minio/pkg/iam/policy/statement.go

146 lines
3.9 KiB
Go

/*
* MinIO Cloud Storage, (C) 2018 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package iampolicy
import (
"strings"
"github.com/minio/minio/pkg/bucket/policy"
"github.com/minio/minio/pkg/bucket/policy/condition"
)
// Statement - iam policy statement.
type Statement struct {
SID policy.ID `json:"Sid,omitempty"`
Effect policy.Effect `json:"Effect"`
Actions ActionSet `json:"Action"`
Resources ResourceSet `json:"Resource,omitempty"`
Conditions condition.Functions `json:"Condition,omitempty"`
}
// IsAllowed - checks given policy args is allowed to continue the Rest API.
func (statement Statement) IsAllowed(args Args) bool {
check := func() bool {
if !statement.Actions.Match(args.Action) {
return false
}
resource := args.BucketName
if args.ObjectName != "" {
if !strings.HasPrefix(args.ObjectName, "/") {
resource += "/"
}
resource += args.ObjectName
} else {
resource += "/"
}
// For admin statements, resource match can be ignored.
if !statement.Resources.Match(resource, args.ConditionValues) && !statement.isAdmin() {
return false
}
return statement.Conditions.Evaluate(args.ConditionValues)
}
return statement.Effect.IsAllowed(check())
}
func (statement Statement) isAdmin() bool {
for action := range statement.Actions {
if AdminAction(action).IsValid() {
return true
}
}
return false
}
// isValid - checks whether statement is valid or not.
func (statement Statement) isValid() error {
if !statement.Effect.IsValid() {
return Errorf("invalid Effect %v", statement.Effect)
}
if len(statement.Actions) == 0 {
return Errorf("Action must not be empty")
}
if statement.isAdmin() {
if err := statement.Actions.ValidateAdmin(); err != nil {
return err
}
for action := range statement.Actions {
keys := statement.Conditions.Keys()
keyDiff := keys.Difference(adminActionConditionKeyMap[action])
if !keyDiff.IsEmpty() {
return Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
}
}
return nil
}
if !statement.SID.IsValid() {
return Errorf("invalid SID %v", statement.SID)
}
if len(statement.Resources) == 0 {
return Errorf("Resource must not be empty")
}
if err := statement.Resources.Validate(); err != nil {
return err
}
if err := statement.Actions.Validate(); err != nil {
return err
}
for action := range statement.Actions {
if !statement.Resources.objectResourceExists() && !statement.Resources.bucketResourceExists() {
return Errorf("unsupported Resource found %v for action %v", statement.Resources, action)
}
condKeys, ok := iamActionConditionKeyMap.Lookup(action)
if !ok {
return Errorf("conditions are not supported for action %v", action)
}
keys := statement.Conditions.Keys()
keyDiff := keys.Difference(condKeys)
if !keyDiff.IsEmpty() {
return Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
}
}
return nil
}
// Validate - validates Statement is for given bucket or not.
func (statement Statement) Validate() error {
return statement.isValid()
}
// NewStatement - creates new statement.
func NewStatement(effect policy.Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement {
return Statement{
Effect: effect,
Actions: actionSet,
Resources: resourceSet,
Conditions: conditions,
}
}