default to common conditions if conditions not present (#11546)

fixes #11544
master
Harshavardhana 4 years ago committed by GitHub
parent 7d4a2d2b68
commit 87cce344f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 45
      pkg/iam/policy/action.go
  2. 7
      pkg/iam/policy/statement.go

@ -291,34 +291,20 @@ func (action Action) IsValid() bool {
type actionConditionKeyMap map[Action]condition.KeySet
func (a actionConditionKeyMap) Lookup(action Action) (condition.KeySet, bool) {
var ckeysMerged = condition.KeySet{}
var found bool
func (a actionConditionKeyMap) Lookup(action Action) condition.KeySet {
var ckeysMerged = condition.NewKeySet(condition.CommonKeys...)
for act, ckey := range a {
if action.Match(act) {
ckeysMerged.Merge(ckey)
found = true
}
}
return ckeysMerged, found
return ckeysMerged
}
// iamActionConditionKeyMap - holds mapping of supported condition key for an action.
var iamActionConditionKeyMap = actionConditionKeyMap{
AllActions: condition.NewKeySet(condition.AllSupportedKeys...),
AbortMultipartUploadAction: condition.NewKeySet(condition.CommonKeys...),
CreateBucketAction: condition.NewKeySet(condition.CommonKeys...),
DeleteBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
GetBucketLocationAction: condition.NewKeySet(condition.CommonKeys...),
GetBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
GetBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
GetObjectAction: condition.NewKeySet(
append([]condition.Key{
condition.S3XAmzServerSideEncryption,
@ -326,10 +312,6 @@ var iamActionConditionKeyMap = actionConditionKeyMap{
condition.S3VersionID,
}, condition.CommonKeys...)...),
HeadBucketAction: condition.NewKeySet(condition.CommonKeys...),
ListAllMyBucketsAction: condition.NewKeySet(condition.CommonKeys...),
ListBucketAction: condition.NewKeySet(
append([]condition.Key{
condition.S3Prefix,
@ -344,18 +326,6 @@ var iamActionConditionKeyMap = actionConditionKeyMap{
condition.S3MaxKeys,
}, condition.CommonKeys...)...),
ListBucketMultipartUploadsAction: condition.NewKeySet(condition.CommonKeys...),
ListenNotificationAction: condition.NewKeySet(condition.CommonKeys...),
ListenBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
ListMultipartUploadPartsAction: condition.NewKeySet(condition.CommonKeys...),
PutBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
PutBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
DeleteObjectAction: condition.NewKeySet(
append([]condition.Key{
condition.S3VersionID,
@ -385,12 +355,14 @@ var iamActionConditionKeyMap = actionConditionKeyMap{
condition.S3ObjectLockMode,
condition.S3VersionID,
}, condition.CommonKeys...)...),
GetObjectRetentionAction: condition.NewKeySet(
append([]condition.Key{
condition.S3XAmzServerSideEncryption,
condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
condition.S3VersionID,
}, condition.CommonKeys...)...),
PutObjectLegalHoldAction: condition.NewKeySet(
append([]condition.Key{
condition.S3XAmzServerSideEncryption,
@ -410,11 +382,6 @@ var iamActionConditionKeyMap = actionConditionKeyMap{
condition.S3ObjectLockLegalHold,
}, condition.CommonKeys...)...),
GetBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
PutBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
GetBucketTaggingAction: condition.NewKeySet(condition.CommonKeys...),
PutBucketTaggingAction: condition.NewKeySet(condition.CommonKeys...),
PutObjectTaggingAction: condition.NewKeySet(
append([]condition.Key{
condition.S3VersionID,
@ -448,8 +415,6 @@ var iamActionConditionKeyMap = actionConditionKeyMap{
append([]condition.Key{
condition.S3VersionID,
}, condition.CommonKeys...)...),
GetReplicationConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
PutReplicationConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
ReplicateObjectAction: condition.NewKeySet(
append([]condition.Key{
condition.S3VersionID,
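Review bot: Lookup at the top of this section has no doc comment, and its contract changed in a way the signature no longer shows: the boolean that told callers an action had no explicit entry is gone, and every unmatched action now silently receives CommonKeys. Suggest `// Lookup returns the condition keys a policy may use with action: CommonKeys plus the keys of every iamActionConditionKeyMap entry that action matches.` A one-line comment above iamActionConditionKeyMap saying that actions supporting only CommonKeys are intentionally omitted would also help, since this section deletes those entries and a later reader may re-add them. That action is treated as the wildcard pattern in `action.Match(act)` (so a wildcard action presumably merges every entry, including the AllSupportedKeys one) is inferred from the loop and worth confirming against Match. isValid in statement.go (next section) is the only caller shown and relies on this default.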

@ -114,13 +114,8 @@ func (statement Statement) isValid() error {
return Errorf("unsupported Resource found %v for action %v", statement.Resources, action)
}
condKeys, ok := iamActionConditionKeyMap.Lookup(action)
if !ok {
return Errorf("conditions are not supported for action %v", action)
}
keys := statement.Conditions.Keys()
keyDiff := keys.Difference(condKeys)
keyDiff := keys.Difference(iamActionConditionKeyMap.Lookup(action))
if !keyDiff.IsEmpty() {
return Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
}
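Review bot: `keys` on the line before the new Difference call is now used only once, so the two statements can be folded into `keyDiff := statement.Conditions.Keys().Difference(iamActionConditionKeyMap.Lookup(action))`. With the `!ok` branch removed, a statement naming an action with no explicit map entry is rejected only when it uses a non-common key, and the error now names those keys instead of the old blanket message; that reads as the intended fix for #11544 but deserves a comment above the call, e.g. `// Lookup always includes CommonKeys, so only keys beyond those are rejected here.` isValid starts and ends outside this hunk.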
