// Copyright (c) 2015-2021 MinIO, Inc. // // This file is part of MinIO Object Storage stack // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU Affero General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Affero General Public License for more details. // // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . package condition import ( "encoding/json" "fmt" "strings" ) // Key - conditional key which is used to fetch values for any condition. // Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_s3.html // for more information about available condition keys. type Key string const ( // S3XAmzCopySource - key representing x-amz-copy-source HTTP header applicable to PutObject API only. S3XAmzCopySource Key = "s3:x-amz-copy-source" // S3XAmzServerSideEncryption - key representing x-amz-server-side-encryption HTTP header applicable // to PutObject API only. S3XAmzServerSideEncryption Key = "s3:x-amz-server-side-encryption" // S3XAmzServerSideEncryptionCustomerAlgorithm - key representing // x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only. S3XAmzServerSideEncryptionCustomerAlgorithm Key = "s3:x-amz-server-side-encryption-customer-algorithm" // S3XAmzMetadataDirective - key representing x-amz-metadata-directive HTTP header applicable to // PutObject API only. S3XAmzMetadataDirective Key = "s3:x-amz-metadata-directive" // S3XAmzContentSha256 - set a static content-sha256 for all calls for a given action. S3XAmzContentSha256 = "s3:x-amz-content-sha256" // S3XAmzStorageClass - key representing x-amz-storage-class HTTP header applicable to PutObject API // only. S3XAmzStorageClass Key = "s3:x-amz-storage-class" // S3LocationConstraint - key representing LocationConstraint XML tag of CreateBucket API only. S3LocationConstraint Key = "s3:LocationConstraint" // S3Prefix - key representing prefix query parameter of ListBucket API only. S3Prefix Key = "s3:prefix" // S3Delimiter - key representing delimiter query parameter of ListBucket API only. S3Delimiter Key = "s3:delimiter" // S3VersionID - Enables you to limit the permission for the // s3:PutObjectVersionTagging action to a specific object version. S3VersionID Key = "s3:versionid" // S3MaxKeys - key representing max-keys query parameter of ListBucket API only. S3MaxKeys Key = "s3:max-keys" // S3ObjectLockRemainingRetentionDays - key representing object-lock-remaining-retention-days // Enables enforcement of an object relative to the remaining retention days, you can set // minimum and maximum allowable retention periods for a bucket using a bucket policy. // This key are specific for s3:PutObjectRetention API. S3ObjectLockRemainingRetentionDays Key = "s3:object-lock-remaining-retention-days" // S3ObjectLockMode - key representing object-lock-mode // Enables enforcement of the specified object retention mode S3ObjectLockMode Key = "s3:object-lock-mode" // S3ObjectLockRetainUntilDate - key representing object-lock-retain-util-date // Enables enforcement of a specific retain-until-date S3ObjectLockRetainUntilDate Key = "s3:object-lock-retain-until-date" // S3ObjectLockLegalHold - key representing object-local-legal-hold // Enables enforcement of the specified object legal hold status S3ObjectLockLegalHold Key = "s3:object-lock-legal-hold" // AWSReferer - key representing Referer header of any API. AWSReferer Key = "aws:Referer" // AWSSourceIP - key representing client's IP address (not intermittent proxies) of any API. AWSSourceIP Key = "aws:SourceIp" // AWSUserAgent - key representing UserAgent header for any API. AWSUserAgent Key = "aws:UserAgent" // AWSSecureTransport - key representing if the clients request is authenticated or not. AWSSecureTransport Key = "aws:SecureTransport" // AWSCurrentTime - key representing the current time. AWSCurrentTime Key = "aws:CurrentTime" // AWSEpochTime - key representing the current epoch time. AWSEpochTime Key = "aws:EpochTime" // AWSPrincipalType - user principal type currently supported values are "User" and "Anonymous". AWSPrincipalType Key = "aws:principaltype" // AWSUserID - user unique ID, in MinIO this value is same as your user Access Key. AWSUserID Key = "aws:userid" // AWSUsername - user friendly name, in MinIO this value is same as your user Access Key. AWSUsername Key = "aws:username" // S3SignatureVersion - identifies the version of AWS Signature that you want to support for authenticated requests. S3SignatureVersion = "s3:signatureversion" // S3AuthType - optionally use this condition key to restrict incoming requests to use a specific authentication method. S3AuthType = "s3:authType" ) // AllSupportedKeys - is list of all all supported keys. var AllSupportedKeys = append([]Key{ S3SignatureVersion, S3AuthType, S3XAmzCopySource, S3XAmzServerSideEncryption, S3XAmzServerSideEncryptionCustomerAlgorithm, S3XAmzMetadataDirective, S3XAmzStorageClass, S3XAmzContentSha256, S3LocationConstraint, S3Prefix, S3Delimiter, S3MaxKeys, S3VersionID, S3ObjectLockRemainingRetentionDays, S3ObjectLockMode, S3ObjectLockLegalHold, S3ObjectLockRetainUntilDate, AWSReferer, AWSSourceIP, AWSUserAgent, AWSSecureTransport, AWSCurrentTime, AWSEpochTime, AWSPrincipalType, AWSUserID, AWSUsername, LDAPUser, // Add new supported condition keys. }, JWTKeys...) // CommonKeys - is list of all common condition keys. var CommonKeys = append([]Key{ S3SignatureVersion, S3AuthType, S3XAmzContentSha256, S3LocationConstraint, AWSReferer, AWSSourceIP, AWSUserAgent, AWSSecureTransport, AWSCurrentTime, AWSEpochTime, AWSPrincipalType, AWSUserID, AWSUsername, LDAPUser, }, JWTKeys...) func substFuncFromValues(values map[string][]string) func(string) string { return func(v string) string { for _, key := range CommonKeys { // Empty values are not supported for policy variables. if rvalues, ok := values[key.Name()]; ok && rvalues[0] != "" { v = strings.Replace(v, key.VarName(), rvalues[0], -1) } } return v } } // IsValid - checks if key is valid or not. func (key Key) IsValid() bool { for _, supKey := range AllSupportedKeys { if supKey == key { return true } } return false } // MarshalJSON - encodes Key to JSON data. func (key Key) MarshalJSON() ([]byte, error) { if !key.IsValid() { return nil, fmt.Errorf("unknown key %v", key) } return json.Marshal(string(key)) } // VarName - returns variable key name, such as "${aws:username}" func (key Key) VarName() string { return fmt.Sprintf("${%s}", key) } // Name - returns key name which is stripped value of prefixes "aws:" and "s3:" func (key Key) Name() string { keyString := string(key) if strings.HasPrefix(keyString, "aws:") { return strings.TrimPrefix(keyString, "aws:") } else if strings.HasPrefix(keyString, "jwt:") { return strings.TrimPrefix(keyString, "jwt:") } else if strings.HasPrefix(keyString, "ldap:") { return strings.TrimPrefix(keyString, "ldap:") } return strings.TrimPrefix(keyString, "s3:") } // UnmarshalJSON - decodes JSON data to Key. func (key *Key) UnmarshalJSON(data []byte) error { var s string if err := json.Unmarshal(data, &s); err != nil { return err } parsedKey, err := parseKey(s) if err != nil { return err } *key = parsedKey return nil } func parseKey(s string) (Key, error) { key := Key(s) if key.IsValid() { return key, nil } return key, fmt.Errorf("invalid condition key '%v'", s) } // KeySet - set representation of slice of keys. type KeySet map[Key]struct{} // Add - add a key to key set. func (set KeySet) Add(key Key) { set[key] = struct{}{} } // Merge merges two key sets, duplicates are overwritten func (set KeySet) Merge(mset KeySet) { for k, v := range mset { set[k] = v } } // Difference - returns a key set contains difference of two keys. // Example: // keySet1 := ["one", "two", "three"] // keySet2 := ["two", "four", "three"] // keySet1.Difference(keySet2) == ["one"] func (set KeySet) Difference(sset KeySet) KeySet { nset := make(KeySet) for k := range set { if _, ok := sset[k]; !ok { nset.Add(k) } } return nset } // IsEmpty - returns whether key set is empty or not. func (set KeySet) IsEmpty() bool { return len(set) == 0 } func (set KeySet) String() string { return fmt.Sprintf("%v", set.ToSlice()) } // ToSlice - returns slice of keys. func (set KeySet) ToSlice() []Key { keys := []Key{} for key := range set { keys = append(keys, key) } return keys } // NewKeySet - returns new KeySet contains given keys. func NewKeySet(keys ...Key) KeySet { set := make(KeySet) for _, key := range keys { set.Add(key) } return set } // AllSupportedAdminKeys - is list of all admin supported keys. var AllSupportedAdminKeys = []Key{ AWSReferer, AWSSourceIP, AWSUserAgent, AWSSecureTransport, AWSCurrentTime, AWSEpochTime, // Add new supported condition keys. }