Fix bucketpolicy to handle s3 and minio policy names separately.

Also fix an apparent bug in GetBucketPolicy{}
Harshavardhana 2015-03-19 12:02:39 -07:00
parent 7496d89f8f
commit c3602967ab
3 changed files with 84 additions and 17 deletions


@ -43,7 +43,7 @@ func (storage *Storage) GetBucketPolicy(bucket string) (mstorage.BucketPolicy, e
} }
// get policy path // get policy path
bucketPolicy := path.Join(storage.root, bucket+"_mstoragejson") bucketPolicy := path.Join(storage.root, bucket+"_policy.json")
filestat, err := os.Stat(bucketPolicy) filestat, err := os.Stat(bucketPolicy)
if os.IsNotExist(err) { if os.IsNotExist(err) {
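Review bot: `bucketPolicy := path.Join(storage.root, bucket+"_policy.json")` derives a filesystem path from the caller-supplied bucket name, and nothing in this hunk validates it; if `bucket` is not checked before line 43 (outside the hunk), a name containing `..` or a `/` would let GetBucketPolicy stat and read a file outside `storage.root`, so the lookup should be preceded by a bucket-name check or by verifying that the joined path still has `storage.root` as a prefix. `path.Join` is the slash-only form meant for URLs; for an on-disk location `filepath.Join` is the conventional choice. Note also that any policy already written under the old `_mstoragejson` suffix becomes invisible after this rename, so existing deployments would need those files migrated. GetBucketPolicy begins before this hunk and continues after it.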


@ -1,3 +1,19 @@
/*
* Mini Object Storage, (C) 2015 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package storage package storage
import ( import (
@ -6,22 +22,22 @@ import (
"strings" "strings"
) )
// User - AWS canonical // User - canonical
type User struct { type User struct {
AWS string AWS string
} }
// Statement - AWS policy statement // Statement - minio policy statement
type Statement struct { type Statement struct {
Sid string Sid string
Effect string Effect string
Principal User Principal User
Action []string Action []string
Resource []string Resource []string
// TODO fix it in future if necessary - Condition {} // add Condition struct/var TODO - fix it in future if necessary
} }
// BucketPolicy - AWS policy collection // BucketPolicy - minio policy collection
type BucketPolicy struct { type BucketPolicy struct {
Version string // date in 0000-00-00 format Version string // date in 0000-00-00 format
Statement []Statement Statement []Statement
@ -29,28 +45,26 @@ type BucketPolicy struct {
// Resource delimiter // Resource delimiter
const ( const (
AwsResource = "arn:aws:s3:::"
MinioResource = "minio:::" MinioResource = "minio:::"
) )
// TODO support canonical user // TODO support canonical user
// Principal delimiter // Principal delimiter
const ( const (
AwsPrincipal = "arn:aws:iam::"
MinioPrincipal = "minio::" MinioPrincipal = "minio::"
) )
// Action map // Action map
var SupportedActionMap = map[string]bool{ var SupportedActionMap = map[string]bool{
"*": true, "*": true,
"s3:GetObject": true, "minio:GetObject": true,
"s3:ListBucket": true, "minio:ListBucket": true,
"s3:PutObject": true, "minio:PutObject": true,
"s3:CreateBucket": true, "minio:CreateBucket": true,
"s3:GetBucketPolicy": true, "minio:GetBucketPolicy": true,
"s3:DeleteBucketPolicy": true, "minio:DeleteBucketPolicy": true,
"s3:ListAllMyBuckets": true, "minio:ListAllMyBuckets": true,
"s3:PutBucketPolicy": true, "minio:PutBucketPolicy": true,
} }
// Effect map // Effect map
@ -152,6 +166,7 @@ func Parsepolicy(data io.Reader) (BucketPolicy, bool) {
if !isValidEffect(statement.Effect) { if !isValidEffect(statement.Effect) {
goto error goto error
} }
if len(statement.Principal.AWS) == 0 { if len(statement.Principal.AWS) == 0 {
goto error goto error
} }
@ -161,7 +176,7 @@ func Parsepolicy(data io.Reader) (BucketPolicy, bool) {
if len(statement.Action) == 0 { if len(statement.Action) == 0 {
goto error goto error
} }
if !isValidAction(statement.Action) { if !isValidAction(statement.Action) && !isValidActionS3(statement.Action) {
goto error goto error
} }
if len(statement.Resource) == 0 { if len(statement.Resource) == 0 {
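Review bot: The new condition `if !isValidAction(statement.Action) && !isValidActionS3(statement.Action)` only validates spelling: it admits a statement whose actions are all `minio:`-namespaced or all `s3:`-namespaced, but nothing in this hunk maps `s3:GetObject` onto `minio:GetObject`, so unless the enforcement path (not visible here) treats the two namespaces as equivalent, an S3-client policy will parse cleanly and then either never match or match only by exact string. That equivalence is worth confirming, and worth stating at this line, e.g. `// accept either the native minio: namespace or the AWS s3: namespace (compat table), but not a mix of both`. Parsepolicy starts before this hunk and continues after it, and the Resource and Principal prefix checks that follow are not visible, so I cannot tell whether they accept both `AwsResource` and `MinioResource` now that those constants live in separate files.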


@ -0,0 +1,52 @@
/*
* Mini Object Storage, (C) 2015 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package storage
// This file implements compatability layer for AWS clients
// Resource delimiter
const (
AwsResource = "arn:aws:s3:::"
)
// TODO support canonical user
// Principal delimiter
const (
AwsPrincipal = "arn:aws:iam::"
)
// Action map
var SupportedActionMapCompat = map[string]bool{
"*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketPolicy": true,
"s3:DeleteBucketPolicy": true,
"s3:ListAllMyBuckets": true,
"s3:PutBucketPolicy": true,
}
func isValidActionS3(action []string) bool {
for _, a := range action {
if !SupportedActionMapCompat[a] {
return false
}
}
return true
}
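Review bot: `SupportedActionMapCompat` restates every entry of `SupportedActionMap` with the `s3:` prefix, so the two tables can silently diverge: an action added to one validator but not the other would be accepted or rejected depending only on which namespace the client happened to use. Deriving the compat table from the canonical minio one keeps them in lockstep (this needs `strings` imported in the new file). The doc comment on the exported map should start with its name per Go convention, e.g. `// SupportedActionMapCompat lists the AWS S3 action names accepted for client compatibility.`, and "compatability" in the file comment is misspelled.
```go
// SupportedActionMapCompat lists the AWS S3 action names accepted for client
// compatibility. It is derived from SupportedActionMap so the two cannot drift.
var SupportedActionMapCompat = func() map[string]bool {
	m := make(map[string]bool, len(SupportedActionMap))
	for action := range SupportedActionMap {
		// "*" has no namespace and is copied through unchanged.
		m[strings.Replace(action, "minio:", "s3:", 1)] = true
	}
	return m
}()
// … unchanged: isValidActionS3 …
```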