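// This file is part of MinIO Console Server
// Copyright (c) 2022 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

package policy

import (
	"bytes"
	"encoding/json"
	"fmt"

	"github.com/minio/madmin-go/v3"
)

// jwtFields lists the JWT claim names whose values may be substituted into a
// policy as ${jwt:<field>}. Declared once at package level so the list is not
// rebuilt on every call.
var jwtFields = []string{
	"sub",
	"iss",
	"aud",
	"jti",
	"upn",
	"name",
	"groups",
	"given_name",
	"family_name",
	"middle_name",
	"nickname",
	"preferred_username",
	"profile",
	"picture",
	"website",
	"email",
	"gender",
	"birthdate",
	"phone_number",
	"address",
	"scope",
	"client_id",
}

// ldapVariables maps the claim that carries an LDAP identity to the policy
// variable it replaces.
var ldapVariables = []struct {
	claim    string
	variable string
}{
	{claim: "ldapUser", variable: "${ldap:user}"},
	{claim: "ldapUsername", variable: "${ldap:username}"},
}

// ReplacePolicyVariables replaces known variables from policies with known values.
//
// It substitutes ${aws:username} and ${aws:userid} with the account name, then
// the ${jwt:*} variables (see replaceJwtVariables) and the ${ldap:*} variables
// (see replaceLDAPVariables) with the matching entries from claims.
//
// Policy variables always sit inside a JSON string, and claim values originate
// from an external identity provider. Every substituted value is therefore
// escaped as JSON string content so that a value containing quotes, backslashes
// or control characters cannot break the document or alter its structure; plain
// values are spliced in unchanged.
//
// A nil accountInfo yields a nil policy instead of a nil-pointer panic.
func ReplacePolicyVariables(claims map[string]interface{}, accountInfo *madmin.AccountInfo) json.RawMessage {
	if accountInfo == nil {
		return nil
	}
	rawPolicy := accountInfo.Policy
	// AWS Variables: both map to the account name.
	if name, ok := jsonStringContent(accountInfo.AccountName); ok {
		rawPolicy = bytes.ReplaceAll(rawPolicy, []byte("${aws:username}"), name)
		rawPolicy = bytes.ReplaceAll(rawPolicy, []byte("${aws:userid}"), name)
	}
	// JWT Variables
	rawPolicy = replaceJwtVariables(rawPolicy, claims)
	// LDAP Variables
	rawPolicy = replaceLDAPVariables(rawPolicy, claims)
	return rawPolicy
}

// replaceJwtVariables substitutes ${jwt:<field>} for every field in jwtFields
// that is present in claims. The claim value is rendered with %v (so a
// non-string claim such as a groups slice keeps its Go textual form, as before)
// and then escaped as JSON string content. Fields absent from claims, or whose
// value cannot be encoded, are left untouched in the policy.
func replaceJwtVariables(rawPolicy []byte, claims map[string]interface{}) json.RawMessage {
	for _, field := range jwtFields {
		val, ok := claims[field]
		if !ok {
			continue
		}
		replacement, ok := jsonStringContent(fmt.Sprintf("%v", val))
		if !ok {
			continue
		}
		variable := []byte("${jwt:" + field + "}")
		rawPolicy = bytes.ReplaceAll(rawPolicy, variable, replacement)
	}
	return rawPolicy
}

// replaceLDAPVariables substitutes ${ldap:user} and ${ldap:username} with the
// "ldapUser" and "ldapUsername" claims when they are present, escaped as JSON
// string content. Missing claims leave the variable untouched.
func replaceLDAPVariables(rawPolicy []byte, claims map[string]interface{}) json.RawMessage {
	for _, lv := range ldapVariables {
		val, ok := claims[lv.claim]
		if !ok {
			continue
		}
		replacement, ok := jsonStringContent(fmt.Sprintf("%v", val))
		if !ok {
			continue
		}
		rawPolicy = bytes.ReplaceAll(rawPolicy, []byte(lv.variable), replacement)
	}
	return rawPolicy
}

// jsonStringContent returns s encoded as the body of a JSON string literal,
// without the surrounding quotes, so it can be spliced into a policy in place
// of a variable that sits inside a JSON string. Plain identifiers come back
// byte-for-byte; quotes, backslashes and control characters are escaped.
// HTML escaping is disabled so values such as URLs keep '&', '<' and '>'
// verbatim. The second result is false only if encoding failed, in which case
// callers leave the variable unsubstituted rather than splicing in raw input.
func jsonStringContent(s string) ([]byte, bool) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(s); err != nil {
		return nil, false
	}
	// Encode writes `"..."` followed by a newline; keep only what is between
	// the quotes.
	out := bytes.TrimSuffix(buf.Bytes(), []byte("\n"))
	if len(out) < 2 {
		return nil, false
	}
	return out[1 : len(out)-1], true
}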