From 16a6e68d7b49b36f3addc49a9b868ff9acb64b08 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 19 Feb 2020 00:02:53 +0530
Subject: [PATCH] fix: indicate PutBucketEncryption as a valid policy action (#9009)

---
 cmd/iam.go | 3 ++
 pkg/bucket/policy/action.go | 103 ++++++++++++++++++++----------------
 pkg/iam/policy/action.go | 45 ++++++++++------
 3 files changed, 90 insertions(+), 61 deletions(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index be18521e2..c86b8ba6e 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1171,6 +1171,9 @@ var iamAccountOtherAccessActions = iampolicy.NewActionSet(
 	iampolicy.PutBucketPolicyAction,
 	iampolicy.DeleteBucketPolicyAction,
 	iampolicy.GetBucketPolicyAction,
+
+	iampolicy.PutBucketEncryptionAction,
+	iampolicy.GetBucketEncryptionAction,
 )
 
 // GetAccountAccess iterates over all policies documents associated to a user
diff --git a/pkg/bucket/policy/action.go b/pkg/bucket/policy/action.go
index 33933a9d7..e6d843f80 100644
--- a/pkg/bucket/policy/action.go
+++ b/pkg/bucket/policy/action.go
@@ -120,58 +120,71 @@ const (
 	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"
 )
 
+// List of all supported object actions.
+var supportedObjectActions = map[Action]struct{}{
+	AbortMultipartUploadAction: {},
+	DeleteObjectAction: {},
+	GetObjectAction: {},
+	ListMultipartUploadPartsAction: {},
+	PutObjectAction: {},
+	BypassGovernanceModeAction: {},
+	BypassGovernanceRetentionAction: {},
+	PutObjectRetentionAction: {},
+	GetObjectRetentionAction: {},
+	PutObjectLegalHoldAction: {},
+	GetObjectLegalHoldAction: {},
+	GetObjectTaggingAction: {},
+	PutObjectTaggingAction: {},
+	DeleteObjectTaggingAction: {},
+}
+
 // isObjectAction - returns whether action is object type or not.
 func (action Action) isObjectAction() bool {
-	switch action {
-	case AbortMultipartUploadAction, DeleteObjectAction, GetObjectAction:
-		fallthrough
-	case ListMultipartUploadPartsAction, PutObjectAction:
-		return true
-	case PutObjectRetentionAction, GetObjectRetentionAction:
-		return true
-	case PutObjectLegalHoldAction, GetObjectLegalHoldAction:
-		return true
-	case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
-		return true
-	case GetObjectTaggingAction, PutObjectTaggingAction, DeleteObjectTaggingAction:
-		return true
-	}
+	_, ok := supportedObjectActions[action]
+	return ok
+}
 
-	return false
+// List of all supported actions.
+var supportedActions = map[Action]struct{}{
+	AbortMultipartUploadAction: {},
+	CreateBucketAction: {},
+	DeleteBucketAction: {},
+	DeleteBucketPolicyAction: {},
+	DeleteObjectAction: {},
+	GetBucketLocationAction: {},
+	GetBucketNotificationAction: {},
+	GetBucketPolicyAction: {},
+	GetObjectAction: {},
+	HeadBucketAction: {},
+	ListAllMyBucketsAction: {},
+	ListBucketAction: {},
+	ListBucketMultipartUploadsAction: {},
+	ListenBucketNotificationAction: {},
+	ListMultipartUploadPartsAction: {},
+	PutBucketNotificationAction: {},
+	PutBucketPolicyAction: {},
+	PutObjectAction: {},
+	GetBucketLifecycleAction: {},
+	PutBucketLifecycleAction: {},
+	PutObjectRetentionAction: {},
+	GetObjectRetentionAction: {},
+	GetObjectLegalHoldAction: {},
+	PutObjectLegalHoldAction: {},
+	PutBucketObjectLockConfigurationAction: {},
+	GetBucketObjectLockConfigurationAction: {},
+	BypassGovernanceModeAction: {},
+	BypassGovernanceRetentionAction: {},
+	GetObjectTaggingAction: {},
+	PutObjectTaggingAction: {},
+	DeleteObjectTaggingAction: {},
+	PutBucketEncryptionAction: {},
+	GetBucketEncryptionAction: {},
 }
 
 // IsValid - checks if action is valid or not.
 func (action Action) IsValid() bool {
-	switch action {
-	case AbortMultipartUploadAction, CreateBucketAction, DeleteBucketAction:
-		fallthrough
-	case DeleteBucketPolicyAction, DeleteObjectAction, GetBucketLocationAction:
-		fallthrough
-	case GetBucketNotificationAction, GetBucketPolicyAction, GetObjectAction:
-		fallthrough
-	case HeadBucketAction, ListAllMyBucketsAction, ListBucketAction:
-		fallthrough
-	case ListBucketMultipartUploadsAction, ListenBucketNotificationAction:
-		fallthrough
-	case ListMultipartUploadPartsAction, PutBucketNotificationAction:
-		fallthrough
-	case PutBucketPolicyAction, PutObjectAction:
-		fallthrough
-	case PutBucketLifecycleAction, GetBucketLifecycleAction:
-		return true
-	case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
-		return true
-	case PutObjectRetentionAction, GetObjectRetentionAction:
-		return true
-	case PutObjectLegalHoldAction, GetObjectLegalHoldAction:
-		return true
-	case PutBucketObjectLockConfigurationAction, GetBucketObjectLockConfigurationAction:
-		return true
-	case GetObjectTaggingAction, PutObjectTaggingAction, DeleteObjectTaggingAction:
-		return true
-	}
-
-	return false
+	_, ok := supportedActions[action]
+	return ok
 }
 
 // MarshalJSON - encodes Action to JSON data.
diff --git a/pkg/iam/policy/action.go b/pkg/iam/policy/action.go
index 31759e26b..cbf03ee7d 100644
--- a/pkg/iam/policy/action.go
+++ b/pkg/iam/policy/action.go
@@ -123,6 +123,12 @@ const (
 	// DeleteObjectTaggingAction - Delete Object Tags API action
 	DeleteObjectTaggingAction = "s3:DeleteObjectTagging"
 
+	// PutBucketEncryptionAction - PutBucketEncryption REST API action
+	PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"
+
+	// GetBucketEncryptionAction - GetBucketEncryption REST API action
+	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"
+
 	// AllActions - all API actions
 	AllActions = "s3:*"
 )
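Review bot: Nothing ties the new `supportedObjectActions` map to `supportedActions` in pkg/bucket/policy/action.go, so an entry added to one but not the other would make `isObjectAction` and `IsValid` disagree about the same Action, and `IsValid` is the gate deciding which actions a bucket policy accepts at all. A subset test pins the invariant in three lines: `for a := range supportedObjectActions { if _, ok := supportedActions[a]; !ok { t.Fatalf("object action %q missing from supportedActions", a) } }`. Both maps are package-level mutable variables with a one-line comment each; a doc comment such as `// supportedActions is the exact set IsValid accepts; extend it together with supportedObjectActions.` would tell the next maintainer they move as a pair. The same pairing appears in pkg/iam/policy/action.go in the last hunk of this patch.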
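Review bot: The new `PutBucketEncryptionAction` and `GetBucketEncryptionAction` constants in pkg/iam/policy/action.go carry the same string values as the constants of the same names in pkg/bucket/policy/action.go (the `s3:GetEncryptionConfiguration` value is visible in the earlier hunk), and nothing in either file links the two copies. A comment on each, e.g. `// Must stay identical to pkg/bucket/policy.PutBucketEncryptionAction.`, would keep the IAM and bucket-policy action vocabularies from drifting when one side is edited.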
@@ -161,26 +167,33 @@ var supportedActions = map[Action]struct{}{
 	GetObjectTaggingAction: {},
 	PutObjectTaggingAction: {},
 	DeleteObjectTaggingAction: {},
+	PutBucketEncryptionAction: {},
+	GetBucketEncryptionAction: {},
+}
+
+// List of all supported object actions.
+var supportedObjectActions = map[Action]struct{}{
+	AllActions: {},
+	AbortMultipartUploadAction: {},
+	DeleteObjectAction: {},
+	GetObjectAction: {},
+	ListMultipartUploadPartsAction: {},
+	PutObjectAction: {},
+	BypassGovernanceModeAction: {},
+	BypassGovernanceRetentionAction: {},
+	PutObjectRetentionAction: {},
+	GetObjectRetentionAction: {},
+	PutObjectLegalHoldAction: {},
+	GetObjectLegalHoldAction: {},
+	GetObjectTaggingAction: {},
+	PutObjectTaggingAction: {},
+	DeleteObjectTaggingAction: {},
 }
 
 // isObjectAction - returns whether action is object type or not.
 func (action Action) isObjectAction() bool {
-	switch action {
-	case AbortMultipartUploadAction, DeleteObjectAction, GetObjectAction:
-		fallthrough
-	case ListMultipartUploadPartsAction, PutObjectAction, AllActions:
-		return true
-	case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
-		return true
-	case PutObjectRetentionAction, GetObjectRetentionAction:
-		return true
-	case PutObjectLegalHoldAction, GetObjectLegalHoldAction:
-		return true
-	case GetObjectTaggingAction, PutObjectTaggingAction, DeleteObjectTaggingAction:
-		return true
-	}
-
-	return false
+	_, ok := supportedObjectActions[action]
+	return ok
 }
 
 // Match - matches object name with resource pattern.
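Review bot: `AllActions` is carried over into the new `supportedObjectActions` map in pkg/iam/policy/action.go without a comment, and as the only non-object entry in an otherwise object-only list it reads like a stray copy from `supportedActions`. The old switch did treat `s3:*` as an object action, so the behaviour is preserved; a comment such as `// AllActions ("s3:*") is deliberately treated as an object action — presumably so wildcard statements are also validated against object resources; confirm.` would record the intent. Whether `AllActions` is also present in `supportedActions` cannot be checked here because that map's first entries lie above the hunk.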