
     1  // This file is part of MinIO Console Server
     2  // Copyright (c) 2022 MinIO, Inc.
     3  //
     4  // This program is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Affero General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // This program is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12  // GNU Affero General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Affero General Public License
    15  // along with this program.  If not, see <http://www.gnu.org/licenses/>.
    16  
    17  package policy
    18  
    19  import (
    20  	"bytes"
    21  	"encoding/json"
    22  	"fmt"
    23  
    24  	"github.com/minio/madmin-go/v3"
    25  )
    26  
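// ReplacePolicyVariables substitutes the policy variables Console knows how to
// resolve with concrete values and returns the resulting policy document.
//
// Three groups of variables are handled, in this order:
//   - AWS variables: ${aws:username} and ${aws:userid} both become
//     accountInfo.AccountName.
//   - JWT variables: ${jwt:<claim>} for the claims listed in replaceJwtVariables.
//   - LDAP variables: ${ldap:user} and ${ldap:username}.
//
// Every substituted value is escaped as JSON string content first, so a value
// containing quotes, backslashes or control characters cannot break or
// restructure the policy document it is spliced into (the values originate in
// the identity provider's claims, not in this server). A variable whose source
// value is absent is left untouched. accountInfo must be non-nil.
func ReplacePolicyVariables(claims map[string]interface{}, accountInfo *madmin.AccountInfo) json.RawMessage {
	// AWS Variables: both map to the account name.
	accountName := jsonStringContent(accountInfo.AccountName)
	rawPolicy := bytes.ReplaceAll(accountInfo.Policy, []byte("${aws:username}"), accountName)
	rawPolicy = bytes.ReplaceAll(rawPolicy, []byte("${aws:userid}"), accountName)
	// JWT Variables
	rawPolicy = replaceJwtVariables(rawPolicy, claims)
	// LDAP Variables
	rawPolicy = replaceLDAPVariables(rawPolicy, claims)
	return rawPolicy
}

// replaceJwtVariables resolves ${jwt:<claim>} variables in rawPolicy for every
// supported claim that is present in claims. The claim value is rendered with
// %v and JSON-escaped before it is spliced into the document; a claim that is
// absent leaves its variable untouched.
func replaceJwtVariables(rawPolicy []byte, claims map[string]interface{}) json.RawMessage {
	// list of valid JWT fields we will replace in policy if they are in the response
	jwtFields := []string{
		"sub",
		"iss",
		"aud",
		"jti",
		"upn",
		"name",
		"groups",
		"given_name",
		"family_name",
		"middle_name",
		"nickname",
		"preferred_username",
		"profile",
		"picture",
		"website",
		"email",
		"gender",
		"birthdate",
		"phone_number",
		"address",
		"scope",
		"client_id",
	}
	// check which fields are in the claims and replace as variable by casting the value to string
	for _, field := range jwtFields {
		val, ok := claims[field]
		if !ok {
			continue
		}
		variable := []byte("${jwt:" + field + "}")
		rawPolicy = bytes.ReplaceAll(rawPolicy, variable, jsonStringContent(fmt.Sprintf("%v", val)))
	}
	return rawPolicy
}

// replaceLDAPVariables resolves the LDAP policy variables in rawPolicy from the
// session claims: ${ldap:user} from the "ldapUser" claim and ${ldap:username}
// from the "ldapUsername" claim. Values are rendered with %v and JSON-escaped
// before substitution; a missing claim leaves its variable untouched.
func replaceLDAPVariables(rawPolicy []byte, claims map[string]interface{}) json.RawMessage {
	ldapVars := []struct {
		claim    string
		variable string
	}{
		{claim: "ldapUser", variable: "${ldap:user}"},
		{claim: "ldapUsername", variable: "${ldap:username}"},
	}
	for _, v := range ldapVars {
		val, ok := claims[v.claim]
		if !ok {
			continue
		}
		rawPolicy = bytes.ReplaceAll(rawPolicy, []byte(v.variable), jsonStringContent(fmt.Sprintf("%v", val)))
	}
	return rawPolicy
}

// jsonStringContent returns s encoded as the body of a JSON string literal:
// the bytes that sit between the quotes after JSON encoding, with quotes,
// backslashes and control characters escaped. HTML-significant characters
// ('<', '>', '&') are left as-is since they are legal inside JSON strings.
// The result can be spliced into a JSON string in a policy document without
// altering the document's structure.
func jsonStringContent(s string) []byte {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(s); err != nil {
		// Encoding a Go string does not fail in practice; if it ever does,
		// keep the raw value rather than silently dropping it.
		return []byte(s)
	}
	// Encode appends a newline after the quoted literal.
	quoted := bytes.TrimSuffix(buf.Bytes(), []byte("\n"))
	// Strip the surrounding quotes; the caller splices the content into an
	// existing JSON string.
	return quoted[1 : len(quoted)-1]
}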