MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2024-12-26 07:05:55 -05:00
Code Issues Packages Projects Releases Wiki Activity
f92b7a5621
minio/pkg/iam/policy/policy.go
Harshavardhana 879599b0cf
fix: enforce deny if present for implicit permissions (#11680) 
Implicit permissions for any user is to be allowed to
change their own password, we need to restrict this
further even if there is an implicit allow for this
scenario - we have to honor Deny statements if they
are specified.
2021-03-02 15:35:50 -08:00

211 lines
5.5 KiB
Go
Raw Blame History

/*
* MinIO Cloud Storage, (C) 2018 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package iampolicy
import (
"encoding/json"
"io"
"strings"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio/pkg/bucket/policy"
)
// DefaultVersion - default policy version as per AWS S3 specification.
const DefaultVersion = "2012-10-17"
// Args - arguments to policy to check whether it is allowed
type Args struct {
AccountName string `json:"account"`
Action Action `json:"action"`
BucketName string `json:"bucket"`
ConditionValues map[string][]string `json:"conditions"`
IsOwner bool `json:"owner"`
ObjectName string `json:"object"`
Claims map[string]interface{} `json:"claims"`
DenyOnly bool `json:"denyOnly"` // only applies deny
}
// GetPoliciesFromClaims returns the list of policies to be applied for this
// incoming request, extracting the information from input JWT claims.
func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool) {
s := set.NewStringSet()
pname, ok := claims[policyClaimName]
if !ok {
return s, false
}
pnames, ok := pname.([]interface{})
if !ok {
pnameStr, ok := pname.(string)
if ok {
for _, pname := range strings.Split(pnameStr, ",") {
pname = strings.TrimSpace(pname)
if pname == "" {
// ignore any empty strings, considerate
// towards some user errors.
continue
}
s.Add(pname)
}
return s, true
}
return s, false
}
for _, pname := range pnames {
pnameStr, ok := pname.(string)
if ok {
for _, pnameStr := range strings.Split(pnameStr, ",") {
pnameStr = strings.TrimSpace(pnameStr)
if pnameStr == "" {
// ignore any empty strings, considerate
// towards some user errors.
continue
}
s.Add(pnameStr)
}
}
}
return s, true
}
// GetPolicies returns the list of policies to be applied for this
// incoming request, extracting the information from JWT claims.
func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool) {
return GetPoliciesFromClaims(a.Claims, policyClaimName)
}
// Policy - iam bucket iamp.
type Policy struct {
ID policy.ID `json:"ID,omitempty"`
Version string
Statements []Statement `json:"Statement"`
}
// IsAllowed - checks given policy args is allowed to continue the Rest API.
func (iamp Policy) IsAllowed(args Args) bool {
// Check all deny statements. If any one statement denies, return false.
for _, statement := range iamp.Statements {
if statement.Effect == policy.Deny {
if !statement.IsAllowed(args) {
return false
}
}
}
// Applied any 'Deny' only policies, if we have
// reached here it means that there were no 'Deny'
// policies - this function mainly used for
// specific scenarios where we only want to validate
// 'Deny' only policies.
if args.DenyOnly {
return true
}
// For owner, its allowed by default.
if args.IsOwner {
return true
}
// Check all allow statements. If any one statement allows, return true.
for _, statement := range iamp.Statements {
if statement.Effect == policy.Allow {
if statement.IsAllowed(args) {
return true
}
}
}
return false
}
// IsEmpty - returns whether policy is empty or not.
func (iamp Policy) IsEmpty() bool {
return len(iamp.Statements) == 0
}
// isValid - checks if Policy is valid or not.
func (iamp Policy) isValid() error {
if iamp.Version != DefaultVersion && iamp.Version != "" {
return Errorf("invalid version '%v'", iamp.Version)
}
for _, statement := range iamp.Statements {
if err := statement.isValid(); err != nil {
return err
}
}
return nil
}
func (iamp *Policy) dropDuplicateStatements() {
redo:
for i := range iamp.Statements {
for j, statement := range iamp.Statements[i+1:] {
if iamp.Statements[i].Effect != statement.Effect {
continue
}
if !iamp.Statements[i].Actions.Equals(statement.Actions) {
continue
}
if !iamp.Statements[i].Resources.Equals(statement.Resources) {
continue
}
if iamp.Statements[i].Conditions.String() != statement.Conditions.String() {
continue
}
iamp.Statements = append(iamp.Statements[:j], iamp.Statements[j+1:]...)
goto redo
}
}
}
// UnmarshalJSON - decodes JSON data to Iamp.
func (iamp *Policy) UnmarshalJSON(data []byte) error {
// subtype to avoid recursive call to UnmarshalJSON()
type subPolicy Policy
var sp subPolicy
if err := json.Unmarshal(data, &sp); err != nil {
return err
}
p := Policy(sp)
p.dropDuplicateStatements()
*iamp = p
return nil
}
// Validate - validates all statements are for given bucket or not.
func (iamp Policy) Validate() error {
return iamp.isValid()
}
// ParseConfig - parses data in given reader to Iamp.
func ParseConfig(reader io.Reader) (*Policy, error) {
var iamp Policy
decoder := json.NewDecoder(reader)
decoder.DisallowUnknownFields()
if err := decoder.Decode(&iamp); err != nil {
return nil, Errorf("%w", err)
}
return &iamp, iamp.Validate()
}
Reference in New Issue View Git Blame Copy Permalink