Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11244 Commits
32 Branches
298 Tags
167 MiB
Tree: aa299462f2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'aa299462f2'
${ noResults }
seaweedfs/weed/iamapi/iamapi_management_handlers.go

540 lines
17 KiB
Raw Normal View History

init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
Fix iam service response 500 (#5405)
10 months ago
base handlers
4 years ago
init Iam Api Server
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
add tests
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
move to https://github.com/seaweedfs/seaweedfs
3 years ago
Fix iam service response 500 (#5405)
10 months ago
move to https://github.com/seaweedfs/seaweedfs
3 years ago
complete project code, remain test code
3 years ago
init Iam Api Server
4 years ago
[iam] Replace action read/write to readAcp/writeAcp for handlers with acl (#4858) Replace action read/write to readAcp/writeAcp for handlers with acl query https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
added s3 iam DeleteBucket permission management (#5599)
8 months ago
init Iam Api Server
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
GetUserPolicy
4 years ago
[iam] Replace action read/write to readAcp/writeAcp for handlers with acl (#4858) Replace action read/write to readAcp/writeAcp for handlers with acl query https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
GetUserPolicy
4 years ago
[iam] Replace action read/write to readAcp/writeAcp for handlers with acl (#4858) Replace action read/write to readAcp/writeAcp for handlers with acl query https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
GetUserPolicy
4 years ago
added s3 iam DeleteBucket permission management (#5599)
8 months ago
GetUserPolicy
4 years ago
[iam] Replace action read/write to readAcp/writeAcp for handlers with acl (#4858) Replace action read/write to readAcp/writeAcp for handlers with acl query https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
GetUserPolicy
4 years ago
[iam] Replace action read/write to readAcp/writeAcp for handlers with acl (#4858) Replace action read/write to readAcp/writeAcp for handlers with acl query https://github.com/seaweedfs/seaweedfs/issues/4519 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
1 year ago
GetUserPolicy
4 years ago
added s3 iam DeleteBucket permission management (#5599)
8 months ago
GetUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
add tests
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
add tests
4 years ago
base handlers
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
base handlers
4 years ago
iam ListAccessKeys filtred by username
4 years ago
base handlers
4 years ago
iam ListAccessKeys filtred by username
4 years ago
base handlers
4 years ago
iam GetUser
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
iam GetUser
4 years ago
GetUserPolicy
4 years ago
iam GetUser
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
iam GetUser
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
iam GetUser
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
iam GetUser
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
complete project code, remain test code
3 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
complete project code, remain test code
3 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
GetUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
refine PutUserPolicy
3 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
refine PutUserPolicy
3 years ago
PutUserAction should completely replace identity actions
3 years ago
refactor code
3 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
GetUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
GetUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
GetUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
add DeleteUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
add DeleteUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
SaveAs S3 Configuration
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
base handlers
4 years ago
filter duplicated action
3 years ago
base handlers
4 years ago
init Iam Api Server
4 years ago
handle implicit username
3 years ago
add more checks and comments
3 years ago
handle implicit username
3 years ago
Merge branch 'master' into handle_implicit_username
3 years ago
add more checks and comments
3 years ago
Merge branch 'master' into handle_implicit_username
3 years ago
add more checks and comments
3 years ago
Merge branch 'master' into handle_implicit_username
3 years ago
add more checks and comments
3 years ago
handle implicit username
3 years ago
init Iam Api Server
4 years ago
refactoring
3 years ago
init Iam Api Server
4 years ago
Fix iam service response 500 (#5405)
10 months ago
refactoring
3 years ago
init Iam Api Server
4 years ago
add tests
4 years ago
init Iam Api Server
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
init Iam Api Server
4 years ago
handle implicit username
3 years ago
base handlers
4 years ago
SaveAs S3 Configuration
4 years ago
base handlers
4 years ago
iam GetUser
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
iam GetUser
4 years ago
GetUserPolicy
4 years ago
complete project code, remain test code
3 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
complete project code, remain test code
3 years ago
base handlers
4 years ago
iam GetUser
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
iam GetUser
4 years ago
base handlers
4 years ago
handle implicit username
3 years ago
base handlers
4 years ago
handle implicit username
3 years ago
base handlers
4 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
refactoring
3 years ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
handler PutUserPolicy https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
4 years ago
GetUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
GetUserPolicy
4 years ago
add DeleteUserPolicy
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
add missing return
3 years ago
add DeleteUserPolicy
4 years ago
init Iam Api Server
4 years ago
add DeleteUserPolicy
4 years ago
refactoring
3 years ago
init Iam Api Server
4 years ago
SaveAs S3 Configuration
4 years ago
add tests
4 years ago
SaveInsideFiler S3 Configuration
4 years ago
improve iam error handling (#6446) * improve iam error handling * Delete docker/test.py
6 days ago
SaveAs S3 Configuration
4 years ago
refactoring
3 years ago
init Iam Api Server
4 years ago
  1. package iamapi
  3. import (
  4. "crypto/sha1"
  5. "encoding/json"
  6. "errors"
  7. "fmt"
  8. "math/rand"
  9. "net/http"
  10. "net/url"
  11. "reflect"
  12. "strings"
  13. "sync"
  14. "time"
  16. "github.com/seaweedfs/seaweedfs/weed/glog"
  17. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  18. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  19. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  20. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  22. "github.com/aws/aws-sdk-go/service/iam"
  23. )
  25. const (
  26. charsetUpper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  27. charset = charsetUpper + "abcdefghijklmnopqrstuvwxyz/"
  28. policyDocumentVersion = "2012-10-17"
  29. StatementActionAdmin = "*"
  30. StatementActionWrite = "Put*"
  31. StatementActionWriteAcp = "PutBucketAcl"
  32. StatementActionRead = "Get*"
  33. StatementActionReadAcp = "GetBucketAcl"
  34. StatementActionList = "List*"
  35. StatementActionTagging = "Tagging*"
  36. StatementActionDelete = "DeleteBucket*"
  37. )
  39. var (
  40. seededRand *rand.Rand = rand.New(
  41. rand.NewSource(time.Now().UnixNano()))
  42. policyDocuments = map[string]*PolicyDocument{}
  43. policyLock = sync.RWMutex{}
  44. )
  46. func MapToStatementAction(action string) string {
  47. switch action {
  48. case StatementActionAdmin:
  49. return s3_constants.ACTION_ADMIN
  50. case StatementActionWrite:
  51. return s3_constants.ACTION_WRITE
  52. case StatementActionWriteAcp:
  53. return s3_constants.ACTION_WRITE_ACP
  54. case StatementActionRead:
  55. return s3_constants.ACTION_READ
  56. case StatementActionReadAcp:
  57. return s3_constants.ACTION_READ_ACP
  58. case StatementActionList:
  59. return s3_constants.ACTION_LIST
  60. case StatementActionTagging:
  61. return s3_constants.ACTION_TAGGING
  62. case StatementActionDelete:
  63. return s3_constants.ACTION_DELETE_BUCKET
  64. default:
  65. return ""
  66. }
  67. }
  69. func MapToIdentitiesAction(action string) string {
  70. switch action {
  71. case s3_constants.ACTION_ADMIN:
  72. return StatementActionAdmin
  73. case s3_constants.ACTION_WRITE:
  74. return StatementActionWrite
  75. case s3_constants.ACTION_WRITE_ACP:
  76. return StatementActionWriteAcp
  77. case s3_constants.ACTION_READ:
  78. return StatementActionRead
  79. case s3_constants.ACTION_READ_ACP:
  80. return StatementActionReadAcp
  81. case s3_constants.ACTION_LIST:
  82. return StatementActionList
  83. case s3_constants.ACTION_TAGGING:
  84. return StatementActionTagging
  85. case s3_constants.ACTION_DELETE_BUCKET:
  86. return StatementActionDelete
  87. default:
  88. return ""
  89. }
  90. }
  92. const (
  93. USER_DOES_NOT_EXIST = "the user with name %s cannot be found."
  94. )
  96. type Statement struct {
  97. Effect string `json:"Effect"`
  98. Action []string `json:"Action"`
  99. Resource []string `json:"Resource"`
  100. }
  102. type Policies struct {
  103. Policies map[string]PolicyDocument `json:"policies"`
  104. }
  106. type PolicyDocument struct {
  107. Version string `json:"Version"`
  108. Statement []*Statement `json:"Statement"`
  109. }
  111. func (p PolicyDocument) String() string {
  112. b, _ := json.Marshal(p)
  113. return string(b)
  114. }
  116. func Hash(s *string) string {
  117. h := sha1.New()
  118. h.Write([]byte(*s))
  119. return fmt.Sprintf("%x", h.Sum(nil))
  120. }
  122. func StringWithCharset(length int, charset string) string {
  123. b := make([]byte, length)
  124. for i := range b {
  125. b[i] = charset[seededRand.Intn(len(charset))]
  126. }
  127. return string(b)
  128. }
  130. func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) {
  131. for _, ident := range s3cfg.Identities {
  132. resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
  133. }
  134. return resp
  135. }
  137. func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListAccessKeysResponse) {
  138. status := iam.StatusTypeActive
  139. userName := values.Get("UserName")
  140. for _, ident := range s3cfg.Identities {
  141. if userName != "" && userName != ident.Name {
  142. continue
  143. }
  144. for _, cred := range ident.Credentials {
  145. resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
  146. &iam.AccessKeyMetadata{UserName: &ident.Name, AccessKeyId: &cred.AccessKey, Status: &status},
  147. )
  148. }
  149. }
  150. return resp
  151. }
  153. func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateUserResponse) {
  154. userName := values.Get("UserName")
  155. resp.CreateUserResult.User.UserName = &userName
  156. s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName})
  157. return resp
  158. }
  160. func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp DeleteUserResponse, err *IamError) {
  161. for i, ident := range s3cfg.Identities {
  162. if userName == ident.Name {
  163. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  164. return resp, nil
  165. }
  166. }
  167. return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
  168. }
  170. func (iama *IamApiServer) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp GetUserResponse, err *IamError) {
  171. for _, ident := range s3cfg.Identities {
  172. if userName == ident.Name {
  173. resp.GetUserResult.User = iam.User{UserName: &ident.Name}
  174. return resp, nil
  175. }
  176. }
  177. return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
  178. }
  180. func (iama *IamApiServer) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp UpdateUserResponse, err *IamError) {
  181. userName := values.Get("UserName")
  182. newUserName := values.Get("NewUserName")
  183. if newUserName != "" {
  184. for _, ident := range s3cfg.Identities {
  185. if userName == ident.Name {
  186. ident.Name = newUserName
  187. return resp, nil
  188. }
  189. }
  190. } else {
  191. return resp, nil
  192. }
  193. return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
  194. }
  196. func GetPolicyDocument(policy *string) (policyDocument PolicyDocument, err error) {
  197. if err = json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
  198. return PolicyDocument{}, err
  199. }
  200. return policyDocument, err
  201. }
  203. func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreatePolicyResponse, iamError *IamError) {
  204. policyName := values.Get("PolicyName")
  205. policyDocumentString := values.Get("PolicyDocument")
  206. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  207. if err != nil {
  208. return CreatePolicyResponse{}, &IamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
  209. }
  210. policyId := Hash(&policyDocumentString)
  211. arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
  212. resp.CreatePolicyResult.Policy.PolicyName = &policyName
  213. resp.CreatePolicyResult.Policy.Arn = &arn
  214. resp.CreatePolicyResult.Policy.PolicyId = &policyId
  215. policies := Policies{}
  216. policyLock.Lock()
  217. defer policyLock.Unlock()
  218. if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil {
  219. return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
  220. }
  221. policies.Policies[policyName] = policyDocument
  222. if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil {
  223. return resp, &IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
  224. }
  225. return resp, nil
  226. }
  228. type IamError struct {
  229. Code string
  230. Error error
  231. }
  233. // https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
  234. func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, iamError *IamError) {
  235. userName := values.Get("UserName")
  236. policyName := values.Get("PolicyName")
  237. policyDocumentString := values.Get("PolicyDocument")
  238. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  239. if err != nil {
  240. return PutUserPolicyResponse{}, &IamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
  241. }
  242. policyDocuments[policyName] = &policyDocument
  243. actions, err := GetActions(&policyDocument)
  244. if err != nil {
  245. return PutUserPolicyResponse{}, &IamError{Code: iam.ErrCodeMalformedPolicyDocumentException, Error: err}
  246. }
  247. // Log the actions
  248. glog.V(3).Infof("PutUserPolicy: actions=%v", actions)
  249. for _, ident := range s3cfg.Identities {
  250. if userName != ident.Name {
  251. continue
  252. }
  253. ident.Actions = actions
  254. return resp, nil
  255. }
  256. return PutUserPolicyResponse{}, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("the user with name %s cannot be found", userName)}
  257. }
  259. func (iama *IamApiServer) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp GetUserPolicyResponse, err *IamError) {
  260. userName := values.Get("UserName")
  261. policyName := values.Get("PolicyName")
  262. for _, ident := range s3cfg.Identities {
  263. if userName != ident.Name {
  264. continue
  265. }
  267. resp.GetUserPolicyResult.UserName = userName
  268. resp.GetUserPolicyResult.PolicyName = policyName
  269. if len(ident.Actions) == 0 {
  270. return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: errors.New("no actions found")}
  271. }
  273. policyDocument := PolicyDocument{Version: policyDocumentVersion}
  274. statements := make(map[string][]string)
  275. for _, action := range ident.Actions {
  276. // parse "Read:EXAMPLE-BUCKET"
  277. act := strings.Split(action, ":")
  279. resource := "*"
  280. if len(act) == 2 {
  281. resource = fmt.Sprintf("arn:aws:s3:::%s/*", act[1])
  282. }
  283. statements[resource] = append(statements[resource],
  284. fmt.Sprintf("s3:%s", MapToIdentitiesAction(act[0])),
  285. )
  286. }
  287. for resource, actions := range statements {
  288. isEqAction := false
  289. for i, statement := range policyDocument.Statement {
  290. if reflect.DeepEqual(statement.Action, actions) {
  291. policyDocument.Statement[i].Resource = append(
  292. policyDocument.Statement[i].Resource, resource)
  293. isEqAction = true
  294. break
  295. }
  296. }
  297. if isEqAction {
  298. continue
  299. }
  300. policyDocumentStatement := Statement{
  301. Effect: "Allow",
  302. Action: actions,
  303. }
  304. policyDocumentStatement.Resource = append(policyDocumentStatement.Resource, resource)
  305. policyDocument.Statement = append(policyDocument.Statement, &policyDocumentStatement)
  306. }
  307. resp.GetUserPolicyResult.PolicyDocument = policyDocument.String()
  308. return resp, nil
  309. }
  310. return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
  311. }
  313. func (iama *IamApiServer) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err *IamError) {
  314. userName := values.Get("UserName")
  315. for i, ident := range s3cfg.Identities {
  316. if ident.Name == userName {
  317. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  318. return resp, nil
  319. }
  320. }
  321. return resp, &IamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf(USER_DOES_NOT_EXIST, userName)}
  322. }
  324. func GetActions(policy *PolicyDocument) ([]string, error) {
  325. var actions []string
  327. for _, statement := range policy.Statement {
  328. if statement.Effect != "Allow" {
  329. return nil, fmt.Errorf("not a valid effect: '%s'. Only 'Allow' is possible", statement.Effect)
  330. }
  331. for _, resource := range statement.Resource {
  332. // Parse "arn:aws:s3:::my-bucket/shared/*"
  333. res := strings.Split(resource, ":")
  334. if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
  335. return nil, fmt.Errorf("not a valid resource: '%s'. Expected prefix 'arn:aws:s3'", res)
  336. }
  337. for _, action := range statement.Action {
  338. // Parse "s3:Get*"
  339. act := strings.Split(action, ":")
  340. if len(act) != 2 || act[0] != "s3" {
  341. return nil, fmt.Errorf("not a valid action: '%s'. Expected prefix 's3:'", act)
  342. }
  343. statementAction := MapToStatementAction(act[1])
  344. if res[5] == "*" {
  345. actions = append(actions, statementAction)
  346. continue
  347. }
  348. // Parse my-bucket/shared/*
  349. path := strings.Split(res[5], "/")
  350. if len(path) != 2 || path[1] != "*" {
  351. glog.Infof("not match bucket: %s", path)
  352. continue
  353. }
  354. actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path[0]))
  355. }
  356. }
  357. }
  358. return actions, nil
  359. }
  361. func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateAccessKeyResponse) {
  362. userName := values.Get("UserName")
  363. status := iam.StatusTypeActive
  364. accessKeyId := StringWithCharset(21, charsetUpper)
  365. secretAccessKey := StringWithCharset(42, charset)
  366. resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
  367. resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
  368. resp.CreateAccessKeyResult.AccessKey.UserName = &userName
  369. resp.CreateAccessKeyResult.AccessKey.Status = &status
  370. changed := false
  371. for _, ident := range s3cfg.Identities {
  372. if userName == ident.Name {
  373. ident.Credentials = append(ident.Credentials,
  374. &iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey})
  375. changed = true
  376. break
  377. }
  378. }
  379. if !changed {
  380. s3cfg.Identities = append(s3cfg.Identities,
  381. &iam_pb.Identity{
  382. Name: userName,
  383. Credentials: []*iam_pb.Credential{
  384. {
  385. AccessKey: accessKeyId,
  386. SecretKey: secretAccessKey,
  387. },
  388. },
  389. },
  390. )
  391. }
  392. return resp
  393. }
  395. func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteAccessKeyResponse) {
  396. userName := values.Get("UserName")
  397. accessKeyId := values.Get("AccessKeyId")
  398. for _, ident := range s3cfg.Identities {
  399. if userName == ident.Name {
  400. for i, cred := range ident.Credentials {
  401. if cred.AccessKey == accessKeyId {
  402. ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
  403. break
  404. }
  405. }
  406. break
  407. }
  408. }
  409. return resp
  410. }
  412. // handleImplicitUsername adds username who signs the request to values if 'username' is not specified
  413. // According to https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html/
  414. // "If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web
  415. // Services access key ID signing the request."
  416. func handleImplicitUsername(r *http.Request, values url.Values) {
  417. if len(r.Header["Authorization"]) == 0 || values.Get("UserName") != "" {
  418. return
  419. }
  420. // get username who signs the request. For a typical Authorization:
  421. // "AWS4-HMAC-SHA256 Credential=197FSAQ7HHTA48X64O3A/20220420/test1/iam/aws4_request, SignedHeaders=content-type;
  422. // host;x-amz-date, Signature=6757dc6b3d7534d67e17842760310e99ee695408497f6edc4fdb84770c252dc8",
  423. // the "test1" will be extracted as the username
  424. glog.V(4).Infof("Authorization field: %v", r.Header["Authorization"][0])
  425. s := strings.Split(r.Header["Authorization"][0], "Credential=")
  426. if len(s) < 2 {
  427. return
  428. }
  429. s = strings.Split(s[1], ",")
  430. if len(s) < 2 {
  431. return
  432. }
  433. s = strings.Split(s[0], "/")
  434. if len(s) < 5 {
  435. return
  436. }
  437. userName := s[2]
  438. values.Set("UserName", userName)
  439. }
  441. func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
  442. if err := r.ParseForm(); err != nil {
  443. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  444. return
  445. }
  446. values := r.PostForm
  447. s3cfg := &iam_pb.S3ApiConfiguration{}
  448. if err := iama.s3ApiConfig.GetS3ApiConfiguration(s3cfg); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
  449. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  450. return
  451. }
  453. glog.V(4).Infof("DoActions: %+v", values)
  454. var response interface{}
  455. var iamError *IamError
  456. changed := true
  457. switch r.Form.Get("Action") {
  458. case "ListUsers":
  459. response = iama.ListUsers(s3cfg, values)
  460. changed = false
  461. case "ListAccessKeys":
  462. handleImplicitUsername(r, values)
  463. response = iama.ListAccessKeys(s3cfg, values)
  464. changed = false
  465. case "CreateUser":
  466. response = iama.CreateUser(s3cfg, values)
  467. case "GetUser":
  468. userName := values.Get("UserName")
  469. response, iamError = iama.GetUser(s3cfg, userName)
  470. if iamError != nil {
  471. writeIamErrorResponse(w, r, iamError)
  472. return
  473. }
  474. changed = false
  475. case "UpdateUser":
  476. response, iamError = iama.UpdateUser(s3cfg, values)
  477. if iamError != nil {
  478. glog.Errorf("UpdateUser: %+v", iamError.Error)
  479. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  480. return
  481. }
  482. case "DeleteUser":
  483. userName := values.Get("UserName")
  484. response, iamError = iama.DeleteUser(s3cfg, userName)
  485. if iamError != nil {
  486. writeIamErrorResponse(w, r, iamError)
  487. return
  488. }
  489. case "CreateAccessKey":
  490. handleImplicitUsername(r, values)
  491. response = iama.CreateAccessKey(s3cfg, values)
  492. case "DeleteAccessKey":
  493. handleImplicitUsername(r, values)
  494. response = iama.DeleteAccessKey(s3cfg, values)
  495. case "CreatePolicy":
  496. response, iamError = iama.CreatePolicy(s3cfg, values)
  497. if iamError != nil {
  498. glog.Errorf("CreatePolicy: %+v", iamError.Error)
  499. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  500. return
  501. }
  502. case "PutUserPolicy":
  503. var iamError *IamError
  504. response, iamError = iama.PutUserPolicy(s3cfg, values)
  505. if iamError != nil {
  506. glog.Errorf("PutUserPolicy: %+v", iamError.Error)
  508. writeIamErrorResponse(w, r, iamError)
  509. return
  510. }
  511. case "GetUserPolicy":
  512. response, iamError = iama.GetUserPolicy(s3cfg, values)
  513. if iamError != nil {
  514. writeIamErrorResponse(w, r, iamError)
  515. return
  516. }
  517. changed = false
  518. case "DeleteUserPolicy":
  519. if response, iamError = iama.DeleteUserPolicy(s3cfg, values); iamError != nil {
  520. writeIamErrorResponse(w, r, iamError)
  521. return
  522. }
  523. default:
  524. errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
  525. errorResponse := ErrorResponse{}
  526. errorResponse.Error.Code = &errNotImplemented.Code
  527. errorResponse.Error.Message = &errNotImplemented.Description
  528. s3err.WriteXMLResponse(w, r, errNotImplemented.HTTPStatusCode, errorResponse)
  529. return
  530. }
  531. if changed {
  532. err := iama.s3ApiConfig.PutS3ApiConfiguration(s3cfg)
  533. if err != nil {
  534. var iamError = IamError{Code: iam.ErrCodeServiceFailureException, Error: err}
  535. writeIamErrorResponse(w, r, &iamError)
  536. return
  537. }
  538. }
  539. s3err.WriteXMLResponse(w, r, http.StatusOK, response)
  540. }