mirror of
https://github.com/minio/minio.git
synced 2024-12-25 22:55:54 -05:00
0d52126023
- remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
132 lines
3.0 KiB
Go
132 lines
3.0 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2018 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package policy
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/minio/minio/pkg/wildcard"
|
|
)
|
|
|
|
// ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.
|
|
const ResourceARNPrefix = "arn:aws:s3:::"
|
|
|
|
// Resource - resource in policy statement.
|
|
type Resource struct {
|
|
bucketName string
|
|
pattern string
|
|
}
|
|
|
|
func (r Resource) isBucketPattern() bool {
|
|
return !strings.Contains(r.pattern, "/")
|
|
}
|
|
|
|
func (r Resource) isObjectPattern() bool {
|
|
return strings.Contains(r.pattern, "/") || strings.Contains(r.bucketName, "*")
|
|
}
|
|
|
|
// IsValid - checks whether Resource is valid or not.
|
|
func (r Resource) IsValid() bool {
|
|
return r.bucketName != "" && r.pattern != ""
|
|
}
|
|
|
|
// Match - matches object name with resource pattern.
|
|
func (r Resource) Match(resource string) bool {
|
|
return wildcard.Match(r.pattern, resource)
|
|
}
|
|
|
|
// MarshalJSON - encodes Resource to JSON data.
|
|
func (r Resource) MarshalJSON() ([]byte, error) {
|
|
if !r.IsValid() {
|
|
return nil, fmt.Errorf("invalid resource %v", r)
|
|
}
|
|
|
|
return json.Marshal(r.String())
|
|
}
|
|
|
|
func (r Resource) String() string {
|
|
return ResourceARNPrefix + r.pattern
|
|
}
|
|
|
|
// UnmarshalJSON - decodes JSON data to Resource.
|
|
func (r *Resource) UnmarshalJSON(data []byte) error {
|
|
var s string
|
|
if err := json.Unmarshal(data, &s); err != nil {
|
|
return err
|
|
}
|
|
|
|
parsedResource, err := parseResource(s)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
*r = parsedResource
|
|
|
|
return nil
|
|
}
|
|
|
|
// Validate - validates Resource is for given bucket or not.
|
|
func (r Resource) Validate(bucketName string) error {
|
|
if !r.IsValid() {
|
|
return fmt.Errorf("invalid resource")
|
|
}
|
|
|
|
if !wildcard.Match(r.bucketName, bucketName) {
|
|
return fmt.Errorf("bucket name does not match")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// parseResource - parses string to Resource.
|
|
func parseResource(s string) (Resource, error) {
|
|
if !strings.HasPrefix(s, ResourceARNPrefix) {
|
|
return Resource{}, fmt.Errorf("invalid resource '%v'", s)
|
|
}
|
|
|
|
pattern := strings.TrimPrefix(s, ResourceARNPrefix)
|
|
tokens := strings.SplitN(pattern, "/", 2)
|
|
bucketName := tokens[0]
|
|
if bucketName == "" {
|
|
return Resource{}, fmt.Errorf("invalid resource format '%v'", s)
|
|
}
|
|
|
|
return Resource{
|
|
bucketName: bucketName,
|
|
pattern: pattern,
|
|
}, nil
|
|
}
|
|
|
|
// NewResource - creates new resource.
|
|
func NewResource(bucketName, keyName string) Resource {
|
|
pattern := bucketName
|
|
if keyName != "" {
|
|
if !strings.HasPrefix(keyName, "/") {
|
|
pattern += "/"
|
|
}
|
|
|
|
pattern += keyName
|
|
}
|
|
|
|
return Resource{
|
|
bucketName: bucketName,
|
|
pattern: pattern,
|
|
}
|
|
}
|