MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-10 05:59:43 -05:00
Code Issues Packages Projects Releases Wiki Activity

Support policy variable replacement (#7085)

Browse Source 
This PR supports iam and bucket policies to have
policy variable replacements in resource and
condition key values.

For example
- ${aws:username}
- ${aws:userid}
This commit is contained in:
Harshavardhana
2019-01-21 10:27:14 +05:30
committed by GitHub
parent 3265112d04
commit 5353edcc38
19 changed files with 125 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/iam/policy/resource.go
View File

@@ -21,6 +21,7 @@ import (
"fmt"
"strings"
"github.com/minio/minio/pkg/policy/condition"
"github.com/minio/minio/pkg/wildcard"
)
@@ -47,11 +48,18 @@ func (r Resource) IsValid() bool {
}
// Match - matches object name with resource pattern.
func (r Resource) Match(resource string) bool {
if strings.HasPrefix(resource, r.Pattern) {
func (r Resource) Match(resource string, conditionValues map[string][]string) bool {
pattern := r.Pattern
for _, key := range condition.CommonKeys {
// Empty values are not supported for policy variables.
if rvalues, ok := conditionValues[key.Name()]; ok && rvalues[0] != "" {
pattern = strings.Replace(pattern, key.VarName(), rvalues[0], -1)
}
}
if strings.HasPrefix(resource, pattern) {
return true
}
return wildcard.Match(r.Pattern, resource)
return wildcard.Match(pattern, resource)
}
// MarshalJSON - encodes Resource to JSON data.

2
pkg/iam/policy/resource_test.go
View File

@@ -124,7 +124,7 @@ func TestResourceMatch(t *testing.T) {
}
for i, testCase := range testCases {
result := testCase.resource.Match(testCase.objectName)
result := testCase.resource.Match(testCase.objectName, nil)
if result != testCase.expectedResult {
t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result)

4
pkg/iam/policy/resourceset.go
View File

@@ -81,9 +81,9 @@ func (resourceSet ResourceSet) MarshalJSON() ([]byte, error) {
}
// Match - matches object name with anyone of resource pattern in resource set.
func (resourceSet ResourceSet) Match(resource string) bool {
func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool {
for r := range resourceSet {
if r.Match(resource) {
if r.Match(resource, conditionValues) {
return true
}
}

2
pkg/iam/policy/resourceset_test.go
View File

@@ -179,7 +179,7 @@ func TestResourceSetMatch(t *testing.T) {
}
for i, testCase := range testCases {
result := testCase.resourceSet.Match(testCase.resource)
result := testCase.resourceSet.Match(testCase.resource, nil)
if result != testCase.expectedResult {
t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result)

2
pkg/iam/policy/statement.go
View File

@@ -52,7 +52,7 @@ func (statement Statement) IsAllowed(args Args) bool {
resource += "/"
}
if !statement.Resources.Match(resource) {
if !statement.Resources.Match(resource, args.ConditionValues) {
return false
}