540fc97e00
* request_id: add shared request middleware
* s3err: preserve request ids in responses and logs
* iam: reuse request ids in XML responses
* sts: reuse request ids in XML responses
* request_id: drop legacy header fallback
* request_id: use AWS-style request id format
* iam: fix AWS-compatible XML format for ErrorResponse and field ordering
- ErrorResponse uses bare <RequestId> at root level instead of
<ResponseMetadata> wrapper, matching the AWS IAM error response spec
- Move CommonResponse to last field in success response structs so
<ResponseMetadata> serializes after result elements
- Add randomness to request ID generation to avoid collisions
- Add tests for XML ordering and ErrorResponse format
* iam: remove duplicate error_response_test.go
Test is already covered by responses_test.go.
* address PR review comments
- Guard against typed nil pointers in SetResponseRequestID before
interface assertion (CodeRabbit)
- Use regexp instead of strings.Index in test helpers for extracting
request IDs (Gemini)
* request_id: prevent spoofing, fix nil-error branch, thread reqID to error writers
- Ensure() now always generates a server-side ID, ignoring client-sent
x-amz-request-id headers to prevent request ID spoofing. Uses a
private context key (contextKey{}) instead of the header string.
- writeIamErrorResponse in both iamapi and embedded IAM now accepts
reqID as a parameter instead of calling Ensure() internally, ensuring
a single request ID per request lifecycle.
- The nil-iamError branch in writeIamErrorResponse now writes a 500
Internal Server Error response instead of returning silently.
- Updated tests to set request IDs via context (not headers) and added
tests for spoofing prevention and context reuse.
* sts: add request-id consistency assertions to ActionInBody tests
* test: update admin test to expect server-generated request IDs
The test previously sent a client x-amz-request-id header and expected
it echoed back. Since Ensure() now ignores client headers to prevent
spoofing, update the test to verify the server returns a non-empty
server-generated request ID instead.
* iam: add generic WithRequestID helper alongside reflection-based fallback
Add WithRequestID[T] that uses generics to take the address of a value
type, satisfying the pointer receiver on SetRequestId without reflection.
The existing SetResponseRequestID is kept for the two call sites that
operate on interface{} (from large action switches where the concrete
type varies at runtime). Generics cannot replace reflection there since
Go cannot infer type parameters from interface{}.
* Remove reflection and generics from request ID setting
Call SetRequestId directly on concrete response types in each switch
branch before boxing into interface{}, eliminating the need for
WithRequestID (generics) and SetResponseRequestID (reflection).
* iam: return pointer responses in action dispatch
* Fix IAM error handling consistency and ensure request IDs on all responses
- UpdateUser/CreatePolicy error branches: use writeIamErrorResponse instead
of s3err.WriteErrorResponse to preserve IAM formatting and request ID
- ExecuteAction: accept reqID parameter and generate one if empty, ensuring
every response carries a RequestId regardless of caller
* Clean up inline policies on DeleteUser and UpdateUser rename
DeleteUser: remove InlinePolicies[userName] from policy storage before
removing the identity, so policies are not orphaned.
UpdateUser: move InlinePolicies[userName] to InlinePolicies[newUserName]
when renaming, so GetUserPolicy/DeleteUserPolicy work under the new name.
Both operations persist the updated policies and return an error if
the storage write fails, preventing partial state.
1083 lines
38 KiB
Go
1083 lines
38 KiB
Go
package iamapi
|
|
|
|
// This file provides IAM API handlers for the standalone IAM server.
|
|
// Common IAM types and helpers are imported from the shared weed/iam package.
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
iamlib "github.com/seaweedfs/seaweedfs/weed/iam"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
|
|
"github.com/seaweedfs/seaweedfs/weed/util/request_id"
|
|
)
|
|
|
|
// Constants from shared package
|
|
const (
|
|
charsetUpper = iamlib.CharsetUpper
|
|
charset = iamlib.Charset
|
|
policyDocumentVersion = iamlib.PolicyDocumentVersion
|
|
StatementActionAdmin = iamlib.StatementActionAdmin
|
|
StatementActionWrite = iamlib.StatementActionWrite
|
|
StatementActionWriteAcp = iamlib.StatementActionWriteAcp
|
|
StatementActionRead = iamlib.StatementActionRead
|
|
StatementActionReadAcp = iamlib.StatementActionReadAcp
|
|
StatementActionList = iamlib.StatementActionList
|
|
StatementActionTagging = iamlib.StatementActionTagging
|
|
StatementActionDelete = iamlib.StatementActionDelete
|
|
USER_DOES_NOT_EXIST = iamlib.UserDoesNotExist
|
|
accessKeyStatusActive = iamlib.AccessKeyStatusActive
|
|
accessKeyStatusInactive = iamlib.AccessKeyStatusInactive
|
|
)
|
|
|
|
var policyLock = sync.RWMutex{}
|
|
|
|
const policyArnPrefix = "arn:aws:iam:::policy/"
|
|
|
|
// parsePolicyArn validates an IAM policy ARN and extracts the policy name.
|
|
func parsePolicyArn(policyArn string) (string, *IamError) {
|
|
if !strings.HasPrefix(policyArn, policyArnPrefix) {
|
|
return "", &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("invalid policy ARN: %s", policyArn)}
|
|
}
|
|
policyName := strings.TrimPrefix(policyArn, policyArnPrefix)
|
|
if policyName == "" {
|
|
return "", &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("invalid policy ARN: %s", policyArn)}
|
|
}
|
|
return policyName, nil
|
|
}
|
|
|
|
// userPolicyKey returns a namespaced key for inline user policies to prevent collision with managed policies.
|
|
// getOrCreateUserPolicies returns the policy map for a user, creating it if needed.
|
|
// Returns a pointer to the user's policy map from Policies.InlinePolicies.
|
|
func (p *Policies) getOrCreateUserPolicies(userName string) map[string]policy_engine.PolicyDocument {
|
|
if p.InlinePolicies == nil {
|
|
p.InlinePolicies = make(map[string]map[string]policy_engine.PolicyDocument)
|
|
}
|
|
if p.InlinePolicies[userName] == nil {
|
|
p.InlinePolicies[userName] = make(map[string]policy_engine.PolicyDocument)
|
|
}
|
|
return p.InlinePolicies[userName]
|
|
}
|
|
|
|
// computeAggregatedActionsForUser computes the union of actions across all inline policies for a user.
|
|
// Directly accesses user's policies from Policies.InlinePolicies[userName] for O(1) lookup.
|
|
// If policies is non-nil, it uses that instead of fetching from storage (for I/O optimization).
|
|
// When policies is nil, it fetches from storage using GetPolicies.
|
|
//
|
|
// Performance: O(user_policies) instead of O(all_policies) with per-user index.
|
|
//
|
|
// Best-effort aggregation: If GetActions fails for a policy document, that policy is logged at Warning level
|
|
// but is NOT removed from persistent storage. This intentional choice ensures:
|
|
// - Stored policy documents survive even if they temporarily fail to parse
|
|
// - The policy data is preserved for potential future fixes or manual inspection
|
|
// - Only the runtime action set (ident.Actions) is affected when GetActions fails
|
|
// This keeps persistent state consistent while gracefully handling parsing errors.
|
|
func computeAggregatedActionsForUser(iama *IamApiServer, userName string, policies *Policies) ([]string, error) {
|
|
var aggregatedActions []string
|
|
actionSet := make(map[string]bool)
|
|
|
|
var policiesToUse Policies
|
|
if policies != nil {
|
|
// Use provided Policies (caller already fetched, avoids redundant I/O)
|
|
policiesToUse = *policies
|
|
} else {
|
|
// Fetch from storage
|
|
if err := iama.s3ApiConfig.GetPolicies(&policiesToUse); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
// Direct O(1) access to user's policies using per-user index
|
|
userPolicies := policiesToUse.InlinePolicies[userName]
|
|
if len(userPolicies) == 0 {
|
|
return aggregatedActions, nil
|
|
}
|
|
|
|
for policyName, policyDocument := range userPolicies {
|
|
actions, err := GetActions(&policyDocument)
|
|
if err != nil {
|
|
// Best-effort: policy stored successfully but failed to parse; log and skip from aggregation
|
|
glog.Warningf("Failed to get actions from stored policy '%s' for user %s (policy retained in storage): %v", policyName, userName, err)
|
|
continue
|
|
}
|
|
for _, action := range actions {
|
|
if !actionSet[action] {
|
|
actionSet[action] = true
|
|
aggregatedActions = append(aggregatedActions, action)
|
|
}
|
|
}
|
|
}
|
|
|
|
return aggregatedActions, nil
|
|
}
|
|
|
|
// Helper function wrappers using shared package
|
|
func MapToStatementAction(action string) string {
|
|
return iamlib.MapToStatementAction(action)
|
|
}
|
|
|
|
func MapToIdentitiesAction(action string) string {
|
|
return iamlib.MapToIdentitiesAction(action)
|
|
}
|
|
|
|
type Policies struct {
|
|
// Policies: managed policies (flat map, unchanged for backward compatibility)
|
|
Policies map[string]policy_engine.PolicyDocument `json:"policies"`
|
|
|
|
// InlinePolicies: user-indexed inline policies for O(1) lookup
|
|
// Structure: [userName][policyName] -> PolicyDocument
|
|
// Enables fast access without iterating all policies
|
|
InlinePolicies map[string]map[string]policy_engine.PolicyDocument `json:"inlinePolicies"`
|
|
}
|
|
|
|
func Hash(s *string) string {
|
|
return iamlib.Hash(s)
|
|
}
|
|
|
|
func StringWithCharset(length int, charset string) (string, error) {
|
|
return iamlib.GenerateRandomString(length, charset)
|
|
}
|
|
|
|
func stringSlicesEqual(a, b []string) bool {
|
|
return iamlib.StringSlicesEqual(a, b)
|
|
}
|
|
|
|
func validateAccessKeyStatus(status string) error {
|
|
switch status {
|
|
case accessKeyStatusActive, accessKeyStatusInactive:
|
|
return nil
|
|
case "":
|
|
return fmt.Errorf("Status parameter is required")
|
|
default:
|
|
return fmt.Errorf("Status must be '%s' or '%s'", accessKeyStatusActive, accessKeyStatusInactive)
|
|
}
|
|
}
|
|
|
|
func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *ListUsersResponse) {
|
|
resp = &ListUsersResponse{}
|
|
for _, ident := range s3cfg.Identities {
|
|
resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
|
|
}
|
|
return resp
|
|
}
|
|
|
|
func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *ListAccessKeysResponse) {
|
|
resp = &ListAccessKeysResponse{}
|
|
userName := values.Get("UserName")
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName != "" && userName != ident.Name {
|
|
continue
|
|
}
|
|
for _, cred := range ident.Credentials {
|
|
status := cred.Status
|
|
if status == "" {
|
|
status = accessKeyStatusActive
|
|
}
|
|
identName := ident.Name
|
|
accessKey := cred.AccessKey
|
|
resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
|
|
&iam.AccessKeyMetadata{UserName: &identName, AccessKeyId: &accessKey, Status: &status},
|
|
)
|
|
}
|
|
}
|
|
return resp
|
|
}
|
|
|
|
func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *CreateUserResponse) {
|
|
resp = &CreateUserResponse{}
|
|
userName := values.Get("UserName")
|
|
resp.CreateUserResult.User.UserName = &userName
|
|
s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName})
|
|
return resp
|
|
}
|
|
|
|
func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp *DeleteUserResponse, err *IamError) {
|
|
resp = &DeleteUserResponse{}
|
|
for i, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
// Clean up any inline policies stored for this user
|
|
policies := Policies{}
|
|
if pErr := iama.s3ApiConfig.GetPolicies(&policies); pErr != nil && !errors.Is(pErr, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
|
|
}
|
|
if policies.InlinePolicies != nil {
|
|
if _, exists := policies.InlinePolicies[userName]; exists {
|
|
delete(policies.InlinePolicies, userName)
|
|
if pErr := iama.s3ApiConfig.PutPolicies(&policies); pErr != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
|
|
}
|
|
}
|
|
}
|
|
s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
|
|
return resp, nil
|
|
}
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
func (iama *IamApiServer) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp *GetUserResponse, err *IamError) {
|
|
resp = &GetUserResponse{}
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
resp.GetUserResult.User = iam.User{UserName: &ident.Name}
|
|
return resp, nil
|
|
}
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
func (iama *IamApiServer) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *UpdateUserResponse, err *IamError) {
|
|
resp = &UpdateUserResponse{}
|
|
userName := values.Get("UserName")
|
|
newUserName := values.Get("NewUserName")
|
|
if newUserName != "" {
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
ident.Name = newUserName
|
|
// Move any inline policies from old username to new username
|
|
policies := Policies{}
|
|
if pErr := iama.s3ApiConfig.GetPolicies(&policies); pErr != nil && !errors.Is(pErr, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
|
|
}
|
|
if policies.InlinePolicies != nil {
|
|
if userPolicies, exists := policies.InlinePolicies[userName]; exists {
|
|
delete(policies.InlinePolicies, userName)
|
|
policies.InlinePolicies[newUserName] = userPolicies
|
|
if pErr := iama.s3ApiConfig.PutPolicies(&policies); pErr != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: pErr}
|
|
}
|
|
}
|
|
}
|
|
return resp, nil
|
|
}
|
|
}
|
|
} else {
|
|
return resp, nil
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
func GetPolicyDocument(policy *string) (policy_engine.PolicyDocument, error) {
|
|
var policyDocument policy_engine.PolicyDocument
|
|
if err := json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
|
|
return policy_engine.PolicyDocument{}, err
|
|
}
|
|
return policyDocument, nil
|
|
}
|
|
|
|
func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *CreatePolicyResponse, iamError *IamError) {
|
|
resp = &CreatePolicyResponse{}
|
|
policyName := values.Get("PolicyName")
|
|
policyDocumentString := values.Get("PolicyDocument")
|
|
policyDocument, err := GetPolicyDocument(&policyDocumentString)
|
|
if err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
|
|
}
|
|
policyId := Hash(&policyName)
|
|
arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
|
|
resp.CreatePolicyResult.Policy.PolicyName = &policyName
|
|
resp.CreatePolicyResult.Policy.Arn = &arn
|
|
resp.CreatePolicyResult.Policy.PolicyId = &policyId
|
|
policies := Policies{}
|
|
// Note: Lock is already held by DoActions, no need to acquire here
|
|
if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if policies.Policies == nil {
|
|
policies.Policies = make(map[string]policy_engine.PolicyDocument)
|
|
}
|
|
policies.Policies[policyName] = policyDocument
|
|
if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
type IamError struct {
|
|
Code string
|
|
Error error
|
|
}
|
|
|
|
// https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
|
|
func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *PutUserPolicyResponse, iamError *IamError) {
|
|
resp = &PutUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
policyName := values.Get("PolicyName")
|
|
policyDocumentString := values.Get("PolicyDocument")
|
|
policyDocument, err := GetPolicyDocument(&policyDocumentString)
|
|
if err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
|
|
}
|
|
if _, err := GetActions(&policyDocument); err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
|
|
}
|
|
|
|
// Verify the user exists before persisting the policy
|
|
var targetIdent *iam_pb.Identity
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name == userName {
|
|
targetIdent = ident
|
|
break
|
|
}
|
|
}
|
|
if targetIdent == nil {
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("the user with name %s cannot be found", userName)}
|
|
}
|
|
|
|
// Persist inline policy to storage using per-user indexed structure
|
|
policies := Policies{}
|
|
if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
userPolicies := policies.getOrCreateUserPolicies(userName)
|
|
userPolicies[policyName] = policyDocument
|
|
|
|
if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
// Recompute aggregated actions (inline + managed)
|
|
aggregatedActions, computeErr := computeAllActionsForUser(iama, userName, &policies, targetIdent)
|
|
if computeErr != nil {
|
|
glog.Warningf("Failed to compute aggregated actions for user %s: %v; keeping existing actions", userName, computeErr)
|
|
} else {
|
|
targetIdent.Actions = aggregatedActions
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (iama *IamApiServer) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *GetUserPolicyResponse, err *IamError) {
|
|
resp = &GetUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
policyName := values.Get("PolicyName")
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName != ident.Name {
|
|
continue
|
|
}
|
|
|
|
resp.GetUserPolicyResult.UserName = userName
|
|
resp.GetUserPolicyResult.PolicyName = policyName
|
|
|
|
// Try to retrieve stored inline policy from persistent storage using per-user index
|
|
policies := Policies{}
|
|
if err := iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
// Propagate storage errors
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
// Direct O(1) access to user's policy using per-user index
|
|
if userPolicies := policies.InlinePolicies[userName]; userPolicies != nil {
|
|
if policyDocument, exists := userPolicies[policyName]; exists {
|
|
policyDocumentJSON, err := json.Marshal(policyDocument)
|
|
if err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
resp.GetUserPolicyResult.PolicyDocument = string(policyDocumentJSON)
|
|
return resp, nil
|
|
} else {
|
|
// User's inline policies exist but this specific policy does not
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: errors.New("policy not found")}
|
|
}
|
|
}
|
|
|
|
if len(ident.Actions) == 0 {
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: errors.New("no actions found")}
|
|
}
|
|
|
|
policyDocument := policy_engine.PolicyDocument{Version: policyDocumentVersion}
|
|
statements := make(map[string][]string)
|
|
for _, action := range ident.Actions {
|
|
// parse "Read:EXAMPLE-BUCKET"
|
|
act := strings.Split(action, ":")
|
|
|
|
resource := "*"
|
|
if len(act) == 2 {
|
|
resource = fmt.Sprintf("arn:aws:s3:::%s/*", act[1])
|
|
}
|
|
statements[resource] = append(statements[resource],
|
|
fmt.Sprintf("s3:%s", MapToIdentitiesAction(act[0])),
|
|
)
|
|
}
|
|
for resource, actions := range statements {
|
|
isEqAction := false
|
|
for i, statement := range policyDocument.Statement {
|
|
// Use order-independent comparison to avoid duplicates from different action orderings
|
|
if stringSlicesEqual(statement.Action.Strings(), actions) {
|
|
policyDocument.Statement[i].Resource = policy_engine.NewStringOrStringSlice(append(
|
|
policyDocument.Statement[i].Resource.Strings(), resource)...)
|
|
isEqAction = true
|
|
break
|
|
}
|
|
}
|
|
if isEqAction {
|
|
continue
|
|
}
|
|
policyDocumentStatement := policy_engine.PolicyStatement{
|
|
Effect: policy_engine.PolicyEffectAllow,
|
|
Action: policy_engine.NewStringOrStringSlice(actions...),
|
|
Resource: policy_engine.NewStringOrStringSlice(resource),
|
|
}
|
|
policyDocument.Statement = append(policyDocument.Statement, policyDocumentStatement)
|
|
}
|
|
policyDocumentJSON, err := json.Marshal(policyDocument)
|
|
if err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
resp.GetUserPolicyResult.PolicyDocument = string(policyDocumentJSON)
|
|
return resp, nil
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
// DeleteUserPolicy removes the inline policy from a user (clears their actions).
|
|
func (iama *IamApiServer) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *DeleteUserPolicyResponse, err *IamError) {
|
|
resp = &DeleteUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
policyName := values.Get("PolicyName")
|
|
|
|
// First, verify the user exists in identities before modifying storage
|
|
var targetIdent *iam_pb.Identity
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name == userName {
|
|
targetIdent = ident
|
|
break
|
|
}
|
|
}
|
|
if targetIdent == nil {
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
// User exists; now proceed with removing the stored inline policy from persistent storage
|
|
policies := Policies{}
|
|
if err := iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
// Propagate storage errors immediately
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
// Direct O(1) access to user's policy map using per-user index
|
|
if userPolicies := policies.InlinePolicies[userName]; userPolicies != nil {
|
|
delete(userPolicies, policyName)
|
|
// Note: userPolicies is a map, so the delete modifies the map in policies.InlinePolicies[userName]
|
|
if err := iama.s3ApiConfig.PutPolicies(&policies); err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
}
|
|
|
|
// Recompute aggregated actions from remaining inline + managed policies
|
|
aggregatedActions, computeErr := computeAllActionsForUser(iama, userName, &policies, targetIdent)
|
|
if computeErr != nil {
|
|
glog.Warningf("Failed to recompute aggregated actions for user %s: %v; keeping existing actions", userName, computeErr)
|
|
} else {
|
|
targetIdent.Actions = aggregatedActions
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
// GetPolicy retrieves a managed policy by ARN.
|
|
func (iama *IamApiServer) GetPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *GetPolicyResponse, iamError *IamError) {
|
|
resp = &GetPolicyResponse{}
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, iamError := parsePolicyArn(policyArn)
|
|
if iamError != nil {
|
|
return resp, iamError
|
|
}
|
|
|
|
policies := Policies{}
|
|
if err := iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
if _, exists := policies.Policies[policyName]; !exists {
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
|
|
policyId := Hash(&policyName)
|
|
resp.GetPolicyResult.Policy.PolicyName = &policyName
|
|
resp.GetPolicyResult.Policy.Arn = &policyArn
|
|
resp.GetPolicyResult.Policy.PolicyId = &policyId
|
|
return resp, nil
|
|
}
|
|
|
|
// DeletePolicy removes a managed policy. Rejects deletion if the policy is still attached to any user
|
|
// (matching AWS IAM behavior: must detach before deleting).
|
|
func (iama *IamApiServer) DeletePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *DeletePolicyResponse, iamError *IamError) {
|
|
resp = &DeletePolicyResponse{}
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, iamError := parsePolicyArn(policyArn)
|
|
if iamError != nil {
|
|
return resp, iamError
|
|
}
|
|
|
|
policies := Policies{}
|
|
if err := iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
if _, exists := policies.Policies[policyName]; !exists {
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
|
|
// Reject deletion if the policy is still attached to any user
|
|
for _, ident := range s3cfg.Identities {
|
|
for _, name := range ident.PolicyNames {
|
|
if name == policyName {
|
|
return resp, &IamError{
|
|
Code: iam.ErrCodeDeleteConflictException,
|
|
Error: fmt.Errorf("policy %s is still attached to user %s", policyName, ident.Name),
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
delete(policies.Policies, policyName)
|
|
if err := iama.s3ApiConfig.PutPolicies(&policies); err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
// ListPolicies lists all managed policies.
|
|
func (iama *IamApiServer) ListPolicies(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *ListPoliciesResponse, iamError *IamError) {
|
|
resp = &ListPoliciesResponse{}
|
|
policies := Policies{}
|
|
if err := iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
|
|
for policyName := range policies.Policies {
|
|
name := policyName
|
|
arn := fmt.Sprintf("arn:aws:iam:::policy/%s", name)
|
|
policyId := Hash(&name)
|
|
resp.ListPoliciesResult.Policies = append(resp.ListPoliciesResult.Policies, &iam.Policy{
|
|
PolicyName: &name,
|
|
Arn: &arn,
|
|
PolicyId: &policyId,
|
|
})
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
// AttachUserPolicy attaches a managed policy to a user.
|
|
func (iama *IamApiServer) AttachUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *AttachUserPolicyResponse, iamError *IamError) {
|
|
resp = &AttachUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, iamError := parsePolicyArn(policyArn)
|
|
if iamError != nil {
|
|
return resp, iamError
|
|
}
|
|
|
|
// Verify managed policy exists
|
|
policies := Policies{}
|
|
if err := iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
if _, exists := policies.Policies[policyName]; !exists {
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
|
|
}
|
|
|
|
// Find user and attach policy
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name != userName {
|
|
continue
|
|
}
|
|
// Check if already attached
|
|
for _, name := range ident.PolicyNames {
|
|
if name == policyName {
|
|
return resp, nil // Already attached, idempotent
|
|
}
|
|
}
|
|
prevPolicyNames := ident.PolicyNames
|
|
ident.PolicyNames = append(ident.PolicyNames, policyName)
|
|
|
|
// Recompute aggregated actions (inline + managed)
|
|
aggregatedActions, err := computeAllActionsForUser(iama, userName, &policies, ident)
|
|
if err != nil {
|
|
// Roll back PolicyNames to keep identity consistent
|
|
ident.PolicyNames = prevPolicyNames
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to compute actions after attaching policy: %w", err)}
|
|
}
|
|
ident.Actions = aggregatedActions
|
|
return resp, nil
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
// DetachUserPolicy detaches a managed policy from a user.
|
|
func (iama *IamApiServer) DetachUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *DetachUserPolicyResponse, iamError *IamError) {
|
|
resp = &DetachUserPolicyResponse{}
|
|
userName := values.Get("UserName")
|
|
policyArn := values.Get("PolicyArn")
|
|
policyName, iamError := parsePolicyArn(policyArn)
|
|
if iamError != nil {
|
|
return resp, iamError
|
|
}
|
|
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name != userName {
|
|
continue
|
|
}
|
|
// Find and remove policy name from the list
|
|
prevPolicyNames := make([]string, len(ident.PolicyNames))
|
|
copy(prevPolicyNames, ident.PolicyNames)
|
|
|
|
found := false
|
|
for i, name := range ident.PolicyNames {
|
|
if name == policyName {
|
|
ident.PolicyNames = append(ident.PolicyNames[:i], ident.PolicyNames[i+1:]...)
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if !found {
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s is not attached to user %s", policyName, userName)}
|
|
}
|
|
|
|
// Recompute aggregated actions (inline + managed)
|
|
policies := Policies{}
|
|
if err := iama.s3ApiConfig.GetPolicies(&policies); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
// Roll back PolicyNames on storage error
|
|
ident.PolicyNames = prevPolicyNames
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
}
|
|
aggregatedActions, err := computeAllActionsForUser(iama, userName, &policies, ident)
|
|
if err != nil {
|
|
// Roll back PolicyNames to keep identity consistent
|
|
ident.PolicyNames = prevPolicyNames
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to compute actions after detaching policy: %w", err)}
|
|
}
|
|
ident.Actions = aggregatedActions
|
|
return resp, nil
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
// ListAttachedUserPolicies lists the managed policies attached to a user.
|
|
func (iama *IamApiServer) ListAttachedUserPolicies(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *ListAttachedUserPoliciesResponse, iamError *IamError) {
|
|
resp = &ListAttachedUserPoliciesResponse{}
|
|
userName := values.Get("UserName")
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name != userName {
|
|
continue
|
|
}
|
|
for _, policyName := range ident.PolicyNames {
|
|
name := policyName
|
|
arn := fmt.Sprintf("arn:aws:iam:::policy/%s", name)
|
|
resp.ListAttachedUserPoliciesResult.AttachedPolicies = append(
|
|
resp.ListAttachedUserPoliciesResult.AttachedPolicies,
|
|
&iam.AttachedPolicy{PolicyName: &name, PolicyArn: &arn},
|
|
)
|
|
}
|
|
return resp, nil
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
// computeAllActionsForUser computes the union of actions from both inline and managed policies.
|
|
func computeAllActionsForUser(iama *IamApiServer, userName string, policies *Policies, ident *iam_pb.Identity) ([]string, error) {
|
|
actionSet := make(map[string]bool)
|
|
var aggregatedActions []string
|
|
|
|
addUniqueActions := func(actions []string) {
|
|
for _, action := range actions {
|
|
if !actionSet[action] {
|
|
actionSet[action] = true
|
|
aggregatedActions = append(aggregatedActions, action)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Include inline policy actions
|
|
inlineActions, err := computeAggregatedActionsForUser(iama, userName, policies)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
addUniqueActions(inlineActions)
|
|
|
|
// Include managed policy actions
|
|
for _, policyName := range ident.PolicyNames {
|
|
if policyDoc, exists := policies.Policies[policyName]; exists {
|
|
actions, err := GetActions(&policyDoc)
|
|
if err != nil {
|
|
glog.Warningf("Failed to get actions from managed policy '%s' for user %s: %v", policyName, userName, err)
|
|
continue
|
|
}
|
|
addUniqueActions(actions)
|
|
}
|
|
}
|
|
|
|
return aggregatedActions, nil
|
|
}
|
|
|
|
func GetActions(policy *policy_engine.PolicyDocument) ([]string, error) {
|
|
var actions []string
|
|
|
|
for _, statement := range policy.Statement {
|
|
if statement.Effect != policy_engine.PolicyEffectAllow {
|
|
return nil, fmt.Errorf("not a valid effect: '%s'. Only 'Allow' is possible", statement.Effect)
|
|
}
|
|
for _, resource := range statement.Resource.Strings() {
|
|
// Parse "arn:aws:s3:::my-bucket/shared/*"
|
|
res := strings.Split(resource, ":")
|
|
if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
|
|
continue
|
|
}
|
|
for _, action := range statement.Action.Strings() {
|
|
// Parse "s3:Get*"
|
|
act := strings.Split(action, ":")
|
|
if len(act) != 2 || act[0] != "s3" {
|
|
continue
|
|
}
|
|
statementAction := MapToStatementAction(act[1])
|
|
|
|
if statementAction == "" {
|
|
return nil, fmt.Errorf("not a valid action: '%s'", act[1])
|
|
}
|
|
|
|
path := res[5]
|
|
if path == "*" {
|
|
actions = append(actions, statementAction)
|
|
continue
|
|
}
|
|
actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path))
|
|
}
|
|
}
|
|
}
|
|
return actions, nil
|
|
}
|
|
|
|
func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *CreateAccessKeyResponse, iamErr *IamError) {
|
|
resp = &CreateAccessKeyResponse{}
|
|
userName := values.Get("UserName")
|
|
status := iam.StatusTypeActive
|
|
|
|
accessKeyId, err := StringWithCharset(21, charsetUpper)
|
|
if err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to generate access key: %w", err)}
|
|
}
|
|
secretAccessKey, err := StringWithCharset(42, charset)
|
|
if err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("failed to generate secret key: %w", err)}
|
|
}
|
|
|
|
resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
|
|
resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
|
|
resp.CreateAccessKeyResult.AccessKey.UserName = &userName
|
|
resp.CreateAccessKeyResult.AccessKey.Status = &status
|
|
changed := false
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
ident.Credentials = append(ident.Credentials,
|
|
&iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey, Status: accessKeyStatusActive})
|
|
changed = true
|
|
break
|
|
}
|
|
}
|
|
if !changed {
|
|
s3cfg.Identities = append(s3cfg.Identities,
|
|
&iam_pb.Identity{
|
|
Name: userName,
|
|
Credentials: []*iam_pb.Credential{
|
|
{
|
|
AccessKey: accessKeyId,
|
|
SecretKey: secretAccessKey,
|
|
Status: accessKeyStatusActive,
|
|
},
|
|
},
|
|
},
|
|
)
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
// UpdateAccessKey updates the status of an access key (Active or Inactive).
|
|
func (iama *IamApiServer) UpdateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *UpdateAccessKeyResponse, err *IamError) {
|
|
resp = &UpdateAccessKeyResponse{}
|
|
userName := values.Get("UserName")
|
|
accessKeyId := values.Get("AccessKeyId")
|
|
status := values.Get("Status")
|
|
|
|
if userName == "" {
|
|
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("UserName is required")}
|
|
}
|
|
if accessKeyId == "" {
|
|
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: fmt.Errorf("AccessKeyId is required")}
|
|
}
|
|
if err := validateAccessKeyStatus(status); err != nil {
|
|
return resp, &IamError{Code: iam.ErrCodeInvalidInputException, Error: err}
|
|
}
|
|
|
|
for _, ident := range s3cfg.Identities {
|
|
if ident.Name != userName {
|
|
continue
|
|
}
|
|
for _, cred := range ident.Credentials {
|
|
if cred.AccessKey == accessKeyId {
|
|
cred.Status = status
|
|
return resp, nil
|
|
}
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("the access key with id %s for user %s cannot be found", accessKeyId, userName)}
|
|
}
|
|
return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
|
|
}
|
|
|
|
func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp *DeleteAccessKeyResponse) {
|
|
resp = &DeleteAccessKeyResponse{}
|
|
userName := values.Get("UserName")
|
|
accessKeyId := values.Get("AccessKeyId")
|
|
for _, ident := range s3cfg.Identities {
|
|
if userName == ident.Name {
|
|
for i, cred := range ident.Credentials {
|
|
if cred.AccessKey == accessKeyId {
|
|
ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
|
|
break
|
|
}
|
|
}
|
|
break
|
|
}
|
|
}
|
|
return resp
|
|
}
|
|
|
|
// handleImplicitUsername adds username who signs the request to values if 'username' is not specified.
|
|
// According to AWS documentation: "If you do not specify a user name, IAM determines the user name
|
|
// implicitly based on the Amazon Web Services access key ID signing the request."
|
|
// This function extracts the AccessKeyId from the SigV4 credential and looks up the corresponding
|
|
// identity name in the credential store.
|
|
func (iama *IamApiServer) handleImplicitUsername(r *http.Request, values url.Values) {
|
|
if len(r.Header["Authorization"]) == 0 || values.Get("UserName") != "" {
|
|
return
|
|
}
|
|
// Log presence of auth header without exposing sensitive signature material
|
|
glog.V(4).Infof("Authorization header present, extracting access key")
|
|
// Parse AWS SigV4 Authorization header format:
|
|
// "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/iam/aws4_request, ..."
|
|
s := strings.Split(r.Header["Authorization"][0], "Credential=")
|
|
if len(s) < 2 {
|
|
return
|
|
}
|
|
s = strings.Split(s[1], ",")
|
|
if len(s) < 1 {
|
|
return
|
|
}
|
|
s = strings.Split(s[0], "/")
|
|
if len(s) < 1 {
|
|
return
|
|
}
|
|
// s[0] is the AccessKeyId
|
|
accessKeyId := s[0]
|
|
if accessKeyId == "" {
|
|
return
|
|
}
|
|
// Nil-guard: ensure iam is initialized before lookup
|
|
if iama.iam == nil {
|
|
glog.V(4).Infof("IAM not initialized, cannot look up access key")
|
|
return
|
|
}
|
|
// Look up the identity by access key to get the username
|
|
identity, _, found := iama.iam.LookupByAccessKey(accessKeyId)
|
|
if !found {
|
|
// Mask access key in logs - show only first 4 chars
|
|
maskedKey := accessKeyId
|
|
if len(accessKeyId) > 4 {
|
|
maskedKey = accessKeyId[:4] + "***"
|
|
}
|
|
glog.V(4).Infof("Access key %s not found in credential store", maskedKey)
|
|
return
|
|
}
|
|
values.Set("UserName", identity.Name)
|
|
}
|
|
|
|
func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
|
|
// Lock to prevent concurrent read-modify-write race conditions
|
|
policyLock.Lock()
|
|
defer policyLock.Unlock()
|
|
|
|
r, reqID := request_id.Ensure(r)
|
|
|
|
if err := r.ParseForm(); err != nil {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
|
|
return
|
|
}
|
|
values := r.PostForm
|
|
s3cfg := &iam_pb.S3ApiConfiguration{}
|
|
if err := iama.s3ApiConfig.GetS3ApiConfiguration(s3cfg); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
|
return
|
|
}
|
|
|
|
glog.V(4).Infof("DoActions: %+v", values)
|
|
var response iamlib.RequestIDSetter
|
|
changed := true
|
|
switch r.Form.Get("Action") {
|
|
case "ListUsers":
|
|
response = iama.ListUsers(s3cfg, values)
|
|
changed = false
|
|
case "ListAccessKeys":
|
|
iama.handleImplicitUsername(r, values)
|
|
response = iama.ListAccessKeys(s3cfg, values)
|
|
changed = false
|
|
case "CreateUser":
|
|
response = iama.CreateUser(s3cfg, values)
|
|
case "GetUser":
|
|
userName := values.Get("UserName")
|
|
var err *IamError
|
|
response, err = iama.GetUser(s3cfg, userName)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
changed = false
|
|
case "UpdateUser":
|
|
var err *IamError
|
|
response, err = iama.UpdateUser(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "DeleteUser":
|
|
userName := values.Get("UserName")
|
|
var err *IamError
|
|
response, err = iama.DeleteUser(s3cfg, userName)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "CreateAccessKey":
|
|
iama.handleImplicitUsername(r, values)
|
|
var err *IamError
|
|
response, err = iama.CreateAccessKey(s3cfg, values)
|
|
if err != nil {
|
|
glog.Errorf("CreateAccessKey: %+v", err.Error)
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "DeleteAccessKey":
|
|
iama.handleImplicitUsername(r, values)
|
|
response = iama.DeleteAccessKey(s3cfg, values)
|
|
case "UpdateAccessKey":
|
|
iama.handleImplicitUsername(r, values)
|
|
var err *IamError
|
|
response, err = iama.UpdateAccessKey(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "CreatePolicy":
|
|
var err *IamError
|
|
response, err = iama.CreatePolicy(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
// CreatePolicy persists the policy document via iama.s3ApiConfig.PutPolicies().
|
|
// The `changed` flag is false because this does not modify the main s3cfg.Identities configuration.
|
|
changed = false
|
|
case "PutUserPolicy":
|
|
var err *IamError
|
|
response, err = iama.PutUserPolicy(s3cfg, values)
|
|
if err != nil {
|
|
glog.Errorf("PutUserPolicy: %+v", err.Error)
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "GetUserPolicy":
|
|
var err *IamError
|
|
response, err = iama.GetUserPolicy(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
changed = false
|
|
case "DeleteUserPolicy":
|
|
var err *IamError
|
|
response, err = iama.DeleteUserPolicy(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "GetPolicy":
|
|
var err *IamError
|
|
response, err = iama.GetPolicy(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
changed = false
|
|
case "DeletePolicy":
|
|
var err *IamError
|
|
response, err = iama.DeletePolicy(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
changed = false
|
|
case "ListPolicies":
|
|
var err *IamError
|
|
response, err = iama.ListPolicies(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
changed = false
|
|
case "AttachUserPolicy":
|
|
var err *IamError
|
|
response, err = iama.AttachUserPolicy(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "DetachUserPolicy":
|
|
var err *IamError
|
|
response, err = iama.DetachUserPolicy(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
case "ListAttachedUserPolicies":
|
|
var err *IamError
|
|
response, err = iama.ListAttachedUserPolicies(s3cfg, values)
|
|
if err != nil {
|
|
writeIamErrorResponse(w, r, reqID, err)
|
|
return
|
|
}
|
|
changed = false
|
|
default:
|
|
errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
|
|
errorResponse := newErrorResponse(errNotImplemented.Code, errNotImplemented.Description, reqID)
|
|
s3err.WriteXMLResponse(w, r, errNotImplemented.HTTPStatusCode, errorResponse)
|
|
return
|
|
}
|
|
if changed {
|
|
err := iama.s3ApiConfig.PutS3ApiConfiguration(s3cfg)
|
|
if err != nil {
|
|
var iamError = IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
|
|
writeIamErrorResponse(w, r, reqID, &iamError)
|
|
return
|
|
}
|
|
// Reload in-memory identity maps so subsequent LookupByAccessKey calls
|
|
// can see newly created or deleted keys immediately
|
|
if iama.iam != nil {
|
|
if err := iama.iam.LoadS3ApiConfigurationFromCredentialManager(); err != nil {
|
|
glog.Warningf("Failed to reload IAM configuration after mutation: %v", err)
|
|
// Don't fail the request since the persistent save succeeded
|
|
}
|
|
}
|
|
}
|
|
response.SetRequestId(reqID)
|
|
s3err.WriteXMLResponse(w, r, http.StatusOK, response)
|
|
}
|