MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-20 01:50:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add support for {jwt:sub} substitutions for policies (#8393)

Browse Source 
Fixes #8345
This commit is contained in:
Harshavardhana
2019-10-16 08:59:59 -07:00
committed by GitHub
parent f2cc97a44c
commit 5afb1b6747
7 changed files with 83 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
cmd/web-handlers.go
View File

@@ -160,7 +160,7 @@ func (web *webAPIHandlers) MakeBucket(r *http.Request, args *MakeBucketArgs, rep
AccountName: claims.Subject,
Action: iampolicy.CreateBucketAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
}) {
return toJSONError(ctx, errAccessDenied)
@@ -221,7 +221,7 @@ func (web *webAPIHandlers) DeleteBucket(r *http.Request, args *RemoveBucketArgs,
AccountName: claims.Subject,
Action: iampolicy.DeleteBucketAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
}) {
return toJSONError(ctx, errAccessDenied)
@@ -325,7 +325,7 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re
AccountName: claims.Subject,
Action: iampolicy.ListBucketAction,
BucketName: dnsRecord.Key,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: "",
}) {
@@ -347,7 +347,7 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re
AccountName: claims.Subject,
Action: iampolicy.ListBucketAction,
BucketName: bucket.Name,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: "",
}) {
@@ -459,7 +459,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
readable := globalPolicySys.IsAllowed(policy.Args{
Action: policy.ListBucketAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", ""),
ConditionValues: getConditionValues(r, "", "", nil),
IsOwner: false,
})
@@ -467,7 +467,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
writable := globalPolicySys.IsAllowed(policy.Args{
Action: policy.PutObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", ""),
ConditionValues: getConditionValues(r, "", "", nil),
IsOwner: false,
ObjectName: args.Prefix + SlashSeparator,
})
@@ -498,7 +498,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
AccountName: claims.Subject,
Action: iampolicy.ListBucketAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
})
@@ -506,7 +506,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
AccountName: claims.Subject,
Action: iampolicy.PutObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: args.Prefix + SlashSeparator,
})
@@ -598,7 +598,7 @@ func (web *webAPIHandlers) RemoveObject(r *http.Request, args *RemoveObjectArgs,
if !globalPolicySys.IsAllowed(policy.Args{
Action: policy.DeleteObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", ""),
ConditionValues: getConditionValues(r, "", "", nil),
IsOwner: false,
ObjectName: object,
}) {
@@ -672,7 +672,7 @@ next:
AccountName: claims.Subject,
Action: iampolicy.DeleteObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: objectName,
}) {
@@ -690,7 +690,7 @@ next:
AccountName: claims.Subject,
Action: iampolicy.DeleteObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: objectName,
}) {
@@ -930,7 +930,7 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
if !globalPolicySys.IsAllowed(policy.Args{
Action: policy.PutObjectAction,
BucketName: bucket,
ConditionValues: getConditionValues(r, "", ""),
ConditionValues: getConditionValues(r, "", "", nil),
IsOwner: false,
ObjectName: object,
}) {
@@ -949,7 +949,7 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
AccountName: claims.Subject,
Action: iampolicy.PutObjectAction,
BucketName: bucket,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: object,
}) {
@@ -1110,7 +1110,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
if !globalPolicySys.IsAllowed(policy.Args{
Action: policy.GetObjectAction,
BucketName: bucket,
ConditionValues: getConditionValues(r, "", ""),
ConditionValues: getConditionValues(r, "", "", nil),
IsOwner: false,
ObjectName: object,
}) {
@@ -1129,7 +1129,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
AccountName: claims.Subject,
Action: iampolicy.GetObjectAction,
BucketName: bucket,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: object,
}) {
@@ -1259,7 +1259,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
if !globalPolicySys.IsAllowed(policy.Args{
Action: policy.GetObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", ""),
ConditionValues: getConditionValues(r, "", "", nil),
IsOwner: false,
ObjectName: pathJoin(args.Prefix, object),
}) {
@@ -1280,7 +1280,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
AccountName: claims.Subject,
Action: iampolicy.GetObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
ObjectName: pathJoin(args.Prefix, object),
}) {
@@ -1426,7 +1426,7 @@ func (web *webAPIHandlers) GetBucketPolicy(r *http.Request, args *GetBucketPolic
AccountName: claims.Subject,
Action: iampolicy.GetBucketPolicyAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
}) {
return toJSONError(ctx, errAccessDenied)
@@ -1523,7 +1523,7 @@ func (web *webAPIHandlers) ListAllBucketPolicies(r *http.Request, args *ListAllB
AccountName: claims.Subject,
Action: iampolicy.GetBucketPolicyAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
}) {
return toJSONError(ctx, errAccessDenied)
@@ -1613,7 +1613,7 @@ func (web *webAPIHandlers) SetBucketPolicy(r *http.Request, args *SetBucketPolic
AccountName: claims.Subject,
Action: iampolicy.PutBucketPolicyAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.Subject),
ConditionValues: getConditionValues(r, "", claims.Subject, claims.Map()),
IsOwner: owner,
}) {
return toJSONError(ctx, errAccessDenied)