540fc97e00
* request_id: add shared request middleware
* s3err: preserve request ids in responses and logs
* iam: reuse request ids in XML responses
* sts: reuse request ids in XML responses
* request_id: drop legacy header fallback
* request_id: use AWS-style request id format
* iam: fix AWS-compatible XML format for ErrorResponse and field ordering
- ErrorResponse uses bare <RequestId> at root level instead of
<ResponseMetadata> wrapper, matching the AWS IAM error response spec
- Move CommonResponse to last field in success response structs so
<ResponseMetadata> serializes after result elements
- Add randomness to request ID generation to avoid collisions
- Add tests for XML ordering and ErrorResponse format
* iam: remove duplicate error_response_test.go
Test is already covered by responses_test.go.
* address PR review comments
- Guard against typed nil pointers in SetResponseRequestID before
interface assertion (CodeRabbit)
- Use regexp instead of strings.Index in test helpers for extracting
request IDs (Gemini)
* request_id: prevent spoofing, fix nil-error branch, thread reqID to error writers
- Ensure() now always generates a server-side ID, ignoring client-sent
x-amz-request-id headers to prevent request ID spoofing. Uses a
private context key (contextKey{}) instead of the header string.
- writeIamErrorResponse in both iamapi and embedded IAM now accepts
reqID as a parameter instead of calling Ensure() internally, ensuring
a single request ID per request lifecycle.
- The nil-iamError branch in writeIamErrorResponse now writes a 500
Internal Server Error response instead of returning silently.
- Updated tests to set request IDs via context (not headers) and added
tests for spoofing prevention and context reuse.
* sts: add request-id consistency assertions to ActionInBody tests
* test: update admin test to expect server-generated request IDs
The test previously sent a client x-amz-request-id header and expected
it echoed back. Since Ensure() now ignores client headers to prevent
spoofing, update the test to verify the server returns a non-empty
server-generated request ID instead.
* iam: add generic WithRequestID helper alongside reflection-based fallback
Add WithRequestID[T] that uses generics to take the address of a value
type, satisfying the pointer receiver on SetRequestId without reflection.
The existing SetResponseRequestID is kept for the two call sites that
operate on interface{} (from large action switches where the concrete
type varies at runtime). Generics cannot replace reflection there since
Go cannot infer type parameters from interface{}.
* Remove reflection and generics from request ID setting
Call SetRequestId directly on concrete response types in each switch
branch before boxing into interface{}, eliminating the need for
WithRequestID (generics) and SetResponseRequestID (reflection).
* iam: return pointer responses in action dispatch
* Fix IAM error handling consistency and ensure request IDs on all responses
- UpdateUser/CreatePolicy error branches: use writeIamErrorResponse instead
of s3err.WriteErrorResponse to preserve IAM formatting and request ID
- ExecuteAction: accept reqID parameter and generate one if empty, ensuring
every response carries a RequestId regardless of caller
* Clean up inline policies on DeleteUser and UpdateUser rename
DeleteUser: remove InlinePolicies[userName] from policy storage before
removing the identity, so policies are not orphaned.
UpdateUser: move InlinePolicies[userName] to InlinePolicies[newUserName]
when renaming, so GetUserPolicy/DeleteUserPolicy work under the new name.
Both operations persist the updated policies and return an error if
the storage write fails, preventing partial state.
1800 lines
65 KiB
Go
1800 lines
65 KiB
Go
package s3api
|
|
|
|
// This file provides IAM API functionality embedded in the S3 server.
|
|
// Common IAM types and helpers are imported from the shared weed/iam package.
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
|
"github.com/seaweedfs/seaweedfs/weed/credential"
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
iamlib "github.com/seaweedfs/seaweedfs/weed/iam"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
|
|
"github.com/seaweedfs/seaweedfs/weed/util/request_id"
|
|
"google.golang.org/protobuf/proto"
|
|
)
|
|
|
|
// EmbeddedIamApi provides IAM API functionality embedded in the S3 server.
|
|
// This allows running a single server that handles both S3 and IAM requests.
|
|
type EmbeddedIamApi struct {
|
|
credentialManager *credential.CredentialManager
|
|
iam *IdentityAccessManagement
|
|
policyLock sync.RWMutex
|
|
// Test hook
|
|
getS3ApiConfigurationFunc func(*iam_pb.S3ApiConfiguration) error
|
|
putS3ApiConfigurationFunc func(*iam_pb.S3ApiConfiguration) error
|
|
reloadConfigurationFunc func() error
|
|
readOnly bool
|
|
}
|
|
|
|
// NewEmbeddedIamApi creates a new embedded IAM API handler.
|
|
func NewEmbeddedIamApi(credentialManager *credential.CredentialManager, iam *IdentityAccessManagement, readOnly bool) *EmbeddedIamApi {
|
|
return &EmbeddedIamApi{
|
|
credentialManager: credentialManager,
|
|
iam: iam,
|
|
readOnly: readOnly,
|
|
}
|
|
}
|
|
|
|
func (e *EmbeddedIamApi) refreshIAMConfiguration() error {
|
|
if e.reloadConfigurationFunc != nil {
|
|
return e.reloadConfigurationFunc()
|
|
}
|
|
if e.iam == nil {
|
|
return nil
|
|
}
|
|
if err := e.iam.LoadS3ApiConfigurationFromCredentialManager(); err != nil {
|
|
return fmt.Errorf("failed to refresh IAM configuration: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Constants for service account identifiers
|
|
const (
|
|
ServiceAccountIDLength = 12 // Length of the service account ID
|
|
AccessKeyLength = 20 // AWS standard access key length
|
|
SecretKeyLength = 40 // AWS standard secret key length (base64 encoded)
|
|
ServiceAccountIDPrefix = "sa"
|
|
ServiceAccountKeyPrefix = "ABIA" // Service account access keys start with ABIA
|
|
UserAccessKeyPrefix = "AKIA" // User access keys start with AKIA
|
|
|
|
// Operational limits (AWS IAM compatible)
|
|
MaxServiceAccountsPerUser = 100 // Maximum service accounts per user
|
|
MaxDescriptionLength = 1000 // Maximum description length in characters
|
|
MaxManagedPoliciesPerUser = 10 // Maximum managed policies attached to a user
|
|
)
|
|
|
|
// Type aliases for IAM response types from shared package
|
|
type (
|
|
iamListUsersResponse = iamlib.ListUsersResponse
|
|
iamListAccessKeysResponse = iamlib.ListAccessKeysResponse
|
|
iamDeleteAccessKeyResponse = iamlib.DeleteAccessKeyResponse
|
|
iamCreatePolicyResponse = iamlib.CreatePolicyResponse
|
|
iamDeletePolicyResponse = iamlib.DeletePolicyResponse
|
|
iamListPoliciesResponse = iamlib.ListPoliciesResponse
|
|
iamGetPolicyResponse = iamlib.GetPolicyResponse
|
|
iamListPolicyVersionsResponse = iamlib.ListPolicyVersionsResponse
|
|
iamGetPolicyVersionResponse = iamlib.GetPolicyVersionResponse
|
|
iamCreateUserResponse = iamlib.CreateUserResponse
|
|
iamDeleteUserResponse = iamlib.DeleteUserResponse
|
|
iamGetUserResponse = iamlib.GetUserResponse
|
|
iamUpdateUserResponse = iamlib.UpdateUserResponse
|
|
iamCreateAccessKeyResponse = iamlib.CreateAccessKeyResponse
|
|
iamPutUserPolicyResponse = iamlib.PutUserPolicyResponse
|
|
iamDeleteUserPolicyResponse = iamlib.DeleteUserPolicyResponse
|
|
iamGetUserPolicyResponse = iamlib.GetUserPolicyResponse
|
|
iamAttachUserPolicyResponse = iamlib.AttachUserPolicyResponse
|
|
iamDetachUserPolicyResponse = iamlib.DetachUserPolicyResponse
|
|
iamListAttachedUserPoliciesResponse = iamlib.ListAttachedUserPoliciesResponse
|
|
iamSetUserStatusResponse = iamlib.SetUserStatusResponse
|
|
iamUpdateAccessKeyResponse = iamlib.UpdateAccessKeyResponse
|
|
iamErrorResponse = iamlib.ErrorResponse
|
|
iamError = iamlib.Error
|
|
// Service account response types
|
|
iamServiceAccountInfo = iamlib.ServiceAccountInfo
|
|
iamCreateServiceAccountResponse = iamlib.CreateServiceAccountResponse
|
|
iamDeleteServiceAccountResponse = iamlib.DeleteServiceAccountResponse
|
|
iamListServiceAccountsResponse = iamlib.ListServiceAccountsResponse
|
|
iamGetServiceAccountResponse = iamlib.GetServiceAccountResponse
|
|
iamUpdateServiceAccountResponse = iamlib.UpdateServiceAccountResponse
|
|
)
|
|
|
|
// Helper function wrappers using shared package
|
|
func iamHash(s *string) string {
|
|
return iamlib.Hash(s)
|
|
}
|
|
|
|
func iamStringWithCharset(length int, charset string) (string, error) {
|
|
return iamlib.GenerateRandomString(length, charset)
|
|
}
|
|
|
|
func iamStringSlicesEqual(a, b []string) bool {
|
|
return iamlib.StringSlicesEqual(a, b)
|
|
}
|
|
|
|
func iamMapToStatementAction(action string) string {
|
|
return iamlib.MapToStatementAction(action)
|
|
}
|
|
|
|
func iamMapToIdentitiesAction(action string) string {
|
|
return iamlib.MapToIdentitiesAction(action)
|
|
}
|
|
|
|
// iamValidateStatus validates that status is either Active or Inactive.
|
|
func iamValidateStatus(status string) error {
|
|
switch status {
|
|
case iamAccessKeyStatusActive, iamAccessKeyStatusInactive:
|
|
return nil
|
|
case "":
|
|
return fmt.Errorf("Status parameter is required")
|
|
default:
|
|
return fmt.Errorf("Status must be '%s' or '%s'", iamAccessKeyStatusActive, iamAccessKeyStatusInactive)
|
|
}
|
|
}
|
|
|
|
// Constants from shared package
|
|
const (
|
|
iamCharsetUpper = iamlib.CharsetUpper
|
|
iamCharset = iamlib.Charset
|
|
iamPolicyDocumentVersion = iamlib.PolicyDocumentVersion
|
|
iamUserDoesNotExist = iamlib.UserDoesNotExist
|
|
iamAccessKeyStatusActive = iamlib.AccessKeyStatusActive
|
|
iamAccessKeyStatusInactive = iamlib.AccessKeyStatusInactive
|
|
)
|
|
|
|
func newIamErrorResponse(errCode string, errMsg string, requestID string) iamErrorResponse {
|
|
errorResp := iamErrorResponse{}
|
|
errorResp.Error.Type = "Sender"
|
|
errorResp.Error.Code = &errCode
|
|
errorResp.Error.Message = &errMsg
|
|
errorResp.SetRequestId(requestID)
|
|
return errorResp
|
|
}
|
|
|
|
func (e *EmbeddedIamApi) writeIamErrorResponse(w http.ResponseWriter, r *http.Request, reqID string, iamErr *iamError) {
|
|
if iamErr == nil {
|
|
glog.Errorf("writeIamErrorResponse called with nil error")
|
|
internalResp := newIamErrorResponse(iam.ErrCodeServiceFailureException, "Internal server error", reqID)
|
|
s3err.WriteXMLResponse(w, r, http.StatusInternalServerError, internalResp)
|
|
return
|
|
}
|
|
|
|
errCode := iamErr.Code
|
|
errMsg := iamErr.Error.Error()
|
|
glog.Errorf("IAM Response %+v", errMsg)
|
|
|
|
errorResp := newIamErrorResponse(errCode, errMsg, reqID)
|
|
internalErrorResponse := newIamErrorResponse(iam.ErrCodeServiceFailureException, "Internal server error", reqID)
|
|
|
|
switch errCode {
|
|
case iam.ErrCodeNoSuchEntityException:
|
|
s3err.WriteXMLResponse(w, r, http.StatusNotFound, errorResp)
|
|
case iam.ErrCodeEntityAlreadyExistsException:
|
|
s3err.WriteXMLResponse(w, r, http.StatusConflict, errorResp)
|
|
case iam.ErrCodeMalformedPolicyDocumentException, iam.ErrCodeInvalidInputException:
|
|
s3err.WriteXMLResponse(w, r, http.StatusBadRequest, errorResp)
|
|
case "AccessDenied", iam.ErrCodeLimitExceededException:
|
|
s3err.WriteXMLResponse(w, r, http.StatusForbidden, errorResp)
|
|
case iam.ErrCodeServiceFailureException:
|
|
s3err.WriteXMLResponse(w, r, http.StatusInternalServerError, internalErrorResponse)
|
|
case "NotImplemented":
|
|
s3err.WriteXMLResponse(w, r, http.StatusNotImplemented, errorResp)
|
|
case iam.ErrCodeDeleteConflictException:
|
|
s3err.WriteXMLResponse(w, r, http.StatusConflict, errorResp)
|
|
default:
|
|
s3err.WriteXMLResponse(w, r, http.StatusInternalServerError, internalErrorResponse)
|
|
}
|
|
}
|
|
|
|
// GetS3ApiConfiguration loads the S3 API configuration from the credential manager.
|
|
func (e *EmbeddedIamApi) GetS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration) error {
|
|
if e.getS3ApiConfigurationFunc != nil {
|
|
return e.getS3ApiConfigurationFunc(s3cfg)
|
|
}
|
|
config, err := e.credentialManager.LoadConfiguration(context.Background())
|
|
if err != nil {
|
|
return fmt.Errorf("failed to load configuration: %w", err)
|
|
}
|
|
proto.Merge(s3cfg, config)
|
|
return nil
|
|
}
|
|
|
|
// PutS3ApiConfiguration saves the S3 API configuration to the credential manager.
|
|
func (e *EmbeddedIamApi) PutS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration) error {
|
|
if e.putS3ApiConfigurationFunc != nil {
|
|
return e.putS3ApiConfigurationFunc(s3cfg)
|
|
}
|
|
return e.credentialManager.SaveConfiguration(context.Background(), s3cfg)
|
|
}
|
|
|
|
// ReloadConfiguration reloads the IAM configuration from the credential manager.
|
|
func (e *EmbeddedIamApi) ReloadConfiguration() error {
|
|
glog.V(4).Infof("IAM: reloading configuration via EmbeddedIamApi")
|
|
if e.reloadConfigurationFunc != nil {
|
|
return e.reloadConfigurationFunc()
|
|
}
|
|
return e.iam.LoadS3ApiConfigurationFromCredentialManager()
|
|
}
|
|
|
|
// ListUsers lists all IAM users.
|
|
func (e *EmbeddedIamApi) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) *iamListUsersResponse {
|
|
resp := &iamListUsersResponse{}
|
|
for _, ident := range s3cfg.Identities {
|
|
resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
|
|
}
|
|
return resp
|
|
}
|
|
|
|
// ListAccessKeys lists access keys for a user.
|
|
func (e *EmbeddedIamApi) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) *iamListAccessKeysResponse {
|
|
resp := &iamListAccessKeysResponse{}
|
|
userName := values.Get("UserName")
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName != "" && userName != ident.Name {
|
|
continue
|
|
}
|
|
for _, cred := range ident.Credentials {
|
|
// Return actual status from credential, default to Active if not set
|
|
status := cred.Status
|
|
if status == "" {
|
|
status = iamAccessKeyStatusActive
|
|
}
|
|
// Capture copies to avoid loop variable pointer aliasing
|
|
identName := ident.Name
|
|
accessKey := cred.AccessKey
|
|
statusCopy := status
|
|
resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
|
|
&iam.AccessKeyMetadata{UserName: &identName, AccessKeyId: &accessKey, Status: &statusCopy},
|
|
)
|
|
}
|
|
}
|
|
return resp
|
|
}
|
|
|
|
// CreateUser creates a new IAM user.
|
|
func (e *EmbeddedIamApi) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamCreateUserResponse, *iamError) {
|
|
resp := &iamCreateUserResponse{}
|
|
userName := values.Get("UserName")
|
|
|
|
// Validate UserName is not empty
|
|
if userName == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
|
}
|
|
|
|
// Check for duplicate user
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name == userName {
|
|
return resp, &iamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("user %s already exists", userName)}
|
|
}
|
|
}
|
|
|
|
resp.CreateUserResult.User.UserName = &userName
|
|
s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName}) // Disabled defaults to false (enabled)
|
|
return resp, nil
|
|
}
|
|
|
|
// DeleteUser deletes an IAM user.
|
|
func (e *EmbeddedIamApi) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (*iamDeleteUserResponse, *iamError) {
|
|
resp := &iamDeleteUserResponse{}
|
|
for i, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
// AWS IAM behavior: prevent deletion if user has service accounts
|
|
// This ensures explicit cleanup and prevents orphaned resources
|
|
if len(ident.ServiceAccountIds) > 0 {
|
|
return resp, &iamError{
|
|
Code: iam.ErrCodeDeleteConflictException,
|
|
Error: fmt.Errorf("cannot delete user %s: user has %d service account(s). Delete service accounts first",
|
|
userName, len(ident.ServiceAccountIds)),
|
|
}
|
|
}
|
|
s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
|
|
return resp, nil
|
|
}
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// GetUser gets an IAM user.
|
|
func (e *EmbeddedIamApi) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (*iamGetUserResponse, *iamError) {
|
|
resp := &iamGetUserResponse{}
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
resp.GetUserResult.User = iam.User{UserName: &ident.Name}
|
|
return resp, nil
|
|
}
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// UpdateUser updates an IAM user.
|
|
func (e *EmbeddedIamApi) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamUpdateUserResponse, *iamError) {
|
|
resp := &iamUpdateUserResponse{}
|
|
userName := values.Get("UserName")
|
|
newUserName := values.Get("NewUserName")
|
|
if newUserName != "" {
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
ident.Name = newUserName
|
|
return resp, nil
|
|
}
|
|
}
|
|
} else {
|
|
return resp, nil
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// CreateAccessKey creates an access key for a user.
|
|
func (e *EmbeddedIamApi) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamCreateAccessKeyResponse, *iamError) {
|
|
resp := &iamCreateAccessKeyResponse{}
|
|
userName := values.Get("UserName")
|
|
status := iam.StatusTypeActive
|
|
|
|
// Generate AWS-standard access key: AKIA prefix + 16 random uppercase chars = 20 total
|
|
randomPart, err := iamStringWithCharset(AccessKeyLength-len(UserAccessKeyPrefix), iamCharsetUpper)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to generate access key: %w", err)}
|
|
}
|
|
accessKeyId := UserAccessKeyPrefix + randomPart
|
|
|
|
secretAccessKey, err := iamStringWithCharset(SecretKeyLength, iamCharset)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to generate secret key: %w", err)}
|
|
}
|
|
|
|
resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
|
|
resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
|
|
resp.CreateAccessKeyResult.AccessKey.UserName = &userName
|
|
resp.CreateAccessKeyResult.AccessKey.Status = &status
|
|
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
ident.Credentials = append(ident.Credentials,
|
|
&iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey, Status: iamAccessKeyStatusActive})
|
|
return resp, nil
|
|
}
|
|
}
|
|
// User not found - return error instead of implicitly creating the user
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// DeleteAccessKey deletes an access key for a user.
|
|
func (e *EmbeddedIamApi) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) *iamDeleteAccessKeyResponse {
|
|
resp := &iamDeleteAccessKeyResponse{}
|
|
userName := values.Get("UserName")
|
|
accessKeyId := values.Get("AccessKeyId")
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
for i, cred := range ident.Credentials {
|
|
if cred.AccessKey == accessKeyId {
|
|
ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
|
|
break
|
|
}
|
|
}
|
|
break
|
|
}
|
|
}
|
|
return resp
|
|
}
|
|
|
|
// GetPolicyDocument parses a policy document string.
|
|
func (e *EmbeddedIamApi) GetPolicyDocument(policy *string) (policy_engine.PolicyDocument, error) {
|
|
var policyDocument policy_engine.PolicyDocument
|
|
if err := json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
|
|
return policy_engine.PolicyDocument{}, err
|
|
}
|
|
return policyDocument, nil
|
|
}
|
|
|
|
// CreatePolicy validates and creates a new IAM managed policy.
|
|
func (e *EmbeddedIamApi) CreatePolicy(ctx context.Context, values url.Values) (*iamCreatePolicyResponse, *iamError) {
|
|
resp := &iamCreatePolicyResponse{}
|
|
policyName := values.Get("PolicyName")
|
|
policyDocumentString := values.Get("PolicyDocument")
|
|
if policyName == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("PolicyName is required")}
|
|
}
|
|
if policyDocumentString == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("PolicyDocument is required")}
|
|
}
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
policyDocument, err := e.GetPolicyDocument(&policyDocumentString)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
|
|
}
|
|
existing, err := e.credentialManager.GetPolicy(ctx, policyName)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if existing != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("policy %s already exists", policyName)}
|
|
}
|
|
if err := e.credentialManager.CreatePolicy(ctx, policyName, policyDocument); err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
policyId := iamHash(&policyName)
|
|
arn := iamPolicyArn(policyName)
|
|
resp.CreatePolicyResult.Policy.PolicyName = &policyName
|
|
resp.CreatePolicyResult.Policy.Arn = &arn
|
|
resp.CreatePolicyResult.Policy.PolicyId = &policyId
|
|
path := "/"
|
|
defaultVersionId := "v1"
|
|
isAttachable := true
|
|
resp.CreatePolicyResult.Policy.Path = &path
|
|
resp.CreatePolicyResult.Policy.DefaultVersionId = &defaultVersionId
|
|
resp.CreatePolicyResult.Policy.IsAttachable = &isAttachable
|
|
return resp, nil
|
|
}
|
|
|
|
// DeletePolicy deletes a managed policy by ARN.
|
|
func (e *EmbeddedIamApi) DeletePolicy(ctx context.Context, values url.Values) (*iamDeletePolicyResponse, *iamError) {
|
|
resp := &iamDeletePolicyResponse{}
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, err := iamPolicyNameFromArn(policyArn)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if policy == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
users, err := e.credentialManager.ListUsers(ctx)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
for _, user := range users {
|
|
attachedPolicies, err := e.credentialManager.ListAttachedUserPolicies(ctx, user)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
for _, attached := range attachedPolicies {
|
|
if attached == policyName {
|
|
return resp, &iamError{
|
|
Code: iam.ErrCodeDeleteConflictException,
|
|
Error: fmt.Errorf("policy %s is attached to user %s", policyName, user),
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if err := e.credentialManager.DeletePolicy(ctx, policyName); err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
// ListPolicies lists managed policies.
|
|
func (e *EmbeddedIamApi) ListPolicies(ctx context.Context, values url.Values) (*iamListPoliciesResponse, *iamError) {
|
|
resp := &iamListPoliciesResponse{}
|
|
pathPrefix := values.Get("PathPrefix")
|
|
if pathPrefix == "" {
|
|
pathPrefix = "/"
|
|
}
|
|
maxItems := 0
|
|
if maxItemsStr := values.Get("MaxItems"); maxItemsStr != "" {
|
|
parsedMaxItems, err := strconv.Atoi(maxItemsStr)
|
|
if err != nil || parsedMaxItems <= 0 {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("MaxItems must be a positive integer")}
|
|
}
|
|
maxItems = parsedMaxItems
|
|
}
|
|
marker := values.Get("Marker")
|
|
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
|
|
if pathPrefix != "/" {
|
|
return resp, &iamError{Code: "NotImplemented", Error: fmt.Errorf("PathPrefix filtering is not supported yet")}
|
|
}
|
|
|
|
policyNames, err := e.credentialManager.ListPolicyNames(ctx)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
sort.Strings(policyNames)
|
|
|
|
if marker != "" {
|
|
i := sort.SearchStrings(policyNames, marker)
|
|
if i < len(policyNames) && policyNames[i] == marker {
|
|
policyNames = policyNames[i+1:]
|
|
} else if i < len(policyNames) {
|
|
policyNames = policyNames[i:]
|
|
} else {
|
|
policyNames = nil
|
|
}
|
|
}
|
|
|
|
// Policy paths are not tracked in the current configuration, so PathPrefix filtering is not supported yet.
|
|
for _, name := range policyNames {
|
|
policyNameCopy := name
|
|
policyArnCopy := iamPolicyArn(name)
|
|
policyId := iamHash(&policyNameCopy)
|
|
path := "/"
|
|
defaultVersionId := "v1"
|
|
isAttachable := true
|
|
resp.ListPoliciesResult.Policies = append(resp.ListPoliciesResult.Policies, &iam.Policy{
|
|
PolicyName: &policyNameCopy,
|
|
Arn: &policyArnCopy,
|
|
PolicyId: &policyId,
|
|
Path: &path,
|
|
DefaultVersionId: &defaultVersionId,
|
|
IsAttachable: &isAttachable,
|
|
})
|
|
}
|
|
|
|
if maxItems > 0 && len(resp.ListPoliciesResult.Policies) > maxItems {
|
|
resp.ListPoliciesResult.Policies = resp.ListPoliciesResult.Policies[:maxItems]
|
|
resp.ListPoliciesResult.IsTruncated = true
|
|
if name := resp.ListPoliciesResult.Policies[maxItems-1].PolicyName; name != nil {
|
|
resp.ListPoliciesResult.Marker = *name
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
resp.ListPoliciesResult.IsTruncated = false
|
|
return resp, nil
|
|
}
|
|
|
|
// GetPolicy returns metadata for a managed policy.
|
|
func (e *EmbeddedIamApi) GetPolicy(ctx context.Context, values url.Values) (*iamGetPolicyResponse, *iamError) {
|
|
resp := &iamGetPolicyResponse{}
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, err := iamPolicyNameFromArn(policyArn)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if policy == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
|
|
policyNameCopy := policyName
|
|
policyArnCopy := iamPolicyArn(policyName)
|
|
policyId := iamHash(&policyNameCopy)
|
|
path := "/"
|
|
defaultVersionId := "v1"
|
|
isAttachable := true
|
|
resp.GetPolicyResult.Policy = iam.Policy{
|
|
PolicyName: &policyNameCopy,
|
|
Arn: &policyArnCopy,
|
|
PolicyId: &policyId,
|
|
Path: &path,
|
|
DefaultVersionId: &defaultVersionId,
|
|
IsAttachable: &isAttachable,
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
// ListPolicyVersions lists versions for a managed policy.
|
|
// Current SeaweedFS implementation stores one version per policy (v1).
|
|
func (e *EmbeddedIamApi) ListPolicyVersions(ctx context.Context, values url.Values) (*iamListPolicyVersionsResponse, *iamError) {
|
|
resp := &iamListPolicyVersionsResponse{}
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, err := iamPolicyNameFromArn(policyArn)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if policy == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
|
|
versionID := "v1"
|
|
isDefaultVersion := true
|
|
resp.ListPolicyVersionsResult.Versions = []*iam.PolicyVersion{{
|
|
VersionId: &versionID,
|
|
IsDefaultVersion: &isDefaultVersion,
|
|
}}
|
|
resp.ListPolicyVersionsResult.IsTruncated = false
|
|
return resp, nil
|
|
}
|
|
|
|
// GetPolicyVersion returns the document for a specific policy version.
|
|
// Current SeaweedFS implementation stores one version per policy (v1).
|
|
func (e *EmbeddedIamApi) GetPolicyVersion(ctx context.Context, values url.Values) (*iamGetPolicyVersionResponse, *iamError) {
|
|
resp := &iamGetPolicyVersionResponse{}
|
|
policyArn := values.Get("PolicyArn")
|
|
versionID := values.Get("VersionId")
|
|
if versionID == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("VersionId is required")}
|
|
}
|
|
|
|
policyName, err := iamPolicyNameFromArn(policyArn)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if policy == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
if versionID != "v1" {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy version %s not found", versionID)}
|
|
}
|
|
policyDocumentJSON, err := json.Marshal(policy)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
isDefaultVersion := true
|
|
document := string(policyDocumentJSON)
|
|
resp.GetPolicyVersionResult.PolicyVersion = iam.PolicyVersion{
|
|
VersionId: &versionID,
|
|
IsDefaultVersion: &isDefaultVersion,
|
|
Document: &document,
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func iamPolicyNameFromArn(policyArn string) (string, error) {
|
|
const policyPathDelimiter = ":policy/"
|
|
idx := strings.Index(policyArn, policyPathDelimiter)
|
|
if idx < 0 {
|
|
return "", fmt.Errorf("invalid policy arn: %s", policyArn)
|
|
}
|
|
|
|
policyPath := strings.Trim(policyArn[idx+len(policyPathDelimiter):], "/")
|
|
if policyPath == "" {
|
|
return "", fmt.Errorf("invalid policy arn: %s", policyArn)
|
|
}
|
|
|
|
parts := strings.Split(policyPath, "/")
|
|
policyName := parts[len(parts)-1]
|
|
if policyName == "" {
|
|
return "", fmt.Errorf("invalid policy arn: %s", policyArn)
|
|
}
|
|
|
|
return policyName, nil
|
|
}
|
|
|
|
func iamPolicyArn(policyName string) string {
|
|
return fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
|
|
}
|
|
|
|
// getActions extracts actions from a policy document.
|
|
// S3 ARN format: arn:aws:s3:::bucket or arn:aws:s3:::bucket/path/*
|
|
// res[5] contains the bucket and optional path after :::
|
|
func (e *EmbeddedIamApi) getActions(policy *policy_engine.PolicyDocument) ([]string, error) {
|
|
var actions []string
|
|
|
|
for _, statement := range policy.Statement {
|
|
if statement.Effect != policy_engine.PolicyEffectAllow {
|
|
return nil, fmt.Errorf("not a valid effect: '%s'. Only 'Allow' is possible", statement.Effect)
|
|
}
|
|
for _, resource := range statement.Resource.Strings() {
|
|
res := strings.Split(resource, ":")
|
|
if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
|
|
continue
|
|
}
|
|
for _, action := range statement.Action.Strings() {
|
|
act := strings.Split(action, ":")
|
|
if len(act) != 2 || act[0] != "s3" {
|
|
continue
|
|
}
|
|
statementAction := iamMapToStatementAction(act[1])
|
|
if statementAction == "" {
|
|
return nil, fmt.Errorf("not a valid action: '%s'", act[1])
|
|
}
|
|
|
|
resourcePath := res[5]
|
|
if resourcePath == "*" {
|
|
// Wildcard - applies to all buckets
|
|
actions = append(actions, statementAction)
|
|
continue
|
|
}
|
|
|
|
// Parse bucket and optional object path
|
|
// Examples: "mybucket", "mybucket/*", "mybucket/prefix/*"
|
|
bucket, objectPath, hasSep := strings.Cut(resourcePath, "/")
|
|
if bucket == "" {
|
|
continue // Invalid: empty bucket name
|
|
}
|
|
|
|
if !hasSep || objectPath == "" || objectPath == "*" {
|
|
// Bucket-level or bucket/* - use just bucket name
|
|
actions = append(actions, fmt.Sprintf("%s:%s", statementAction, bucket))
|
|
} else {
|
|
// Path-specific: bucket/path/* -> Action:bucket/path
|
|
// Remove trailing /* if present for cleaner action format
|
|
objectPath = strings.TrimSuffix(objectPath, "/*")
|
|
objectPath = strings.TrimSuffix(objectPath, "*")
|
|
if objectPath == "" {
|
|
actions = append(actions, fmt.Sprintf("%s:%s", statementAction, bucket))
|
|
} else {
|
|
actions = append(actions, fmt.Sprintf("%s:%s/%s", statementAction, bucket, objectPath))
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if len(actions) == 0 {
|
|
return nil, fmt.Errorf("no valid actions found in policy document")
|
|
}
|
|
return actions, nil
|
|
}
|
|
|
|
// PutUserPolicy attaches a policy to a user.
|
|
func (e *EmbeddedIamApi) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamPutUserPolicyResponse, *iamError) {
|
|
resp := &iamPutUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
policyDocumentString := values.Get("PolicyDocument")
|
|
policyDocument, err := e.GetPolicyDocument(&policyDocumentString)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
|
|
}
|
|
actions, err := e.getActions(&policyDocument)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
|
|
}
|
|
glog.V(3).Infof("PutUserPolicy: actions=%v", actions)
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName != ident.Name {
|
|
continue
|
|
}
|
|
ident.Actions = actions
|
|
return resp, nil
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("the user with name %s cannot be found", userName)}
|
|
}
|
|
|
|
// GetUserPolicy gets the policy attached to a user.
|
|
func (e *EmbeddedIamApi) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamGetUserPolicyResponse, *iamError) {
|
|
resp := &iamGetUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
policyName := values.Get("PolicyName")
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName != ident.Name {
|
|
continue
|
|
}
|
|
|
|
resp.GetUserPolicyResult.UserName = userName
|
|
resp.GetUserPolicyResult.PolicyName = policyName
|
|
if len(ident.Actions) == 0 {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: errors.New("no actions found")}
|
|
}
|
|
|
|
policyDocument := policy_engine.PolicyDocument{Version: iamPolicyDocumentVersion}
|
|
statements := make(map[string][]string)
|
|
for _, action := range ident.Actions {
|
|
// Action format: "ActionType" (global) or "ActionType:bucket" or "ActionType:bucket/path"
|
|
actionType, bucketPath, hasPath := strings.Cut(action, ":")
|
|
var resource string
|
|
if !hasPath {
|
|
// Global action (no bucket specified)
|
|
resource = "*"
|
|
} else if strings.Contains(bucketPath, "/") {
|
|
// Path-specific: bucket/path -> arn:aws:s3:::bucket/path/*
|
|
resource = fmt.Sprintf("arn:aws:s3:::%s/*", bucketPath)
|
|
} else {
|
|
// Bucket-level: bucket -> arn:aws:s3:::bucket/*
|
|
resource = fmt.Sprintf("arn:aws:s3:::%s/*", bucketPath)
|
|
}
|
|
statements[resource] = append(statements[resource],
|
|
fmt.Sprintf("s3:%s", iamMapToIdentitiesAction(actionType)),
|
|
)
|
|
}
|
|
for resource, actions := range statements {
|
|
isEqAction := false
|
|
for i, statement := range policyDocument.Statement {
|
|
// Use order-independent comparison to avoid duplicates from different action orderings
|
|
if iamStringSlicesEqual(statement.Action.Strings(), actions) {
|
|
policyDocument.Statement[i].Resource = policy_engine.NewStringOrStringSlice(append(
|
|
policyDocument.Statement[i].Resource.Strings(), resource)...)
|
|
isEqAction = true
|
|
break
|
|
}
|
|
}
|
|
if isEqAction {
|
|
continue
|
|
}
|
|
policyDocumentStatement := policy_engine.PolicyStatement{
|
|
Effect: policy_engine.PolicyEffectAllow,
|
|
Action: policy_engine.NewStringOrStringSlice(actions...),
|
|
Resource: policy_engine.NewStringOrStringSlice(resource),
|
|
}
|
|
policyDocument.Statement = append(policyDocument.Statement, policyDocumentStatement)
|
|
}
|
|
policyDocumentJSON, err := json.Marshal(policyDocument)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
resp.GetUserPolicyResult.PolicyDocument = string(policyDocumentJSON)
|
|
return resp, nil
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// DeleteUserPolicy removes the inline policy from a user (clears their actions).
|
|
func (e *EmbeddedIamApi) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamDeleteUserPolicyResponse, *iamError) {
|
|
resp := &iamDeleteUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name == userName {
|
|
ident.Actions = nil
|
|
return resp, nil
|
|
}
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// AttachUserPolicy attaches a managed policy to a user.
|
|
func (e *EmbeddedIamApi) AttachUserPolicy(ctx context.Context, values url.Values) (*iamAttachUserPolicyResponse, *iamError) {
|
|
resp := &iamAttachUserPolicyResponse{}
|
|
|
|
userName := values.Get("UserName")
|
|
if userName == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
|
}
|
|
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, err := iamPolicyNameFromArn(policyArn)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
|
|
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if policy == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
|
|
attachedPolicies, err := e.credentialManager.ListAttachedUserPolicies(ctx, userName)
|
|
if err != nil {
|
|
if errors.Is(err, credential.ErrUserNotFound) {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
for _, attached := range attachedPolicies {
|
|
if attached == policyName {
|
|
return resp, nil
|
|
}
|
|
}
|
|
if len(attachedPolicies) >= MaxManagedPoliciesPerUser {
|
|
return resp, &iamError{
|
|
Code: iam.ErrCodeLimitExceededException,
|
|
Error: fmt.Errorf("cannot attach more than %d managed policies to user %s", MaxManagedPoliciesPerUser, userName),
|
|
}
|
|
}
|
|
|
|
if err := e.credentialManager.AttachUserPolicy(ctx, userName, policyName); err != nil {
|
|
if errors.Is(err, credential.ErrUserNotFound) {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
if errors.Is(err, credential.ErrPolicyNotFound) {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
if errors.Is(err, credential.ErrPolicyAlreadyAttached) {
|
|
// AWS IAM is idempotent for AttachUserPolicy
|
|
return resp, nil
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
// Best-effort refresh: log any failures but don't fail the API call since the mutation succeeded
|
|
if err := e.refreshIAMConfiguration(); err != nil {
|
|
glog.Warningf("Failed to refresh IAM configuration after attaching policy %s to user %s: %v", policyName, userName, err)
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
// DetachUserPolicy detaches a managed policy from a user.
|
|
func (e *EmbeddedIamApi) DetachUserPolicy(ctx context.Context, values url.Values) (*iamDetachUserPolicyResponse, *iamError) {
|
|
resp := &iamDetachUserPolicyResponse{}
|
|
|
|
userName := values.Get("UserName")
|
|
if userName == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
|
}
|
|
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, err := iamPolicyNameFromArn(policyArn)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
|
|
policy, err := e.credentialManager.GetPolicy(ctx, policyName)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if policy == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
|
|
if err := e.credentialManager.DetachUserPolicy(ctx, userName, policyName); err != nil {
|
|
if errors.Is(err, credential.ErrUserNotFound) {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
if errors.Is(err, credential.ErrPolicyNotAttached) {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not attached to user %s", policyName, userName)}
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
// Best-effort refresh: log any failures but don't fail the API call since the mutation succeeded
|
|
if err := e.refreshIAMConfiguration(); err != nil {
|
|
glog.Warningf("Failed to refresh IAM configuration after detaching policy %s from user %s: %v", policyName, userName, err)
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
// ListAttachedUserPolicies lists managed policies attached to a user.
|
|
func (e *EmbeddedIamApi) ListAttachedUserPolicies(ctx context.Context, values url.Values) (*iamListAttachedUserPoliciesResponse, *iamError) {
|
|
resp := &iamListAttachedUserPoliciesResponse{}
|
|
|
|
userName := values.Get("UserName")
|
|
if userName == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
|
}
|
|
|
|
pathPrefix := values.Get("PathPrefix")
|
|
if pathPrefix == "" {
|
|
pathPrefix = "/"
|
|
}
|
|
|
|
maxItems := 0
|
|
if maxItemsStr := values.Get("MaxItems"); maxItemsStr != "" {
|
|
parsedMaxItems, err := strconv.Atoi(maxItemsStr)
|
|
if err != nil || parsedMaxItems <= 0 {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("MaxItems must be a positive integer")}
|
|
}
|
|
maxItems = parsedMaxItems
|
|
}
|
|
marker := values.Get("Marker")
|
|
|
|
if e.credentialManager == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("credential manager not configured")}
|
|
}
|
|
|
|
policyNames, err := e.credentialManager.ListAttachedUserPolicies(ctx, userName)
|
|
if err != nil {
|
|
if errors.Is(err, credential.ErrUserNotFound) {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
var attachedPolicies []*iam.AttachedPolicy
|
|
for _, attachedPolicyName := range policyNames {
|
|
// Policy paths are not tracked in the current configuration, so PathPrefix
|
|
// filtering is not supported yet. Always return the policy for now.
|
|
policyNameCopy := attachedPolicyName
|
|
policyArn := iamPolicyArn(attachedPolicyName)
|
|
policyArnCopy := policyArn
|
|
attachedPolicies = append(attachedPolicies, &iam.AttachedPolicy{
|
|
PolicyName: &policyNameCopy,
|
|
PolicyArn: &policyArnCopy,
|
|
})
|
|
}
|
|
|
|
start := 0
|
|
markerFound := false
|
|
if marker != "" {
|
|
for i, p := range attachedPolicies {
|
|
if p.PolicyName != nil && *p.PolicyName == marker {
|
|
start = i + 1
|
|
markerFound = true
|
|
break
|
|
}
|
|
}
|
|
if !markerFound && len(attachedPolicies) > 0 {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("marker %s not found", marker)}
|
|
}
|
|
}
|
|
if start > 0 && start < len(attachedPolicies) {
|
|
attachedPolicies = attachedPolicies[start:]
|
|
} else if start >= len(attachedPolicies) {
|
|
attachedPolicies = nil
|
|
}
|
|
|
|
if maxItems > 0 && len(attachedPolicies) > maxItems {
|
|
resp.ListAttachedUserPoliciesResult.AttachedPolicies = attachedPolicies[:maxItems]
|
|
resp.ListAttachedUserPoliciesResult.IsTruncated = true
|
|
if name := resp.ListAttachedUserPoliciesResult.AttachedPolicies[maxItems-1].PolicyName; name != nil {
|
|
resp.ListAttachedUserPoliciesResult.Marker = *name
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
resp.ListAttachedUserPoliciesResult.AttachedPolicies = attachedPolicies
|
|
resp.ListAttachedUserPoliciesResult.IsTruncated = false
|
|
return resp, nil
|
|
}
|
|
|
|
// SetUserStatus enables or disables a user without deleting them.
|
|
// This is a SeaweedFS extension for temporary user suspension, offboarding, etc.
|
|
// When a user is disabled, all API requests using their credentials will return AccessDenied.
|
|
func (e *EmbeddedIamApi) SetUserStatus(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamSetUserStatusResponse, *iamError) {
|
|
resp := &iamSetUserStatusResponse{}
|
|
userName := values.Get("UserName")
|
|
status := values.Get("Status")
|
|
|
|
// Validate UserName
|
|
if userName == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
|
}
|
|
|
|
// Validate Status - must be "Active" or "Inactive"
|
|
if err := iamValidateStatus(status); err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name == userName {
|
|
// Set disabled based on status: Active = not disabled, Inactive = disabled
|
|
ident.Disabled = (status == iamAccessKeyStatusInactive)
|
|
return resp, nil
|
|
}
|
|
}
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// UpdateAccessKey updates the status of an access key (Active or Inactive).
|
|
// This allows key rotation workflows where old keys are deactivated before deletion.
|
|
func (e *EmbeddedIamApi) UpdateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamUpdateAccessKeyResponse, *iamError) {
|
|
resp := &iamUpdateAccessKeyResponse{}
|
|
userName := values.Get("UserName")
|
|
accessKeyId := values.Get("AccessKeyId")
|
|
status := values.Get("Status")
|
|
|
|
// Validate required parameters
|
|
if userName == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
|
}
|
|
if accessKeyId == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("AccessKeyId is required")}
|
|
}
|
|
if err := iamValidateStatus(status); err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name != userName {
|
|
continue
|
|
}
|
|
for _, cred := range ident.Credentials {
|
|
if cred.AccessKey == accessKeyId {
|
|
cred.Status = status
|
|
return resp, nil
|
|
}
|
|
}
|
|
// User found but access key not found
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("the access key with id %s for user %s cannot be found", accessKeyId, userName)}
|
|
}
|
|
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, userName)}
|
|
}
|
|
|
|
// findIdentityByName is a helper function to find an identity by name.
|
|
// Returns the identity or nil if not found.
|
|
func findIdentityByName(s3cfg *iam_pb.S3ApiConfiguration, name string) *iam_pb.Identity {
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name == name {
|
|
return ident
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// CreateServiceAccount creates a new service account for a user.
|
|
func (e *EmbeddedIamApi) CreateServiceAccount(s3cfg *iam_pb.S3ApiConfiguration, values url.Values, createdBy string) (*iamCreateServiceAccountResponse, *iamError) {
|
|
resp := &iamCreateServiceAccountResponse{}
|
|
parentUser := values.Get("ParentUser")
|
|
description := values.Get("Description")
|
|
expirationStr := values.Get("Expiration") // Unix timestamp as string
|
|
|
|
if parentUser == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("ParentUser is required")}
|
|
}
|
|
|
|
// Validate description length
|
|
if len(description) > MaxDescriptionLength {
|
|
return resp, &iamError{
|
|
Code: iam.ErrCodeInvalidInputException,
|
|
Error: fmt.Errorf("description exceeds maximum length of %d characters", MaxDescriptionLength),
|
|
}
|
|
}
|
|
|
|
// Verify parent user exists
|
|
parentIdent := findIdentityByName(s3cfg, parentUser)
|
|
if parentIdent == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(iamUserDoesNotExist, parentUser)}
|
|
}
|
|
|
|
// Check service account limit per user
|
|
if len(parentIdent.ServiceAccountIds) >= MaxServiceAccountsPerUser {
|
|
return resp, &iamError{
|
|
Code: iam.ErrCodeLimitExceededException,
|
|
Error: fmt.Errorf("user %s has reached the maximum limit of %d service accounts",
|
|
parentUser, MaxServiceAccountsPerUser),
|
|
}
|
|
}
|
|
|
|
// Generate unique ID and credentials
|
|
saId, err := iamStringWithCharset(ServiceAccountIDLength, iamCharsetUpper)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to generate ID: %w", err)}
|
|
}
|
|
saId = ServiceAccountIDPrefix + "-" + saId
|
|
|
|
// Generate access key ID with correct length (20 chars total including prefix)
|
|
// AWS access keys are always 20 characters: 4-char prefix (ABIA) + 16 random chars
|
|
accessKeyId, err := iamStringWithCharset(AccessKeyLength-len(ServiceAccountKeyPrefix), iamCharsetUpper)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to generate access key: %w", err)}
|
|
}
|
|
accessKeyId = ServiceAccountKeyPrefix + accessKeyId
|
|
|
|
secretAccessKey, err := iamStringWithCharset(SecretKeyLength, iamCharset)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to generate secret key: %w", err)}
|
|
}
|
|
|
|
// Parse expiration if provided
|
|
var expiration int64
|
|
if expirationStr != "" {
|
|
var err error
|
|
expiration, err = strconv.ParseInt(expirationStr, 10, 64)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("invalid expiration format: %w", err)}
|
|
}
|
|
if expiration > 0 && expiration < time.Now().Unix() {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("expiration must be in the future")}
|
|
}
|
|
}
|
|
|
|
now := time.Now()
|
|
|
|
// Copy parent's actions to avoid shared slice reference
|
|
actions := make([]string, len(parentIdent.Actions))
|
|
copy(actions, parentIdent.Actions)
|
|
|
|
sa := &iam_pb.ServiceAccount{
|
|
Id: saId,
|
|
ParentUser: parentUser,
|
|
Description: description,
|
|
Credential: &iam_pb.Credential{
|
|
AccessKey: accessKeyId,
|
|
SecretKey: secretAccessKey,
|
|
Status: iamAccessKeyStatusActive,
|
|
},
|
|
Actions: actions, // Independent copy of parent's actions
|
|
Expiration: expiration,
|
|
Disabled: false,
|
|
CreatedAt: now.Unix(),
|
|
CreatedBy: createdBy,
|
|
}
|
|
|
|
s3cfg.ServiceAccounts = append(s3cfg.ServiceAccounts, sa)
|
|
parentIdent.ServiceAccountIds = append(parentIdent.ServiceAccountIds, saId)
|
|
|
|
// Build response
|
|
resp.CreateServiceAccountResult.ServiceAccount = iamServiceAccountInfo{
|
|
ServiceAccountId: saId,
|
|
ParentUser: parentUser,
|
|
Description: description,
|
|
AccessKeyId: accessKeyId,
|
|
SecretAccessKey: &secretAccessKey,
|
|
Status: iamAccessKeyStatusActive,
|
|
CreateDate: now.Format(time.RFC3339),
|
|
}
|
|
if expiration > 0 {
|
|
expStr := time.Unix(expiration, 0).Format(time.RFC3339)
|
|
resp.CreateServiceAccountResult.ServiceAccount.Expiration = &expStr
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
// DeleteServiceAccount deletes a service account.
|
|
func (e *EmbeddedIamApi) DeleteServiceAccount(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamDeleteServiceAccountResponse, *iamError) {
|
|
resp := &iamDeleteServiceAccountResponse{}
|
|
saId := values.Get("ServiceAccountId")
|
|
|
|
if saId == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("ServiceAccountId is required")}
|
|
}
|
|
|
|
// Find and remove the service account
|
|
for i, sa := range s3cfg.ServiceAccounts {
|
|
if sa.Id == saId {
|
|
// Remove from parent's list
|
|
if parentIdent := findIdentityByName(s3cfg, sa.ParentUser); parentIdent != nil {
|
|
// Remove service account ID from parent's list using filter pattern
|
|
// This avoids mutating the slice during iteration
|
|
filtered := parentIdent.ServiceAccountIds[:0]
|
|
for _, id := range parentIdent.ServiceAccountIds {
|
|
if id != saId {
|
|
filtered = append(filtered, id)
|
|
}
|
|
}
|
|
parentIdent.ServiceAccountIds = filtered
|
|
}
|
|
// Remove service account
|
|
s3cfg.ServiceAccounts = append(s3cfg.ServiceAccounts[:i], s3cfg.ServiceAccounts[i+1:]...)
|
|
return resp, nil
|
|
}
|
|
}
|
|
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("service account %s not found", saId)}
|
|
}
|
|
|
|
// ListServiceAccounts lists service accounts, optionally filtered by parent user.
|
|
func (e *EmbeddedIamApi) ListServiceAccounts(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) *iamListServiceAccountsResponse {
|
|
resp := &iamListServiceAccountsResponse{}
|
|
parentUser := values.Get("ParentUser") // Optional filter
|
|
|
|
for _, sa := range s3cfg.ServiceAccounts {
|
|
if parentUser != "" && sa.ParentUser != parentUser {
|
|
continue
|
|
}
|
|
if sa.Credential == nil {
|
|
glog.Warningf("Service account %s has nil credential, skipping", sa.Id)
|
|
continue
|
|
}
|
|
status := iamAccessKeyStatusActive
|
|
if sa.Disabled {
|
|
status = iamAccessKeyStatusInactive
|
|
}
|
|
info := &iamServiceAccountInfo{
|
|
ServiceAccountId: sa.Id,
|
|
ParentUser: sa.ParentUser,
|
|
Description: sa.Description,
|
|
AccessKeyId: sa.Credential.AccessKey,
|
|
Status: status,
|
|
CreateDate: time.Unix(sa.CreatedAt, 0).Format(time.RFC3339),
|
|
}
|
|
if sa.Expiration > 0 {
|
|
expStr := time.Unix(sa.Expiration, 0).Format(time.RFC3339)
|
|
info.Expiration = &expStr
|
|
}
|
|
resp.ListServiceAccountsResult.ServiceAccounts = append(resp.ListServiceAccountsResult.ServiceAccounts, info)
|
|
}
|
|
|
|
return resp
|
|
}
|
|
|
|
// GetServiceAccount retrieves a service account by ID.
|
|
func (e *EmbeddedIamApi) GetServiceAccount(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamGetServiceAccountResponse, *iamError) {
|
|
resp := &iamGetServiceAccountResponse{}
|
|
saId := values.Get("ServiceAccountId")
|
|
|
|
if saId == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("ServiceAccountId is required")}
|
|
}
|
|
|
|
for _, sa := range s3cfg.ServiceAccounts {
|
|
if sa.Id == saId {
|
|
if sa.Credential == nil {
|
|
return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("service account %s has no credentials", saId)}
|
|
}
|
|
status := iamAccessKeyStatusActive
|
|
if sa.Disabled {
|
|
status = iamAccessKeyStatusInactive
|
|
}
|
|
resp.GetServiceAccountResult.ServiceAccount = iamServiceAccountInfo{
|
|
ServiceAccountId: sa.Id,
|
|
ParentUser: sa.ParentUser,
|
|
Description: sa.Description,
|
|
AccessKeyId: sa.Credential.AccessKey,
|
|
Status: status,
|
|
CreateDate: time.Unix(sa.CreatedAt, 0).Format(time.RFC3339),
|
|
}
|
|
if sa.Expiration > 0 {
|
|
expStr := time.Unix(sa.Expiration, 0).Format(time.RFC3339)
|
|
resp.GetServiceAccountResult.ServiceAccount.Expiration = &expStr
|
|
}
|
|
return resp, nil
|
|
}
|
|
}
|
|
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("service account %s not found", saId)}
|
|
}
|
|
|
|
// UpdateServiceAccount updates a service account's status, description, or expiration.
|
|
func (e *EmbeddedIamApi) UpdateServiceAccount(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamUpdateServiceAccountResponse, *iamError) {
|
|
resp := &iamUpdateServiceAccountResponse{}
|
|
saId := values.Get("ServiceAccountId")
|
|
newStatus := values.Get("Status")
|
|
newDescription := values.Get("Description")
|
|
newExpirationStr := values.Get("Expiration")
|
|
|
|
if saId == "" {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("ServiceAccountId is required")}
|
|
}
|
|
|
|
for _, sa := range s3cfg.ServiceAccounts {
|
|
if sa.Id == saId {
|
|
// Update status if provided
|
|
if newStatus != "" {
|
|
if err := iamValidateStatus(newStatus); err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
sa.Disabled = (newStatus == iamAccessKeyStatusInactive)
|
|
}
|
|
// Update description if provided (check for key existence to allow clearing)
|
|
if _, hasDescription := values["Description"]; hasDescription {
|
|
if len(newDescription) > MaxDescriptionLength {
|
|
return resp, &iamError{
|
|
Code: iam.ErrCodeInvalidInputException,
|
|
Error: fmt.Errorf("description exceeds maximum length of %d characters", MaxDescriptionLength),
|
|
}
|
|
}
|
|
sa.Description = newDescription
|
|
}
|
|
// Update expiration if provided (check for key existence to allow clearing to 0)
|
|
if _, hasExpiration := values["Expiration"]; hasExpiration {
|
|
if newExpirationStr != "" {
|
|
newExpiration, err := strconv.ParseInt(newExpirationStr, 10, 64)
|
|
if err != nil {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("invalid expiration format: %w", err)}
|
|
}
|
|
// Validate expiration value
|
|
if newExpiration < 0 {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("expiration must not be negative")}
|
|
}
|
|
if newExpiration > 0 && newExpiration < time.Now().Unix() {
|
|
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("expiration must be in the future")}
|
|
}
|
|
// 0 is explicitly allowed to clear expiration
|
|
sa.Expiration = newExpiration
|
|
} else {
|
|
// Empty string means clear expiration (set to 0 = no expiration)
|
|
sa.Expiration = 0
|
|
}
|
|
}
|
|
return resp, nil
|
|
}
|
|
}
|
|
|
|
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("service account %s not found", saId)}
|
|
}
|
|
|
|
// handleImplicitUsername adds username who signs the request to values if 'username' is not specified.
|
|
// According to AWS documentation: "If you do not specify a user name, IAM determines the user name
|
|
// implicitly based on the Amazon Web Services access key ID signing the request."
|
|
// This function extracts the AccessKeyId from the SigV4 credential and looks up the corresponding
|
|
// identity name in the credential store.
|
|
func (e *EmbeddedIamApi) handleImplicitUsername(r *http.Request, values url.Values) {
|
|
if len(r.Header["Authorization"]) == 0 || values.Get("UserName") != "" {
|
|
return
|
|
}
|
|
// Log presence of auth header without exposing sensitive signature material
|
|
glog.V(4).Infof("Authorization header present, extracting access key")
|
|
// Parse AWS SigV4 Authorization header format:
|
|
// "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/iam/aws4_request, ..."
|
|
s := strings.Split(r.Header["Authorization"][0], "Credential=")
|
|
if len(s) < 2 {
|
|
return
|
|
}
|
|
s = strings.Split(s[1], ",")
|
|
if len(s) < 1 {
|
|
return
|
|
}
|
|
s = strings.Split(s[0], "/")
|
|
if len(s) < 1 {
|
|
return
|
|
}
|
|
// s[0] is the AccessKeyId
|
|
accessKeyId := s[0]
|
|
if accessKeyId == "" {
|
|
return
|
|
}
|
|
// Nil-guard: ensure iam is initialized before lookup
|
|
if e.iam == nil {
|
|
glog.V(4).Infof("IAM not initialized, cannot look up access key")
|
|
return
|
|
}
|
|
// Look up the identity by access key to get the username
|
|
identity, _, found := e.iam.LookupByAccessKey(accessKeyId)
|
|
if !found {
|
|
// Mask access key in logs - show only first 4 chars
|
|
maskedKey := accessKeyId
|
|
if len(accessKeyId) > 4 {
|
|
maskedKey = accessKeyId[:4] + "***"
|
|
}
|
|
glog.V(4).Infof("Access key %s not found in credential store", maskedKey)
|
|
return
|
|
}
|
|
values.Set("UserName", identity.Name)
|
|
}
|
|
|
|
// iamSelfServiceActions are actions that users can perform on their own resources without admin rights.
|
|
// According to AWS IAM, users can manage their own access keys without requiring full admin permissions.
|
|
var iamSelfServiceActions = map[string]bool{
|
|
"CreateAccessKey": true,
|
|
"DeleteAccessKey": true,
|
|
"ListAccessKeys": true,
|
|
"GetUser": true,
|
|
"UpdateAccessKey": true,
|
|
}
|
|
|
|
// iamRequiresAdminForOthers returns true if the action requires admin rights when operating on other users.
|
|
func iamRequiresAdminForOthers(action string) bool {
|
|
return iamSelfServiceActions[action]
|
|
}
|
|
|
|
// AuthIam provides IAM-specific authentication that allows self-service operations.
|
|
// Users can manage their own access keys without admin rights, but need admin for operations on other users.
|
|
// The action parameter is accepted for interface compatibility with cb.Limit but is not used
|
|
// since IAM permission checking is done based on the IAM Action parameter in the request.
|
|
func (e *EmbeddedIamApi) AuthIam(f http.HandlerFunc, _ Action) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
// If auth is not enabled, allow all
|
|
if !e.iam.isEnabled() {
|
|
f(w, r)
|
|
return
|
|
}
|
|
|
|
// Authenticate BEFORE parsing form.
|
|
// ParseForm() reads and consumes the request body, but signature verification
|
|
// needs to hash the body for IAM requests (service != "s3").
|
|
// The streamHashRequestBody function in auth_signature_v4.go preserves the body
|
|
// after reading it, so ParseForm() will work correctly after authentication.
|
|
identity, errCode := e.iam.AuthSignatureOnly(r)
|
|
if errCode != s3err.ErrNone {
|
|
s3err.WriteErrorResponse(w, r, errCode)
|
|
return
|
|
}
|
|
|
|
// Now parse form to get Action and UserName (body was preserved by auth)
|
|
if err := r.ParseForm(); err != nil {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
|
|
return
|
|
}
|
|
|
|
action := r.Form.Get("Action")
|
|
targetUserName := r.PostForm.Get("UserName")
|
|
|
|
// IAM API requests must be authenticated - reject nil identity
|
|
// (can happen for authTypePostPolicy or authTypeStreamingUnsigned)
|
|
if identity == nil {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrAccessDenied)
|
|
return
|
|
}
|
|
|
|
// Store identity in context
|
|
if identity != nil && identity.Name != "" {
|
|
ctx := SetIdentityNameInContext(r.Context(), identity.Name)
|
|
ctx = SetIdentityInContext(ctx, identity)
|
|
r = r.WithContext(ctx)
|
|
}
|
|
|
|
// Check permissions based on action type
|
|
if iamRequiresAdminForOthers(action) {
|
|
// Self-service action: allow if operating on own resources or no target specified
|
|
if targetUserName == "" || targetUserName == identity.Name {
|
|
// Self-service: allowed
|
|
f(w, r)
|
|
return
|
|
}
|
|
// Operating on another user: require admin or permission
|
|
if !identity.isAdmin() {
|
|
if e.iam.VerifyActionPermission(r, identity, Action("iam:"+action), "arn:aws:iam:::*", "") != s3err.ErrNone {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrAccessDenied)
|
|
return
|
|
}
|
|
}
|
|
} else {
|
|
// All other IAM actions require admin or permission
|
|
if !identity.isAdmin() {
|
|
if e.iam.VerifyActionPermission(r, identity, Action("iam:"+action), "arn:aws:iam:::*", "") != s3err.ErrNone {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrAccessDenied)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
f(w, r)
|
|
}
|
|
}
|
|
|
|
// ExecuteAction executes an IAM action with the given values.
|
|
// If skipPersist is true, the changed configuration is not saved to the persistent store.
|
|
// reqID is set on the response; if empty, a new request ID is generated.
|
|
func (e *EmbeddedIamApi) ExecuteAction(ctx context.Context, values url.Values, skipPersist bool, reqID string) (iamlib.RequestIDSetter, *iamError) {
|
|
if reqID == "" {
|
|
reqID = request_id.New()
|
|
}
|
|
// Lock to prevent concurrent read-modify-write race conditions
|
|
e.policyLock.Lock()
|
|
defer e.policyLock.Unlock()
|
|
|
|
action := values.Get("Action")
|
|
if e.readOnly {
|
|
switch action {
|
|
case "ListUsers", "ListAccessKeys", "GetUser", "GetUserPolicy", "ListAttachedUserPolicies", "ListPolicies", "GetPolicy", "ListPolicyVersions", "GetPolicyVersion", "ListServiceAccounts", "GetServiceAccount":
|
|
// Allowed read-only actions
|
|
default:
|
|
return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrAccessDenied).Code, Error: fmt.Errorf("IAM write operations are disabled on this server")}
|
|
}
|
|
}
|
|
|
|
s3cfg := &iam_pb.S3ApiConfiguration{}
|
|
if err := e.GetS3ApiConfiguration(s3cfg); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrInternalError).Code, Error: fmt.Errorf("failed to get s3 api configuration: %v", err)}
|
|
}
|
|
|
|
glog.V(4).Infof("IAM ExecuteAction: %+v", values)
|
|
var response iamlib.RequestIDSetter
|
|
changed := true
|
|
switch values.Get("Action") {
|
|
case "ListUsers":
|
|
response = e.ListUsers(s3cfg, values)
|
|
changed = false
|
|
case "ListAccessKeys":
|
|
// Note: handleImplicitUsername requires request context which we don't have here for gRPC
|
|
// gRPC callers must provide UserName explicitly
|
|
response = e.ListAccessKeys(s3cfg, values)
|
|
changed = false
|
|
case "CreateUser":
|
|
var iamErr *iamError
|
|
response, iamErr = e.CreateUser(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
case "GetUser":
|
|
userName := values.Get("UserName")
|
|
var iamErr *iamError
|
|
response, iamErr = e.GetUser(s3cfg, userName)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "UpdateUser":
|
|
var iamErr *iamError
|
|
response, iamErr = e.UpdateUser(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
case "DeleteUser":
|
|
userName := values.Get("UserName")
|
|
var iamErr *iamError
|
|
response, iamErr = e.DeleteUser(s3cfg, userName)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
case "CreateAccessKey":
|
|
var iamErr *iamError
|
|
response, iamErr = e.CreateAccessKey(s3cfg, values)
|
|
if iamErr != nil {
|
|
glog.Errorf("CreateAccessKey: %+v", iamErr.Error)
|
|
return nil, iamErr
|
|
}
|
|
case "DeleteAccessKey":
|
|
response = e.DeleteAccessKey(s3cfg, values)
|
|
case "CreatePolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.CreatePolicy(ctx, values)
|
|
if iamErr != nil {
|
|
glog.Errorf("CreatePolicy: %+v", iamErr.Error)
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "DeletePolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.DeletePolicy(ctx, values)
|
|
if iamErr != nil {
|
|
glog.Errorf("DeletePolicy: %+v", iamErr.Error)
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "PutUserPolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.PutUserPolicy(s3cfg, values)
|
|
if iamErr != nil {
|
|
glog.Errorf("PutUserPolicy: %+v", iamErr.Error)
|
|
return nil, iamErr
|
|
}
|
|
case "GetUserPolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.GetUserPolicy(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "DeleteUserPolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.DeleteUserPolicy(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
case "AttachUserPolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.AttachUserPolicy(ctx, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "DetachUserPolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.DetachUserPolicy(ctx, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "ListAttachedUserPolicies":
|
|
var iamErr *iamError
|
|
response, iamErr = e.ListAttachedUserPolicies(ctx, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "ListPolicies":
|
|
var iamErr *iamError
|
|
response, iamErr = e.ListPolicies(ctx, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "GetPolicy":
|
|
var iamErr *iamError
|
|
response, iamErr = e.GetPolicy(ctx, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "ListPolicyVersions":
|
|
var iamErr *iamError
|
|
response, iamErr = e.ListPolicyVersions(ctx, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "GetPolicyVersion":
|
|
var iamErr *iamError
|
|
response, iamErr = e.GetPolicyVersion(ctx, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "SetUserStatus":
|
|
var iamErr *iamError
|
|
response, iamErr = e.SetUserStatus(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
case "UpdateAccessKey":
|
|
var iamErr *iamError
|
|
response, iamErr = e.UpdateAccessKey(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
// Service Account actions
|
|
case "CreateServiceAccount":
|
|
createdBy := values.Get("CreatedBy")
|
|
var iamErr *iamError
|
|
response, iamErr = e.CreateServiceAccount(s3cfg, values, createdBy)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
case "DeleteServiceAccount":
|
|
var iamErr *iamError
|
|
response, iamErr = e.DeleteServiceAccount(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
case "ListServiceAccounts":
|
|
response = e.ListServiceAccounts(s3cfg, values)
|
|
changed = false
|
|
case "GetServiceAccount":
|
|
var iamErr *iamError
|
|
response, iamErr = e.GetServiceAccount(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
changed = false
|
|
case "UpdateServiceAccount":
|
|
var iamErr *iamError
|
|
response, iamErr = e.UpdateServiceAccount(s3cfg, values)
|
|
if iamErr != nil {
|
|
return nil, iamErr
|
|
}
|
|
default:
|
|
return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrNotImplemented).Code, Error: errors.New(s3err.GetAPIError(s3err.ErrNotImplemented).Description)}
|
|
}
|
|
if changed {
|
|
if !skipPersist {
|
|
if err := e.PutS3ApiConfiguration(s3cfg); err != nil {
|
|
return nil, &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
}
|
|
// Reload in-memory identity maps so subsequent LookupByAccessKey calls
|
|
// can see newly created or deleted keys immediately
|
|
if err := e.ReloadConfiguration(); err != nil {
|
|
glog.Errorf("Failed to reload IAM configuration after mutation: %v", err)
|
|
// Don't fail the request since the persistent save succeeded
|
|
}
|
|
} else if action == "AttachUserPolicy" || action == "DetachUserPolicy" || action == "CreatePolicy" || action == "DeletePolicy" {
|
|
// Even if changed=false (persisted via credentialManager), we should still reload
|
|
// if we are utilizing the local in-memory cache for speed
|
|
if err := e.ReloadConfiguration(); err != nil {
|
|
glog.Errorf("Failed to reload IAM configuration after managed policy mutation: %v", err)
|
|
}
|
|
}
|
|
response.SetRequestId(reqID)
|
|
return response, nil
|
|
}
|
|
|
|
// DoActions handles IAM API actions.
|
|
func (e *EmbeddedIamApi) DoActions(w http.ResponseWriter, r *http.Request) {
|
|
r, reqID := request_id.Ensure(r)
|
|
if err := r.ParseForm(); err != nil {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
|
|
return
|
|
}
|
|
values := r.PostForm
|
|
|
|
// Handle implicit username for HTTP requests
|
|
switch r.Form.Get("Action") {
|
|
case "ListAccessKeys", "CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey":
|
|
e.handleImplicitUsername(r, values)
|
|
case "CreateServiceAccount":
|
|
createdBy := s3_constants.GetIdentityNameFromContext(r)
|
|
values.Set("CreatedBy", createdBy)
|
|
}
|
|
|
|
response, iamErr := e.ExecuteAction(r.Context(), values, false, reqID)
|
|
if iamErr != nil {
|
|
e.writeIamErrorResponse(w, r, reqID, iamErr)
|
|
return
|
|
}
|
|
|
|
s3err.WriteXMLResponse(w, r, http.StatusOK, response)
|
|
}
|