fix: support IAM policy handling for wildcard actions (#11530)

This PR fixes - allow 's3:versionid` as a valid conditional for Get,Put,Tags,Object locking APIs - allow additional headers missing for object APIs - allow wildcard based action matching
2025-11-25 12:06:10 -05:00 · 2021-02-12 23:05:09 -08:00
parent 79b6a43467
commit a94a9c37fa
6 changed files with 365 additions and 25 deletions
--- a/pkg/iam/policy/action.go
+++ b/pkg/iam/policy/action.go
@@ -266,23 +266,45 @@ var supportedObjectActions = map[Action]struct{}{

 // isObjectAction - returns whether action is object type or not.
 func (action Action) isObjectAction() bool {
-	_, ok := supportedObjectActions[action]
-	return ok
+	for supAction := range supportedObjectActions {
+		if action.Match(supAction) {
+			return true
+		}
+	}
+	return false
 }

-// Match - matches object name with resource pattern.
+// Match - matches action name with action patter.
 func (action Action) Match(a Action) bool {
 	return wildcard.Match(string(action), string(a))
 }

 // IsValid - checks if action is valid or not.
 func (action Action) IsValid() bool {
-	_, ok := supportedActions[action]
-	return ok
+	for supAction := range supportedActions {
+		if action.Match(supAction) {
+			return true
+		}
+	}
+	return false
 }

-// actionConditionKeyMap - holds mapping of supported condition key for an action.
-var actionConditionKeyMap = map[Action]condition.KeySet{
+type actionConditionKeyMap map[Action]condition.KeySet
+
+func (a actionConditionKeyMap) Lookup(action Action) (condition.KeySet, bool) {
+	var ckeysMerged = condition.KeySet{}
+	var found bool
+	for act, ckey := range a {
+		if action.Match(act) {
+			ckeysMerged.Merge(ckey)
+			found = true
+		}
+	}
+	return ckeysMerged, found
+}
+
+// iamActionConditionKeyMap - holds mapping of supported condition key for an action.
+var iamActionConditionKeyMap = actionConditionKeyMap{
 	AllActions: condition.NewKeySet(condition.AllSupportedKeys...),

 	AbortMultipartUploadAction: condition.NewKeySet(condition.CommonKeys...),
@@ -291,8 +313,6 @@ var actionConditionKeyMap = map[Action]condition.KeySet{

 	DeleteBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),

-	DeleteObjectAction: condition.NewKeySet(condition.CommonKeys...),
-
 	GetBucketLocationAction: condition.NewKeySet(condition.CommonKeys...),

 	GetBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
@@ -303,6 +323,7 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 		append([]condition.Key{
 			condition.S3XAmzServerSideEncryption,
 			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
+			condition.S3VersionID,
 		}, condition.CommonKeys...)...),

 	HeadBucketAction: condition.NewKeySet(condition.CommonKeys...),
@@ -335,6 +356,11 @@ var actionConditionKeyMap = map[Action]condition.KeySet{

 	PutBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),

+	DeleteObjectAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+
 	PutObjectAction: condition.NewKeySet(
 		append([]condition.Key{
 			condition.S3XAmzCopySource,
@@ -342,6 +368,7 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
 			condition.S3XAmzMetadataDirective,
 			condition.S3XAmzStorageClass,
+			condition.S3VersionID,
 			condition.S3ObjectLockRetainUntilDate,
 			condition.S3ObjectLockMode,
 			condition.S3ObjectLockLegalHold,
@@ -351,21 +378,32 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 	// LockLegalHold is not supported with PutObjectRetentionAction
 	PutObjectRetentionAction: condition.NewKeySet(
 		append([]condition.Key{
+			condition.S3XAmzServerSideEncryption,
+			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
 			condition.S3ObjectLockRemainingRetentionDays,
 			condition.S3ObjectLockRetainUntilDate,
 			condition.S3ObjectLockMode,
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+	GetObjectRetentionAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3XAmzServerSideEncryption,
+			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
+			condition.S3VersionID,
 		}, condition.CommonKeys...)...),
-
-	GetObjectRetentionAction: condition.NewKeySet(condition.CommonKeys...),
 	PutObjectLegalHoldAction: condition.NewKeySet(
 		append([]condition.Key{
+			condition.S3XAmzServerSideEncryption,
+			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
 			condition.S3ObjectLockLegalHold,
+			condition.S3VersionID,
 		}, condition.CommonKeys...)...),
 	GetObjectLegalHoldAction: condition.NewKeySet(condition.CommonKeys...),

 	// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
 	BypassGovernanceRetentionAction: condition.NewKeySet(
 		append([]condition.Key{
+			condition.S3VersionID,
 			condition.S3ObjectLockRemainingRetentionDays,
 			condition.S3ObjectLockRetainUntilDate,
 			condition.S3ObjectLockMode,
@@ -376,11 +414,24 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 	PutBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
 	GetBucketTaggingAction:                 condition.NewKeySet(condition.CommonKeys...),
 	PutBucketTaggingAction:                 condition.NewKeySet(condition.CommonKeys...),
-	PutObjectTaggingAction:                 condition.NewKeySet(condition.CommonKeys...),
-	GetObjectTaggingAction:                 condition.NewKeySet(condition.CommonKeys...),
-	DeleteObjectTaggingAction:              condition.NewKeySet(condition.CommonKeys...),

-	PutObjectVersionTaggingAction: condition.NewKeySet(condition.CommonKeys...),
+	PutObjectTaggingAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+	GetObjectTaggingAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+	DeleteObjectTaggingAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+
+	PutObjectVersionTaggingAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
 	GetObjectVersionAction: condition.NewKeySet(
 		append([]condition.Key{
 			condition.S3VersionID,
@@ -397,10 +448,22 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 		append([]condition.Key{
 			condition.S3VersionID,
 		}, condition.CommonKeys...)...),
-	GetReplicationConfigurationAction:    condition.NewKeySet(condition.CommonKeys...),
-	PutReplicationConfigurationAction:    condition.NewKeySet(condition.CommonKeys...),
-	ReplicateObjectAction:                condition.NewKeySet(condition.CommonKeys...),
-	ReplicateDeleteAction:                condition.NewKeySet(condition.CommonKeys...),
-	ReplicateTagsAction:                  condition.NewKeySet(condition.CommonKeys...),
-	GetObjectVersionForReplicationAction: condition.NewKeySet(condition.CommonKeys...),
+	GetReplicationConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
+	PutReplicationConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
+	ReplicateObjectAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+	ReplicateDeleteAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+	ReplicateTagsAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
+	GetObjectVersionForReplicationAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3VersionID,
+		}, condition.CommonKeys...)...),
 }