aws:username"
 )

 // AllSupportedKeys - is list of all all supported keys.
@ -95,6 +104,9 @@ var AllSupportedKeys = []Key{
 	AWSSecureTransport,
 	AWSCurrentTime,
 	AWSEpochTime,
+	AWSPrincipalType,
+	AWSUserID,
+	AWSUsername,
 	// Add new supported condition keys.
 }

@ -106,6 +118,21 @@ var CommonKeys = []Key{
 	AWSSecureTransport,
 	AWSCurrentTime,
 	AWSEpochTime,
+	AWSPrincipalType,
+	AWSUserID,
+	AWSUsername,
+}
+
+func substFuncFromValues(values map[string][]string) func(string) string {
+	return func(v string) string {
+		for _, key := range CommonKeys {
+			// Empty values are not supported for policy variables.
+			if rvalues, ok := values[key.Name()]; ok && rvalues[0] != "" {
+				v = strings.Replace(v, key.VarName(), rvalues[0], -1)
+			}
+		}
+		return v
+	}
 }

 // IsValid - checks if key is valid or not.
@ -128,6 +155,11 @@ func (key Key) MarshalJSON() ([]byte, error) {
 	return json.Marshal(string(key))
 }

+// VarName - returns variable key name, such as "${aws:username}"
+func (key Key) VarName() string {
+	return fmt.Sprintf("${%s}", key)
+}
+
 // Name - returns key name which is stripped value of prefixes "aws:" and "s3:"
 func (key Key) Name() string {
 	keyString := string(key)
--- a/pkg/policy/condition/stringequalsfunc.go
+++ b/pkg/policy/condition/stringequalsfunc.go
@ -50,7 +50,8 @@ func (f stringEqualsFunc) evaluate(values map[string][]string) bool {
 		requestValue = values[f.k.Name()]
 	}

-	return !f.values.Intersection(set.CreateStringSet(requestValue...)).IsEmpty()
+	fvalues := f.values.ApplyFunc(substFuncFromValues(values))
+	return !fvalues.Intersection(set.CreateStringSet(requestValue...)).IsEmpty()
 }

 // key() - returns condition key which is used by this condition function.
--- a/pkg/policy/condition/stringequalsignorecasefunc.go
+++ b/pkg/policy/condition/stringequalsignorecasefunc.go
@ -50,11 +50,14 @@ func (f stringEqualsIgnoreCaseFunc) evaluate(values map[string][]string) bool {
 		requestValue = values[f.k.Name()]
 	}

+	fvalues := f.values.ApplyFunc(substFuncFromValues(values))
+
 	for _, v := range requestValue {
-		if !f.values.FuncMatch(strings.EqualFold, v).IsEmpty() {
+		if !fvalues.FuncMatch(strings.EqualFold, v).IsEmpty() {
 			return true
 		}
 	}
+
 	return false
 }

--- a/pkg/policy/condition/stringlikefunc.go
+++ b/pkg/policy/condition/stringlikefunc.go
@ -51,8 +51,10 @@ func (f stringLikeFunc) evaluate(values map[string][]string) bool {
 		requestValue = values[f.k.Name()]
 	}

+	fvalues := f.values.ApplyFunc(substFuncFromValues(values))
+
 	for _, v := range requestValue {
-		if !f.values.FuncMatch(wildcard.Match, v).IsEmpty() {
+		if !fvalues.FuncMatch(wildcard.Match, v).IsEmpty() {
 			return true
 		}
 	}
--- a/pkg/policy/resource.go
+++ b/pkg/policy/resource.go
@ -21,6 +21,7 @@ import (
 	"fmt"
 	"strings"

+	"github.com/minio/minio/pkg/policy/condition"
 	"github.com/minio/minio/pkg/wildcard"
 )

@ -47,8 +48,16 @@ func (r Resource) IsValid() bool {
 }

 // Match - matches object name with resource pattern.
-func (r Resource) Match(resource string) bool {
-	return wildcard.Match(r.Pattern, resource)
+func (r Resource) Match(resource string, conditionValues map[string][]string) bool {
+	pattern := r.Pattern
+	for _, key := range condition.CommonKeys {
+		// Empty values are not supported for policy variables.
+		if rvalues, ok := conditionValues[key.Name()]; ok && rvalues[0] != "" {
+			pattern = strings.Replace(pattern, key.VarName(), rvalues[0], -1)
+		}
+	}
+
+	return wildcard.Match(pattern, resource)
 }

 // MarshalJSON - encodes Resource to JSON data.
--- a/pkg/policy/resource_test.go
+++ b/pkg/policy/resource_test.go
@ -124,7 +124,7 @@ func TestResourceMatch(t *testing.T) {
 	}

 	for i, testCase := range testCases {
-		result := testCase.resource.Match(testCase.objectName)
+		result := testCase.resource.Match(testCase.objectName, nil)

 		if result != testCase.expectedResult {
 			t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result)
--- a/pkg/policy/resourceset.go
+++ b/pkg/policy/resourceset.go
@ -81,9 +81,9 @@ func (resourceSet ResourceSet) MarshalJSON() ([]byte, error) {
 }

 // Match - matches object name with anyone of resource pattern in resource set.
-func (resourceSet ResourceSet) Match(resource string) bool {
+func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool {
 	for r := range resourceSet {
-		if r.Match(resource) {
+		if r.Match(resource, conditionValues) {
 			return true
 		}
 	}
--- a/pkg/policy/resourceset_test.go
+++ b/pkg/policy/resourceset_test.go
@ -179,7 +179,7 @@ func TestResourceSetMatch(t *testing.T) {
 	}

 	for i, testCase := range testCases {
-		result := testCase.resourceSet.Match(testCase.resource)
+		result := testCase.resourceSet.Match(testCase.resource, nil)

 		if result != testCase.expectedResult {
 			t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result)
--- a/pkg/policy/statement.go
+++ b/pkg/policy/statement.go
@ -54,7 +54,7 @@ func (statement Statement) IsAllowed(args Args) bool {
 			resource += args.ObjectName
 		}

-		if !statement.Resources.Match(resource) {
+		if !statement.Resources.Match(resource, args.ConditionValues) {
 			return false
 		}