Aaron Walker
5db533c024
bucket-policy: Add IPAddress/NotIPAddress conditions support ( #4736 )
8 years ago
Harshavardhana
533338bdeb
all/windows: Be case in-sensitive about pattern matching. ( #3682 )
...
Resource strings and paths are case insensitive on windows
deployments but if user happens to use upper case instead of
lower case for certain configuration params like bucket
policies and bucket notification config. We might not honor
them which leads to a wrong behavior on windows.
This is windows only behavior, for all other platforms case
is still kept sensitive.
8 years ago
Krishnan Parthasarathi
2665aba555
Fail PutBucketPolicy if conditions are incompatible with actions. ( #3659 )
8 years ago
Krishnan Parthasarathi
b408d0e87d
Add aws:Referer condition key support. ( #3641 )
...
This change implements bucket policy enhancements required to restrict access based on HTTP referer.
See https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-4 for more information.
Fixes #3540
8 years ago
Harshavardhana
b0cfceb211
event: Enhance event message struct to provide origin server. ( #3557 )
...
`principalId` i.e user identity is kept as AccessKey in
accordance with S3 spec.
Additionally responseElements{} are added starting with
`x-amz-request-id` is a hexadecimal of the event time itself in nanosecs.
`x-minio-origin-server` - points to the server generating the event.
Fixes #3556
8 years ago
Bala FA
bef0a50bc1
Cleanup and fixes ( #3273 )
...
* newRequestID() (previously generateUploadID()) returns string than byte array.
* Remove unclear comments and added appropriate comments.
* SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array.
* Remove duplicate MD5 hasher functions.
* Rename listObjectsValidateArgs() into validateListObjectsArgs()
* Remove repeated auth check code in all bucket request handlers.
* Remove abbreviated names in bucket-metadata
* Avoid nested if in bucketPolicyMatchStatement()
* Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll()
* Set crossDomainXML as constant.
8 years ago
Harshavardhana
1b85302161
Fix spelling and golint errors. ( #3266 )
...
Fixes #3263
8 years ago
Aditya Manthramurthy
0aabc1d8d9
Use Peer RPC to propagate bucket policy changes ( #2891 )
8 years ago
Anis Elleuch
b5a6dd1395
Avoid path-cleaning policy resources for a better compliance with S3 ( #2823 )
8 years ago
Harshavardhana
ef3c807b4a
policies: Parser should handle Principals with various forms. ( #2733 )
...
Handles cases for these three combinations
- "Principal": "*",
- "Principal": { "AWS" : "*" }
- "Principal": { "AWS" : [ "*" ]}
Fixes #2732
8 years ago
Harshavardhana
975eb31973
api/bucketPolicy: Use minio-go/pkg/set and fix bucket policy regression. ( #2506 )
...
Current master has a regression 'mc policy <policy-type> alias/bucket/prefix'
does not work anymore, due to the way new minio-go changes do json marshalling.
This led to a regression on server side when a ``prefix`` is provided
policy is rejected as malformed from th server which is not the case with
AWS S3.
This patch uses the new ``minio-go/pkg/set`` package to address the
unmarshalling problems.
Fixes #2503
8 years ago
Harshavardhana
bccf549463
server: Move all the top level files into cmd folder. ( #2490 )
...
This change brings a change which was done for the 'mc'
package to allow for clean repo and have a cleaner
github drop in experience.
8 years ago
Harshavardhana
d1bb8a5b21
api: refactor the bucket policy reading and writing. ( #2395 )
...
Policies are read once during server startup and subsequently
managed through in memory map. In-memory map is updated as
and when there are new changes coming in.
9 years ago
karthic rao
48aa5f2199
api/bucket-policy: Add unit tests for more coverage, fixes couple of bugs. ( #2055 )
...
Changes to ResourceMatch logic.
Test for action match function.
9 years ago
Aakash Muttineni
6f3bd76754
api: Add new bucket policy nesting error ( #1883 )
...
* Added ErrPolicyNesting which is returned when nesting of policies has occured
* Replaces ErrMalformedPolicy in the case of nesting
* Changed test case in bucket-policy-parser_test.go (ErrMalformedPolicy -> ErrPolicyNesting)
9 years ago
Harshavardhana
ba5805e60a
bucketPolicy: Do not use regexes, just do prefix matches. ( #1497 )
...
AWS arn supports wildcards and this is flat namespace, simple
prefix matching is fine.
Fixes #1481
Fixes #1482
9 years ago
karthic rao
188bb92d8a
bucket-policy parset tests, and bug fixes ( #1317 )
9 years ago
Harshavardhana
996d2e2a10
bucketpolicy: checkBucketPolicy should keep resources in map.
...
This is done to make sure to avoid appending duplicates for
resources for each actions.
9 years ago
Harshavardhana
88714e7c8e
bucketpolicy: Improve bucket policy validation, avoid nested rules.
...
Bucket policy validation is more stricter now, to avoid nested
rules. The reason to do this is keep the rules simpler and more
meaningful avoiding conflicts.
This patch implements stricter checks.
Example policy to be generally avoided.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/*"
]
},
{
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::jarjarbing/restic/key/*"
]
}
]
}
```
9 years ago
Harshavardhana
d5057b3c51
accessPolicy: Implement Put, Get, Delete access policy.
...
This patch implements Get,Put,Delete bucket policies
Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
Currently supports following actions.
"*": true,
"s3:*": true,
"s3:GetObject": true,
"s3:ListBucket": true,
"s3:PutObject": true,
"s3:CreateBucket": true,
"s3:GetBucketLocation": true,
"s3:DeleteBucket": true,
"s3:DeleteObject": true,
"s3:AbortMultipartUpload": true,
"s3:ListBucketMultipartUploads": true,
"s3:ListMultipartUploadParts": true,
following conditions for "StringEquals" and "StringNotEquals"
"s3:prefix", "s3:max-keys"
9 years ago