mirror of
https://github.com/minio/minio.git
synced 2025-01-07 13:03:22 -05:00
4444ba13a4
LDAPusername is the simpler form of LDAPUser (userDN), using a simpler version is convenient from policy conditions point of view, since these are unique id's used for LDAP login.
323 lines
9.2 KiB
Go
323 lines
9.2 KiB
Go
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
//
|
|
// This file is part of MinIO Object Storage stack
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package condition
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"strings"
|
|
)
|
|
|
|
// Key - conditional key which is used to fetch values for any condition.
|
|
// Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_s3.html
|
|
// for more information about available condition keys.
|
|
type Key string
|
|
|
|
const (
|
|
// S3XAmzCopySource - key representing x-amz-copy-source HTTP header applicable to PutObject API only.
|
|
S3XAmzCopySource Key = "s3:x-amz-copy-source"
|
|
|
|
// S3XAmzServerSideEncryption - key representing x-amz-server-side-encryption HTTP header applicable
|
|
// to PutObject API only.
|
|
S3XAmzServerSideEncryption Key = "s3:x-amz-server-side-encryption"
|
|
|
|
// S3XAmzServerSideEncryptionCustomerAlgorithm - key representing
|
|
// x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only.
|
|
S3XAmzServerSideEncryptionCustomerAlgorithm Key = "s3:x-amz-server-side-encryption-customer-algorithm"
|
|
|
|
// S3XAmzMetadataDirective - key representing x-amz-metadata-directive HTTP header applicable to
|
|
// PutObject API only.
|
|
S3XAmzMetadataDirective Key = "s3:x-amz-metadata-directive"
|
|
|
|
// S3XAmzContentSha256 - set a static content-sha256 for all calls for a given action.
|
|
S3XAmzContentSha256 = "s3:x-amz-content-sha256"
|
|
|
|
// S3XAmzStorageClass - key representing x-amz-storage-class HTTP header applicable to PutObject API
|
|
// only.
|
|
S3XAmzStorageClass Key = "s3:x-amz-storage-class"
|
|
|
|
// S3LocationConstraint - key representing LocationConstraint XML tag of CreateBucket API only.
|
|
S3LocationConstraint Key = "s3:LocationConstraint"
|
|
|
|
// S3Prefix - key representing prefix query parameter of ListBucket API only.
|
|
S3Prefix Key = "s3:prefix"
|
|
|
|
// S3Delimiter - key representing delimiter query parameter of ListBucket API only.
|
|
S3Delimiter Key = "s3:delimiter"
|
|
|
|
// S3VersionID - Enables you to limit the permission for the
|
|
// s3:PutObjectVersionTagging action to a specific object version.
|
|
S3VersionID Key = "s3:versionid"
|
|
|
|
// S3MaxKeys - key representing max-keys query parameter of ListBucket API only.
|
|
S3MaxKeys Key = "s3:max-keys"
|
|
|
|
// S3ObjectLockRemainingRetentionDays - key representing object-lock-remaining-retention-days
|
|
// Enables enforcement of an object relative to the remaining retention days, you can set
|
|
// minimum and maximum allowable retention periods for a bucket using a bucket policy.
|
|
// This key are specific for s3:PutObjectRetention API.
|
|
S3ObjectLockRemainingRetentionDays Key = "s3:object-lock-remaining-retention-days"
|
|
|
|
// S3ObjectLockMode - key representing object-lock-mode
|
|
// Enables enforcement of the specified object retention mode
|
|
S3ObjectLockMode Key = "s3:object-lock-mode"
|
|
|
|
// S3ObjectLockRetainUntilDate - key representing object-lock-retain-util-date
|
|
// Enables enforcement of a specific retain-until-date
|
|
S3ObjectLockRetainUntilDate Key = "s3:object-lock-retain-until-date"
|
|
|
|
// S3ObjectLockLegalHold - key representing object-local-legal-hold
|
|
// Enables enforcement of the specified object legal hold status
|
|
S3ObjectLockLegalHold Key = "s3:object-lock-legal-hold"
|
|
|
|
// AWSReferer - key representing Referer header of any API.
|
|
AWSReferer Key = "aws:Referer"
|
|
|
|
// AWSSourceIP - key representing client's IP address (not intermittent proxies) of any API.
|
|
AWSSourceIP Key = "aws:SourceIp"
|
|
|
|
// AWSUserAgent - key representing UserAgent header for any API.
|
|
AWSUserAgent Key = "aws:UserAgent"
|
|
|
|
// AWSSecureTransport - key representing if the clients request is authenticated or not.
|
|
AWSSecureTransport Key = "aws:SecureTransport"
|
|
|
|
// AWSCurrentTime - key representing the current time.
|
|
AWSCurrentTime Key = "aws:CurrentTime"
|
|
|
|
// AWSEpochTime - key representing the current epoch time.
|
|
AWSEpochTime Key = "aws:EpochTime"
|
|
|
|
// AWSPrincipalType - user principal type currently supported values are "User" and "Anonymous".
|
|
AWSPrincipalType Key = "aws:principaltype"
|
|
|
|
// AWSUserID - user unique ID, in MinIO this value is same as your user Access Key.
|
|
AWSUserID Key = "aws:userid"
|
|
|
|
// AWSUsername - user friendly name, in MinIO this value is same as your user Access Key.
|
|
AWSUsername Key = "aws:username"
|
|
|
|
// S3SignatureVersion - identifies the version of AWS Signature that you want to support for authenticated requests.
|
|
S3SignatureVersion = "s3:signatureversion"
|
|
|
|
// S3AuthType - optionally use this condition key to restrict incoming requests to use a specific authentication method.
|
|
S3AuthType = "s3:authType"
|
|
)
|
|
|
|
// AllSupportedKeys - is list of all all supported keys.
|
|
var AllSupportedKeys = append([]Key{
|
|
S3SignatureVersion,
|
|
S3AuthType,
|
|
S3XAmzCopySource,
|
|
S3XAmzServerSideEncryption,
|
|
S3XAmzServerSideEncryptionCustomerAlgorithm,
|
|
S3XAmzMetadataDirective,
|
|
S3XAmzStorageClass,
|
|
S3XAmzContentSha256,
|
|
S3LocationConstraint,
|
|
S3Prefix,
|
|
S3Delimiter,
|
|
S3MaxKeys,
|
|
S3VersionID,
|
|
S3ObjectLockRemainingRetentionDays,
|
|
S3ObjectLockMode,
|
|
S3ObjectLockLegalHold,
|
|
S3ObjectLockRetainUntilDate,
|
|
AWSReferer,
|
|
AWSSourceIP,
|
|
AWSUserAgent,
|
|
AWSSecureTransport,
|
|
AWSCurrentTime,
|
|
AWSEpochTime,
|
|
AWSPrincipalType,
|
|
AWSUserID,
|
|
AWSUsername,
|
|
LDAPUser,
|
|
LDAPUsername,
|
|
// Add new supported condition keys.
|
|
}, JWTKeys...)
|
|
|
|
// CommonKeys - is list of all common condition keys.
|
|
var CommonKeys = append([]Key{
|
|
S3SignatureVersion,
|
|
S3AuthType,
|
|
S3XAmzContentSha256,
|
|
S3LocationConstraint,
|
|
AWSReferer,
|
|
AWSSourceIP,
|
|
AWSUserAgent,
|
|
AWSSecureTransport,
|
|
AWSCurrentTime,
|
|
AWSEpochTime,
|
|
AWSPrincipalType,
|
|
AWSUserID,
|
|
AWSUsername,
|
|
LDAPUser,
|
|
LDAPUsername,
|
|
}, JWTKeys...)
|
|
|
|
func substFuncFromValues(values map[string][]string) func(string) string {
|
|
return func(v string) string {
|
|
for _, key := range CommonKeys {
|
|
// Empty values are not supported for policy variables.
|
|
if rvalues, ok := values[key.Name()]; ok && rvalues[0] != "" {
|
|
v = strings.Replace(v, key.VarName(), rvalues[0], -1)
|
|
}
|
|
}
|
|
return v
|
|
}
|
|
}
|
|
|
|
// IsValid - checks if key is valid or not.
|
|
func (key Key) IsValid() bool {
|
|
for _, supKey := range AllSupportedKeys {
|
|
if supKey == key {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// MarshalJSON - encodes Key to JSON data.
|
|
func (key Key) MarshalJSON() ([]byte, error) {
|
|
if !key.IsValid() {
|
|
return nil, fmt.Errorf("unknown key %v", key)
|
|
}
|
|
|
|
return json.Marshal(string(key))
|
|
}
|
|
|
|
// VarName - returns variable key name, such as "${aws:username}"
|
|
func (key Key) VarName() string {
|
|
return fmt.Sprintf("${%s}", key)
|
|
}
|
|
|
|
// Name - returns key name which is stripped value of prefixes "aws:" and "s3:"
|
|
func (key Key) Name() string {
|
|
keyString := string(key)
|
|
|
|
if strings.HasPrefix(keyString, "aws:") {
|
|
return strings.TrimPrefix(keyString, "aws:")
|
|
} else if strings.HasPrefix(keyString, "jwt:") {
|
|
return strings.TrimPrefix(keyString, "jwt:")
|
|
} else if strings.HasPrefix(keyString, "ldap:") {
|
|
return strings.TrimPrefix(keyString, "ldap:")
|
|
}
|
|
return strings.TrimPrefix(keyString, "s3:")
|
|
}
|
|
|
|
// UnmarshalJSON - decodes JSON data to Key.
|
|
func (key *Key) UnmarshalJSON(data []byte) error {
|
|
var s string
|
|
if err := json.Unmarshal(data, &s); err != nil {
|
|
return err
|
|
}
|
|
|
|
parsedKey, err := parseKey(s)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
*key = parsedKey
|
|
return nil
|
|
}
|
|
|
|
func parseKey(s string) (Key, error) {
|
|
key := Key(s)
|
|
|
|
if key.IsValid() {
|
|
return key, nil
|
|
}
|
|
|
|
return key, fmt.Errorf("invalid condition key '%v'", s)
|
|
}
|
|
|
|
// KeySet - set representation of slice of keys.
|
|
type KeySet map[Key]struct{}
|
|
|
|
// Add - add a key to key set.
|
|
func (set KeySet) Add(key Key) {
|
|
set[key] = struct{}{}
|
|
}
|
|
|
|
// Merge merges two key sets, duplicates are overwritten
|
|
func (set KeySet) Merge(mset KeySet) {
|
|
for k, v := range mset {
|
|
set[k] = v
|
|
}
|
|
}
|
|
|
|
// Difference - returns a key set contains difference of two keys.
|
|
// Example:
|
|
// keySet1 := ["one", "two", "three"]
|
|
// keySet2 := ["two", "four", "three"]
|
|
// keySet1.Difference(keySet2) == ["one"]
|
|
func (set KeySet) Difference(sset KeySet) KeySet {
|
|
nset := make(KeySet)
|
|
|
|
for k := range set {
|
|
if _, ok := sset[k]; !ok {
|
|
nset.Add(k)
|
|
}
|
|
}
|
|
|
|
return nset
|
|
}
|
|
|
|
// IsEmpty - returns whether key set is empty or not.
|
|
func (set KeySet) IsEmpty() bool {
|
|
return len(set) == 0
|
|
}
|
|
|
|
func (set KeySet) String() string {
|
|
return fmt.Sprintf("%v", set.ToSlice())
|
|
}
|
|
|
|
// ToSlice - returns slice of keys.
|
|
func (set KeySet) ToSlice() []Key {
|
|
keys := []Key{}
|
|
|
|
for key := range set {
|
|
keys = append(keys, key)
|
|
}
|
|
|
|
return keys
|
|
}
|
|
|
|
// NewKeySet - returns new KeySet contains given keys.
|
|
func NewKeySet(keys ...Key) KeySet {
|
|
set := make(KeySet)
|
|
for _, key := range keys {
|
|
set.Add(key)
|
|
}
|
|
|
|
return set
|
|
}
|
|
|
|
// AllSupportedAdminKeys - is list of all admin supported keys.
|
|
var AllSupportedAdminKeys = []Key{
|
|
AWSReferer,
|
|
AWSSourceIP,
|
|
AWSUserAgent,
|
|
AWSSecureTransport,
|
|
AWSCurrentTime,
|
|
AWSEpochTime,
|
|
// Add new supported condition keys.
|
|
}
|