diff --git a/cmd/admin-handler-utils.go b/cmd/admin-handler-utils.go index 9177a010b..4c4aa707e 100644 --- a/cmd/admin-handler-utils.go +++ b/cmd/admin-handler-utils.go @@ -27,14 +27,14 @@ import ( "github.com/minio/madmin-go/v3" "github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/config" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) // validateAdminReq will validate request against and return whether it is allowed. // If any of the supplied actions are allowed it will be successful. // If nil ObjectLayer is returned, the operation is not permitted. // When nil ObjectLayer has been returned an error has always been sent to w. -func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, actions ...iampolicy.AdminAction) (ObjectLayer, auth.Credentials) { +func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, actions ...policy.AdminAction) (ObjectLayer, auth.Credentials) { // Get current object layer instance. objectAPI := newObjectLayerFn() if objectAPI == nil || globalNotificationSys == nil { @@ -78,7 +78,7 @@ func toAdminAPIErr(ctx context.Context, err error) APIError { var apiErr APIError switch e := err.(type) { - case iampolicy.Error: + case policy.Error: apiErr = APIError{ Code: "XMinioMalformedIAMPolicy", Description: e.Error(), diff --git a/cmd/admin-handlers-config-kv.go b/cmd/admin-handlers-config-kv.go index ab329fe11..4eecd0058 100644 --- a/cmd/admin-handlers-config-kv.go +++ b/cmd/admin-handlers-config-kv.go 
@@ -38,14 +38,14 @@ import ( "github.com/minio/minio/internal/config/subnet" "github.com/minio/minio/internal/logger" "github.com/minio/mux" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) // DelConfigKVHandler - DELETE /minio/admin/v3/del-config-kv func (a adminAPIHandlers) DelConfigKVHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -149,7 +149,7 @@ type setConfigResult struct { func (a adminAPIHandlers) SetConfigKVHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -242,7 +242,7 @@ func setConfigKV(ctx context.Context, objectAPI ObjectLayer, kvBytes []byte) (re func (a adminAPIHandlers) GetConfigKVHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -288,7 +288,7 @@ func (a adminAPIHandlers) GetConfigKVHandler(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) ClearConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } 
@@ -321,7 +321,7 @@ func (a adminAPIHandlers) ClearConfigHistoryKVHandler(w http.ResponseWriter, r * func (a adminAPIHandlers) RestoreConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -367,7 +367,7 @@ func (a adminAPIHandlers) RestoreConfigHistoryKVHandler(w http.ResponseWriter, r func (a adminAPIHandlers) ListConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -405,7 +405,7 @@ func (a adminAPIHandlers) ListConfigHistoryKVHandler(w http.ResponseWriter, r *h func (a adminAPIHandlers) HelpConfigKVHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -430,7 +430,7 @@ func (a adminAPIHandlers) HelpConfigKVHandler(w http.ResponseWriter, r *http.Req func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } 
@@ -482,7 +482,7 @@ func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Reques func (a adminAPIHandlers) GetConfigHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } diff --git a/cmd/admin-handlers-idp-config.go b/cmd/admin-handlers-idp-config.go index 3df6d8616..a4c32081d 100644 --- a/cmd/admin-handlers-idp-config.go +++ b/cmd/admin-handlers-idp-config.go @@ -34,11 +34,11 @@ import ( "github.com/minio/minio/internal/logger" "github.com/minio/mux" "github.com/minio/pkg/v2/ldap" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) func addOrUpdateIDPHandler(ctx context.Context, w http.ResponseWriter, r *http.Request, isUpdate bool) { - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -220,7 +220,7 @@ func (a adminAPIHandlers) UpdateIdentityProviderCfg(w http.ResponseWriter, r *ht func (a adminAPIHandlers) ListIdentityProviderCfg(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -273,7 +273,7 @@ func (a adminAPIHandlers) ListIdentityProviderCfg(w http.ResponseWriter, r *http func (a adminAPIHandlers) GetIdentityProviderCfg(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } 
@@ -332,7 +332,7 @@ func (a adminAPIHandlers) GetIdentityProviderCfg(w http.ResponseWriter, r *http. func (a adminAPIHandlers) DeleteIdentityProviderCfg(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ConfigUpdateAdminAction) if objectAPI == nil { return } diff --git a/cmd/admin-handlers-idp-ldap.go b/cmd/admin-handlers-idp-ldap.go index 6c2f1d809..72fd4d99c 100644 --- a/cmd/admin-handlers-idp-ldap.go +++ b/cmd/admin-handlers-idp-ldap.go @@ -25,7 +25,7 @@ import ( "github.com/minio/madmin-go/v3" "github.com/minio/minio/internal/logger" "github.com/minio/mux" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) // ListLDAPPolicyMappingEntities lists users/groups mapped to given/all policies. @@ -50,7 +50,7 @@ func (a adminAPIHandlers) ListLDAPPolicyMappingEntities(w http.ResponseWriter, r // Check authorization. objectAPI, cred := validateAdminReq(ctx, w, r, - iampolicy.ListGroupsAdminAction, iampolicy.ListUsersAdminAction, iampolicy.ListUserPoliciesAdminAction) + policy.ListGroupsAdminAction, policy.ListUsersAdminAction, policy.ListUserPoliciesAdminAction) if objectAPI == nil { return } @@ -96,7 +96,7 @@ func (a adminAPIHandlers) AttachDetachPolicyLDAP(w http.ResponseWriter, r *http. // Check authorization. - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.UpdatePolicyAssociationAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.UpdatePolicyAssociationAction) if objectAPI == nil { return } diff --git a/cmd/admin-handlers-pools.go b/cmd/admin-handlers-pools.go index e6e057dac..c2030554c 100644 --- a/cmd/admin-handlers-pools.go +++ b/cmd/admin-handlers-pools.go @@ -26,7 +26,7 @@ import ( "github.com/minio/minio/internal/logger" "github.com/minio/mux" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) var ( 
@@ -37,7 +37,7 @@ var ( func (a adminAPIHandlers) StartDecommission(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DecommissionAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.DecommissionAdminAction) if objectAPI == nil { return } @@ -113,7 +113,7 @@ func (a adminAPIHandlers) StartDecommission(w http.ResponseWriter, r *http.Reque func (a adminAPIHandlers) CancelDecommission(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DecommissionAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.DecommissionAdminAction) if objectAPI == nil { return } @@ -159,7 +159,7 @@ func (a adminAPIHandlers) CancelDecommission(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) StatusPool(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerInfoAdminAction, iampolicy.DecommissionAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ServerInfoAdminAction, policy.DecommissionAdminAction) if objectAPI == nil { return } @@ -200,7 +200,7 @@ func (a adminAPIHandlers) StatusPool(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) ListPools(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerInfoAdminAction, iampolicy.DecommissionAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ServerInfoAdminAction, policy.DecommissionAdminAction) if objectAPI == nil { return } 
@@ -233,7 +233,7 @@ func (a adminAPIHandlers) ListPools(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) RebalanceStart(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.RebalanceAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.RebalanceAdminAction) if objectAPI == nil { return } @@ -304,7 +304,7 @@ func (a adminAPIHandlers) RebalanceStart(w http.ResponseWriter, r *http.Request) func (a adminAPIHandlers) RebalanceStatus(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.RebalanceAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.RebalanceAdminAction) if objectAPI == nil { return } @@ -344,7 +344,7 @@ func (a adminAPIHandlers) RebalanceStatus(w http.ResponseWriter, r *http.Request func (a adminAPIHandlers) RebalanceStop(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.RebalanceAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.RebalanceAdminAction) if objectAPI == nil { return } diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go index 8cf0d1801..79681dcad 100644 --- a/cmd/admin-handlers-users.go +++ b/cmd/admin-handlers-users.go @@ -34,14 +34,14 @@ import ( "github.com/minio/minio/internal/config/dns" "github.com/minio/minio/internal/logger" "github.com/minio/mux" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) // RemoveUser - DELETE /minio/admin/v3/remove-user?accessKey= func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.DeleteUserAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.DeleteUserAdminAction) if objectAPI == nil { return } 
@@ -85,7 +85,7 @@ func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) ListBucketUsers(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ListUsersAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ListUsersAdminAction) if objectAPI == nil { return } @@ -119,7 +119,7 @@ func (a adminAPIHandlers) ListBucketUsers(w http.ResponseWriter, r *http.Request func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ListUsersAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.ListUsersAdminAction) if objectAPI == nil { return } @@ -186,10 +186,10 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) { checkDenyOnly = true } - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.GetUserAdminAction, + Action: policy.GetUserAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, @@ -218,7 +218,7 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.AddUserToGroupAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.AddUserToGroupAdminAction) if objectAPI == nil { return } @@ -288,7 +288,7 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetGroupAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.GetGroupAdminAction) if objectAPI == nil { return } 
@@ -315,7 +315,7 @@ func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListGroupsAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListGroupsAdminAction) if objectAPI == nil { return } @@ -339,7 +339,7 @@ func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.EnableGroupAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.EnableGroupAdminAction) if objectAPI == nil { return } @@ -382,7 +382,7 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, creds := validateAdminReq(ctx, w, r, iampolicy.EnableUserAdminAction) + objectAPI, creds := validateAdminReq(ctx, w, r, policy.EnableUserAdminAction) if objectAPI == nil { return } @@ -470,10 +470,10 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) { checkDenyOnly = true } - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.CreateUserAdminAction, + Action: policy.CreateUserAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, 
@@ -544,10 +544,10 @@ func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Re return } - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.ListTemporaryAccountsAdminAction, + Action: policy.ListTemporaryAccountsAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, @@ -556,16 +556,16 @@ func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Re return } - stsAccount, policy, err := globalIAMSys.GetTemporaryAccount(ctx, accessKey) + stsAccount, sessionPolicy, err := globalIAMSys.GetTemporaryAccount(ctx, accessKey) if err != nil { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } - var stsAccountPolicy iampolicy.Policy + var stsAccountPolicy policy.Policy - if policy != nil { - stsAccountPolicy = *policy + if sessionPolicy != nil { + stsAccountPolicy = *sessionPolicy } else { policiesNames, err := globalIAMSys.PolicyDBGet(stsAccount.ParentUser, false) if err != nil { @@ -584,7 +584,7 @@ func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Re infoResp := madmin.TemporaryAccountInfoResp{ ParentUser: stsAccount.ParentUser, AccountStatus: stsAccount.Status, - ImpliedPolicy: policy == nil, + ImpliedPolicy: sessionPolicy == nil, Policy: string(policyJSON), Expiration: &stsAccount.Expiration, } 
@@ -709,10 +709,10 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque // // This allows turning off service accounts for request sender, // if there is no deny statement this call is implicitly enabled. - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: requestorUser, Groups: requestorGroups, - Action: iampolicy.CreateServiceAccountAdminAction, + Action: policy.CreateServiceAccountAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, @@ -743,10 +743,10 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque } else { // Need permission if we are creating a service account for a // user <> to the request sender - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: requestorUser, Groups: requestorGroups, - Action: iampolicy.CreateServiceAccountAdminAction, + Action: policy.CreateServiceAccountAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, @@ -773,9 +773,9 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque // latter, a group notion is not supported. } - var sp *iampolicy.Policy + var sp *policy.Policy if len(createReq.Policy) > 0 { - sp, err = iampolicy.ParseConfig(bytes.NewReader(createReq.Policy)) + sp, err = policy.ParseConfig(bytes.NewReader(createReq.Policy)) if err != nil { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return @@ -864,10 +864,10 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re return } - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.UpdateServiceAccountAdminAction, + Action: policy.UpdateServiceAccountAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, 
@@ -903,9 +903,9 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re return } - var sp *iampolicy.Policy + var sp *policy.Policy if len(updateReq.NewPolicy) > 0 { - sp, err = iampolicy.ParseConfig(bytes.NewReader(updateReq.NewPolicy)) + sp, err = policy.ParseConfig(bytes.NewReader(updateReq.NewPolicy)) if err != nil { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return @@ -970,16 +970,16 @@ func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Requ return } - svcAccount, policy, err := globalIAMSys.GetServiceAccount(ctx, accessKey) + svcAccount, sessionPolicy, err := globalIAMSys.GetServiceAccount(ctx, accessKey) if err != nil { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.ListServiceAccountsAdminAction, + Action: policy.ListServiceAccountsAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, @@ -995,10 +995,10 @@ func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Requ } } - var svcAccountPolicy iampolicy.Policy + var svcAccountPolicy policy.Policy - if policy != nil { - svcAccountPolicy = *policy + if sessionPolicy != nil { + svcAccountPolicy = *sessionPolicy } else { policiesNames, err := globalIAMSys.PolicyDBGet(svcAccount.ParentUser, false) if err != nil { @@ -1024,7 +1024,7 @@ func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Requ Name: svcAccount.Name, Description: svcAccount.Description, AccountStatus: svcAccount.Status, - ImpliedPolicy: policy == nil, + ImpliedPolicy: sessionPolicy == nil, Policy: string(policyJSON), Expiration: expiration, } 
@@ -1067,10 +1067,10 @@ func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Req // sender), check that the user has permissions. user := r.Form.Get("user") if user != "" && user != cred.AccessKey { - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.ListServiceAccountsAdminAction, + Action: policy.ListServiceAccountsAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, @@ -1148,10 +1148,10 @@ func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Re // since this is a delete call we shall allow it to be deleted if possible. svcAccount, _, _ := globalIAMSys.GetServiceAccount(ctx, serviceAccount) - adminPrivilege := globalIAMSys.IsAllowed(iampolicy.Args{ + adminPrivilege := globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.RemoveServiceAccountAdminAction, + Action: policy.RemoveServiceAccountAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, @@ -1219,10 +1219,10 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ enablePrefixUsage := r.Form.Get("prefix-usage") == "true" isAllowedAccess := func(bucketName string) (rd, wr bool) { - if globalIAMSys.IsAllowed(iampolicy.Args{ + if globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.ListBucketAction, + Action: policy.ListBucketAction, BucketName: bucketName, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, 
@@ -1232,10 +1232,10 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ rd = true } - if globalIAMSys.IsAllowed(iampolicy.Args{ + if globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.GetBucketLocationAction, + Action: policy.GetBucketLocationAction, BucketName: bucketName, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, @@ -1245,10 +1245,10 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ rd = true } - if globalIAMSys.IsAllowed(iampolicy.Args{ + if globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.PutObjectAction, + Action: policy.PutObjectAction, BucketName: bucketName, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, @@ -1298,14 +1298,14 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ accountName = cred.ParentUser } - roleArn := iampolicy.Args{Claims: cred.Claims}.GetRoleArn() - policySetFromClaims, hasPolicyClaim := iampolicy.GetPoliciesFromClaims(cred.Claims, iamPolicyClaimNameOpenID()) - var effectivePolicy iampolicy.Policy + roleArn := policy.Args{Claims: cred.Claims}.GetRoleArn() + policySetFromClaims, hasPolicyClaim := policy.GetPoliciesFromClaims(cred.Claims, iamPolicyClaimNameOpenID()) + var effectivePolicy policy.Policy var buf []byte switch { case accountName == globalActiveCred.AccessKey: - for _, policy := range iampolicy.DefaultPolicies { + for _, policy := range policy.DefaultPolicies { if policy.Name == "consoleAdmin" { effectivePolicy = policy.Definition break 
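Review bot: In the @@ -1298 hunk the loop variable in `for _, policy := range policy.DefaultPolicies` now shadows the `policy` package it ranges over, so `policy.Name` and `policy.Definition` in the loop body bind to the variable while the range expression binds to the package. This compiles, since the iteration variable only comes into scope after the range expression is resolved, but it reads as a package reference, and any package-level `policy.` symbol later added inside that loop body would silently resolve to the struct instead. The other hunks in this commit renamed the colliding locals to `sessionPolicy` for exactly this reason; do the same here: `for _, p := range policy.DefaultPolicies {`, `if p.Name == "consoleAdmin" {`, `effectivePolicy = p.Definition`. AccountInfoHandler and the enclosing switch continue outside the hunk.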
@@ -1417,7 +1417,7 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetPolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.GetPolicyAdminAction) if objectAPI == nil { return } @@ -1463,7 +1463,7 @@ func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Reques func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListUserPoliciesAdminAction) if objectAPI == nil { return } @@ -1475,7 +1475,7 @@ func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Requ return } - newPolicies := make(map[string]iampolicy.Policy) + newPolicies := make(map[string]policy.Policy) for name, p := range policies { _, err = json.Marshal(p) if err != nil { @@ -1494,7 +1494,7 @@ func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListUserPoliciesAdminAction) if objectAPI == nil { return } @@ -1505,7 +1505,7 @@ func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Requ return } - newPolicies := make(map[string]iampolicy.Policy) + newPolicies := make(map[string]policy.Policy) for name, p := range policies { _, err = json.Marshal(p) if err != nil { 
@@ -1524,7 +1524,7 @@ func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DeletePolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.DeletePolicyAdminAction) if objectAPI == nil { return } @@ -1550,7 +1550,7 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.CreatePolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.CreatePolicyAdminAction) if objectAPI == nil { return } @@ -1582,7 +1582,7 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request return } - iamPolicy, err := iampolicy.ParseConfig(bytes.NewReader(iamPolicyBytes)) + iamPolicy, err := policy.ParseConfig(bytes.NewReader(iamPolicyBytes)) if err != nil { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return @@ -1614,7 +1614,7 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.AttachPolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.AttachPolicyAdminAction) if objectAPI == nil { return } @@ -1688,7 +1688,7 @@ func (a adminAPIHandlers) ListPolicyMappingEntities(w http.ResponseWriter, r *ht // Check authorization. objectAPI, cred := validateAdminReq(ctx, w, r, - iampolicy.ListGroupsAdminAction, iampolicy.ListUsersAdminAction, iampolicy.ListUserPoliciesAdminAction) + policy.ListGroupsAdminAction, policy.ListUsersAdminAction, policy.ListUserPoliciesAdminAction) if objectAPI == nil { return } 
@@ -1726,8 +1726,8 @@ func (a adminAPIHandlers) ListPolicyMappingEntities(w http.ResponseWriter, r *ht func (a adminAPIHandlers) AttachDetachPolicyBuiltin(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.UpdatePolicyAssociationAction, - iampolicy.AttachPolicyAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, policy.UpdatePolicyAssociationAction, + policy.AttachPolicyAdminAction) if objectAPI == nil { return } @@ -1826,7 +1826,7 @@ func (a adminAPIHandlers) ExportIAM(w http.ResponseWriter, r *http.Request) { ctx := r.Context() // Get current object layer instance. - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ExportIAMAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ExportIAMAction) if objectAPI == nil { return } @@ -2096,7 +2096,7 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) { return default: defer f.Close() - var allPolicies map[string]iampolicy.Policy + var allPolicies map[string]policy.Policy data, err = io.ReadAll(f) if err != nil { writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, allPoliciesFile, ""), r.URL) @@ -2177,10 +2177,10 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) { checkDenyOnly = true } - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.CreateUserAdminAction, + Action: policy.CreateUserAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, 
@@ -2257,10 +2257,10 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) { return } for user, svcAcctReq := range serviceAcctReqs { - var sp *iampolicy.Policy + var sp *policy.Policy var err error if len(svcAcctReq.SessionPolicy) > 0 { - sp, err = iampolicy.ParseConfig(bytes.NewReader(svcAcctReq.SessionPolicy)) + sp, err = policy.ParseConfig(bytes.NewReader(svcAcctReq.SessionPolicy)) if err != nil { writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL) return @@ -2271,10 +2271,10 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL) return } - if !globalIAMSys.IsAllowed(iampolicy.Args{ + if !globalIAMSys.IsAllowed(policy.Args{ AccountName: cred.AccessKey, Groups: cred.Groups, - Action: iampolicy.CreateServiceAccountAdminAction, + Action: policy.CreateServiceAccountAdminAction, ConditionValues: getConditionValues(r, "", cred), IsOwner: owner, Claims: cred.Claims, diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go index 6ca2a2e6b..68f59cba8 100644 --- a/cmd/admin-handlers.go +++ b/cmd/admin-handlers.go @@ -57,7 +57,7 @@ import ( "github.com/minio/mux" "github.com/minio/pkg/v2/logger/message/log" xnet "github.com/minio/pkg/v2/net" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" "github.com/secure-io/sio-go" ) @@ -81,7 +81,7 @@ const ( func (a adminAPIHandlers) ServerUpdateHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerUpdateAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ServerUpdateAdminAction) if objectAPI == nil { return } 
@@ -252,11 +252,11 @@ func (a adminAPIHandlers) ServiceHandler(w http.ResponseWriter, r *http.Request) var objectAPI ObjectLayer switch serviceSig { case serviceRestart: - objectAPI, _ = validateAdminReq(ctx, w, r, iampolicy.ServiceRestartAdminAction) + objectAPI, _ = validateAdminReq(ctx, w, r, policy.ServiceRestartAdminAction) case serviceStop: - objectAPI, _ = validateAdminReq(ctx, w, r, iampolicy.ServiceStopAdminAction) + objectAPI, _ = validateAdminReq(ctx, w, r, policy.ServiceStopAdminAction) case serviceFreeze, serviceUnFreeze: - objectAPI, _ = validateAdminReq(ctx, w, r, iampolicy.ServiceFreezeAdminAction) + objectAPI, _ = validateAdminReq(ctx, w, r, policy.ServiceFreezeAdminAction) } if objectAPI == nil { return @@ -331,7 +331,7 @@ type ServerHTTPStats struct { func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.StorageInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.StorageInfoAdminAction) if objectAPI == nil { return } @@ -370,7 +370,7 @@ func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) MetricsHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ServerInfoAdminAction) if objectAPI == nil { return } @@ -479,7 +479,7 @@ func (a adminAPIHandlers) MetricsHandler(w http.ResponseWriter, r *http.Request) func (a adminAPIHandlers) DataUsageInfoHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DataUsageInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.DataUsageInfoAdminAction) if objectAPI == nil { return } 
@@ -562,7 +562,7 @@ type PeerLocks struct { func (a adminAPIHandlers) ForceUnlockHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ForceUnlockAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ForceUnlockAdminAction) if objectAPI == nil { return } @@ -597,7 +597,7 @@ func (a adminAPIHandlers) ForceUnlockHandler(w http.ResponseWriter, r *http.Requ func (a adminAPIHandlers) TopLocksHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.TopLocksAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.TopLocksAdminAction) if objectAPI == nil { return } @@ -648,7 +648,7 @@ func (a adminAPIHandlers) StartProfilingHandler(w http.ResponseWriter, r *http.R ctx := r.Context() // Validate request signature. - _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ProfilingAdminAction, "") + _, adminAPIErr := checkAdminRequestAuth(ctx, r, policy.ProfilingAdminAction, "") if adminAPIErr != ErrNone { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) return @@ -733,7 +733,7 @@ func (a adminAPIHandlers) ProfileHandler(w http.ResponseWriter, r *http.Request) ctx := r.Context() // Validate request signature. - _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ProfilingAdminAction, "") + _, adminAPIErr := checkAdminRequestAuth(ctx, r, policy.ProfilingAdminAction, "") if adminAPIErr != ErrNone { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) return 
@@ -828,7 +828,7 @@ func (a adminAPIHandlers) DownloadProfilingHandler(w http.ResponseWriter, r *htt ctx := r.Context() // Validate request signature. - _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ProfilingAdminAction, "") + _, adminAPIErr := checkAdminRequestAuth(ctx, r, policy.ProfilingAdminAction, "") if adminAPIErr != ErrNone { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) return @@ -926,7 +926,7 @@ func extractHealInitParams(vars map[string]string, qParms url.Values, r io.Reade func (a adminAPIHandlers) HealHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.HealAdminAction) if objectAPI == nil { return } @@ -1110,7 +1110,7 @@ func getAggregatedBackgroundHealState(ctx context.Context, o ObjectLayer) (madmi func (a adminAPIHandlers) BackgroundHealStatusHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.HealAdminAction) if objectAPI == nil { return } @@ -1131,7 +1131,7 @@ func (a adminAPIHandlers) BackgroundHealStatusHandler(w http.ResponseWriter, r * func (a adminAPIHandlers) SitePerfHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealthInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.HealthInfoAdminAction) if objectAPI == nil { return } @@ -1179,7 +1179,7 @@ func (a adminAPIHandlers) SitePerfHandler(w http.ResponseWriter, r *http.Request func (a adminAPIHandlers) ClientDevNullExtraTime(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.BandwidthMonitorAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.BandwidthMonitorAction) if objectAPI == nil { return } 
@@ -1196,7 +1196,7 @@ func (a adminAPIHandlers) ClientDevNull(w http.ResponseWriter, r *http.Request) ctx := r.Context() timeStart := time.Now() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.BandwidthMonitorAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.BandwidthMonitorAction) if objectAPI == nil { return } @@ -1238,7 +1238,7 @@ func (a adminAPIHandlers) ClientDevNull(w http.ResponseWriter, r *http.Request) func (a adminAPIHandlers) NetperfHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealthInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.HealthInfoAdminAction) if objectAPI == nil { return } @@ -1284,7 +1284,7 @@ func (a adminAPIHandlers) NetperfHandler(w http.ResponseWriter, r *http.Request) func (a adminAPIHandlers) ObjectSpeedTestHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealthInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.HealthInfoAdminAction) if objectAPI == nil { return } @@ -1445,7 +1445,7 @@ func validateObjPerfOptions(ctx context.Context, storageInfo madmin.StorageInfo, func (a adminAPIHandlers) DriveSpeedtestHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealthInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.HealthInfoAdminAction) if objectAPI == nil { return } @@ -1566,7 +1566,7 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() // Validate request signature. - _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.TraceAdminAction, "") + _, adminAPIErr := checkAdminRequestAuth(ctx, r, policy.TraceAdminAction, "") if adminAPIErr != ErrNone { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) return 
@@ -1637,7 +1637,7 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConsoleLogAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ConsoleLogAdminAction) if objectAPI == nil { return } @@ -1718,7 +1718,7 @@ func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Reque func (a adminAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSCreateKeyAdminAction) if objectAPI == nil { return } @@ -1739,7 +1739,7 @@ func (a adminAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Req func (a adminAPIHandlers) KMSStatusHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSKeyStatusAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSKeyStatusAdminAction) if objectAPI == nil { return } @@ -1776,7 +1776,7 @@ func (a adminAPIHandlers) KMSStatusHandler(w http.ResponseWriter, r *http.Reques func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSKeyStatusAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSKeyStatusAdminAction) if objectAPI == nil { return } @@ -2376,7 +2376,7 @@ func fetchHealthInfo(healthCtx context.Context, objectAPI ObjectLayer, query *ur func (a adminAPIHandlers) HealthInfoHandler(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealthInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.HealthInfoAdminAction) if objectAPI == nil { return } 
@@ -2483,7 +2483,7 @@ func (a adminAPIHandlers) ServerInfoHandler(w http.ResponseWriter, r *http.Reque ctx := r.Context() // Validate request signature. - _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ServerInfoAdminAction, "") + _, adminAPIErr := checkAdminRequestAuth(ctx, r, policy.ServerInfoAdminAction, "") if adminAPIErr != ErrNone { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) return @@ -2735,7 +2735,7 @@ func (a adminAPIHandlers) InspectDataHandler(w http.ResponseWriter, r *http.Requ ctx := r.Context() // Validate request signature. - _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.InspectDataAction, "") + _, adminAPIErr := checkAdminRequestAuth(ctx, r, policy.InspectDataAction, "") if adminAPIErr != ErrNone { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) return diff --git a/cmd/auth-handler_test.go b/cmd/auth-handler_test.go index 6b736a32c..59ef27449 100644 --- a/cmd/auth-handler_test.go +++ b/cmd/auth-handler_test.go @@ -28,7 +28,7 @@ import ( "time" "github.com/minio/minio/internal/auth" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) type nullReader struct{} @@ -443,7 +443,7 @@ func TestCheckAdminRequestAuthType(t *testing.T) { {Request: mustNewPresignedRequest(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrAccessDenied}, } for i, testCase := range testCases { - if _, s3Error := checkAdminRequestAuth(ctx, testCase.Request, iampolicy.AllAdminActions, globalSite.Region); s3Error != testCase.ErrCode { + if _, s3Error := checkAdminRequestAuth(ctx, testCase.Request, policy.AllAdminActions, globalSite.Region); s3Error != testCase.ErrCode { t.Errorf("Test %d: Unexpected s3error returned wanted %d, got %d", i, testCase.ErrCode, s3Error) } } diff --git a/cmd/batch-handlers.go b/cmd/batch-handlers.go index 869e653c3..55ef8f3f6 100644 --- a/cmd/batch-handlers.go +++ b/cmd/batch-handlers.go 
@@ -49,7 +49,7 @@ import ( "github.com/minio/minio/internal/logger" "github.com/minio/pkg/v2/console" "github.com/minio/pkg/v2/env" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" "github.com/minio/pkg/v2/workers" "gopkg.in/yaml.v2" ) @@ -1258,7 +1258,7 @@ func batchReplicationOpts(ctx context.Context, sc string, objInfo ObjectInfo) (p func (a adminAPIHandlers) ListBatchJobs(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListBatchJobsAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.ListBatchJobsAction) if objectAPI == nil { return } @@ -1308,7 +1308,7 @@ var errNoSuchJob = errors.New("no such job") func (a adminAPIHandlers) DescribeBatchJob(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DescribeBatchJobAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.DescribeBatchJobAction) if objectAPI == nil { return } @@ -1343,7 +1343,7 @@ func (a adminAPIHandlers) DescribeBatchJob(w http.ResponseWriter, r *http.Reques func (a adminAPIHandlers) StartBatchJob(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, creds := validateAdminReq(ctx, w, r, iampolicy.StartBatchJobAction) + objectAPI, creds := validateAdminReq(ctx, w, r, policy.StartBatchJobAction) if objectAPI == nil { return } @@ -1397,7 +1397,7 @@ func (a adminAPIHandlers) StartBatchJob(w http.ResponseWriter, r *http.Request) func (a adminAPIHandlers) CancelBatchJob(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.CancelBatchJobAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.CancelBatchJobAction) if objectAPI == nil { return } diff --git a/cmd/iam-store.go b/cmd/iam-store.go index d32dce855..35b52a5b0 100644 --- a/cmd/iam-store.go +++ b/cmd/iam-store.go 
@@ -34,7 +34,7 @@ import ( "github.com/minio/minio/internal/config/identity/openid" "github.com/minio/minio/internal/jwt" "github.com/minio/minio/internal/logger" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) const ( @@ -212,12 +212,12 @@ func newMappedPolicy(policy string) MappedPolicy { // PolicyDoc represents an IAM policy with some metadata. type PolicyDoc struct { Version int `json:",omitempty"` - Policy iampolicy.Policy + Policy policy.Policy CreateDate time.Time `json:",omitempty"` UpdateDate time.Time `json:",omitempty"` } -func newPolicyDoc(p iampolicy.Policy) PolicyDoc { +func newPolicyDoc(p policy.Policy) PolicyDoc { now := UTCNow().Round(time.Millisecond) return PolicyDoc{ Version: 1, @@ -228,14 +228,14 @@ func newPolicyDoc(p iampolicy.Policy) PolicyDoc { } // defaultPolicyDoc - used to wrap a default policy as PolicyDoc. -func defaultPolicyDoc(p iampolicy.Policy) PolicyDoc { +func defaultPolicyDoc(p policy.Policy) PolicyDoc { return PolicyDoc{ Version: 1, Policy: p, } } -func (d *PolicyDoc) update(p iampolicy.Policy) { +func (d *PolicyDoc) update(p policy.Policy) { now := UTCNow().Round(time.Millisecond) d.UpdateDate = now if d.CreateDate.IsZero() { @@ -248,7 +248,7 @@ func (d *PolicyDoc) update(p iampolicy.Policy) { // definitions. // // The on-disk format of policy definitions has changed (around early 12/2021) -// from iampolicy.Policy to PolicyDoc. To avoid a migration, loading supports +// from policy.Policy to PolicyDoc. To avoid a migration, loading supports // both the old and the new formats. func (d *PolicyDoc) parseJSON(data []byte) error { json := jsoniter.ConfigCompatibleWithStandardLibrary 
@@ -474,7 +474,7 @@ type iamStorageWatcher interface { // Set default canned policies only if not already overridden by users. func setDefaultCannedPolicies(policies map[string]PolicyDoc) { - for _, v := range iampolicy.DefaultPolicies { + for _, v := range policy.DefaultPolicies { if _, ok := policies[v.Name]; !ok { policies[v.Name] = defaultPolicyDoc(v.Definition) } @@ -1192,16 +1192,16 @@ func (store *IAMStoreSys) DeletePolicy(ctx context.Context, policy string) error // GetPolicy - gets the policy definition. Allows specifying multiple comma // separated policies - returns a combined policy. -func (store *IAMStoreSys) GetPolicy(name string) (iampolicy.Policy, error) { +func (store *IAMStoreSys) GetPolicy(name string) (policy.Policy, error) { if name == "" { - return iampolicy.Policy{}, errInvalidArgument + return policy.Policy{}, errInvalidArgument } cache := store.rlock() defer store.runlock() policies := newMappedPolicy(name).toSlice() - var toMerge []iampolicy.Policy + var toMerge []policy.Policy for _, policy := range policies { if policy == "" { continue @@ -1212,7 +1212,7 @@ func (store *IAMStoreSys) GetPolicy(name string) (iampolicy.Policy, error) { } toMerge = append(toMerge, v.Policy) } - return iampolicy.MergePolicies(toMerge...), nil + return policy.MergePolicies(toMerge...), nil } // GetPolicyDoc - gets the policy doc which has the policy and some metadata. @@ -1234,7 +1234,7 @@ func (store *IAMStoreSys) GetPolicyDoc(name string) (r PolicyDoc, err error) { } // SetPolicy - creates a policy with name. -func (store *IAMStoreSys) SetPolicy(ctx context.Context, name string, policy iampolicy.Policy) (time.Time, error) { +func (store *IAMStoreSys) SetPolicy(ctx context.Context, name string, policy policy.Policy) (time.Time, error) { if policy.IsEmpty() || name == "" { return time.Time{}, errInvalidArgument } 
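Review bot: Dropping the `iampolicy` alias makes the bare package name `policy`, and in the GetPolicy hunk the loop variable `for _, policy := range policies` now shadows that package inside the loop body, while in the SetPolicy hunk the parameter `policy policy.Policy` shadows it for the whole function body, so that body can no longer refer to `policy.MergePolicies`, `policy.SessionPolicyName` or any other package member (the visible `policy.IsEmpty()` is a method on the parameter and still compiles; the rest of SetPolicy lies outside the hunk). Renaming the parameter the way cmd/iam.go already does for IAMSys.SetPolicy, `func (store *IAMStoreSys) SetPolicy(ctx context.Context, name string, p policy.Policy) (time.Time, error) {` with `if p.IsEmpty() || name == "" {`, removes the trap. The same shadowing appears in filterPolicies (`for _, policy := range mp.toSlice()`) in the following cmd/iam-store.go hunks and in GetCombinedPolicy in cmd/iam.go (`_, policy := sys.store.FilterPolicies(...)`), and the hunk headers for DeletePolicy and newMappedPolicy suggest untouched functions with a `policy string` parameter carry it as well. A later edit inside one of these bodies that reaches for a package member would fail to compile rather than misbehave, but since these are the IAM authorization paths it is worth clearing the shadowing (as `go vet`'s shadow analyzer would flag) in this rename rather than leaving it for the next change.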
@@ -1264,7 +1264,7 @@ func (store *IAMStoreSys) SetPolicy(ctx context.Context, name string, policy iam // ListPolicies - fetches all policies from storage and updates cache as well. // If bucketName is non-empty, returns policies matching the bucket. -func (store *IAMStoreSys) ListPolicies(ctx context.Context, bucketName string) (map[string]iampolicy.Policy, error) { +func (store *IAMStoreSys) ListPolicies(ctx context.Context, bucketName string) (map[string]policy.Policy, error) { cache := store.lock() defer store.unlock() @@ -1280,7 +1280,7 @@ func (store *IAMStoreSys) ListPolicies(ctx context.Context, bucketName string) ( cache.iamPolicyDocsMap = m cache.updatedAt = time.Now() - ret := map[string]iampolicy.Policy{} + ret := map[string]policy.Policy{} for k, v := range m { if bucketName == "" || v.Policy.MatchResource(bucketName) { ret[k] = v.Policy @@ -1333,10 +1333,10 @@ func (store *IAMStoreSys) listPolicyDocs(ctx context.Context, bucketName string) } // helper function - does not take locks. -func filterPolicies(cache *iamCache, policyName string, bucketName string) (string, iampolicy.Policy) { +func filterPolicies(cache *iamCache, policyName string, bucketName string) (string, policy.Policy) { var policies []string mp := newMappedPolicy(policyName) - var toMerge []iampolicy.Policy + var toMerge []policy.Policy for _, policy := range mp.toSlice() { if policy == "" { continue @@ -1350,7 +1350,7 @@ func filterPolicies(cache *iamCache, policyName string, bucketName string) (stri toMerge = append(toMerge, p.Policy) } } - return strings.Join(policies, ","), iampolicy.MergePolicies(toMerge...) + return strings.Join(policies, ","), policy.MergePolicies(toMerge...) } // FilterPolicies - accepts a comma separated list of policy names as a string 
@@ -1358,7 +1358,7 @@ func filterPolicies(cache *iamCache, policyName string, bucketName string) (stri // bucketName is non-empty, additionally filters policies matching the bucket. // The first returned value is the list of currently existing policies, and the // second is their combined policy definition. -func (store *IAMStoreSys) FilterPolicies(policyName string, bucketName string) (string, iampolicy.Policy) { +func (store *IAMStoreSys) FilterPolicies(policyName string, bucketName string) (string, policy.Policy) { cache := store.rlock() defer store.runlock() @@ -2151,8 +2151,8 @@ func (store *IAMStoreSys) UpdateServiceAccount(ctx context.Context, accessKey st // sessionPolicy is nil and there is embedded policy attached we remove // embedded policy at that point. - if _, ok := m[iampolicy.SessionPolicyName]; ok && opts.sessionPolicy == nil { - delete(m, iampolicy.SessionPolicyName) + if _, ok := m[policy.SessionPolicyName]; ok && opts.sessionPolicy == nil { + delete(m, policy.SessionPolicyName) m[iamPolicyClaimNameSA()] = inheritedPolicyType } @@ -2171,7 +2171,7 @@ func (store *IAMStoreSys) UpdateServiceAccount(ctx context.Context, accessKey st } // Overwrite session policy claims. - m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString(policyBuf) + m[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString(policyBuf) m[iamPolicyClaimNameSA()] = embeddedPolicyType } diff --git a/cmd/iam.go b/cmd/iam.go index ebc589bfb..54452d42e 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -47,7 +47,7 @@ import ( xhttp "github.com/minio/minio/internal/http" "github.com/minio/minio/internal/jwt" "github.com/minio/minio/internal/logger" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" etcd "go.etcd.io/etcd/client/v3" ) 
@@ -536,7 +536,7 @@ func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string, notifyPe return errServerNotInitialized } - for _, v := range iampolicy.DefaultPolicies { + for _, v := range policy.DefaultPolicies { if v.Name == policyName { if err := checkConfig(ctx, globalObjectAPI, getPolicyDocPath(policyName)); err != nil && err == errConfigNotFound { return fmt.Errorf("inbuilt policy `%s` not allowed to be deleted", policyName) @@ -589,7 +589,7 @@ func (sys *IAMSys) InfoPolicy(policyName string) (*madmin.PolicyInfo, error) { } // ListPolicies - lists all canned policies. -func (sys *IAMSys) ListPolicies(ctx context.Context, bucketName string) (map[string]iampolicy.Policy, error) { +func (sys *IAMSys) ListPolicies(ctx context.Context, bucketName string) (map[string]policy.Policy, error) { if !sys.Initialized() { return nil, errServerNotInitialized } @@ -607,7 +607,7 @@ func (sys *IAMSys) ListPolicyDocs(ctx context.Context, bucketName string) (map[s } // SetPolicy - sets a new named policy. -func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p iampolicy.Policy) (time.Time, error) { +func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p policy.Policy) (time.Time, error) { if !sys.Initialized() { return time.Time{}, errServerNotInitialized } @@ -922,7 +922,7 @@ func (sys *IAMSys) notifyForServiceAccount(ctx context.Context, accessKey string } type newServiceAccountOpts struct { - sessionPolicy *iampolicy.Policy + sessionPolicy *policy.Policy accessKey string secretKey string name, description string @@ -969,7 +969,7 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro m[parentClaim] = parentUser if len(policyBuf) > 0 { - m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString(policyBuf) + m[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString(policyBuf) m[iamPolicyClaimNameSA()] = embeddedPolicyType } else { m[iamPolicyClaimNameSA()] = inheritedPolicyType 
@@ -1021,7 +1021,7 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro } type updateServiceAccountOpts struct { - sessionPolicy *iampolicy.Policy + sessionPolicy *policy.Policy secretKey string status string name, description string @@ -1072,7 +1072,7 @@ func (sys *IAMSys) ListTempAccounts(ctx context.Context, accessKey string) ([]Us } // GetServiceAccount - wrapper method to get information about a service account -func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (auth.Credentials, *iampolicy.Policy, error) { +func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (auth.Credentials, *policy.Policy, error) { sa, embeddedPolicy, err := sys.getServiceAccount(ctx, accessKey) if err != nil { return auth.Credentials{}, nil, err @@ -1083,7 +1083,7 @@ func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (aut return sa.Credentials, embeddedPolicy, nil } -func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (UserIdentity, *iampolicy.Policy, error) { +func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (UserIdentity, *policy.Policy, error) { sa, jwtClaims, err := sys.getAccountWithClaims(ctx, accessKey) if err != nil { if err == errNoSuchAccount { 
@@ -1095,16 +1095,16 @@ func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (Use return UserIdentity{}, nil, errNoSuchServiceAccount } - var embeddedPolicy *iampolicy.Policy + var embeddedPolicy *policy.Policy pt, ptok := jwtClaims.Lookup(iamPolicyClaimNameSA()) - sp, spok := jwtClaims.Lookup(iampolicy.SessionPolicyName) + sp, spok := jwtClaims.Lookup(policy.SessionPolicyName) if ptok && spok && pt == embeddedPolicyType { policyBytes, err := base64.StdEncoding.DecodeString(sp) if err != nil { return UserIdentity{}, nil, err } - embeddedPolicy, err = iampolicy.ParseConfig(bytes.NewReader(policyBytes)) + embeddedPolicy, err = policy.ParseConfig(bytes.NewReader(policyBytes)) if err != nil { return UserIdentity{}, nil, err } @@ -1114,7 +1114,7 @@ func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (Use } // GetTemporaryAccount - wrapper method to get information about a temporary account -func (sys *IAMSys) GetTemporaryAccount(ctx context.Context, accessKey string) (auth.Credentials, *iampolicy.Policy, error) { +func (sys *IAMSys) GetTemporaryAccount(ctx context.Context, accessKey string) (auth.Credentials, *policy.Policy, error) { tmpAcc, embeddedPolicy, err := sys.getTempAccount(ctx, accessKey) if err != nil { return auth.Credentials{}, nil, err @@ -1125,7 +1125,7 @@ func (sys *IAMSys) GetTemporaryAccount(ctx context.Context, accessKey string) (a return tmpAcc.Credentials, embeddedPolicy, nil } -func (sys *IAMSys) getTempAccount(ctx context.Context, accessKey string) (UserIdentity, *iampolicy.Policy, error) { +func (sys *IAMSys) getTempAccount(ctx context.Context, accessKey string) (UserIdentity, *policy.Policy, error) { tmpAcc, claims, err := sys.getAccountWithClaims(ctx, accessKey) if err != nil { if err == errNoSuchAccount { 
@@ -1137,15 +1137,15 @@ func (sys *IAMSys) getTempAccount(ctx context.Context, accessKey string) (UserId return UserIdentity{}, nil, errNoSuchTempAccount } - var embeddedPolicy *iampolicy.Policy + var embeddedPolicy *policy.Policy - sp, spok := claims.Lookup(iampolicy.SessionPolicyName) + sp, spok := claims.Lookup(policy.SessionPolicyName) if spok { policyBytes, err := base64.StdEncoding.DecodeString(sp) if err != nil { return UserIdentity{}, nil, err } - embeddedPolicy, err = iampolicy.ParseConfig(bytes.NewReader(policyBytes)) + embeddedPolicy, err = policy.ParseConfig(bytes.NewReader(policyBytes)) if err != nil { return UserIdentity{}, nil, err } @@ -1723,11 +1723,11 @@ func (sys *IAMSys) PolicyDBGet(name string, isGroup bool, groups ...string) ([]s return sys.store.PolicyDBGet(name, isGroup, groups...) } -const sessionPolicyNameExtracted = iampolicy.SessionPolicyName + "-extracted" +const sessionPolicyNameExtracted = policy.SessionPolicyName + "-extracted" // IsAllowedServiceAccount - checks if the given service account is allowed to perform // actions. The permission of the parent user is checked first -func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parentUser string) bool { +func (sys *IAMSys) IsAllowedServiceAccount(args policy.Args, parentUser string) bool { // Verify if the parent claim matches the parentUser. p, ok := args.Claims[parentClaim] if ok { @@ -1778,7 +1778,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parentUser strin // Finally, if there is no parent policy, check if a policy claim is // present. if len(svcPolicies) == 0 { - policySet, _ := iampolicy.GetPoliciesFromClaims(args.Claims, iamPolicyClaimNameOpenID()) + policySet, _ := policy.GetPoliciesFromClaims(args.Claims, iamPolicyClaimNameOpenID()) svcPolicies = policySet.ToSlice() } } 
@@ -1788,7 +1788,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parentUser strin return false } - var combinedPolicy iampolicy.Policy + var combinedPolicy policy.Policy // Policies were found, evaluate all of them. if !isOwnerDerived { availablePoliciesStr, c := sys.store.FilterPolicies(strings.Join(svcPolicies, ","), "") @@ -1831,7 +1831,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parentUser strin } // Check if policy is parseable. - subPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(spolicyStr))) + subPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(spolicyStr))) if err != nil { // Log any error in input session policy config. logger.LogIf(GlobalContext, err) @@ -1853,7 +1853,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parentUser strin // IsAllowedSTS is meant for STS based temporary credentials, // which implements claims validation and verification other than // applying policies. -func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args, parentUser string) bool { +func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool { // 1. Determine mapped policies isOwnerDerived := parentUser == globalActiveCred.AccessKey @@ -1905,7 +1905,7 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args, parentUser string) bool { // 2. Combine the mapped policies into a single combined policy. - var combinedPolicy iampolicy.Policy + var combinedPolicy policy.Policy if !isOwnerDerived { var err error combinedPolicy, err = sys.store.GetPolicy(strings.Join(policies, ",")) @@ -1937,7 +1937,7 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args, parentUser string) bool { return isOwnerDerived || combinedPolicy.IsAllowed(args) } -func isAllowedBySessionPolicy(args iampolicy.Args) (hasSessionPolicy bool, isAllowed bool) { +func isAllowedBySessionPolicy(args policy.Args) (hasSessionPolicy bool, isAllowed bool) { hasSessionPolicy = false isAllowed = false 
@@ -1957,7 +1957,7 @@ func isAllowedBySessionPolicy(args iampolicy.Args) (hasSessionPolicy bool, isAll } // Check if policy is parseable. - subPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(spolicyStr))) + subPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(spolicyStr))) if err != nil { // Log any error in input session policy config. logger.LogIf(GlobalContext, err) @@ -1974,13 +1974,13 @@ func isAllowedBySessionPolicy(args iampolicy.Args) (hasSessionPolicy bool, isAll } // GetCombinedPolicy returns a combined policy combining all policies -func (sys *IAMSys) GetCombinedPolicy(policies ...string) iampolicy.Policy { +func (sys *IAMSys) GetCombinedPolicy(policies ...string) policy.Policy { _, policy := sys.store.FilterPolicies(strings.Join(policies, ","), "") return policy } // IsAllowed - checks given policy args is allowed to continue the Rest API. -func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool { +func (sys *IAMSys) IsAllowed(args policy.Args) bool { // If opa is configured, use OPA always. if authz := newGlobalAuthZPluginFn(); authz != nil { ok, err := authz.IsAllowed(args) diff --git a/cmd/jwt.go b/cmd/jwt.go index f88a7332e..b5d192963 100644 --- a/cmd/jwt.go +++ b/cmd/jwt.go @@ -28,7 +28,7 @@ import ( "github.com/minio/minio/internal/auth" xjwt "github.com/minio/minio/internal/jwt" "github.com/minio/minio/internal/logger" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) const ( @@ -148,7 +148,7 @@ func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, b } // Now check if we have a sessionPolicy. - if _, ok = eclaims[iampolicy.SessionPolicyName]; ok { + if _, ok = eclaims[policy.SessionPolicyName]; ok { owner = false } else { owner = globalActiveCred.AccessKey == ucred.ParentUser diff --git a/cmd/kms-handlers.go b/cmd/kms-handlers.go index ae4810daa..aee3c3e87 100644 --- a/cmd/kms-handlers.go +++ b/cmd/kms-handlers.go 
@@ -29,14 +29,14 @@ import ( "github.com/minio/madmin-go/v3" "github.com/minio/minio/internal/kms" "github.com/minio/minio/internal/logger" - iampolicy "github.com/minio/pkg/v2/policy" + "github.com/minio/pkg/v2/policy" ) // KMSStatusHandler - GET /minio/kms/v1/status func (a kmsAPIHandlers) KMSStatusHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "KMSStatus") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSStatusAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSStatusAction) if objectAPI == nil { return } @@ -74,7 +74,7 @@ func (a kmsAPIHandlers) KMSMetricsHandler(w http.ResponseWriter, r *http.Request ctx := newContext(r, w, "KMSMetrics") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSMetricsAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSMetricsAction) if objectAPI == nil { return } @@ -106,7 +106,7 @@ func (a kmsAPIHandlers) KMSAPIsHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "KMSAPIs") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSAPIAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSAPIAction) if objectAPI == nil { return } @@ -143,7 +143,7 @@ func (a kmsAPIHandlers) KMSVersionHandler(w http.ResponseWriter, r *http.Request ctx := newContext(r, w, "KMSVersion") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSVersionAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSVersionAction) if objectAPI == nil { return } 
@@ -183,7 +183,7 @@ func (a kmsAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Reque } defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSCreateKeyAction) if objectAPI == nil { return } @@ -211,7 +211,7 @@ func (a kmsAPIHandlers) KMSDeleteKeyHandler(w http.ResponseWriter, r *http.Reque ctx := newContext(r, w, "KMSDeleteKey") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSDeleteKeyAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSDeleteKeyAction) if objectAPI == nil { return } @@ -246,7 +246,7 @@ func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Reques } defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSListKeysAction) if objectAPI == nil { return } @@ -297,7 +297,7 @@ func (a kmsAPIHandlers) KMSImportKeyHandler(w http.ResponseWriter, r *http.Reque ctx := newContext(r, w, "KMSImportKey") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSImportKeyAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSImportKeyAction) if objectAPI == nil { return } @@ -328,7 +328,7 @@ func (a kmsAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Reque ctx := newContext(r, w, "KMSKeyStatus") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSKeyStatusAction) + objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSKeyStatusAction) if objectAPI == nil { return } 
@@ -404,7 +404,7 @@ func (a kmsAPIHandlers) KMSDescribePolicyHandler(w http.ResponseWriter, r *http.
 ctx := newContext(r, w, "KMSDescribePolicy")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSDescribePolicyAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSDescribePolicyAction)
 if objectAPI == nil {
 return
 }
@@ -440,7 +440,7 @@ func (a kmsAPIHandlers) KMSAssignPolicyHandler(w http.ResponseWriter, r *http.Re
 ctx := newContext(r, w, "KMSAssignPolicy")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSAssignPolicyAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSAssignPolicyAction)
 if objectAPI == nil {
 return
 }
@@ -472,7 +472,7 @@ func (a kmsAPIHandlers) KMSDeletePolicyHandler(w http.ResponseWriter, r *http.Re
 ctx := newContext(r, w, "KMSDeletePolicy")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSDeletePolicyAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSDeletePolicyAction)
 if objectAPI == nil {
 return
 }
@@ -499,7 +499,7 @@ func (a kmsAPIHandlers) KMSListPoliciesHandler(w http.ResponseWriter, r *http.Re
 ctx := newContext(r, w, "KMSListPolicies")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListPoliciesAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSListPoliciesAction)
 if objectAPI == nil {
 return
 }
@@ -546,7 +546,7 @@ func (a kmsAPIHandlers) KMSGetPolicyHandler(w http.ResponseWriter, r *http.Reque
 ctx := newContext(r, w, "KMSGetPolicy")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSGetPolicyAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSGetPolicyAction)
 if objectAPI == nil {
 return
 }
@@ -578,7 +578,7 @@ func (a kmsAPIHandlers) KMSDescribeIdentityHandler(w http.ResponseWriter, r *htt
 ctx := newContext(r, w, "KMSDescribeIdentity")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSDescribeIdentityAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSDescribeIdentityAction)
 if objectAPI == nil {
 return
 }
@@ -619,7 +619,7 @@ func (a kmsAPIHandlers) KMSDescribeSelfIdentityHandler(w http.ResponseWriter, r
 ctx := newContext(r, w, "KMSDescribeSelfIdentity")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSDescribeSelfIdentityAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSDescribeSelfIdentityAction)
 if objectAPI == nil {
 return
 }
@@ -659,7 +659,7 @@ func (a kmsAPIHandlers) KMSDeleteIdentityHandler(w http.ResponseWriter, r *http.
 ctx := newContext(r, w, "KMSDeleteIdentity")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSDeleteIdentityAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSDeleteIdentityAction)
 if objectAPI == nil {
 return
 }
@@ -686,7 +686,7 @@ func (a kmsAPIHandlers) KMSListIdentitiesHandler(w http.ResponseWriter, r *http.
 ctx := newContext(r, w, "KMSListIdentities")
 defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListIdentitiesAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, policy.KMSListIdentitiesAction)
 if objectAPI == nil {
 return
 }
diff --git a/cmd/metrics.go b/cmd/metrics.go
index 018c35a72..2f45d3d21 100644
--- a/cmd/metrics.go
+++ b/cmd/metrics.go
@@ -25,7 +25,7 @@ import (
 "github.com/minio/minio/internal/auth"
 "github.com/minio/minio/internal/logger"
 "github.com/minio/minio/internal/mcontext"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/prometheus/common/expfmt"
 )
@@ -633,10 +633,10 @@ func AuthMiddleware(h http.Handler) http.Handler {
 }
 // For authenticated users apply IAM policy.
- if !globalIAMSys.IsAllowed(iampolicy.Args{
+ if !globalIAMSys.IsAllowed(policy.Args{
 AccountName: cred.AccessKey,
 Groups: cred.Groups,
- Action: iampolicy.PrometheusAdminAction,
+ Action: policy.PrometheusAdminAction,
 ConditionValues: getConditionValues(r, "", cred),
 IsOwner: owner,
 Claims: cred.Claims,
diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go
index 4ba4fbe01..94e879cca 100644
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -30,7 +30,7 @@ import (
 "github.com/minio/minio/internal/hash/sha256"
 xhttp "github.com/minio/minio/internal/http"
 "github.com/minio/minio/internal/logger"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 "golang.org/x/exp/slices"
 )
@@ -180,7 +180,7 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
 return cred, owner, ErrAccessKeyDisabled
 }
- if _, ok := claims[iampolicy.SessionPolicyName]; ok {
+ if _, ok := claims[policy.SessionPolicyName]; ok {
 owner = false
 }
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index c44b2eb6c..beb05370e 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -36,7 +36,7 @@ import (
 xhttp "github.com/minio/minio/internal/http"
 "github.com/minio/minio/internal/logger"
 "github.com/minio/mux"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 "github.com/minio/pkg/v2/wildcard"
 )
@@ -243,7 +243,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 }
 if len(sessionPolicyStr) > 0 {
- sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
+ sessionPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
 if err != nil {
 writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
 return
@@ -273,7 +273,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 }
 if len(sessionPolicyStr) > 0 {
- claims[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
+ claims[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
 }
 secret := globalActiveCred.SecretKey
@@ -408,7 +408,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 // JWT. This is a MinIO STS API specific value, this value
 // should be set and configured on your identity provider as
 // part of JWT custom claims.
- policySet, ok := iampolicy.GetPoliciesFromClaims(claims, iamPolicyClaimNameOpenID())
+ policySet, ok := policy.GetPoliciesFromClaims(claims, iamPolicyClaimNameOpenID())
 policies := strings.Join(policySet.ToSlice(), ",")
 if ok {
 policyName = globalIAMSys.CurrentPolicies(policies)
@@ -438,7 +438,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 }
 if len(sessionPolicyStr) > 0 {
- sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
+ sessionPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
 if err != nil {
 writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
 return
@@ -450,7 +450,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 return
 }
- claims[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
+ claims[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
 }
 secret := globalActiveCred.SecretKey
@@ -604,7 +604,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 }
 if len(sessionPolicyStr) > 0 {
- sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
+ sessionPolicy, err := policy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
 if err != nil {
 writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
 return
@@ -649,7 +649,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 claims[ldapUserN] = ldapUsername
 if len(sessionPolicyStr) > 0 {
- claims[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
+ claims[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
 }
 secret := globalActiveCred.SecretKey
diff --git a/cmd/tier-handlers.go b/cmd/tier-handlers.go
index cb8386555..856c5ca57 100644
--- a/cmd/tier-handlers.go
+++ b/cmd/tier-handlers.go
@@ -27,7 +27,7 @@ import (
 "github.com/minio/madmin-go/v3"
 "github.com/minio/minio/internal/config/storageclass"
 "github.com/minio/mux"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 )
 var (
@@ -72,7 +72,7 @@ var (
 func (api adminAPIHandlers) AddTierHandler(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
- objAPI, cred := validateAdminReq(ctx, w, r, iampolicy.SetTierAction)
+ objAPI, cred := validateAdminReq(ctx, w, r, policy.SetTierAction)
 if objAPI == nil {
 return
 }
@@ -128,7 +128,7 @@ func (api adminAPIHandlers) AddTierHandler(w http.ResponseWriter, r *http.Reques
 func (api adminAPIHandlers) ListTierHandler(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
- objAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListTierAction)
+ objAPI, _ := validateAdminReq(ctx, w, r, policy.ListTierAction)
 if objAPI == nil {
 return
 }
@@ -146,7 +146,7 @@ func (api adminAPIHandlers) ListTierHandler(w http.ResponseWriter, r *http.Reque
 func (api adminAPIHandlers) EditTierHandler(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
- objAPI, cred := validateAdminReq(ctx, w, r, iampolicy.SetTierAction)
+ objAPI, cred := validateAdminReq(ctx, w, r, policy.SetTierAction)
 if objAPI == nil {
 return
 }
@@ -190,7 +190,7 @@ func (api adminAPIHandlers) EditTierHandler(w http.ResponseWriter, r *http.Reque
 func (api adminAPIHandlers) RemoveTierHandler(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
- objAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetTierAction)
+ objAPI, _ := validateAdminReq(ctx, w, r, policy.SetTierAction)
 if objAPI == nil {
 return
 }
@@ -219,7 +219,7 @@ func (api adminAPIHandlers) RemoveTierHandler(w http.ResponseWriter, r *http.Req
 func (api adminAPIHandlers) VerifyTierHandler(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
- objAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListTierAction)
+ objAPI, _ := validateAdminReq(ctx, w, r, policy.ListTierAction)
 if objAPI == nil {
 return
 }
@@ -237,7 +237,7 @@ func (api adminAPIHandlers) VerifyTierHandler(w http.ResponseWriter, r *http.Req
 func (api adminAPIHandlers) TierStatsHandler(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
- objAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListTierAction)
+ objAPI, _ := validateAdminReq(ctx, w, r, policy.ListTierAction)
 if objAPI == nil {
 return
 }
diff --git a/internal/config/identity/openid/jwt.go b/internal/config/identity/openid/jwt.go
index 488b34e63..b28eccb81 100644
--- a/internal/config/identity/openid/jwt.go
+++ b/internal/config/identity/openid/jwt.go
@@ -31,7 +31,7 @@ import (
 "github.com/minio/minio/internal/arn"
 "github.com/minio/minio/internal/auth"
 xnet "github.com/minio/pkg/v2/net"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 )
 type publicKeys struct {
@@ -198,7 +198,7 @@ func (r *Config) Validate(ctx context.Context, arn arn.ARN, token, accessToken,
 // array of case sensitive strings. In the common special case
 // when there is one audience, the aud value MAY be a single
 // case sensitive
- audValues, ok := iampolicy.GetValuesFromClaims(claims, audClaim)
+ audValues, ok := policy.GetValuesFromClaims(claims, audClaim)
 if !ok {
 return errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID")
 }
@@ -212,7 +212,7 @@ func (r *Config) Validate(ctx context.Context, arn arn.ARN, token, accessToken,
 // be included even when the authorized party is the same
 // as the sole audience. The azp value is a case sensitive
 // string containing a StringOrURI value
- azpValues, ok := iampolicy.GetValuesFromClaims(claims, azpClaim)
+ azpValues, ok := policy.GetValuesFromClaims(claims, azpClaim)
 if !ok {
 return errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
 }
diff --git a/internal/config/identity/openid/openid.go b/internal/config/identity/openid/openid.go
index 167e60e1c..787eaef33 100644
--- a/internal/config/identity/openid/openid.go
+++ b/internal/config/identity/openid/openid.go
@@ -37,7 +37,7 @@ import (
 "github.com/minio/minio/internal/config/identity/openid/provider"
 "github.com/minio/minio/internal/hash/sha256"
 xnet "github.com/minio/pkg/v2/net"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 )
 // OpenID keys and envs.
@@ -89,7 +89,7 @@ var (
 },
 config.KV{
 Key: ClaimName,
- Value: iampolicy.PolicyName,
+ Value: policy.PolicyName,
 },
 config.KV{
 Key: ClaimUserinfo,
@@ -307,9 +307,9 @@ func LookupConfig(s config.Config, transport http.RoundTripper, closeRespFn func
 }
 // Check if claim name is the non-default value and role policy is set.
- if p.ClaimName != iampolicy.PolicyName && p.RolePolicy != "" {
+ if p.ClaimName != policy.PolicyName && p.RolePolicy != "" {
 // In the unlikely event that the user specifies
- // `iampolicy.PolicyName` as the claim name explicitly and sets
+ // `policy.PolicyName` as the claim name explicitly and sets
 // a role policy, this check is thwarted, but we will be using
 // the role policy anyway.
 return c, config.Errorf("Role Policy (=`%s`) and Claim Name (=`%s`) cannot both be set", p.RolePolicy, p.ClaimName)
diff --git a/internal/config/policy/opa/config.go b/internal/config/policy/opa/config.go
index 89be91b65..bfde1f2a6 100644
--- a/internal/config/policy/opa/config.go
+++ b/internal/config/policy/opa/config.go
@@ -26,7 +26,7 @@ import (
 "github.com/minio/minio/internal/config"
 "github.com/minio/pkg/v2/env"
 xnet "github.com/minio/pkg/v2/net"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 )
 // Env IAM OPA URL
@@ -162,7 +162,7 @@ func New(args Args) *Opa {
 }
 // IsAllowed - checks given policy args is allowed to continue the REST API.
-func (o *Opa) IsAllowed(args iampolicy.Args) (bool, error) {
+func (o *Opa) IsAllowed(args policy.Args) (bool, error) {
 if o == nil {
 return false, nil
 }
diff --git a/internal/config/policy/plugin/config.go b/internal/config/policy/plugin/config.go
index 722f92829..da168b530 100644
--- a/internal/config/policy/plugin/config.go
+++ b/internal/config/policy/plugin/config.go
@@ -27,7 +27,7 @@ import (
 "github.com/minio/minio/internal/config"
 xhttp "github.com/minio/minio/internal/http"
 xnet "github.com/minio/pkg/v2/net"
- iampolicy "github.com/minio/pkg/v2/policy"
+ "github.com/minio/pkg/v2/policy"
 )
 // Authorization Plugin config and env variables
@@ -179,7 +179,7 @@ func New(args Args) *AuthZPlugin {
 }
 // IsAllowed - checks given policy args is allowed to continue the REST API.
-func (o *AuthZPlugin) IsAllowed(args iampolicy.Args) (bool, error) {
+func (o *AuthZPlugin) IsAllowed(args policy.Args) (bool, error) {
 if o == nil {
 return false, nil
 }