fix: indicate PutBucketEncryption as a valid policy action (#9009)

Harshavardhana 5 years ago committed by GitHub
parent 1b427ddb69
commit 16a6e68d7b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 3
      cmd/iam.go
  2. 103
      pkg/bucket/policy/action.go
  3. 45
      pkg/iam/policy/action.go

@ -1171,6 +1171,9 @@ var iamAccountOtherAccessActions = iampolicy.NewActionSet(
iampolicy.PutBucketPolicyAction, iampolicy.PutBucketPolicyAction,
iampolicy.DeleteBucketPolicyAction, iampolicy.DeleteBucketPolicyAction,
iampolicy.GetBucketPolicyAction, iampolicy.GetBucketPolicyAction,
iampolicy.PutBucketEncryptionAction,
iampolicy.GetBucketEncryptionAction,
) )
// GetAccountAccess iterates over all policies documents associated to a user // GetAccountAccess iterates over all policies documents associated to a user

@ -120,58 +120,71 @@ const (
GetBucketEncryptionAction = "s3:GetEncryptionConfiguration" GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"
) )
// List of all supported object actions.
var supportedObjectActions = map[Action]struct{}{
AbortMultipartUploadAction: {},
DeleteObjectAction: {},
GetObjectAction: {},
ListMultipartUploadPartsAction: {},
PutObjectAction: {},
BypassGovernanceModeAction: {},
BypassGovernanceRetentionAction: {},
PutObjectRetentionAction: {},
GetObjectRetentionAction: {},
PutObjectLegalHoldAction: {},
GetObjectLegalHoldAction: {},
GetObjectTaggingAction: {},
PutObjectTaggingAction: {},
DeleteObjectTaggingAction: {},
}
// isObjectAction - returns whether action is object type or not. // isObjectAction - returns whether action is object type or not.
func (action Action) isObjectAction() bool { func (action Action) isObjectAction() bool {
switch action { _, ok := supportedObjectActions[action]
case AbortMultipartUploadAction, DeleteObjectAction, GetObjectAction: return ok
fallthrough }
case ListMultipartUploadPartsAction, PutObjectAction:
return true
case PutObjectRetentionAction, GetObjectRetentionAction:
return true
case PutObjectLegalHoldAction, GetObjectLegalHoldAction:
return true
case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
return true
case GetObjectTaggingAction, PutObjectTaggingAction, DeleteObjectTaggingAction:
return true
}
return false // List of all supported actions.
var supportedActions = map[Action]struct{}{
AbortMultipartUploadAction: {},
CreateBucketAction: {},
DeleteBucketAction: {},
DeleteBucketPolicyAction: {},
DeleteObjectAction: {},
GetBucketLocationAction: {},
GetBucketNotificationAction: {},
GetBucketPolicyAction: {},
GetObjectAction: {},
HeadBucketAction: {},
ListAllMyBucketsAction: {},
ListBucketAction: {},
ListBucketMultipartUploadsAction: {},
ListenBucketNotificationAction: {},
ListMultipartUploadPartsAction: {},
PutBucketNotificationAction: {},
PutBucketPolicyAction: {},
PutObjectAction: {},
GetBucketLifecycleAction: {},
PutBucketLifecycleAction: {},
PutObjectRetentionAction: {},
GetObjectRetentionAction: {},
GetObjectLegalHoldAction: {},
PutObjectLegalHoldAction: {},
PutBucketObjectLockConfigurationAction: {},
GetBucketObjectLockConfigurationAction: {},
BypassGovernanceModeAction: {},
BypassGovernanceRetentionAction: {},
GetObjectTaggingAction: {},
PutObjectTaggingAction: {},
DeleteObjectTaggingAction: {},
PutBucketEncryptionAction: {},
GetBucketEncryptionAction: {},
} }
// IsValid - checks if action is valid or not. // IsValid - checks if action is valid or not.
func (action Action) IsValid() bool { func (action Action) IsValid() bool {
switch action { _, ok := supportedActions[action]
case AbortMultipartUploadAction, CreateBucketAction, DeleteBucketAction: return ok
fallthrough
case DeleteBucketPolicyAction, DeleteObjectAction, GetBucketLocationAction:
fallthrough
case GetBucketNotificationAction, GetBucketPolicyAction, GetObjectAction:
fallthrough
case HeadBucketAction, ListAllMyBucketsAction, ListBucketAction:
fallthrough
case ListBucketMultipartUploadsAction, ListenBucketNotificationAction:
fallthrough
case ListMultipartUploadPartsAction, PutBucketNotificationAction:
fallthrough
case PutBucketPolicyAction, PutObjectAction:
fallthrough
case PutBucketLifecycleAction, GetBucketLifecycleAction:
return true
case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
return true
case PutObjectRetentionAction, GetObjectRetentionAction:
return true
case PutObjectLegalHoldAction, GetObjectLegalHoldAction:
return true
case PutBucketObjectLockConfigurationAction, GetBucketObjectLockConfigurationAction:
return true
case GetObjectTaggingAction, PutObjectTaggingAction, DeleteObjectTaggingAction:
return true
}
return false
} }
// MarshalJSON - encodes Action to JSON data. // MarshalJSON - encodes Action to JSON data.
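Review bot: The rewrite replaces one switch per method with two package-level maps, `supportedActions` and `supportedObjectActions`, and nothing in the hunk keeps them consistent: every key of `supportedObjectActions` must also be a key of `supportedActions` for `isObjectAction` and `IsValid` to agree, and an entry added to only one of them would let an action classify as object-scoped while `IsValid` rejects it (or the reverse). A unit test that ranges over `supportedObjectActions` and fails on any key absent from `supportedActions` would pin that invariant cheaply. Each map would also benefit from a short comment stating the rule, e.g. `// An object-scoped action must be listed here and in supportedActions.`. The same split appears in pkg/iam/policy/action.go, where the `supportedActions` declaration begins outside the hunk.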

@ -123,6 +123,12 @@ const (
// DeleteObjectTaggingAction - Delete Object Tags API action // DeleteObjectTaggingAction - Delete Object Tags API action
DeleteObjectTaggingAction = "s3:DeleteObjectTagging" DeleteObjectTaggingAction = "s3:DeleteObjectTagging"
// PutBucketEncryptionAction - PutBucketEncryption REST API action
PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"
// GetBucketEncryptionAction - GetBucketEncryption REST API action
GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"
// AllActions - all API actions // AllActions - all API actions
AllActions = "s3:*" AllActions = "s3:*"
) )
@ -161,26 +167,33 @@ var supportedActions = map[Action]struct{}{
GetObjectTaggingAction: {}, GetObjectTaggingAction: {},
PutObjectTaggingAction: {}, PutObjectTaggingAction: {},
DeleteObjectTaggingAction: {}, DeleteObjectTaggingAction: {},
PutBucketEncryptionAction: {},
GetBucketEncryptionAction: {},
}
// List of all supported object actions.
var supportedObjectActions = map[Action]struct{}{
AllActions: {},
AbortMultipartUploadAction: {},
DeleteObjectAction: {},
GetObjectAction: {},
ListMultipartUploadPartsAction: {},
PutObjectAction: {},
BypassGovernanceModeAction: {},
BypassGovernanceRetentionAction: {},
PutObjectRetentionAction: {},
GetObjectRetentionAction: {},
PutObjectLegalHoldAction: {},
GetObjectLegalHoldAction: {},
GetObjectTaggingAction: {},
PutObjectTaggingAction: {},
DeleteObjectTaggingAction: {},
} }
// isObjectAction - returns whether action is object type or not. // isObjectAction - returns whether action is object type or not.
func (action Action) isObjectAction() bool { func (action Action) isObjectAction() bool {
switch action { _, ok := supportedObjectActions[action]
case AbortMultipartUploadAction, DeleteObjectAction, GetObjectAction: return ok
fallthrough
case ListMultipartUploadPartsAction, PutObjectAction, AllActions:
return true
case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
return true
case PutObjectRetentionAction, GetObjectRetentionAction:
return true
case PutObjectLegalHoldAction, GetObjectLegalHoldAction:
return true
case GetObjectTaggingAction, PutObjectTaggingAction, DeleteObjectTaggingAction:
return true
}
return false
} }
// Match - matches object name with resource pattern. // Match - matches object name with resource pattern.
