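/*
 * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package iampolicy

import (
	"storj.io/minio/pkg/bucket/policy/condition"
	"storj.io/minio/pkg/wildcard"
)

// Action - policy action.
// Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
// for more information about available actions.
//
// An Action taken from a policy statement may be a wildcard pattern (see
// Match); the constants below are the concrete action names such a pattern
// is matched against.
type Action string

// Only the first constant carries the Action type; the remaining ones are
// untyped string constants (Go does not propagate the type when an explicit
// value is given). They are left untyped so callers that use them as plain
// strings keep compiling.
const (
	// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
	AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"

	// CreateBucketAction - CreateBucket Rest API action.
	CreateBucketAction = "s3:CreateBucket"

	// DeleteBucketAction - DeleteBucket Rest API action.
	DeleteBucketAction = "s3:DeleteBucket"

	// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
	// is specified.
	ForceDeleteBucketAction = "s3:ForceDeleteBucket"

	// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
	DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"

	// DeleteObjectAction - DeleteObject Rest API action.
	DeleteObjectAction = "s3:DeleteObject"

	// GetBucketLocationAction - GetBucketLocation Rest API action.
	GetBucketLocationAction = "s3:GetBucketLocation"

	// GetBucketNotificationAction - GetBucketNotification Rest API action.
	GetBucketNotificationAction = "s3:GetBucketNotification"

	// GetBucketPolicyAction - GetBucketPolicy Rest API action.
	GetBucketPolicyAction = "s3:GetBucketPolicy"

	// GetObjectAction - GetObject Rest API action.
	GetObjectAction = "s3:GetObject"

	// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
	HeadBucketAction = "s3:HeadBucket"

	// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
	ListAllMyBucketsAction = "s3:ListAllMyBuckets"

	// ListBucketAction - ListBucket Rest API action.
	ListBucketAction = "s3:ListBucket"

	// GetBucketPolicyStatusAction - Retrieves the policy status for a bucket.
	GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus"

	// ListBucketVersionsAction - ListBucketVersions Rest API action.
	ListBucketVersionsAction = "s3:ListBucketVersions"

	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

	// ListenNotificationAction - ListenNotification Rest API action.
	// This is MinIO extension.
	ListenNotificationAction = "s3:ListenNotification"

	// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
	// This is MinIO extension.
	ListenBucketNotificationAction = "s3:ListenBucketNotification"

	// ListMultipartUploadPartsAction - ListParts Rest API action.
	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"

	// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
	PutBucketLifecycleAction = "s3:PutLifecycleConfiguration"

	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
	GetBucketLifecycleAction = "s3:GetLifecycleConfiguration"

	// PutBucketNotificationAction - PutBucketNotification Rest API action.
	PutBucketNotificationAction = "s3:PutBucketNotification"

	// PutBucketPolicyAction - PutBucketPolicy Rest API action.
	PutBucketPolicyAction = "s3:PutBucketPolicy"

	// PutObjectAction - PutObject Rest API action.
	PutObjectAction = "s3:PutObject"

	// DeleteObjectVersionAction - DeleteObjectVersion Rest API action.
	DeleteObjectVersionAction = "s3:DeleteObjectVersion"

	// DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action.
	DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging"

	// GetObjectVersionAction - GetObjectVersion Rest API action.
	GetObjectVersionAction = "s3:GetObjectVersion"

	// GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action.
	GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging"

	// PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action.
	PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging"

	// BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"

	// PutObjectRetentionAction - PutObjectRetention Rest API action.
	PutObjectRetentionAction = "s3:PutObjectRetention"

	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
	GetObjectRetentionAction = "s3:GetObjectRetention"

	// GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action.
	GetObjectLegalHoldAction = "s3:GetObjectLegalHold"

	// PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action.
	PutObjectLegalHoldAction = "s3:PutObjectLegalHold"

	// GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action.
	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"

	// PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action.
	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"

	// GetBucketTaggingAction - GetBucketTagging Rest API action.
	GetBucketTaggingAction = "s3:GetBucketTagging"

	// PutBucketTaggingAction - PutBucketTagging Rest API action.
	PutBucketTaggingAction = "s3:PutBucketTagging"

	// GetObjectTaggingAction - Get Object Tags API action.
	GetObjectTaggingAction = "s3:GetObjectTagging"

	// PutObjectTaggingAction - Put Object Tags API action.
	PutObjectTaggingAction = "s3:PutObjectTagging"

	// DeleteObjectTaggingAction - Delete Object Tags API action.
	DeleteObjectTaggingAction = "s3:DeleteObjectTagging"

	// PutBucketEncryptionAction - PutBucketEncryption REST API action.
	PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"

	// GetBucketEncryptionAction - GetBucketEncryption REST API action.
	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"

	// PutBucketVersioningAction - PutBucketVersioning REST API action.
	PutBucketVersioningAction = "s3:PutBucketVersioning"

	// GetBucketVersioningAction - GetBucketVersioning REST API action.
	GetBucketVersioningAction = "s3:GetBucketVersioning"

	// GetReplicationConfigurationAction - GetReplicationConfiguration REST API action.
	GetReplicationConfigurationAction = "s3:GetReplicationConfiguration"

	// PutReplicationConfigurationAction - PutReplicationConfiguration REST API action.
	PutReplicationConfigurationAction = "s3:PutReplicationConfiguration"

	// ReplicateObjectAction - ReplicateObject REST API action.
	ReplicateObjectAction = "s3:ReplicateObject"

	// ReplicateDeleteAction - ReplicateDelete REST API action.
	ReplicateDeleteAction = "s3:ReplicateDelete"

	// ReplicateTagsAction - ReplicateTags REST API action.
	ReplicateTagsAction = "s3:ReplicateTags"

	// GetObjectVersionForReplicationAction - GetObjectVersionForReplication REST API action.
	GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication"

	// AllActions - all API actions.
	AllActions = "s3:*"
)

// supportedActions is the set of all supported actions. IsValid accepts an
// action only if it matches at least one entry here, so every constant
// declared above must be listed.
var supportedActions = map[Action]struct{}{
	AbortMultipartUploadAction:             {},
	CreateBucketAction:                     {},
	DeleteBucketAction:                     {},
	ForceDeleteBucketAction:                {},
	DeleteBucketPolicyAction:               {},
	DeleteObjectAction:                     {},
	GetBucketLocationAction:                {},
	GetBucketNotificationAction:            {},
	GetBucketPolicyAction:                  {},
	GetObjectAction:                        {},
	HeadBucketAction:                       {},
	ListAllMyBucketsAction:                 {},
	ListBucketAction:                       {},
	GetBucketPolicyStatusAction:            {},
	ListBucketVersionsAction:               {},
	ListBucketMultipartUploadsAction:       {},
	ListenNotificationAction:               {},
	ListenBucketNotificationAction:         {},
	ListMultipartUploadPartsAction:         {},
	PutBucketLifecycleAction:               {},
	GetBucketLifecycleAction:               {},
	PutBucketNotificationAction:            {},
	PutBucketPolicyAction:                  {},
	PutObjectAction:                        {},
	BypassGovernanceRetentionAction:        {},
	PutObjectRetentionAction:               {},
	GetObjectRetentionAction:               {},
	GetObjectLegalHoldAction:               {},
	PutObjectLegalHoldAction:               {},
	GetBucketObjectLockConfigurationAction: {},
	PutBucketObjectLockConfigurationAction: {},
	GetBucketTaggingAction:                 {},
	PutBucketTaggingAction:                 {},
	GetObjectVersionAction:                 {},
	GetObjectVersionTaggingAction:          {},
	DeleteObjectVersionAction:              {},
	DeleteObjectVersionTaggingAction:       {},
	PutObjectVersionTaggingAction:          {},
	GetObjectTaggingAction:                 {},
	PutObjectTaggingAction:                 {},
	DeleteObjectTaggingAction:              {},
	PutBucketEncryptionAction:              {},
	GetBucketEncryptionAction:              {},
	PutBucketVersioningAction:              {},
	GetBucketVersioningAction:              {},
	GetReplicationConfigurationAction:      {},
	PutReplicationConfigurationAction:      {},
	ReplicateObjectAction:                  {},
	ReplicateDeleteAction:                  {},
	ReplicateTagsAction:                    {},
	GetObjectVersionForReplicationAction:   {},
	AllActions: {},
}

// supportedObjectActions is the set of actions that operate on an object
// (as opposed to a bucket). It drives isObjectAction, which policy
// validation uses to decide whether a statement needs object resources.
var supportedObjectActions = map[Action]struct{}{
	AllActions: {},
	AbortMultipartUploadAction:           {},
	DeleteObjectAction:                   {},
	GetObjectAction:                      {},
	ListMultipartUploadPartsAction:       {},
	PutObjectAction:                      {},
	BypassGovernanceRetentionAction:      {},
	PutObjectRetentionAction:             {},
	GetObjectRetentionAction:             {},
	PutObjectLegalHoldAction:             {},
	GetObjectLegalHoldAction:             {},
	GetObjectTaggingAction:               {},
	PutObjectTaggingAction:               {},
	DeleteObjectTaggingAction:            {},
	GetObjectVersionAction:               {},
	GetObjectVersionTaggingAction:        {},
	DeleteObjectVersionAction:            {},
	DeleteObjectVersionTaggingAction:     {},
	PutObjectVersionTaggingAction:        {},
	ReplicateObjectAction:                {},
	ReplicateDeleteAction:                {},
	ReplicateTagsAction:                  {},
	GetObjectVersionForReplicationAction: {},
}

// matchesAny reports whether action, interpreted as a wildcard pattern,
// matches at least one of the concrete action names in set.
func (action Action) matchesAny(set map[Action]struct{}) bool {
	for candidate := range set {
		if action.Match(candidate) {
			return true
		}
	}
	return false
}

// isObjectAction - returns whether action is object type or not.
//
// The receiver is treated as a policy pattern: a wildcard such as "s3:*"
// counts as an object action because it matches at least one entry of
// supportedObjectActions, even though it also covers bucket-level actions.
func (action Action) isObjectAction() bool {
	return action.matchesAny(supportedObjectActions)
}

// Match - matches action name with action pattern.
//
// The receiver is the pattern and a is the concrete action name; only the
// receiver is interpreted for wildcards. Callers must keep that order: the
// policy statement's action (the only place wildcards are expected) is the
// receiver, and the action derived from the request is the argument.
func (action Action) Match(a Action) bool {
	return wildcard.Match(string(action), string(a))
}

// IsValid - checks if action is valid or not.
//
// A pattern is valid when it matches at least one supported action, so
// "s3:*" and "*" are valid. An empty Action matches nothing and is rejected.
func (action Action) IsValid() bool {
	return action.matchesAny(supportedActions)
}

// actionConditionKeyMap maps an action (or action pattern) to the condition
// keys that may be used with it in a policy statement.
type actionConditionKeyMap map[Action]condition.KeySet

// Lookup returns the condition keys applicable to action: condition.CommonKeys
// plus the keys of every entry whose action name is matched by action used as
// a wildcard pattern. A fresh key set is returned; the map's entries are not
// modified.
func (a actionConditionKeyMap) Lookup(action Action) condition.KeySet {
	merged := condition.NewKeySet(condition.CommonKeys...)
	for act, keys := range a {
		// The map key is the name being matched, so a concrete action such as
		// "s3:GetObject" does not pick up the AllActions ("s3:*") entry; only a
		// pattern that itself covers "s3:*" does.
		if action.Match(act) {
			merged.Merge(keys)
		}
	}
	return merged
}

// iamActionConditionKeyMap - holds mapping of supported condition key for an action.
var iamActionConditionKeyMap = actionConditionKeyMap{
	AllActions: condition.NewKeySet(condition.AllSupportedKeys...),

	GetObjectAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3XAmzServerSideEncryption,
			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
			condition.S3VersionID,
		}, condition.CommonKeys...)...),

	ListBucketAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3Prefix,
			condition.S3Delimiter,
			condition.S3MaxKeys,
		}, condition.CommonKeys...)...),

	ListBucketVersionsAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3Prefix,
			condition.S3Delimiter,
			condition.S3MaxKeys,
		}, condition.CommonKeys...)...),

	DeleteObjectAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),

	PutObjectAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3XAmzCopySource,
			condition.S3XAmzServerSideEncryption,
			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
			condition.S3XAmzMetadataDirective,
			condition.S3XAmzStorageClass,
			condition.S3VersionID,
			condition.S3ObjectLockRetainUntilDate,
			condition.S3ObjectLockMode,
			condition.S3ObjectLockLegalHold,
		}, condition.CommonKeys...)...),

	// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
	// LockLegalHold is not supported with PutObjectRetentionAction
	PutObjectRetentionAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3XAmzServerSideEncryption,
			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
			condition.S3ObjectLockRemainingRetentionDays,
			condition.S3ObjectLockRetainUntilDate,
			condition.S3ObjectLockMode,
			condition.S3VersionID,
		}, condition.CommonKeys...)...),

	GetObjectRetentionAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3XAmzServerSideEncryption,
			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
			condition.S3VersionID,
		}, condition.CommonKeys...)...),

	PutObjectLegalHoldAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3XAmzServerSideEncryption,
			condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
			condition.S3ObjectLockLegalHold,
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	GetObjectLegalHoldAction: condition.NewKeySet(condition.CommonKeys...),

	// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
	BypassGovernanceRetentionAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
			condition.S3ObjectLockRemainingRetentionDays,
			condition.S3ObjectLockRetainUntilDate,
			condition.S3ObjectLockMode,
			condition.S3ObjectLockLegalHold,
		}, condition.CommonKeys...)...),

	PutObjectTaggingAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	GetObjectTaggingAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	DeleteObjectTaggingAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),

	PutObjectVersionTaggingAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	GetObjectVersionAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	GetObjectVersionTaggingAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	DeleteObjectVersionAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	DeleteObjectVersionTaggingAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	ReplicateObjectAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	ReplicateDeleteAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	ReplicateTagsAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
	GetObjectVersionForReplicationAction: condition.NewKeySet(
		append([]condition.Key{
			condition.S3VersionID,
		}, condition.CommonKeys...)...),
}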