/* * MinIO Cloud Storage, (C) 2018 MinIO, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package iampolicy import ( "encoding/json" "path" "strings" "github.com/minio/minio/pkg/bucket/policy/condition" "github.com/minio/minio/pkg/wildcard" ) // ResourceARNPrefix - resource ARN prefix as per AWS S3 specification. const ResourceARNPrefix = "arn:aws:s3:::" // Resource - resource in policy statement. type Resource struct { BucketName string Pattern string } func (r Resource) isBucketPattern() bool { return !strings.Contains(r.Pattern, "/") || r.Pattern == "*" } func (r Resource) isObjectPattern() bool { return strings.Contains(r.Pattern, "/") || strings.Contains(r.BucketName, "*") || r.Pattern == "*/*" } // IsValid - checks whether Resource is valid or not. func (r Resource) IsValid() bool { return r.Pattern != "" } // Match - matches object name with resource pattern. func (r Resource) Match(resource string, conditionValues map[string][]string) bool { pattern := r.Pattern for _, key := range condition.CommonKeys { // Empty values are not supported for policy variables. if rvalues, ok := conditionValues[key.Name()]; ok && rvalues[0] != "" { pattern = strings.Replace(pattern, key.VarName(), rvalues[0], -1) } } if cp := path.Clean(resource); cp != "." && cp == pattern { return true } return wildcard.Match(pattern, resource) } // MarshalJSON - encodes Resource to JSON data. func (r Resource) MarshalJSON() ([]byte, error) { if !r.IsValid() { return nil, Errorf("invalid resource %v", r) } return json.Marshal(r.String()) } func (r Resource) String() string { return ResourceARNPrefix + r.Pattern } // UnmarshalJSON - decodes JSON data to Resource. func (r *Resource) UnmarshalJSON(data []byte) error { var s string if err := json.Unmarshal(data, &s); err != nil { return err } parsedResource, err := parseResource(s) if err != nil { return err } *r = parsedResource return nil } // Validate - validates Resource is for given bucket or not. func (r Resource) Validate() error { if !r.IsValid() { return Errorf("invalid resource") } return nil } // parseResource - parses string to Resource. func parseResource(s string) (Resource, error) { if !strings.HasPrefix(s, ResourceARNPrefix) { return Resource{}, Errorf("invalid resource '%v'", s) } pattern := strings.TrimPrefix(s, ResourceARNPrefix) tokens := strings.SplitN(pattern, "/", 2) bucketName := tokens[0] if bucketName == "" { return Resource{}, Errorf("invalid resource format '%v'", s) } return Resource{ BucketName: bucketName, Pattern: pattern, }, nil } // NewResource - creates new resource. func NewResource(bucketName, keyName string) Resource { pattern := bucketName if keyName != "" { if !strings.HasPrefix(keyName, "/") { pattern += "/" } pattern += keyName } return Resource{ BucketName: bucketName, Pattern: pattern, } }