From 5353edcc3881af624570535ab21498e3346ecdbc Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 21 Jan 2019 10:27:14 +0530 Subject: [PATCH] Support policy variable replacement (#7085) This PR supports iam and bucket policies to have policy variable replacements in resource and condition key values. For example - ${aws:username} - ${aws:userid} --- cmd/auth-handler.go | 8 +-- cmd/object-handlers.go | 6 +- cmd/policy.go | 17 +++++- cmd/web-handlers.go | 28 ++++----- pkg/iam/policy/resource.go | 14 ++++- pkg/iam/policy/resource_test.go | 2 +- pkg/iam/policy/resourceset.go | 4 +- pkg/iam/policy/resourceset_test.go | 2 +- pkg/iam/policy/statement.go | 2 +- pkg/policy/condition/binaryequalsfunc.go | 3 +- pkg/policy/condition/key.go | 60 ++++++++++++++----- pkg/policy/condition/stringequalsfunc.go | 3 +- .../condition/stringequalsignorecasefunc.go | 5 +- pkg/policy/condition/stringlikefunc.go | 4 +- pkg/policy/resource.go | 13 +++- pkg/policy/resource_test.go | 2 +- pkg/policy/resourceset.go | 4 +- pkg/policy/resourceset_test.go | 2 +- pkg/policy/statement.go | 2 +- 19 files changed, 125 insertions(+), 56 deletions(-) diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go index 98f509cce..5859ca678 100644 --- a/cmd/auth-handler.go +++ b/cmd/auth-handler.go @@ -283,7 +283,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac AccountName: cred.AccessKey, Action: action, BucketName: bucketName, - ConditionValues: getConditionValues(r, locationConstraint), + ConditionValues: getConditionValues(r, locationConstraint, ""), IsOwner: false, ObjectName: objectName, }) { @@ -296,7 +296,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac AccountName: cred.AccessKey, Action: iampolicy.Action(action), BucketName: bucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", cred.AccessKey), ObjectName: objectName, IsOwner: owner, Claims: claims, @@ -448,7 +448,7 @@ func isPutAllowed(atype authType, bucketName, objectName string, r *http.Request AccountName: cred.AccessKey, Action: policy.PutObjectAction, BucketName: bucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, ObjectName: objectName, }) { @@ -461,7 +461,7 @@ func isPutAllowed(atype authType, bucketName, objectName string, r *http.Request AccountName: cred.AccessKey, Action: policy.PutObjectAction, BucketName: bucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", cred.AccessKey), ObjectName: objectName, IsOwner: owner, Claims: claims, diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go index 753e8124c..ea806a510 100644 --- a/cmd/object-handlers.go +++ b/cmd/object-handlers.go @@ -131,7 +131,7 @@ func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r if globalPolicySys.IsAllowed(policy.Args{ Action: policy.ListBucketAction, BucketName: bucket, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, }) { _, err = getObjectInfo(ctx, bucket, object, opts) @@ -281,7 +281,7 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req if globalPolicySys.IsAllowed(policy.Args{ Action: policy.ListBucketAction, BucketName: bucket, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, }) { getObjectInfo := objectAPI.GetObjectInfo @@ -463,7 +463,7 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re if globalPolicySys.IsAllowed(policy.Args{ Action: policy.ListBucketAction, BucketName: bucket, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, }) { _, err = getObjectInfo(ctx, bucket, object, opts) diff --git a/cmd/policy.go b/cmd/policy.go index 686530672..3c57ad122 100644 --- a/cmd/policy.go +++ b/cmd/policy.go @@ -30,6 +30,7 @@ import ( miniogopolicy "github.com/minio/minio-go/pkg/policy" "github.com/minio/minio-go/pkg/set" "github.com/minio/minio/cmd/logger" + "github.com/minio/minio/pkg/event" "github.com/minio/minio/pkg/handlers" "github.com/minio/minio/pkg/policy" ) @@ -183,12 +184,24 @@ func NewPolicySys() *PolicySys { } } -func getConditionValues(request *http.Request, locationConstraint string) map[string][]string { +func getConditionValues(request *http.Request, locationConstraint string, username string) map[string][]string { + currTime := UTCNow() + principalType := func() string { + if username != "" { + return "User" + } + return "Anonymous" + }() args := map[string][]string{ - "SourceIp": {handlers.GetSourceIP(request)}, + "CurrenTime": {currTime.Format(event.AMZTimeFormat)}, + "EpochTime": {fmt.Sprintf("%d", currTime.Unix())}, + "principaltype": {principalType}, "SecureTransport": {fmt.Sprintf("%t", request.TLS != nil)}, + "SourceIp": {handlers.GetSourceIP(request)}, "UserAgent": {request.UserAgent()}, "Referer": {request.Referer()}, + "userid": {username}, + "username": {username}, } for key, values := range request.Header { diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go index 593215dde..6dfb0a38f 100644 --- a/cmd/web-handlers.go +++ b/cmd/web-handlers.go @@ -306,7 +306,7 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re AccountName: claims.Subject, Action: iampolicy.ListBucketAction, BucketName: bucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", claims.Subject), IsOwner: owner, ObjectName: "", }) { @@ -326,7 +326,7 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re AccountName: claims.Subject, Action: iampolicy.ListBucketAction, BucketName: bucket.Name, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", claims.Subject), IsOwner: owner, ObjectName: "", }) { @@ -432,7 +432,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r readable := globalPolicySys.IsAllowed(policy.Args{ Action: policy.ListBucketAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, }) @@ -440,7 +440,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r writable := globalPolicySys.IsAllowed(policy.Args{ Action: policy.PutObjectAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, ObjectName: args.Prefix + "/", }) @@ -471,7 +471,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r AccountName: claims.Subject, Action: iampolicy.ListBucketAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: owner, }) @@ -479,7 +479,7 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r AccountName: claims.Subject, Action: iampolicy.PutObjectAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: owner, ObjectName: args.Prefix + "/", }) @@ -611,7 +611,7 @@ next: AccountName: claims.Subject, Action: iampolicy.DeleteObjectAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", claims.Subject), IsOwner: owner, ObjectName: objectName, }) { @@ -628,7 +628,7 @@ next: AccountName: claims.Subject, Action: iampolicy.DeleteObjectAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", claims.Subject), IsOwner: owner, ObjectName: objectName, }) { @@ -853,7 +853,7 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) { if !globalPolicySys.IsAllowed(policy.Args{ Action: policy.PutObjectAction, BucketName: bucket, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, ObjectName: object, }) { @@ -872,7 +872,7 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) { AccountName: claims.Subject, Action: iampolicy.PutObjectAction, BucketName: bucket, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", claims.Subject), IsOwner: owner, ObjectName: object, }) { @@ -1040,7 +1040,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) { if !globalPolicySys.IsAllowed(policy.Args{ Action: policy.GetObjectAction, BucketName: bucket, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, ObjectName: object, }) { @@ -1059,7 +1059,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) { AccountName: claims.Subject, Action: iampolicy.GetObjectAction, BucketName: bucket, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", claims.Subject), IsOwner: owner, ObjectName: object, }) { @@ -1195,7 +1195,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) { if !globalPolicySys.IsAllowed(policy.Args{ Action: policy.GetObjectAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", ""), IsOwner: false, ObjectName: pathJoin(args.Prefix, object), }) { @@ -1216,7 +1216,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) { AccountName: claims.Subject, Action: iampolicy.GetObjectAction, BucketName: args.BucketName, - ConditionValues: getConditionValues(r, ""), + ConditionValues: getConditionValues(r, "", claims.Subject), IsOwner: owner, ObjectName: pathJoin(args.Prefix, object), }) { diff --git a/pkg/iam/policy/resource.go b/pkg/iam/policy/resource.go index eb1e36d9a..dd7f7b63c 100644 --- a/pkg/iam/policy/resource.go +++ b/pkg/iam/policy/resource.go @@ -21,6 +21,7 @@ import ( "fmt" "strings" + "github.com/minio/minio/pkg/policy/condition" "github.com/minio/minio/pkg/wildcard" ) @@ -47,11 +48,18 @@ func (r Resource) IsValid() bool { } // Match - matches object name with resource pattern. -func (r Resource) Match(resource string) bool { - if strings.HasPrefix(resource, r.Pattern) { +func (r Resource) Match(resource string, conditionValues map[string][]string) bool { + pattern := r.Pattern + for _, key := range condition.CommonKeys { + // Empty values are not supported for policy variables. + if rvalues, ok := conditionValues[key.Name()]; ok && rvalues[0] != "" { + pattern = strings.Replace(pattern, key.VarName(), rvalues[0], -1) + } + } + if strings.HasPrefix(resource, pattern) { return true } - return wildcard.Match(r.Pattern, resource) + return wildcard.Match(pattern, resource) } // MarshalJSON - encodes Resource to JSON data. diff --git a/pkg/iam/policy/resource_test.go b/pkg/iam/policy/resource_test.go index 102a89c22..f28bf40b9 100644 --- a/pkg/iam/policy/resource_test.go +++ b/pkg/iam/policy/resource_test.go @@ -124,7 +124,7 @@ func TestResourceMatch(t *testing.T) { } for i, testCase := range testCases { - result := testCase.resource.Match(testCase.objectName) + result := testCase.resource.Match(testCase.objectName, nil) if result != testCase.expectedResult { t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result) diff --git a/pkg/iam/policy/resourceset.go b/pkg/iam/policy/resourceset.go index 99f700d6e..ce9a9905b 100644 --- a/pkg/iam/policy/resourceset.go +++ b/pkg/iam/policy/resourceset.go @@ -81,9 +81,9 @@ func (resourceSet ResourceSet) MarshalJSON() ([]byte, error) { } // Match - matches object name with anyone of resource pattern in resource set. -func (resourceSet ResourceSet) Match(resource string) bool { +func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool { for r := range resourceSet { - if r.Match(resource) { + if r.Match(resource, conditionValues) { return true } } diff --git a/pkg/iam/policy/resourceset_test.go b/pkg/iam/policy/resourceset_test.go index 8e19e9ac7..ede22855e 100644 --- a/pkg/iam/policy/resourceset_test.go +++ b/pkg/iam/policy/resourceset_test.go @@ -179,7 +179,7 @@ func TestResourceSetMatch(t *testing.T) { } for i, testCase := range testCases { - result := testCase.resourceSet.Match(testCase.resource) + result := testCase.resourceSet.Match(testCase.resource, nil) if result != testCase.expectedResult { t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result) diff --git a/pkg/iam/policy/statement.go b/pkg/iam/policy/statement.go index e231c6c36..5a4e25441 100644 --- a/pkg/iam/policy/statement.go +++ b/pkg/iam/policy/statement.go @@ -52,7 +52,7 @@ func (statement Statement) IsAllowed(args Args) bool { resource += "/" } - if !statement.Resources.Match(resource) { + if !statement.Resources.Match(resource, args.ConditionValues) { return false } diff --git a/pkg/policy/condition/binaryequalsfunc.go b/pkg/policy/condition/binaryequalsfunc.go index 9f74c5b09..2cb8669ca 100644 --- a/pkg/policy/condition/binaryequalsfunc.go +++ b/pkg/policy/condition/binaryequalsfunc.go @@ -51,7 +51,8 @@ func (f binaryEqualsFunc) evaluate(values map[string][]string) bool { requestValue = values[f.k.Name()] } - return !f.values.Intersection(set.CreateStringSet(requestValue...)).IsEmpty() + fvalues := f.values.ApplyFunc(substFuncFromValues(values)) + return !fvalues.Intersection(set.CreateStringSet(requestValue...)).IsEmpty() } // key() - returns condition key which is used by this condition function. diff --git a/pkg/policy/condition/key.go b/pkg/policy/condition/key.go index 83acb86af..9e65c1711 100644 --- a/pkg/policy/condition/key.go +++ b/pkg/policy/condition/key.go @@ -33,49 +33,58 @@ const ( // S3XAmzServerSideEncryption - key representing x-amz-server-side-encryption HTTP header applicable // to PutObject API only. - S3XAmzServerSideEncryption = "s3:x-amz-server-side-encryption" + S3XAmzServerSideEncryption Key = "s3:x-amz-server-side-encryption" // S3XAmzServerSideEncryptionCustomerAlgorithm - key representing // x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only. - S3XAmzServerSideEncryptionCustomerAlgorithm = "s3:x-amz-server-side-encryption-customer-algorithm" + S3XAmzServerSideEncryptionCustomerAlgorithm Key = "s3:x-amz-server-side-encryption-customer-algorithm" // S3XAmzMetadataDirective - key representing x-amz-metadata-directive HTTP header applicable to // PutObject API only. - S3XAmzMetadataDirective = "s3:x-amz-metadata-directive" + S3XAmzMetadataDirective Key = "s3:x-amz-metadata-directive" // S3XAmzStorageClass - key representing x-amz-storage-class HTTP header applicable to PutObject API // only. - S3XAmzStorageClass = "s3:x-amz-storage-class" + S3XAmzStorageClass Key = "s3:x-amz-storage-class" // S3LocationConstraint - key representing LocationConstraint XML tag of CreateBucket API only. - S3LocationConstraint = "s3:LocationConstraint" + S3LocationConstraint Key = "s3:LocationConstraint" // S3Prefix - key representing prefix query parameter of ListBucket API only. - S3Prefix = "s3:prefix" + S3Prefix Key = "s3:prefix" // S3Delimiter - key representing delimiter query parameter of ListBucket API only. - S3Delimiter = "s3:delimiter" + S3Delimiter Key = "s3:delimiter" // S3MaxKeys - key representing max-keys query parameter of ListBucket API only. - S3MaxKeys = "s3:max-keys" + S3MaxKeys Key = "s3:max-keys" // AWSReferer - key representing Referer header of any API. - AWSReferer = "aws:Referer" + AWSReferer Key = "aws:Referer" // AWSSourceIP - key representing client's IP address (not intermittent proxies) of any API. - AWSSourceIP = "aws:SourceIp" + AWSSourceIP Key = "aws:SourceIp" // AWSUserAgent - key representing UserAgent header for any API. - AWSUserAgent = "aws:UserAgent" + AWSUserAgent Key = "aws:UserAgent" // AWSSecureTransport - key representing if the clients request is authenticated or not. - AWSSecureTransport = "aws:SecureTransport" + AWSSecureTransport Key = "aws:SecureTransport" // AWSCurrentTime - key representing the current time. - AWSCurrentTime = "aws:CurrentTime" + AWSCurrentTime Key = "aws:CurrentTime" // AWSEpochTime - key representing the current epoch time. - AWSEpochTime = "aws:EpochTime" + AWSEpochTime Key = "aws:EpochTime" + + // AWSPrincipalType - user principal type currently supported values are "User" and "Anonymous". + AWSPrincipalType Key = "aws:principaltype" + + // AWSUserID - user unique ID, in Minio this value is same as your user Access Key. + AWSUserID Key = "aws:userid" + + // AWSUsername - user friendly name, in Minio this value is same as your user Access Key. + AWSUsername Key = "aws:username" ) // AllSupportedKeys - is list of all all supported keys. @@ -95,6 +104,9 @@ var AllSupportedKeys = []Key{ AWSSecureTransport, AWSCurrentTime, AWSEpochTime, + AWSPrincipalType, + AWSUserID, + AWSUsername, // Add new supported condition keys. } @@ -106,6 +118,21 @@ var CommonKeys = []Key{ AWSSecureTransport, AWSCurrentTime, AWSEpochTime, + AWSPrincipalType, + AWSUserID, + AWSUsername, +} + +func substFuncFromValues(values map[string][]string) func(string) string { + return func(v string) string { + for _, key := range CommonKeys { + // Empty values are not supported for policy variables. + if rvalues, ok := values[key.Name()]; ok && rvalues[0] != "" { + v = strings.Replace(v, key.VarName(), rvalues[0], -1) + } + } + return v + } } // IsValid - checks if key is valid or not. @@ -128,6 +155,11 @@ func (key Key) MarshalJSON() ([]byte, error) { return json.Marshal(string(key)) } +// VarName - returns variable key name, such as "${aws:username}" +func (key Key) VarName() string { + return fmt.Sprintf("${%s}", key) +} + // Name - returns key name which is stripped value of prefixes "aws:" and "s3:" func (key Key) Name() string { keyString := string(key) diff --git a/pkg/policy/condition/stringequalsfunc.go b/pkg/policy/condition/stringequalsfunc.go index 795a0fe19..793356596 100644 --- a/pkg/policy/condition/stringequalsfunc.go +++ b/pkg/policy/condition/stringequalsfunc.go @@ -50,7 +50,8 @@ func (f stringEqualsFunc) evaluate(values map[string][]string) bool { requestValue = values[f.k.Name()] } - return !f.values.Intersection(set.CreateStringSet(requestValue...)).IsEmpty() + fvalues := f.values.ApplyFunc(substFuncFromValues(values)) + return !fvalues.Intersection(set.CreateStringSet(requestValue...)).IsEmpty() } // key() - returns condition key which is used by this condition function. diff --git a/pkg/policy/condition/stringequalsignorecasefunc.go b/pkg/policy/condition/stringequalsignorecasefunc.go index 9b713a066..c1e736002 100644 --- a/pkg/policy/condition/stringequalsignorecasefunc.go +++ b/pkg/policy/condition/stringequalsignorecasefunc.go @@ -50,11 +50,14 @@ func (f stringEqualsIgnoreCaseFunc) evaluate(values map[string][]string) bool { requestValue = values[f.k.Name()] } + fvalues := f.values.ApplyFunc(substFuncFromValues(values)) + for _, v := range requestValue { - if !f.values.FuncMatch(strings.EqualFold, v).IsEmpty() { + if !fvalues.FuncMatch(strings.EqualFold, v).IsEmpty() { return true } } + return false } diff --git a/pkg/policy/condition/stringlikefunc.go b/pkg/policy/condition/stringlikefunc.go index 7927d4cd6..a3b76462e 100644 --- a/pkg/policy/condition/stringlikefunc.go +++ b/pkg/policy/condition/stringlikefunc.go @@ -51,8 +51,10 @@ func (f stringLikeFunc) evaluate(values map[string][]string) bool { requestValue = values[f.k.Name()] } + fvalues := f.values.ApplyFunc(substFuncFromValues(values)) + for _, v := range requestValue { - if !f.values.FuncMatch(wildcard.Match, v).IsEmpty() { + if !fvalues.FuncMatch(wildcard.Match, v).IsEmpty() { return true } } diff --git a/pkg/policy/resource.go b/pkg/policy/resource.go index 1e029b745..8223b83e6 100644 --- a/pkg/policy/resource.go +++ b/pkg/policy/resource.go @@ -21,6 +21,7 @@ import ( "fmt" "strings" + "github.com/minio/minio/pkg/policy/condition" "github.com/minio/minio/pkg/wildcard" ) @@ -47,8 +48,16 @@ func (r Resource) IsValid() bool { } // Match - matches object name with resource pattern. -func (r Resource) Match(resource string) bool { - return wildcard.Match(r.Pattern, resource) +func (r Resource) Match(resource string, conditionValues map[string][]string) bool { + pattern := r.Pattern + for _, key := range condition.CommonKeys { + // Empty values are not supported for policy variables. + if rvalues, ok := conditionValues[key.Name()]; ok && rvalues[0] != "" { + pattern = strings.Replace(pattern, key.VarName(), rvalues[0], -1) + } + } + + return wildcard.Match(pattern, resource) } // MarshalJSON - encodes Resource to JSON data. diff --git a/pkg/policy/resource_test.go b/pkg/policy/resource_test.go index b9cb7df51..4c35fbc5b 100644 --- a/pkg/policy/resource_test.go +++ b/pkg/policy/resource_test.go @@ -124,7 +124,7 @@ func TestResourceMatch(t *testing.T) { } for i, testCase := range testCases { - result := testCase.resource.Match(testCase.objectName) + result := testCase.resource.Match(testCase.objectName, nil) if result != testCase.expectedResult { t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result) diff --git a/pkg/policy/resourceset.go b/pkg/policy/resourceset.go index 4a5470819..06d627b09 100644 --- a/pkg/policy/resourceset.go +++ b/pkg/policy/resourceset.go @@ -81,9 +81,9 @@ func (resourceSet ResourceSet) MarshalJSON() ([]byte, error) { } // Match - matches object name with anyone of resource pattern in resource set. -func (resourceSet ResourceSet) Match(resource string) bool { +func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool { for r := range resourceSet { - if r.Match(resource) { + if r.Match(resource, conditionValues) { return true } } diff --git a/pkg/policy/resourceset_test.go b/pkg/policy/resourceset_test.go index 7a31e6f51..34eebcda1 100644 --- a/pkg/policy/resourceset_test.go +++ b/pkg/policy/resourceset_test.go @@ -179,7 +179,7 @@ func TestResourceSetMatch(t *testing.T) { } for i, testCase := range testCases { - result := testCase.resourceSet.Match(testCase.resource) + result := testCase.resourceSet.Match(testCase.resource, nil) if result != testCase.expectedResult { t.Fatalf("case %v: expected: %v, got: %v", i+1, testCase.expectedResult, result) diff --git a/pkg/policy/statement.go b/pkg/policy/statement.go index e1b12bdb9..bfcff310c 100644 --- a/pkg/policy/statement.go +++ b/pkg/policy/statement.go @@ -54,7 +54,7 @@ func (statement Statement) IsAllowed(args Args) bool { resource += args.ObjectName } - if !statement.Resources.Match(resource) { + if !statement.Resources.Match(resource, args.ConditionValues) { return false }