allow tagging policy condition for GetObject (#15777)

2025-11-07 12:52:58 -05:00 · 2022-10-02 12:29:29 -07:00
parent ed5b67720c
commit f696a221af
10 changed files with 311 additions and 78 deletions
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@@ -36,6 +36,7 @@ func runAllIAMSTSTests(suite *TestSuiteIAM, c *check) {
 	// The STS for root test needs to be the first one after setup.
 	suite.TestSTSForRoot(c)
 	suite.TestSTS(c)
+	suite.TestSTSWithTags(c)
 	suite.TestSTSWithGroupPolicy(c)
 	suite.TearDownSuite(c)
 }
@@ -72,6 +73,117 @@ func TestIAMInternalIDPSTSServerSuite(t *testing.T) {
 	}
 }

+func (s *TestSuiteIAM) TestSTSWithTags(c *check) {
+	ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
+	defer cancel()
+
+	bucket := getRandomBucketName()
+	object := getRandomObjectName()
+	err := s.client.MakeBucket(ctx, bucket, minio.MakeBucketOptions{})
+	if err != nil {
+		c.Fatalf("bucket creat error: %v", err)
+	}
+
+	// Create policy, user and associate policy
+	policy := "mypolicy"
+	policyBytes := []byte(fmt.Sprintf(`{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect":     "Allow",
+      "Action":     "s3:GetObject",
+      "Resource":    "arn:aws:s3:::%s/*",
+      "Condition": {  "StringEquals": {"s3:ExistingObjectTag/security": "public" } }
+    },
+    {
+      "Effect":     "Allow",
+      "Action":     "s3:DeleteObjectTagging",
+      "Resource":    "arn:aws:s3:::%s/*",
+      "Condition": {  "StringEquals": {"s3:ExistingObjectTag/security": "public" } }
+    },
+    {
+      "Effect":     "Allow",
+      "Action":     "s3:DeleteObject",
+      "Resource":    "arn:aws:s3:::%s/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::%s/*"
+      ],
+      "Condition": {
+        "ForAllValues:StringLike": {
+          "s3:RequestObjectTagKeys": [
+            "security",
+            "virus"
+          ]
+        }
+      }
+    }
+  ]
+}`, bucket, bucket, bucket, bucket))
+	err = s.adm.AddCannedPolicy(ctx, policy, policyBytes)
+	if err != nil {
+		c.Fatalf("policy add error: %v", err)
+	}
+
+	accessKey, secretKey := mustGenerateCredentials(c)
+	err = s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
+	if err != nil {
+		c.Fatalf("Unable to set user: %v", err)
+	}
+
+	err = s.adm.SetPolicy(ctx, policy, accessKey, false)
+	if err != nil {
+		c.Fatalf("Unable to set policy: %v", err)
+	}
+
+	// confirm that the user is able to access the bucket
+	uClient := s.getUserClient(c, accessKey, secretKey, "")
+	c.mustPutObjectWithTags(ctx, uClient, bucket, object)
+	c.mustGetObject(ctx, uClient, bucket, object)
+
+	assumeRole := cr.STSAssumeRole{
+		Client:      s.TestSuiteCommon.client,
+		STSEndpoint: s.endPoint,
+		Options: cr.STSAssumeRoleOptions{
+			AccessKey: accessKey,
+			SecretKey: secretKey,
+			Location:  "",
+		},
+	}
+
+	value, err := assumeRole.Retrieve()
+	if err != nil {
+		c.Fatalf("err calling assumeRole: %v", err)
+	}
+
+	minioClient, err := minio.New(s.endpoint, &minio.Options{
+		Creds:     cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
+		Secure:    s.secure,
+		Transport: s.TestSuiteCommon.client.Transport,
+	})
+	if err != nil {
+		c.Fatalf("Error initializing client: %v", err)
+	}
+
+	// Validate sts creds can access the object
+	c.mustPutObjectWithTags(ctx, uClient, bucket, object)
+	c.mustGetObject(ctx, uClient, bucket, object)
+
+	// Validate that the client can remove objects
+	if err = minioClient.RemoveObjectTagging(ctx, bucket, object, minio.RemoveObjectTaggingOptions{}); err != nil {
+		c.Fatalf("user is unable to delete the object tags: %v", err)
+	}
+
+	if err = minioClient.RemoveObject(ctx, bucket, object, minio.RemoveObjectOptions{}); err != nil {
+		c.Fatalf("user is unable to delete the object: %v", err)
+	}
+}
+
 func (s *TestSuiteIAM) TestSTS(c *check) {
 	ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
 	defer cancel()