/*
 * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package policy

import (
	"encoding/json"

	"storj.io/minio/pkg/bucket/policy/condition"
)

// Action - policy action.
// Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
// for more information about available actions.
//
// Only the values registered in supportedActions are accepted: IsValid,
// MarshalJSON, UnmarshalJSON and parseAction all reject anything else, so
// an unknown or misspelled action makes the whole policy document fail to
// parse rather than being silently ignored.
type Action string

// NOTE(review): only AbortMultipartUploadAction carries an explicit Action
// type. Every other constant below is an untyped string constant (a later
// `Name = "..."` line in a const block does not inherit the type of the
// first line). They convert implicitly wherever an Action is expected, but
// they also compare equal to plain strings. Typing them all would tighten
// this, yet could break callers that assign them to string variables, so
// the typing is left as is.

// Multipart upload actions.
const (
	// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
	AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"

	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

	// ListMultipartUploadPartsAction - ListParts Rest API action.
	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"
)

// Bucket creation, deletion and discovery actions.
const (
	// CreateBucketAction - CreateBucket Rest API action.
	CreateBucketAction = "s3:CreateBucket"

	// DeleteBucketAction - DeleteBucket Rest API action.
	DeleteBucketAction = "s3:DeleteBucket"

	// ForceDeleteBucketAction - DeleteBucket Rest API action when the
	// x-minio-force-delete flag is specified.
	ForceDeleteBucketAction = "s3:ForceDeleteBucket"

	// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
	HeadBucketAction = "s3:HeadBucket"

	// GetBucketLocationAction - GetBucketLocation Rest API action.
	GetBucketLocationAction = "s3:GetBucketLocation"

	// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
	ListAllMyBucketsAction = "s3:ListAllMyBuckets"

	// ListBucketAction - ListBucket Rest API action.
	ListBucketAction = "s3:ListBucket"

	// ListBucketVersionsAction - ListBucket versions Rest API action.
	ListBucketVersionsAction = "s3:ListBucketVersions"
)

// Bucket policy actions. PutBucketPolicy and DeleteBucketPolicy change the
// access policy itself, so treat them as administrative permissions when
// authoring policies.
const (
	// GetBucketPolicyAction - GetBucketPolicy Rest API action.
	GetBucketPolicyAction = "s3:GetBucketPolicy"

	// GetBucketPolicyStatusAction - Retrieves the policy status for a bucket.
	GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus"

	// PutBucketPolicyAction - PutBucketPolicy Rest API action.
	PutBucketPolicyAction = "s3:PutBucketPolicy"

	// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
	DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"
)

// Bucket notification actions. The Listen* actions are MinIO extensions.
const (
	// GetBucketNotificationAction - GetBucketNotification Rest API action.
	GetBucketNotificationAction = "s3:GetBucketNotification"

	// PutBucketNotificationAction - PutBucketNotification Rest API action.
	PutBucketNotificationAction = "s3:PutBucketNotification"

	// ListenNotificationAction - ListenNotification Rest API action.
	// This is MinIO extension.
	ListenNotificationAction = "s3:ListenNotification"

	// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
	// This is MinIO extension.
	ListenBucketNotificationAction = "s3:ListenBucketNotification"
)

// Bucket configuration actions. Some constants are named after the handler
// while their value is the AWS action name (for example
// PutBucketLifecycleAction is "s3:PutLifecycleConfiguration"); the value is
// what appears in policy documents.
const (
	// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
	PutBucketLifecycleAction = "s3:PutLifecycleConfiguration"

	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
	GetBucketLifecycleAction = "s3:GetLifecycleConfiguration"

	// PutBucketEncryptionAction - PutBucketEncryption REST API action
	PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"

	// GetBucketEncryptionAction - GetBucketEncryption REST API action
	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"

	// PutBucketVersioningAction - PutBucketVersioning REST API action
	PutBucketVersioningAction = "s3:PutBucketVersioning"

	// GetBucketVersioningAction - GetBucketVersioning REST API action
	GetBucketVersioningAction = "s3:GetBucketVersioning"

	// GetBucketTaggingAction - GetTagging Rest API action
	GetBucketTaggingAction = "s3:GetBucketTagging"

	// PutBucketTaggingAction - PutTagging Rest API action
	PutBucketTaggingAction = "s3:PutBucketTagging"

	// GetBucketObjectLockConfigurationAction - GetObjectLockConfiguration Rest API action
	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"

	// PutBucketObjectLockConfigurationAction - PutObjectLockConfiguration Rest API action
	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"

	// GetReplicationConfigurationAction - GetReplicationConfiguration REST API action
	GetReplicationConfigurationAction = "s3:GetReplicationConfiguration"

	// PutReplicationConfigurationAction - PutReplicationConfiguration REST API action
	PutReplicationConfigurationAction = "s3:PutReplicationConfiguration"
)

// Object data actions.
const (
	// GetObjectAction - GetObject Rest API action.
	GetObjectAction = "s3:GetObject"

	// PutObjectAction - PutObject Rest API action.
	PutObjectAction = "s3:PutObject"

	// DeleteObjectAction - DeleteObject Rest API action.
	DeleteObjectAction = "s3:DeleteObject"

	// GetObjectVersionAction - GetObjectVersion Rest API action.
	GetObjectVersionAction = "s3:GetObjectVersion"

	// DeleteObjectVersionAction - DeleteObjectVersion Rest API action.
	DeleteObjectVersionAction = "s3:DeleteObjectVersion"

	// RestoreObjectAction - RestoreObject REST API action
	RestoreObjectAction = "s3:RestoreObject"
)

// Object lock actions.
const (
	// PutObjectRetentionAction - PutObjectRetention Rest API action.
	PutObjectRetentionAction = "s3:PutObjectRetention"

	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
	GetObjectRetentionAction = "s3:GetObjectRetention"

	// PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action.
	PutObjectLegalHoldAction = "s3:PutObjectLegalHold"

	// GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action.
	GetObjectLegalHoldAction = "s3:GetObjectLegalHold"

	// BypassGovernanceRetentionAction - bypass governance retention for
	// PutObjectRetention, PutObject and DeleteObject Rest API action.
	// Because it lets the grantee override a governance-mode retention,
	// grant it as sparingly as the bucket policy actions.
	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"
)

// Object tagging actions.
const (
	// GetObjectTaggingAction - Get Object Tags API action
	GetObjectTaggingAction = "s3:GetObjectTagging"

	// PutObjectTaggingAction - Put Object Tags API action
	PutObjectTaggingAction = "s3:PutObjectTagging"

	// DeleteObjectTaggingAction - Delete Object Tags API action
	DeleteObjectTaggingAction = "s3:DeleteObjectTagging"

	// GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action.
	GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging"

	// PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action.
	PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging"

	// DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action.
	DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging"
)

// Object replication actions.
const (
	// ReplicateObjectAction - ReplicateObject REST API action
	ReplicateObjectAction = "s3:ReplicateObject"

	// ReplicateDeleteAction - ReplicateDelete REST API action
	ReplicateDeleteAction = "s3:ReplicateDelete"

	// ReplicateTagsAction - ReplicateTags REST API action
	ReplicateTagsAction = "s3:ReplicateTags"

	// GetObjectVersionForReplicationAction - GetObjectVersionForReplication REST API action
	GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication"
)

// supportedObjectActions - the set of actions that target an object
// resource rather than a bucket. Membership here is what isObjectAction
// reports; every entry must also be a supported action overall.
var supportedObjectActions = func() map[Action]struct{} {
	objectActions := []Action{
		AbortMultipartUploadAction,
		DeleteObjectAction,
		GetObjectAction,
		ListMultipartUploadPartsAction,
		PutObjectAction,
		BypassGovernanceRetentionAction,
		PutObjectRetentionAction,
		GetObjectRetentionAction,
		PutObjectLegalHoldAction,
		GetObjectLegalHoldAction,
		GetObjectTaggingAction,
		PutObjectTaggingAction,
		DeleteObjectTaggingAction,
		GetObjectVersionAction,
		GetObjectVersionTaggingAction,
		DeleteObjectVersionAction,
		DeleteObjectVersionTaggingAction,
		PutObjectVersionTaggingAction,
		ReplicateObjectAction,
		ReplicateDeleteAction,
		ReplicateTagsAction,
		GetObjectVersionForReplicationAction,
		RestoreObjectAction,
	}
	set := make(map[Action]struct{}, len(objectActions))
	for _, a := range objectActions {
		set[a] = struct{}{}
	}
	return set
}()

// isObjectAction - returns whether action is object type or not
// (i.e. whether it is a member of supportedObjectActions).
func (action Action) isObjectAction() bool {
	// Object-ness is defined purely by membership in supportedObjectActions;
	// an Action that is valid but absent from that set is a bucket action.
	_, found := supportedObjectActions[action]
	return found
}

// supportedActions - every Action a policy document may name. It is the
// union of the bucket-level actions listed here and all of
// supportedObjectActions, so an object action is registered in one place
// and can never be accepted by isObjectAction yet rejected by IsValid.
// Anything outside this set is refused by IsValid, MarshalJSON,
// UnmarshalJSON and parseAction.
var supportedActions = func() map[Action]struct{} {
	bucketActions := []Action{
		CreateBucketAction,
		DeleteBucketAction,
		ForceDeleteBucketAction,
		DeleteBucketPolicyAction,
		GetBucketLocationAction,
		GetBucketNotificationAction,
		GetBucketPolicyAction,
		HeadBucketAction,
		ListAllMyBucketsAction,
		ListBucketAction,
		GetBucketPolicyStatusAction,
		ListBucketVersionsAction,
		ListBucketMultipartUploadsAction,
		ListenNotificationAction,
		ListenBucketNotificationAction,
		PutBucketNotificationAction,
		PutBucketPolicyAction,
		GetBucketLifecycleAction,
		PutBucketLifecycleAction,
		PutBucketObjectLockConfigurationAction,
		GetBucketObjectLockConfigurationAction,
		PutBucketTaggingAction,
		GetBucketTaggingAction,
		PutBucketEncryptionAction,
		GetBucketEncryptionAction,
		PutBucketVersioningAction,
		GetBucketVersioningAction,
		GetReplicationConfigurationAction,
		PutReplicationConfigurationAction,
	}
	all := make(map[Action]struct{}, len(bucketActions)+len(supportedObjectActions))
	for _, a := range bucketActions {
		all[a] = struct{}{}
	}
	for a := range supportedObjectActions {
		all[a] = struct{}{}
	}
	return all
}()

// IsValid - checks if action is valid or not, i.e. whether it is one of
// the registered supportedActions. The comparison is exact: no case
// folding, no wildcard expansion.
func (action Action) IsValid() bool {
	_, found := supportedActions[action]
	return found
}

// MarshalJSON - encodes Action to JSON data. The value is re-validated on
// the way out, so an Action built by a raw conversion from an arbitrary
// string cannot be serialised into a policy document.
func (action Action) MarshalJSON() ([]byte, error) {
	if !action.IsValid() {
		return nil, Errorf("invalid action '%v'", action)
	}
	return json.Marshal(string(action))
}

// UnmarshalJSON - decodes JSON data to Action. A value that is not a JSON
// string, or that is not a supported action, is rejected and the receiver
// is left untouched.
func (action *Action) UnmarshalJSON(data []byte) error {
	var name string
	if err := json.Unmarshal(data, &name); err != nil {
		return err
	}

	candidate := Action(name)
	if !candidate.IsValid() {
		return Errorf("invalid action '%v'", name)
	}

	*action = candidate
	return nil
}

// parseAction converts s to an Action, returning an error when s is not a
// supported action. The converted value is returned alongside the error so
// callers can report it; it must not be used as a valid action in that case.
func parseAction(s string) (Action, error) {
	action := Action(s)
	if !action.IsValid() {
		return action, Errorf("unsupported action '%v'", s)
	}
	return action, nil
}

// actionConditionKeyMap - holds mapping of supported condition key for an
// action. Each entry is the action-specific keys followed by
// condition.CommonKeys.
//
// NOTE(review): thirteen supported actions have no entry here
// (DeleteBucket, ForceDeleteBucket, DeleteBucketPolicy, GetBucketNotification,
// GetBucketPolicy, PutBucketNotification, PutBucketPolicy,
// PutBucketLifecycle, GetBucketLifecycle, PutBucketEncryption,
// GetBucketEncryption, PutBucketVersioning, GetBucketVersioning), so a lookup
// for them yields the zero KeySet. Presumably the statement validator then
// rejects any condition attached to those actions, which is fail-closed but
// means e.g. an aws:SourceIp restriction on PutBucketPolicy cannot be
// expressed -- confirm against the validator before adding entries.
var actionConditionKeyMap = func() map[Action]condition.KeySet {
	// keys builds the key set for one action: the action-specific keys
	// first, then the keys every action accepts (condition.CommonKeys).
	// The input slice is copied so callers may share key lists freely.
	keys := func(specific ...condition.Key) condition.KeySet {
		all := make([]condition.Key, 0, len(specific)+len(condition.CommonKeys))
		all = append(all, specific...)
		all = append(all, condition.CommonKeys...)
		return condition.NewKeySet(all...)
	}

	// Key lists shared by several actions.
	listingKeys := []condition.Key{
		condition.S3Prefix,
		condition.S3Delimiter,
		condition.S3MaxKeys,
	}
	versionKeys := []condition.Key{
		condition.S3VersionID,
	}
	// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
	// LockLegalHold is not supported with PutObjectRetentionAction.
	retentionKeys := []condition.Key{
		condition.S3ObjectLockRemainingRetentionDays,
		condition.S3ObjectLockRetainUntilDate,
		condition.S3ObjectLockMode,
	}

	return map[Action]condition.KeySet{
		// Multipart.
		AbortMultipartUploadAction:       keys(),
		ListBucketMultipartUploadsAction: keys(),
		ListMultipartUploadPartsAction:   keys(),

		// Bucket-level.
		CreateBucketAction:          keys(),
		GetBucketLocationAction:     keys(),
		GetBucketPolicyStatusAction: keys(),
		HeadBucketAction:            keys(),
		ListAllMyBucketsAction:      keys(),
		ListBucketAction:            keys(listingKeys...),
		ListBucketVersionsAction:    keys(listingKeys...),
		ListenNotificationAction:    keys(),
		ListenBucketNotificationAction: keys(),

		// Object data. GetObject may be conditioned on the server-side
		// encryption the object was stored with; PutObject additionally on
		// copy-source, metadata directive, storage class and object-lock
		// headers supplied with the request.
		DeleteObjectAction: keys(),
		GetObjectAction: keys(
			condition.S3XAmzServerSideEncryption,
			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
		),
		PutObjectAction: keys(
			condition.S3XAmzCopySource,
			condition.S3XAmzServerSideEncryption,
			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
			condition.S3XAmzMetadataDirective,
			condition.S3XAmzStorageClass,
			condition.S3ObjectLockRetainUntilDate,
			condition.S3ObjectLockMode,
			condition.S3ObjectLockLegalHold,
		),

		// Object lock.
		PutObjectRetentionAction: keys(retentionKeys...),
		GetObjectRetentionAction: keys(),
		PutObjectLegalHoldAction: keys(condition.S3ObjectLockLegalHold),
		GetObjectLegalHoldAction: keys(),
		// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
		BypassGovernanceRetentionAction: keys(
			condition.S3ObjectLockRemainingRetentionDays,
			condition.S3ObjectLockRetainUntilDate,
			condition.S3ObjectLockMode,
			condition.S3ObjectLockLegalHold,
		),
		GetBucketObjectLockConfigurationAction: keys(),
		PutBucketObjectLockConfigurationAction: keys(),

		// Tagging.
		GetBucketTaggingAction:    keys(),
		PutBucketTaggingAction:    keys(),
		PutObjectTaggingAction:    keys(),
		GetObjectTaggingAction:    keys(),
		DeleteObjectTaggingAction: keys(),
		PutObjectVersionTaggingAction: keys(),

		// Versioned object access may be restricted to a specific version.
		GetObjectVersionAction:           keys(versionKeys...),
		GetObjectVersionTaggingAction:    keys(versionKeys...),
		DeleteObjectVersionAction:        keys(versionKeys...),
		DeleteObjectVersionTaggingAction: keys(versionKeys...),

		// Replication and restore.
		GetReplicationConfigurationAction:    keys(),
		PutReplicationConfigurationAction:    keys(),
		ReplicateObjectAction:                keys(),
		ReplicateDeleteAction:                keys(),
		ReplicateTagsAction:                  keys(),
		GetObjectVersionForReplicationAction: keys(),
		RestoreObjectAction:                  keys(),
	}
}()