fix S3 per-user-directory Policy (#6443)
* fix S3 per-user-directory Policy * Delete docker/config.json * add tests * remove logs * undo modifications of weed/shell/command_volume_balance.go * remove modifications of docker-compose * fix failing test --------- Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
@@ -332,26 +332,23 @@ func GetActions(policy *PolicyDocument) ([]string, error) {
|
||||
// Parse "arn:aws:s3:::my-bucket/shared/*"
|
||||
res := strings.Split(resource, ":")
|
||||
if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
|
||||
return nil, fmt.Errorf("not a valid resource: '%s'. Expected prefix 'arn:aws:s3'", res)
|
||||
glog.Infof("not a valid resource: %s", res)
|
||||
continue
|
||||
}
|
||||
for _, action := range statement.Action {
|
||||
// Parse "s3:Get*"
|
||||
act := strings.Split(action, ":")
|
||||
if len(act) != 2 || act[0] != "s3" {
|
||||
return nil, fmt.Errorf("not a valid action: '%s'. Expected prefix 's3:'", act)
|
||||
glog.Infof("not a valid action: %s", act)
|
||||
continue
|
||||
}
|
||||
statementAction := MapToStatementAction(act[1])
|
||||
if res[5] == "*" {
|
||||
path := res[5]
|
||||
if path == "*" {
|
||||
actions = append(actions, statementAction)
|
||||
continue
|
||||
}
|
||||
// Parse my-bucket/shared/*
|
||||
path := strings.Split(res[5], "/")
|
||||
if len(path) != 2 || path[1] != "*" {
|
||||
glog.Infof("not match bucket: %s", path)
|
||||
continue
|
||||
}
|
||||
actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path[0]))
|
||||
actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path))
|
||||
}
|
||||
}
|
||||
}
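Review bot: The two new `fmt.Errorf` calls format the split slices `res` and `act` with `%s`, so a rejected policy is reported as something like `not a valid resource: '[arn aws s3  my-bucket]'` instead of echoing the string the policy actually contained; format the originals with `%q`, e.g. `return nil, fmt.Errorf("not a valid resource %q: expected prefix 'arn:aws:s3'", resource)` and `return nil, fmt.Errorf("not a valid action %q: expected prefix 's3:'", action)`. The new `path := res[5]` is also appended unchecked, so `arn:aws:s3:::` (empty path) now produces an action such as `Write:` where the old code only accepted a `bucket/*` shape and skipped everything else; whether the downstream matcher treats an empty suffix as matching every object is not visible from this hunk, so a guard `if path == "" { return nil, fmt.Errorf("not a valid resource %q: missing bucket or path", resource) }` before the append seems worth adding. GetActions begins outside the hunk; only its signature appears in the hunk header.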
|
||||
|
||||
71
weed/iamapi/iamapi_management_handlers_test.go
Normal file
@@ -0,0 +1,71 @@
|
||||
package iamapi
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestGetActionsUserPath(t *testing.T) {
|
||||
|
||||
policyDocument := PolicyDocument{
|
||||
Version: "2012-10-17",
|
||||
Statement: []*Statement{
|
||||
{
|
||||
Effect: "Allow",
|
||||
Action: []string{
|
||||
"s3:Put*",
|
||||
"s3:PutBucketAcl",
|
||||
"s3:Get*",
|
||||
"s3:GetBucketAcl",
|
||||
"s3:List*",
|
||||
"s3:Tagging*",
|
||||
"s3:DeleteBucket*",
|
||||
},
|
||||
Resource: []string{
|
||||
"arn:aws:s3:::shared/user-Alice/*",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
actions, _ := GetActions(&policyDocument)
|
||||
|
||||
expectedActions := []string{
|
||||
"Write:shared/user-Alice/*",
|
||||
"WriteAcp:shared/user-Alice/*",
|
||||
"Read:shared/user-Alice/*",
|
||||
"ReadAcp:shared/user-Alice/*",
|
||||
"List:shared/user-Alice/*",
|
||||
"Tagging:shared/user-Alice/*",
|
||||
"DeleteBucket:shared/user-Alice/*",
|
||||
}
|
||||
assert.Equal(t, expectedActions, actions)
|
||||
}
|
||||
|
||||
func TestGetActionsWildcardPath(t *testing.T) {
|
||||
|
||||
policyDocument := PolicyDocument{
|
||||
Version: "2012-10-17",
|
||||
Statement: []*Statement{
|
||||
{
|
||||
Effect: "Allow",
|
||||
Action: []string{
|
||||
"s3:Get*",
|
||||
"s3:PutBucketAcl",
|
||||
},
|
||||
Resource: []string{
|
||||
"arn:aws:s3:::*",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
actions, _ := GetActions(&policyDocument)
|
||||
|
||||
expectedActions := []string{
|
||||
"Read",
|
||||
"WriteAcp",
|
||||
}
|
||||
assert.Equal(t, expectedActions, actions)
|
||||
}
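Review bot: Both tests discard the error return with `actions, _ := GetActions(&policyDocument)`, so a regression that makes GetActions return an error with a nil slice would surface only as a confusing slice mismatch; use `actions, err := GetActions(&policyDocument)` followed by `assert.NoError(t, err)` in each test. The error path this commit introduces (a resource not prefixed `arn:aws:s3`, an action not prefixed `s3:`) is not covered at all; a third test with `Resource: []string{"s3:::shared/*"}` asserting `assert.Error(t, err)` and `assert.Nil(t, actions)` would pin the new contract. A case with `arn:aws:s3:::` (empty path) would likewise document whether an empty suffix is meant to be accepted.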
|
||||