storj.io/minio@v0.0.0-20230509071714-0cbc90f649b1/cmd/bucket-policy-handlers.go (about)

     1  /*
     2   * MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.
     3   *
     4   * Licensed under the Apache License, Version 2.0 (the "License");
     5   * you may not use this file except in compliance with the License.
     6   * You may obtain a copy of the License at
     7   *
     8   *     http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13   * See the License for the specific language governing permissions and
    14   * limitations under the License.
    15   */
    16  
    17  package cmd
    18  
    19  import (
    20  	"encoding/json"
    21  	"io"
    22  	"net/http"
    23  
    24  	humanize "github.com/dustin/go-humanize"
    25  	"github.com/gorilla/mux"
    26  
    27  	"storj.io/minio/cmd/logger"
    28  	"storj.io/minio/pkg/bucket/policy"
    29  )
    30  
    31  const (
    32  	// As per AWS S3 specification, 20KiB policy JSON data is allowed.
    33  	maxBucketPolicySize = 20 * humanize.KiByte
    34  
    35  	// Policy configuration file.
    36  	bucketPolicyConfig = "policy.json"
    37  )
    38  
    39  // PutBucketPolicyHandler - This HTTP handler stores given bucket policy configuration as per
    40  // https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
    41  func (api ObjectAPIHandlers) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
    42  	ctx := NewContext(r, w, "PutBucketPolicy")
    43  
    44  	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
    45  
    46  	objAPI := api.ObjectAPI()
    47  	if objAPI == nil {
    48  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
    49  		return
    50  	}
    51  
    52  	vars := mux.Vars(r)
    53  	bucket := vars["bucket"]
    54  
    55  	if s3Error := checkRequestAuthType(ctx, r, policy.PutBucketPolicyAction, bucket, ""); s3Error != ErrNone {
    56  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
    57  		return
    58  	}
    59  
    60  	// Check if bucket exists.
    61  	if _, err := objAPI.GetBucketInfo(ctx, bucket); err != nil {
    62  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
    63  		return
    64  	}
    65  
    66  	// Error out if Content-Length is missing.
    67  	// PutBucketPolicy always needs Content-Length.
    68  	if r.ContentLength <= 0 {
    69  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL, guessIsBrowserReq(r))
    70  		return
    71  	}
    72  
    73  	// Error out if Content-Length is beyond allowed size.
    74  	if r.ContentLength > maxBucketPolicySize {
    75  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrPolicyTooLarge), r.URL, guessIsBrowserReq(r))
    76  		return
    77  	}
    78  
    79  	bucketPolicy, err := policy.ParseConfig(io.LimitReader(r.Body, r.ContentLength), bucket)
    80  	if err != nil {
    81  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
    82  		return
    83  	}
    84  
    85  	// Version in policy must not be empty
    86  	if bucketPolicy.Version == "" {
    87  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedPolicy), r.URL, guessIsBrowserReq(r))
    88  		return
    89  	}
    90  
    91  	configData, err := json.Marshal(bucketPolicy)
    92  	if err != nil {
    93  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
    94  		return
    95  	}
    96  
    97  	if err = globalBucketMetadataSys.Update(bucket, bucketPolicyConfig, configData); err != nil {
    98  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
    99  		return
   100  	}
   101  
   102  	// Success.
   103  	writeSuccessNoContent(w)
   104  }
   105  
   106  // DeleteBucketPolicyHandler - This HTTP handler removes bucket policy configuration.
   107  func (api ObjectAPIHandlers) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
   108  	ctx := NewContext(r, w, "DeleteBucketPolicy")
   109  
   110  	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
   111  
   112  	objAPI := api.ObjectAPI()
   113  	if objAPI == nil {
   114  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
   115  		return
   116  	}
   117  
   118  	vars := mux.Vars(r)
   119  	bucket := vars["bucket"]
   120  
   121  	if s3Error := checkRequestAuthType(ctx, r, policy.DeleteBucketPolicyAction, bucket, ""); s3Error != ErrNone {
   122  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
   123  		return
   124  	}
   125  
   126  	// Check if bucket exists.
   127  	if _, err := objAPI.GetBucketInfo(ctx, bucket); err != nil {
   128  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
   129  		return
   130  	}
   131  
   132  	if err := globalBucketMetadataSys.Update(bucket, bucketPolicyConfig, nil); err != nil {
   133  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
   134  		return
   135  	}
   136  
   137  	// Success.
   138  	writeSuccessNoContent(w)
   139  }
   140  
   141  // GetBucketPolicyHandler - This HTTP handler returns bucket policy configuration.
   142  func (api ObjectAPIHandlers) GetBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
   143  	ctx := NewContext(r, w, "GetBucketPolicy")
   144  
   145  	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
   146  
   147  	objAPI := api.ObjectAPI()
   148  	if objAPI == nil {
   149  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
   150  		return
   151  	}
   152  
   153  	vars := mux.Vars(r)
   154  	bucket := vars["bucket"]
   155  
   156  	if s3Error := checkRequestAuthType(ctx, r, policy.GetBucketPolicyAction, bucket, ""); s3Error != ErrNone {
   157  		WriteErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
   158  		return
   159  	}
   160  
   161  	// Check if bucket exists.
   162  	if _, err := objAPI.GetBucketInfo(ctx, bucket); err != nil {
   163  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
   164  		return
   165  	}
   166  
   167  	// Read bucket access policy.
   168  	config, err := globalPolicySys.Get(bucket)
   169  	if err != nil {
   170  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
   171  		return
   172  	}
   173  
   174  	configData, err := json.Marshal(config)
   175  	if err != nil {
   176  		WriteErrorResponse(ctx, w, ToAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
   177  		return
   178  	}
   179  
   180  	// Write to client.
   181  	writeSuccessResponseJSON(w, configData)
   182  }