policy

package
v2.0.19 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 10, 2024 License: AGPL-3.0 Imports: 10 Imported by: 6

Documentation

Index

Constants

View Source
const (
	// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
	AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"

	// CreateBucketAction - CreateBucket Rest API action.
	CreateBucketAction = "s3:CreateBucket"

	// DeleteBucketAction - DeleteBucket Rest API action.
	DeleteBucketAction = "s3:DeleteBucket"

	// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
	// is specified.
	ForceDeleteBucketAction = "s3:ForceDeleteBucket"

	// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
	DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"

	// DeleteObjectAction - DeleteObject Rest API action.
	DeleteObjectAction = "s3:DeleteObject"

	// GetBucketLocationAction - GetBucketLocation Rest API action.
	GetBucketLocationAction = "s3:GetBucketLocation"

	// GetBucketNotificationAction - GetBucketNotification Rest API action.
	GetBucketNotificationAction = "s3:GetBucketNotification"

	// GetBucketPolicyAction - GetBucketPolicy Rest API action.
	GetBucketPolicyAction = "s3:GetBucketPolicy"

	// GetObjectAction - GetObject Rest API action.
	GetObjectAction = "s3:GetObject"

	// GetObjectAttributesAction - GetObjectVersionAttributes Rest API action.
	GetObjectAttributesAction = "s3:GetObjectAttributes"

	// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
	HeadBucketAction = "s3:HeadBucket"

	// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
	ListAllMyBucketsAction = "s3:ListAllMyBuckets"

	// ListBucketAction - ListBucket Rest API action.
	ListBucketAction = "s3:ListBucket"

	// GetBucketPolicyStatusAction - Retrieves the policy status for a bucket.
	GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus"

	// ListBucketVersionsAction - ListBucketVersions Rest API action.
	ListBucketVersionsAction = "s3:ListBucketVersions"

	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

	// ListenNotificationAction - ListenNotification Rest API action.
	// This is MinIO extension.
	ListenNotificationAction = "s3:ListenNotification"

	// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
	// This is MinIO extension.
	ListenBucketNotificationAction = "s3:ListenBucketNotification"

	// ListMultipartUploadPartsAction - ListParts Rest API action.
	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"

	// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
	PutBucketLifecycleAction = "s3:PutLifecycleConfiguration"

	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
	GetBucketLifecycleAction = "s3:GetLifecycleConfiguration"

	// PutBucketNotificationAction - PutObjectNotification Rest API action.
	PutBucketNotificationAction = "s3:PutBucketNotification"

	// PutBucketPolicyAction - PutBucketPolicy Rest API action.
	PutBucketPolicyAction = "s3:PutBucketPolicy"

	// PutObjectAction - PutObject Rest API action.
	PutObjectAction = "s3:PutObject"

	// DeleteObjectVersionAction - DeleteObjectVersion Rest API action.
	DeleteObjectVersionAction = "s3:DeleteObjectVersion"

	// DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action.
	DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging"

	// GetObjectVersionAction - GetObjectVersionAction Rest API action.
	GetObjectVersionAction = "s3:GetObjectVersion"

	// GetObjectVersionAttributesAction - GetObjectVersionAttributes Rest API action.
	GetObjectVersionAttributesAction = "s3:GetObjectVersionAttributes"

	// GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action.
	GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging"

	// PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action.
	PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging"

	// BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"

	// PutObjectRetentionAction - PutObjectRetention Rest API action.
	PutObjectRetentionAction = "s3:PutObjectRetention"

	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
	GetObjectRetentionAction = "s3:GetObjectRetention"

	// GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action.
	GetObjectLegalHoldAction = "s3:GetObjectLegalHold"

	// PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action.
	PutObjectLegalHoldAction = "s3:PutObjectLegalHold"

	// GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action
	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"

	// PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action
	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"

	// GetBucketTaggingAction - GetBucketTagging Rest API action
	GetBucketTaggingAction = "s3:GetBucketTagging"

	// PutBucketTaggingAction - PutBucketTagging Rest API action
	PutBucketTaggingAction = "s3:PutBucketTagging"

	// GetObjectTaggingAction - Get Object Tags API action
	GetObjectTaggingAction = "s3:GetObjectTagging"

	// PutObjectTaggingAction - Put Object Tags API action
	PutObjectTaggingAction = "s3:PutObjectTagging"

	// DeleteObjectTaggingAction - Delete Object Tags API action
	DeleteObjectTaggingAction = "s3:DeleteObjectTagging"

	// PutBucketEncryptionAction - PutBucketEncryption REST API action
	PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"

	// GetBucketEncryptionAction - GetBucketEncryption REST API action
	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"

	// PutBucketVersioningAction - PutBucketVersioning REST API action
	PutBucketVersioningAction = "s3:PutBucketVersioning"

	// GetBucketVersioningAction - GetBucketVersioning REST API action
	GetBucketVersioningAction = "s3:GetBucketVersioning"
	// GetReplicationConfigurationAction  - GetReplicationConfiguration REST API action
	GetReplicationConfigurationAction = "s3:GetReplicationConfiguration"
	// PutReplicationConfigurationAction  - PutReplicationConfiguration REST API action
	PutReplicationConfigurationAction = "s3:PutReplicationConfiguration"

	// ReplicateObjectAction  - ReplicateObject REST API action
	ReplicateObjectAction = "s3:ReplicateObject"

	// ReplicateDeleteAction  - ReplicateDelete REST API action
	ReplicateDeleteAction = "s3:ReplicateDelete"

	// ReplicateTagsAction  - ReplicateTags REST API action
	ReplicateTagsAction = "s3:ReplicateTags"

	// GetObjectVersionForReplicationAction  - GetObjectVersionForReplication REST API action
	GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication"

	// RestoreObjectAction - RestoreObject REST API action
	RestoreObjectAction = "s3:RestoreObject"
	// ResetBucketReplicationStateAction - MinIO extension API ResetBucketReplicationState to reset replication state
	// on a bucket
	ResetBucketReplicationStateAction = "s3:ResetBucketReplicationState"

	// PutObjectFanOutAction - PutObject like API action but allows PostUpload() fan-out.
	PutObjectFanOutAction = "s3:PutObjectFanOut"

	// AllActions - all API actions
	AllActions = "s3:*"
)
View Source
const (
	// HealAdminAction - allows heal command
	HealAdminAction = "admin:Heal"

	// DecommissionAdminAction - allows decomissioning of pools
	DecommissionAdminAction = "admin:Decommission"

	// RebalanceAdminAction - allows rebalancing of pools
	RebalanceAdminAction = "admin:Rebalance"

	// StorageInfoAdminAction - allow listing server info
	StorageInfoAdminAction = "admin:StorageInfo"
	// PrometheusAdminAction - prometheus info action
	PrometheusAdminAction = "admin:Prometheus"
	// DataUsageInfoAdminAction - allow listing data usage info
	DataUsageInfoAdminAction = "admin:DataUsageInfo"
	// ForceUnlockAdminAction - allow force unlocking locks
	ForceUnlockAdminAction = "admin:ForceUnlock"
	// TopLocksAdminAction - allow listing top locks
	TopLocksAdminAction = "admin:TopLocksInfo"
	// ProfilingAdminAction - allow profiling
	ProfilingAdminAction = "admin:Profiling"
	// TraceAdminAction - allow listing server trace
	TraceAdminAction = "admin:ServerTrace"
	// ConsoleLogAdminAction - allow listing console logs on terminal
	ConsoleLogAdminAction = "admin:ConsoleLog"
	// KMSCreateKeyAdminAction - allow creating a new KMS master key
	KMSCreateKeyAdminAction = "admin:KMSCreateKey"
	// KMSKeyStatusAdminAction - allow getting KMS key status
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"
	// ServerInfoAdminAction - allow listing server info
	ServerInfoAdminAction = "admin:ServerInfo"
	// HealthInfoAdminAction - allow obtaining cluster health information
	HealthInfoAdminAction = "admin:OBDInfo"
	// BandwidthMonitorAction - allow monitoring bandwidth usage
	BandwidthMonitorAction = "admin:BandwidthMonitor"
	// InspectDataAction - allows downloading raw files from backend
	InspectDataAction = "admin:InspectData"

	// ServerUpdateAdminAction - allow MinIO binary update
	ServerUpdateAdminAction = "admin:ServerUpdate"
	// ServiceRestartAdminAction - allow restart of MinIO service.
	ServiceRestartAdminAction = "admin:ServiceRestart"
	// ServiceStopAdminAction - allow stopping MinIO service.
	ServiceStopAdminAction = "admin:ServiceStop"
	// ServiceFreezeAdminAction - allow freeze/unfreeze MinIO service.
	ServiceFreezeAdminAction = "admin:ServiceFreeze"

	// ConfigUpdateAdminAction - allow MinIO config management
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// CreateUserAdminAction - allow creating MinIO user
	CreateUserAdminAction = "admin:CreateUser"
	// DeleteUserAdminAction - allow deleting MinIO user
	DeleteUserAdminAction = "admin:DeleteUser"
	// ListUsersAdminAction - allow list users permission
	ListUsersAdminAction = "admin:ListUsers"
	// EnableUserAdminAction - allow enable user permission
	EnableUserAdminAction = "admin:EnableUser"
	// DisableUserAdminAction - allow disable user permission
	DisableUserAdminAction = "admin:DisableUser"
	// GetUserAdminAction - allows GET permission on user info
	GetUserAdminAction = "admin:GetUser"

	// SiteReplicationAddAction - allow adding clusters for site-level replication
	SiteReplicationAddAction = "admin:SiteReplicationAdd"
	// SiteReplicationDisableAction - allow disabling a cluster from replication
	SiteReplicationDisableAction = "admin:SiteReplicationDisable"
	// SiteReplicationRemoveAction - allow removing a cluster from replication
	SiteReplicationRemoveAction = "admin:SiteReplicationRemove"
	// SiteReplicationResyncAction - allow resyncing cluster data to another site
	SiteReplicationResyncAction = "admin:SiteReplicationResync"
	// SiteReplicationInfoAction - allow getting site replication info
	SiteReplicationInfoAction = "admin:SiteReplicationInfo"
	// SiteReplicationOperationAction - allow performing site replication
	// create/update/delete operations to peers
	SiteReplicationOperationAction = "admin:SiteReplicationOperation"

	// CreateServiceAccountAdminAction - allow create a service account for a user
	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"
	// UpdateServiceAccountAdminAction - allow updating a service account
	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"
	// RemoveServiceAccountAdminAction - allow removing a service account
	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"
	// ListServiceAccountsAdminAction - allow listing service accounts
	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"

	// ListTemporaryAccountsAdminAction - allow listing of temporary accounts
	ListTemporaryAccountsAdminAction = "admin:ListTemporaryAccounts"

	// AddUserToGroupAdminAction - allow adding user to group permission
	AddUserToGroupAdminAction = "admin:AddUserToGroup"
	// RemoveUserFromGroupAdminAction - allow removing user to group permission
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
	// GetGroupAdminAction - allow getting group info
	GetGroupAdminAction = "admin:GetGroup"
	// ListGroupsAdminAction - allow list groups permission
	ListGroupsAdminAction = "admin:ListGroups"
	// EnableGroupAdminAction - allow enable group permission
	EnableGroupAdminAction = "admin:EnableGroup"
	// DisableGroupAdminAction - allow disable group permission
	DisableGroupAdminAction = "admin:DisableGroup"

	// CreatePolicyAdminAction - allow create policy permission
	CreatePolicyAdminAction = "admin:CreatePolicy"
	// DeletePolicyAdminAction - allow delete policy permission
	DeletePolicyAdminAction = "admin:DeletePolicy"
	// GetPolicyAdminAction - allow get policy permission
	GetPolicyAdminAction = "admin:GetPolicy"
	// AttachPolicyAdminAction - allows attaching a policy to a user/group
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
	// UpdatePolicyAssociationAction - allows to add/remove policy association
	// on a user or group.
	UpdatePolicyAssociationAction = "admin:UpdatePolicyAssociation"
	// ListUserPoliciesAdminAction - allows listing user policies
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"

	// SetBucketQuotaAdminAction - allow setting bucket quota
	SetBucketQuotaAdminAction = "admin:SetBucketQuota"
	// GetBucketQuotaAdminAction - allow getting bucket quota
	GetBucketQuotaAdminAction = "admin:GetBucketQuota"

	// SetBucketTargetAction - allow setting bucket target
	SetBucketTargetAction = "admin:SetBucketTarget"
	// GetBucketTargetAction - allow getting bucket targets
	GetBucketTargetAction = "admin:GetBucketTarget"

	// ReplicationDiff - allow computing the unreplicated objects in a bucket
	ReplicationDiff = "admin:ReplicationDiff"

	// ImportBucketMetadataAction - allow importing bucket metadata
	ImportBucketMetadataAction = "admin:ImportBucketMetadata"
	// ExportBucketMetadataAction - allow exporting bucket metadata
	ExportBucketMetadataAction = "admin:ExportBucketMetadata"

	// SetTierAction - allow adding/editing a remote tier
	SetTierAction = "admin:SetTier"
	// ListTierAction - allow listing remote tiers
	ListTierAction = "admin:ListTier"

	// ExportIAMAction - allow exporting of all IAM info
	ExportIAMAction = "admin:ExportIAM"
	// ImportIAMAction - allow importing IAM info to MinIO
	ImportIAMAction = "admin:ImportIAM"

	// ListBatchJobsAction allow listing current active jobs
	ListBatchJobsAction = "admin:ListBatchJobs"

	// DescribeBatchJobAction allow getting batch job YAML
	DescribeBatchJobAction = "admin:DescribeBatchJob"

	// StartBatchJobAction allow submitting a batch job
	StartBatchJobAction = "admin:StartBatchJob"

	// CancelBatchJobAction allow canceling a batch job
	CancelBatchJobAction = "admin:CancelBatchJob"

	// AllAdminActions - provides all admin permissions
	AllAdminActions = "admin:*"
)
View Source
const (
	PolicyName        = "policy"
	SessionPolicyName = "sessionPolicy"
)

Policy claim constants

View Source
const (
	// KMSCreateKeyAction - allow creating a new KMS master key
	KMSCreateKeyAction = "kms:CreateKey"
	// KMSDeleteKeyAction - allow deleting a KMS master key
	KMSDeleteKeyAction = "kms:DeleteKey"
	// KMSListKeysAction - allow getting list of KMS keys
	KMSListKeysAction = "kms:ListKeys"
	// KMSImportKeyAction - allow importing KMS key
	KMSImportKeyAction = "kms:ImportKey"
	// KMSDescribePolicyAction - allow getting KMS policy
	KMSDescribePolicyAction = "kms:DescribePolicy"
	// KMSAssignPolicyAction - allow assigning an identity to a KMS policy
	KMSAssignPolicyAction = "kms:AssignPolicy"
	// KMSDeletePolicyAction - allow deleting a policy
	KMSDeletePolicyAction = "kms:DeletePolicy"
	// KMSSetPolicyAction - allow creating or updating a policy
	KMSSetPolicyAction = "kms:SetPolicy"
	// KMSGetPolicyAction - allow getting a policy
	KMSGetPolicyAction = "kms:GetPolicy"
	// KMSListPoliciesAction - allow getting list of KMS policies
	KMSListPoliciesAction = "kms:ListPolicies"
	// KMSDescribeIdentityAction - allow getting KMS identity
	KMSDescribeIdentityAction = "kms:DescribeIdentity"
	// KMSDescribeSelfIdentityAction - allow getting self KMS identity
	KMSDescribeSelfIdentityAction = "kms:DescribeSelfIdentity"
	// KMSDeleteIdentityAction - allow deleting a policy
	KMSDeleteIdentityAction = "kms:DeleteIdentity"
	// KMSListIdentitiesAction - allow getting list of KMS identities
	KMSListIdentitiesAction = "kms:ListIdentities"
	// KMSKeyStatusAction - allow getting KMS key status
	KMSKeyStatusAction = "kms:KeyStatus"
	// KMSStatusAction - allow getting KMS status
	KMSStatusAction = "kms:Status"
	// KMSAPIAction - allow getting a list of supported API endpoints
	KMSAPIAction = "kms:API"
	// KMSMetricsAction - allow getting server metrics in the Prometheus exposition format
	KMSMetricsAction = "kms:Metrics"
	// KMSVersionAction - allow getting version information
	KMSVersionAction = "kms:Version"
	// KMSAuditLogAction - subscribes to the audit log
	KMSAuditLogAction = "kms:AuditLog"
	// KMSErrorLogAction - subscribes to the error log
	KMSErrorLogAction = "kms:ErrorLog"
	// AllKMSActions - provides all admin permissions
	AllKMSActions = "kms:*"
)
View Source
const (
	// AssumeRoleWithWebIdentityAction - STS action for AssumeRoleWithWebIdentity call
	AssumeRoleWithWebIdentityAction = "sts:AssumeRoleWithWebIdentity"
	// AllSTSActions - select all STS actions
	AllSTSActions = "*"
)
View Source
const DefaultVersion = "2012-10-17"

DefaultVersion - default policy version as per AWS S3 specification.

View Source
const ResourceARNPrefix = "arn:aws:s3:::"

ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.

Variables

View Source
var DefaultPolicies = []struct {
	Name       string
	Definition Policy
}{

	{
		Name: "readwrite",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(AllActions),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},

	{
		Name: "readonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(GetBucketLocationAction, GetObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},

	{
		Name: "writeonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(PutObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},

	{
		Name: "diagnostics",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(ProfilingAdminAction,
						TraceAdminAction, ConsoleLogAdminAction,
						ServerInfoAdminAction, TopLocksAdminAction,
						HealthInfoAdminAction, BandwidthMonitorAction,
						PrometheusAdminAction,
					),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},

	{
		Name: "consoleAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllAdminActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllKMSActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllActions),
					Resources:  NewResourceSet(NewResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
}

DefaultPolicies - list of canned policies available in MinIO.

View Source
var IAMActionConditionKeyMap = createActionConditionKeyMap()

IAMActionConditionKeyMap - holds mapping of supported condition key for an action.

Functions

func Errorf

func Errorf(format string, a ...interface{}) error

Errorf - formats according to a format specifier and returns the string as a value that satisfies error of type policy.Error

func GetPoliciesFromClaims

func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool)

GetPoliciesFromClaims returns the list of policies to be applied for this incoming request, extracting the information from input JWT claims.

func GetValuesFromClaims

func GetValuesFromClaims(claims map[string]interface{}, claimName string) (set.StringSet, bool)

GetValuesFromClaims returns the list of values for the input claimName. Supports values in following formats - string - comma separated values - string array

Types

type Action

type Action string

Action - policy action. Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for more information about available actions.

func (Action) IsObjectAction

func (action Action) IsObjectAction() bool

IsObjectAction - returns whether action is object type or not.

func (Action) IsValid

func (action Action) IsValid() bool

IsValid - checks if action is valid or not.

func (Action) Match

func (action Action) Match(a Action) bool

Match - matches action name with action patter.

type ActionConditionKeyMap

type ActionConditionKeyMap map[Action]condition.KeySet

ActionConditionKeyMap is alias for the map type used here.

func (ActionConditionKeyMap) Lookup

func (a ActionConditionKeyMap) Lookup(action Action) condition.KeySet

Lookup - looks up the action in the condition key map.

type ActionSet

type ActionSet map[Action]struct{}

ActionSet - set of actions.

func NewActionSet

func NewActionSet(actions ...Action) ActionSet

NewActionSet - creates new action set.

func (ActionSet) Add

func (actionSet ActionSet) Add(action Action)

Add - add action to the set.

func (ActionSet) Clone

func (actionSet ActionSet) Clone() ActionSet

Clone clones ActionSet structure

func (ActionSet) Contains

func (actionSet ActionSet) Contains(action Action) bool

Contains - checks given action exists in the action set.

func (ActionSet) Equals

func (actionSet ActionSet) Equals(sactionSet ActionSet) bool

Equals - checks whether given action set is equal to current action set or not.

func (ActionSet) Intersection

func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet

Intersection - returns actions available in both ActionSet.

func (ActionSet) IsEmpty

func (actionSet ActionSet) IsEmpty() bool

IsEmpty - returns if the current action set is empty

func (ActionSet) MarshalJSON

func (actionSet ActionSet) MarshalJSON() ([]byte, error)

MarshalJSON - encodes ActionSet to JSON data.

func (ActionSet) Match

func (actionSet ActionSet) Match(action Action) bool

Match - matches object name with anyone of action pattern in action set.

func (ActionSet) String

func (actionSet ActionSet) String() string

func (ActionSet) ToAdminSlice

func (actionSet ActionSet) ToAdminSlice() []AdminAction

ToAdminSlice - returns slice of admin actions from the action set.

func (ActionSet) ToKMSSlice

func (actionSet ActionSet) ToKMSSlice() (actions []KMSAction)

ToKMSSlice - returns slice of kms actions from the action set.

func (ActionSet) ToSTSSlice added in v2.0.9

func (actionSet ActionSet) ToSTSSlice() []STSAction

ToSTSSlice - returns slice of STS actions from the action set.

func (ActionSet) ToSlice

func (actionSet ActionSet) ToSlice() []Action

ToSlice - returns slice of actions from the action set.

func (*ActionSet) UnmarshalJSON

func (actionSet *ActionSet) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to ActionSet.

func (ActionSet) Validate

func (actionSet ActionSet) Validate() error

Validate checks if all actions are valid

func (ActionSet) ValidateAdmin

func (actionSet ActionSet) ValidateAdmin() error

ValidateAdmin checks if all actions are valid Admin actions

func (ActionSet) ValidateKMS

func (actionSet ActionSet) ValidateKMS() error

ValidateKMS checks if all actions are valid KMS actions

func (ActionSet) ValidateSTS added in v2.0.9

func (actionSet ActionSet) ValidateSTS() error

ValidateSTS checks if all actions are valid STS actions

type AdminAction

type AdminAction string

AdminAction - admin policy action.

func (AdminAction) IsValid

func (action AdminAction) IsValid() bool

IsValid - checks if action is valid or not.

type Args

type Args struct {
	AccountName     string                 `json:"account"`
	Groups          []string               `json:"groups"`
	Action          Action                 `json:"action"`
	BucketName      string                 `json:"bucket"`
	ConditionValues map[string][]string    `json:"conditions"`
	IsOwner         bool                   `json:"owner"`
	ObjectName      string                 `json:"object"`
	Claims          map[string]interface{} `json:"claims"`
	DenyOnly        bool                   `json:"denyOnly"` // only applies deny
}

Args - arguments to policy to check whether it is allowed

func (Args) GetPolicies

func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool)

GetPolicies returns the list of policies to be applied for this incoming request, extracting the information from JWT claims.

func (Args) GetRoleArn

func (a Args) GetRoleArn() string

GetRoleArn returns the role ARN from JWT claims if present. Otherwise returns empty string.

type BPStatement

type BPStatement struct {
	SID        ID                  `json:"Sid,omitempty"`
	Effect     Effect              `json:"Effect"`
	Principal  Principal           `json:"Principal"`
	Actions    ActionSet           `json:"Action"`
	NotActions ActionSet           `json:"NotAction,omitempty"`
	Resources  ResourceSet         `json:"Resource"`
	Conditions condition.Functions `json:"Condition,omitempty"`
}

BPStatement - policy statement.

func NewBPStatement

func NewBPStatement(sid ID, effect Effect, principal Principal, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) BPStatement

NewBPStatement - creates new statement.

func NewBPStatementWithNotAction

func NewBPStatementWithNotAction(sid ID, effect Effect, principal Principal, notActions ActionSet, resources ResourceSet, conditions condition.Functions) BPStatement

NewBPStatementWithNotAction - creates new statement with NotAction.

func (BPStatement) Clone

func (statement BPStatement) Clone() BPStatement

Clone clones Statement structure

func (BPStatement) Equals

func (statement BPStatement) Equals(st BPStatement) bool

Equals checks if two statements are equal

func (BPStatement) IsAllowed

func (statement BPStatement) IsAllowed(args BucketPolicyArgs) bool

IsAllowed - checks given policy args is allowed to continue the Rest API.

func (BPStatement) Validate

func (statement BPStatement) Validate(bucketName string) error

Validate - validates Statement is for given bucket or not.

type BucketPolicy

type BucketPolicy struct {
	ID         ID `json:"ID,omitempty"`
	Version    string
	Statements []BPStatement `json:"Statement"`
}

BucketPolicy - bucket policy.

func ParseBucketPolicyConfig

func ParseBucketPolicyConfig(reader io.Reader, bucketName string) (*BucketPolicy, error)

ParseBucketPolicyConfig - parses data in given reader to Policy.

func (*BucketPolicy) Equals

func (policy *BucketPolicy) Equals(p BucketPolicy) bool

Equals returns true if the two policies are identical

func (BucketPolicy) IsAllowed

func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool

IsAllowed - checks given policy args is allowed to continue the Rest API.

func (BucketPolicy) IsEmpty

func (policy BucketPolicy) IsEmpty() bool

IsEmpty - returns whether policy is empty or not.

func (BucketPolicy) MarshalJSON

func (policy BucketPolicy) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Policy to JSON data.

func (*BucketPolicy) UnmarshalJSON

func (policy *BucketPolicy) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Policy.

func (BucketPolicy) Validate

func (policy BucketPolicy) Validate(bucketName string) error

Validate - validates all statements are for given bucket or not.

type BucketPolicyArgs

type BucketPolicyArgs struct {
	AccountName     string              `json:"account"`
	Groups          []string            `json:"groups"`
	Action          Action              `json:"action"`
	BucketName      string              `json:"bucket"`
	ConditionValues map[string][]string `json:"conditions"`
	IsOwner         bool                `json:"owner"`
	ObjectName      string              `json:"object"`
}

BucketPolicyArgs - arguments to policy to check whether it is allowed

type Effect

type Effect string

Effect - policy statement effect Allow or Deny.

const (
	// Allow - allow effect.
	Allow Effect = "Allow"

	// Deny - deny effect.
	Deny = "Deny"
)

func (Effect) IsAllowed

func (effect Effect) IsAllowed(b bool) bool

IsAllowed - returns if given check is allowed or not.

func (Effect) IsValid

func (effect Effect) IsValid() bool

IsValid - checks if Effect is valid or not

type Error

type Error struct {
	// contains filtered or unexported fields
}

Error is the generic type for any error happening during policy parsing.

func (Error) Error

func (e Error) Error() string

Error 'error' compatible method.

func (Error) Unwrap

func (e Error) Unwrap() error

Unwrap the internal error.

type ID

type ID string

ID - policy ID.

func (ID) IsValid

func (id ID) IsValid() bool

IsValid - checks if ID is valid or not.

type KMSAction

type KMSAction string

KMSAction - KMS policy action.

func (KMSAction) IsValid

func (action KMSAction) IsValid() bool

IsValid - checks if action is valid or not.

type Policy

type Policy struct {
	ID         ID `json:"ID,omitempty"`
	Version    string
	Statements []Statement `json:"Statement"`
}

Policy - iam bucket iamp.

func MergePolicies

func MergePolicies(inputs ...Policy) Policy

MergePolicies merges all the given policies into a single policy dropping any duplicate statements.

func ParseConfig

func ParseConfig(reader io.Reader) (*Policy, error)

ParseConfig - parses data in given reader to Iamp.

func (*Policy) Equals

func (iamp *Policy) Equals(p Policy) bool

Equals returns true if the two policies are identical

func (Policy) IsAllowed

func (iamp Policy) IsAllowed(args Args) bool

IsAllowed - checks given policy args is allowed to continue the Rest API.

func (Policy) IsAllowedActions

func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet

IsAllowedActions returns all supported actions for this policy.

func (Policy) IsEmpty

func (iamp Policy) IsEmpty() bool

IsEmpty - returns whether policy is empty or not.

func (Policy) MatchResource

func (iamp Policy) MatchResource(resource string) bool

MatchResource matches resource with match resource patterns

func (*Policy) UnmarshalJSON

func (iamp *Policy) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Iamp.

func (Policy) Validate

func (iamp Policy) Validate() error

Validate - validates all statements are for given bucket or not.

type Principal

type Principal struct {
	AWS set.StringSet
}

Principal - policy principal.

func NewPrincipal

func NewPrincipal(principals ...string) Principal

NewPrincipal - creates new Principal.

func (Principal) Clone

func (p Principal) Clone() Principal

Clone clones Principal structure

func (Principal) Equals

func (p Principal) Equals(pp Principal) bool

Equals - returns true if principals are equal.

func (Principal) Intersection

func (p Principal) Intersection(principal Principal) set.StringSet

Intersection - returns principals available in both Principal.

func (Principal) IsValid

func (p Principal) IsValid() bool

IsValid - checks whether Principal is valid or not.

func (Principal) MarshalJSON

func (p Principal) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Principal to JSON data.

func (Principal) Match

func (p Principal) Match(principal string) bool

Match - matches given principal is wildcard matching with Principal.

func (*Principal) UnmarshalJSON

func (p *Principal) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Principal.

type Resource

type Resource struct {
	Pattern string
}

Resource - resource in policy statement.

func NewResource

func NewResource(pattern string) Resource

NewResource - creates new resource.

func (Resource) IsValid

func (r Resource) IsValid() bool

IsValid - checks whether Resource is valid or not.

func (Resource) MarshalJSON

func (r Resource) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Resource to JSON data.

func (Resource) Match

func (r Resource) Match(resource string, conditionValues map[string][]string) bool

Match - matches object name with resource pattern, including specific conditionals.

func (Resource) MatchResource

func (r Resource) MatchResource(resource string) bool

MatchResource matches object name with resource pattern only.

func (Resource) String

func (r Resource) String() string

func (*Resource) UnmarshalJSON

func (r *Resource) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Resource.

func (Resource) Validate

func (r Resource) Validate() error

Validate - validates Resource.

func (Resource) ValidateBucket

func (r Resource) ValidateBucket(bucketName string) error

ValidateBucket - validates that given bucketName is matched by Resource.

type ResourceSet

type ResourceSet map[Resource]struct{}

ResourceSet - set of resources in policy statement.

func NewResourceSet

func NewResourceSet(resources ...Resource) ResourceSet

NewResourceSet - creates new resource set.

func (ResourceSet) Add

func (resourceSet ResourceSet) Add(resource Resource)

Add - adds resource to resource set.

func (ResourceSet) BucketResourceExists

func (resourceSet ResourceSet) BucketResourceExists() bool

BucketResourceExists - checks if at least one bucket resource exists in the set.

func (ResourceSet) Clone

func (resourceSet ResourceSet) Clone() ResourceSet

Clone clones ResourceSet structure

func (ResourceSet) Equals

func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool

Equals - checks whether given resource set is equal to current resource set or not.

func (ResourceSet) Intersection

func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet

Intersection - returns resources available in both ResourceSet.

func (ResourceSet) MarshalJSON

func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)

MarshalJSON - encodes ResourceSet to JSON data.

func (ResourceSet) Match

func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool

Match - matches object name with anyone of resource pattern in resource set.

func (ResourceSet) MatchResource

func (resourceSet ResourceSet) MatchResource(resource string) bool

MatchResource matches object name with resource patterns only.

func (ResourceSet) ObjectResourceExists

func (resourceSet ResourceSet) ObjectResourceExists() bool

ObjectResourceExists - checks if at least one object resource exists in the set.

func (ResourceSet) String

func (resourceSet ResourceSet) String() string

func (ResourceSet) ToSlice

func (resourceSet ResourceSet) ToSlice() []Resource

ToSlice - returns slice of resources from the resource set.

func (*ResourceSet) UnmarshalJSON

func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to ResourceSet.

func (ResourceSet) Validate

func (resourceSet ResourceSet) Validate() error

Validate - validates ResourceSet.

func (ResourceSet) ValidateBucket

func (resourceSet ResourceSet) ValidateBucket(bucketName string) error

ValidateBucket - validates ResourceSet is for given bucket or not.

type STSAction added in v2.0.9

type STSAction string

STSAction - STS policy action.

func (STSAction) IsValid added in v2.0.9

func (action STSAction) IsValid() bool

IsValid - checks if action is valid or not.

type Statement

type Statement struct {
	SID        ID                  `json:"Sid,omitempty"`
	Effect     Effect              `json:"Effect"`
	Actions    ActionSet           `json:"Action"`
	NotActions ActionSet           `json:"NotAction,omitempty"`
	Resources  ResourceSet         `json:"Resource,omitempty"`
	Conditions condition.Functions `json:"Condition,omitempty"`
}

Statement - iam policy statement.

func NewStatement

func NewStatement(sid ID, effect Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement

NewStatement - creates new statement.

func NewStatementWithNotAction

func NewStatementWithNotAction(sid ID, effect Effect, notActions ActionSet, resources ResourceSet, conditions condition.Functions) Statement

NewStatementWithNotAction - creates new statement with NotAction.

func (Statement) Clone

func (statement Statement) Clone() Statement

Clone clones Statement structure

func (Statement) Equals

func (statement Statement) Equals(st Statement) bool

Equals checks if two statements are equal

func (Statement) IsAllowed

func (statement Statement) IsAllowed(args Args) bool

IsAllowed - checks given policy args is allowed to continue the Rest API.

func (Statement) Validate

func (statement Statement) Validate() error

Validate - validates Statement is for given bucket or not.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL