|
| 1 | +// This file is part of MinIO Console Server |
| 2 | +// Copyright (c) 2020 MinIO, Inc. |
| 3 | +// |
| 4 | +// This program is free software: you can redistribute it and/or modify |
| 5 | +// it under the terms of the GNU Affero General Public License as published by |
| 6 | +// the Free Software Foundation, either version 3 of the License, or |
| 7 | +// (at your option) any later version. |
| 8 | +// |
| 9 | +// This program is distributed in the hope that it will be useful, |
| 10 | +// but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | +// GNU Affero General Public License for more details. |
| 13 | +// |
| 14 | +// You should have received a copy of the GNU Affero General Public License |
| 15 | +// along with this program. If not, see <http://www.gnu.org/licenses/>. |
| 16 | + |
| 17 | +package acl |
| 18 | + |
| 19 | +import iampolicy "github.com/minio/minio/pkg/iam/policy" |
| 20 | + |
| 21 | +// endpoints definition |
| 22 | +var ( |
| 23 | + configuration = "/configurations-list" |
| 24 | + users = "/users" |
| 25 | + groups = "/groups" |
| 26 | + iamPolicies = "/policies" |
| 27 | + dashboard = "/dashboard" |
| 28 | + profiling = "/profiling" |
| 29 | + trace = "/trace" |
| 30 | + logs = "/logs" |
| 31 | + watch = "/watch" |
| 32 | + notifications = "/notification-endpoints" |
| 33 | + buckets = "/buckets" |
| 34 | +) |
| 35 | + |
| 36 | +type ConfigurationActionSet struct { |
| 37 | + actionTypes iampolicy.ActionSet |
| 38 | + actions iampolicy.ActionSet |
| 39 | +} |
| 40 | + |
| 41 | +// configurationActionSet contains the list of admin actions required for this endpoint to work |
| 42 | +var configurationActionSet = ConfigurationActionSet{ |
| 43 | + actionTypes: iampolicy.NewActionSet( |
| 44 | + iampolicy.AllAdminActions, |
| 45 | + ), |
| 46 | + actions: iampolicy.NewActionSet( |
| 47 | + iampolicy.ConfigUpdateAdminAction, |
| 48 | + ), |
| 49 | +} |
| 50 | + |
| 51 | +// logsActionSet contains the list of admin actions required for this endpoint to work |
| 52 | +var logsActionSet = ConfigurationActionSet{ |
| 53 | + actionTypes: iampolicy.NewActionSet( |
| 54 | + iampolicy.AllAdminActions, |
| 55 | + ), |
| 56 | + actions: iampolicy.NewActionSet( |
| 57 | + iampolicy.ConsoleLogAdminAction, |
| 58 | + ), |
| 59 | +} |
| 60 | + |
| 61 | +// dashboardActionSet contains the list of admin actions required for this endpoint to work |
| 62 | +var dashboardActionSet = ConfigurationActionSet{ |
| 63 | + actionTypes: iampolicy.NewActionSet( |
| 64 | + iampolicy.AllAdminActions, |
| 65 | + ), |
| 66 | + actions: iampolicy.NewActionSet( |
| 67 | + iampolicy.ServerInfoAdminAction, |
| 68 | + ), |
| 69 | +} |
| 70 | + |
| 71 | +// groupsActionSet contains the list of admin actions required for this endpoint to work |
| 72 | +var groupsActionSet = ConfigurationActionSet{ |
| 73 | + actionTypes: iampolicy.NewActionSet( |
| 74 | + iampolicy.AllAdminActions, |
| 75 | + ), |
| 76 | + actions: iampolicy.NewActionSet( |
| 77 | + iampolicy.ListGroupsAdminAction, |
| 78 | + iampolicy.AddUserToGroupAdminAction, |
| 79 | + //iampolicy.GetGroupAdminAction, |
| 80 | + iampolicy.EnableGroupAdminAction, |
| 81 | + iampolicy.DisableGroupAdminAction, |
| 82 | + ), |
| 83 | +} |
| 84 | + |
| 85 | +// iamPoliciesActionSet contains the list of admin actions required for this endpoint to work |
| 86 | +var iamPoliciesActionSet = ConfigurationActionSet{ |
| 87 | + actionTypes: iampolicy.NewActionSet( |
| 88 | + iampolicy.AllAdminActions, |
| 89 | + ), |
| 90 | + actions: iampolicy.NewActionSet( |
| 91 | + iampolicy.GetPolicyAdminAction, |
| 92 | + iampolicy.DeletePolicyAdminAction, |
| 93 | + iampolicy.CreatePolicyAdminAction, |
| 94 | + iampolicy.AttachPolicyAdminAction, |
| 95 | + iampolicy.ListUserPoliciesAdminAction, |
| 96 | + ), |
| 97 | +} |
| 98 | + |
| 99 | +// profilingActionSet contains the list of admin actions required for this endpoint to work |
| 100 | +var profilingActionSet = ConfigurationActionSet{ |
| 101 | + actionTypes: iampolicy.NewActionSet( |
| 102 | + iampolicy.AllAdminActions, |
| 103 | + ), |
| 104 | + actions: iampolicy.NewActionSet( |
| 105 | + iampolicy.ProfilingAdminAction, |
| 106 | + ), |
| 107 | +} |
| 108 | + |
| 109 | +// traceActionSet contains the list of admin actions required for this endpoint to work |
| 110 | +var traceActionSet = ConfigurationActionSet{ |
| 111 | + actionTypes: iampolicy.NewActionSet( |
| 112 | + iampolicy.AllAdminActions, |
| 113 | + ), |
| 114 | + actions: iampolicy.NewActionSet( |
| 115 | + iampolicy.TraceAdminAction, |
| 116 | + ), |
| 117 | +} |
| 118 | + |
| 119 | +// usersActionSet contains the list of admin actions required for this endpoint to work |
| 120 | +var usersActionSet = ConfigurationActionSet{ |
| 121 | + actionTypes: iampolicy.NewActionSet( |
| 122 | + iampolicy.AllAdminActions, |
| 123 | + ), |
| 124 | + actions: iampolicy.NewActionSet( |
| 125 | + iampolicy.ListUsersAdminAction, |
| 126 | + iampolicy.CreateUserAdminAction, |
| 127 | + iampolicy.DeleteUserAdminAction, |
| 128 | + iampolicy.GetUserAdminAction, |
| 129 | + iampolicy.EnableUserAdminAction, |
| 130 | + iampolicy.DisableUserAdminAction, |
| 131 | + ), |
| 132 | +} |
| 133 | + |
| 134 | +// watchActionSet contains the list of admin actions required for this endpoint to work |
| 135 | +var watchActionSet = ConfigurationActionSet{ |
| 136 | + actionTypes: iampolicy.NewActionSet( |
| 137 | + iampolicy.AllAdminActions, |
| 138 | + ), |
| 139 | + actions: iampolicy.NewActionSet( |
| 140 | + iampolicy.ListenBucketNotificationAction, |
| 141 | + ), |
| 142 | +} |
| 143 | + |
| 144 | +// notificationsActionSet contains the list of admin actions required for this endpoint to work |
| 145 | +var notificationsActionSet = ConfigurationActionSet{ |
| 146 | + actionTypes: iampolicy.NewActionSet( |
| 147 | + iampolicy.AllActions, |
| 148 | + ), |
| 149 | + actions: iampolicy.NewActionSet( |
| 150 | + iampolicy.ListenBucketNotificationAction, |
| 151 | + iampolicy.PutBucketNotificationAction, |
| 152 | + iampolicy.GetBucketNotificationAction, |
| 153 | + ), |
| 154 | +} |
| 155 | + |
| 156 | +// bucketsActionSet contains the list of admin actions required for this endpoint to work |
| 157 | +var bucketsActionSet = ConfigurationActionSet{ |
| 158 | + actionTypes: iampolicy.NewActionSet( |
| 159 | + iampolicy.AllActions, |
| 160 | + ), |
| 161 | + actions: iampolicy.NewActionSet( |
| 162 | + // Read access to buckets |
| 163 | + iampolicy.ListMultipartUploadPartsAction, |
| 164 | + iampolicy.ListBucketMultipartUploadsAction, |
| 165 | + iampolicy.ListBucketAction, |
| 166 | + iampolicy.HeadBucketAction, |
| 167 | + iampolicy.GetObjectAction, |
| 168 | + iampolicy.GetBucketLocationAction, |
| 169 | + // Write access to buckets |
| 170 | + iampolicy.AbortMultipartUploadAction, |
| 171 | + iampolicy.CreateBucketAction, |
| 172 | + iampolicy.PutObjectAction, |
| 173 | + iampolicy.DeleteObjectAction, |
| 174 | + iampolicy.DeleteBucketAction, |
| 175 | + // Assign bucket policies |
| 176 | + iampolicy.PutBucketPolicyAction, |
| 177 | + iampolicy.DeleteBucketPolicyAction, |
| 178 | + iampolicy.GetBucketPolicyAction, |
| 179 | + ), |
| 180 | +} |
| 181 | + |
| 182 | +// endpointRules contains the mapping between endpoints and ActionSets, additional rules can be added here |
| 183 | +var endpointRules = map[string]ConfigurationActionSet{ |
| 184 | + configuration: configurationActionSet, |
| 185 | + users: usersActionSet, |
| 186 | + groups: groupsActionSet, |
| 187 | + iamPolicies: iamPoliciesActionSet, |
| 188 | + dashboard: dashboardActionSet, |
| 189 | + profiling: profilingActionSet, |
| 190 | + trace: traceActionSet, |
| 191 | + logs: logsActionSet, |
| 192 | + watch: watchActionSet, |
| 193 | + notifications: notificationsActionSet, |
| 194 | + buckets: bucketsActionSet, |
| 195 | +} |
| 196 | + |
| 197 | +// GetActionsStringFromPolicy extract the admin/s3 actions from a given policy and return them in []string format |
| 198 | +// |
| 199 | +// ie: |
| 200 | +// { |
| 201 | +// "Version": "2012-10-17", |
| 202 | +// "Statement": [{ |
| 203 | +// "Action": [ |
| 204 | +// "admin:ServerInfo", |
| 205 | +// "admin:CreatePolicy", |
| 206 | +// "admin:GetUser" |
| 207 | +// ], |
| 208 | +// ... |
| 209 | +// }, |
| 210 | +// { |
| 211 | +// "Action": [ |
| 212 | +// "s3:ListenBucketNotification", |
| 213 | +// "s3:PutBucketNotification" |
| 214 | +// ], |
| 215 | +// ... |
| 216 | +// } |
| 217 | +// ] |
| 218 | +// } |
| 219 | +// Will produce an array like: ["admin:ServerInfo", "admin:CreatePolicy", "admin:GetUser", "s3:ListenBucketNotification", "s3:PutBucketNotification"]\ |
| 220 | +func GetActionsStringFromPolicy(policy *iampolicy.Policy) []string { |
| 221 | + var actions []string |
| 222 | + for _, statement := range policy.Statements { |
| 223 | + // We only care about allowed actions |
| 224 | + if statement.Effect.IsAllowed(true) { |
| 225 | + for _, action := range statement.Actions.ToSlice() { |
| 226 | + actions = append(actions, string(action)) |
| 227 | + } |
| 228 | + } |
| 229 | + } |
| 230 | + return actions |
| 231 | +} |
| 232 | + |
| 233 | +// actionsStringToActionSet convert a given string array to iampolicy.ActionSet structure |
| 234 | +// this avoids ending with duplicate actions |
| 235 | +func actionsStringToActionSet(actions []string) iampolicy.ActionSet { |
| 236 | + actionsSet := iampolicy.ActionSet{} |
| 237 | + for _, action := range actions { |
| 238 | + actionsSet.Add(iampolicy.Action(action)) |
| 239 | + } |
| 240 | + return actionsSet |
| 241 | +} |
| 242 | + |
| 243 | +// GetAuthorizedEndpoints return a list of allowed endpoint based on a provided *iampolicy.Policy |
| 244 | +// ie: pages the user should have access based on his current privileges |
| 245 | +func GetAuthorizedEndpoints(actions []string) []string { |
| 246 | + if len(actions) == 0 { |
| 247 | + return []string{} |
| 248 | + } |
| 249 | + // Prepare new ActionSet structure that will hold all the user actions |
| 250 | + userAllowedAction := actionsStringToActionSet(actions) |
| 251 | + allowedEndpoints := []string{} |
| 252 | + for endpoint, rules := range endpointRules { |
| 253 | + // check if user policy matches s3:* or admin:* typesIntersection |
| 254 | + endpointActionTypes := rules.actionTypes |
| 255 | + typesIntersection := endpointActionTypes.Intersection(userAllowedAction) |
| 256 | + if len(typesIntersection) == len(endpointActionTypes.ToSlice()) { |
| 257 | + allowedEndpoints = append(allowedEndpoints, endpoint) |
| 258 | + continue |
| 259 | + } |
| 260 | + // check if user policy matches explicitly defined endpoint required actions |
| 261 | + endpointRequiredActions := rules.actions |
| 262 | + actionsIntersection := endpointRequiredActions.Intersection(userAllowedAction) |
| 263 | + if len(actionsIntersection) == len(endpointRequiredActions.ToSlice()) { |
| 264 | + allowedEndpoints = append(allowedEndpoints, endpoint) |
| 265 | + } |
| 266 | + } |
| 267 | + return allowedEndpoints |
| 268 | +} |
0 commit comments