Add numeric/date policy conditions (#9233)

add new policy conditions - NumericEquals - NumericNotEquals - NumericLessThan - NumericLessThanEquals - NumericGreaterThan - NumericGreaterThanEquals - DateEquals - DateNotEquals - DateLessThan - DateLessThanEquals - DateGreaterThan - DateGreaterThanEquals
2025-11-10 05:59:43 -05:00 · 2020-04-01 00:04:25 -07:00
parent c8243706b4
commit d8af244708
21 changed files with 1162 additions and 100 deletions
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -491,7 +491,7 @@ func isPutActionAllowed(atype authType, bucketName, objectName string, r *http.R
 	if cred.AccessKey == "" {
 		if globalPolicySys.IsAllowed(policy.Args{
 			AccountName:     cred.AccessKey,
-			Action:          policy.PutObjectAction,
+			Action:          policy.Action(action),
 			BucketName:      bucketName,
 			ConditionValues: getConditionValues(r, "", "", nil),
 			IsOwner:         false,
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1312,7 +1312,6 @@ var iamAccountWriteAccessActions = iampolicy.NewActionSet(
 )

 var iamAccountOtherAccessActions = iampolicy.NewActionSet(
-	iampolicy.BypassGovernanceModeAction,
 	iampolicy.BypassGovernanceRetentionAction,
 	iampolicy.PutObjectRetentionAction,
 	iampolicy.GetObjectRetentionAction,
--- a/cmd/object-lock.go
+++ b/cmd/object-lock.go
@@ -19,6 +19,7 @@ package cmd
 import (
 	"bytes"
 	"context"
+	"errors"
 	"net/http"
 	"path"

@@ -251,7 +252,7 @@ func initBucketObjectLockConfig(buckets []BucketInfo, objAPI ObjectLayer) error
 		configFile := path.Join(bucketConfigPrefix, bucket.Name, bucketObjectLockEnabledConfigFile)
 		bucketObjLockData, err := readConfig(ctx, objAPI, configFile)
 		if err != nil {
-			if err == errConfigNotFound {
+			if errors.Is(err, errConfigNotFound) {
 				continue
 			}
 			return err
@@ -266,7 +267,7 @@ func initBucketObjectLockConfig(buckets []BucketInfo, objAPI ObjectLayer) error
 		configFile = path.Join(bucketConfigPrefix, bucket.Name, objectLockConfig)
 		configData, err := readConfig(ctx, objAPI, configFile)
 		if err != nil {
-			if err == errConfigNotFound {
+			if errors.Is(err, errConfigNotFound) {
 				globalBucketObjectLockConfig.Set(bucket.Name, objectlock.Retention{})
 				continue
 			}
--- a/cmd/policy.go
+++ b/cmd/policy.go
@@ -22,14 +22,17 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"path"
+	"strings"
 	"sync"
+	"time"

 	jsoniter "github.com/json-iterator/go"
 	miniogopolicy "github.com/minio/minio-go/v6/pkg/policy"
+	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/bucket/policy"
-	"github.com/minio/minio/pkg/event"
 	"github.com/minio/minio/pkg/handlers"
 )

@@ -145,14 +148,14 @@ func NewPolicySys() *PolicySys {

 func getConditionValues(request *http.Request, locationConstraint string, username string, claims map[string]interface{}) map[string][]string {
 	currTime := UTCNow()
-	principalType := func() string {
-		if username != "" {
-			return "User"
-		}
-		return "Anonymous"
-	}()
+
+	principalType := "Anonymous"
+	if username != "" {
+		principalType = "User"
+	}
+
 	args := map[string][]string{
-		"CurrenTime":      {currTime.Format(event.AMZTimeFormat)},
+		"CurrentTime":     {currTime.Format(time.RFC3339)},
 		"EpochTime":       {fmt.Sprintf("%d", currTime.Unix())},
 		"principaltype":   {principalType},
 		"SecureTransport": {fmt.Sprintf("%t", request.TLS != nil)},
@@ -163,26 +166,56 @@ func getConditionValues(request *http.Request, locationConstraint string, userna
 		"username":        {username},
 	}

-	for key, values := range request.Header {
-		if existingValues, found := args[key]; found {
-			args[key] = append(existingValues, values...)
-		} else {
-			args[key] = values
-		}
-	}
-
-	for key, values := range request.URL.Query() {
-		if existingValues, found := args[key]; found {
-			args[key] = append(existingValues, values...)
-		} else {
-			args[key] = values
-		}
-	}
-
 	if locationConstraint != "" {
 		args["LocationConstraint"] = []string{locationConstraint}
 	}

+	// TODO: support object-lock-remaining-retention-days
+	cloneHeader := request.Header.Clone()
+
+	for _, objLock := range []string{
+		xhttp.AmzObjectLockMode,
+		xhttp.AmzObjectLockLegalHold,
+		xhttp.AmzObjectLockRetainUntilDate,
+	} {
+		if values, ok := cloneHeader[objLock]; ok {
+			args[strings.TrimPrefix(objLock, "X-Amz-")] = values
+		}
+		cloneHeader.Del(objLock)
+	}
+
+	for key, values := range cloneHeader {
+		if existingValues, found := args[key]; found {
+			args[key] = append(existingValues, values...)
+		} else {
+			args[key] = values
+		}
+	}
+
+	var cloneURLValues = url.Values{}
+	for k, v := range request.URL.Query() {
+		cloneURLValues[k] = v
+	}
+
+	for _, objLock := range []string{
+		xhttp.AmzObjectLockMode,
+		xhttp.AmzObjectLockLegalHold,
+		xhttp.AmzObjectLockRetainUntilDate,
+	} {
+		if values, ok := cloneURLValues[objLock]; ok {
+			args[strings.TrimPrefix(objLock, "X-Amz-")] = values
+		}
+		cloneURLValues.Del(objLock)
+	}
+
+	for key, values := range cloneURLValues {
+		if existingValues, found := args[key]; found {
+			args[key] = append(existingValues, values...)
+		} else {
+			args[key] = values
+		}
+	}
+
 	// JWT specific values
 	for k, v := range claims {
 		vStr, ok := v.(string)
@@ -190,6 +223,7 @@ func getConditionValues(request *http.Request, locationConstraint string, userna
 			args[k] = []string{vStr}
 		}
 	}
+
 	return args
 }