| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | package iamapi | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 	"crypto/sha1" | 
					
						
							|  |  |  | 	"encoding/json" | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 	"fmt" | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	"github.com/chrislusf/seaweedfs/weed/glog" | 
					
						
							|  |  |  | 	"github.com/chrislusf/seaweedfs/weed/pb/iam_pb" | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 	"github.com/chrislusf/seaweedfs/weed/s3api/s3_constants" | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	"github.com/chrislusf/seaweedfs/weed/s3api/s3err" | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 	"math/rand" | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	"net/http" | 
					
						
							|  |  |  | 	"net/url" | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 	"reflect" | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 	"strings" | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 	"sync" | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 	"time" | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	"github.com/aws/aws-sdk-go/service/iam" | 
					
						
							|  |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | const ( | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 	charsetUpper           = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | 
					
						
							|  |  |  | 	charset                = charsetUpper + "abcdefghijklmnopqrstuvwxyz/" | 
					
						
							|  |  |  | 	policyDocumentVersion  = "2012-10-17" | 
					
						
							|  |  |  | 	StatementActionAdmin   = "*" | 
					
						
							|  |  |  | 	StatementActionWrite   = "Put*" | 
					
						
							|  |  |  | 	StatementActionRead    = "Get*" | 
					
						
							|  |  |  | 	StatementActionList    = "List*" | 
					
						
							|  |  |  | 	StatementActionTagging = "Tagging*" | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | var ( | 
					
						
							|  |  |  | 	seededRand *rand.Rand = rand.New( | 
					
						
							|  |  |  | 		rand.NewSource(time.Now().UnixNano())) | 
					
						
							|  |  |  | 	policyDocuments = map[string]*PolicyDocument{} | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 	policyLock      = sync.RWMutex{} | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | ) | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | func MapToStatementAction(action string) string { | 
					
						
							|  |  |  | 	switch action { | 
					
						
							|  |  |  | 	case StatementActionAdmin: | 
					
						
							|  |  |  | 		return s3_constants.ACTION_ADMIN | 
					
						
							|  |  |  | 	case StatementActionWrite: | 
					
						
							|  |  |  | 		return s3_constants.ACTION_WRITE | 
					
						
							|  |  |  | 	case StatementActionRead: | 
					
						
							|  |  |  | 		return s3_constants.ACTION_READ | 
					
						
							|  |  |  | 	case StatementActionList: | 
					
						
							|  |  |  | 		return s3_constants.ACTION_LIST | 
					
						
							|  |  |  | 	case StatementActionTagging: | 
					
						
							|  |  |  | 		return s3_constants.ACTION_TAGGING | 
					
						
							|  |  |  | 	default: | 
					
						
							|  |  |  | 		return "" | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func MapToIdentitiesAction(action string) string { | 
					
						
							|  |  |  | 	switch action { | 
					
						
							|  |  |  | 	case s3_constants.ACTION_ADMIN: | 
					
						
							|  |  |  | 		return StatementActionAdmin | 
					
						
							|  |  |  | 	case s3_constants.ACTION_WRITE: | 
					
						
							|  |  |  | 		return StatementActionWrite | 
					
						
							|  |  |  | 	case s3_constants.ACTION_READ: | 
					
						
							|  |  |  | 		return StatementActionRead | 
					
						
							|  |  |  | 	case s3_constants.ACTION_LIST: | 
					
						
							|  |  |  | 		return StatementActionList | 
					
						
							|  |  |  | 	case s3_constants.ACTION_TAGGING: | 
					
						
							|  |  |  | 		return StatementActionTagging | 
					
						
							|  |  |  | 	default: | 
					
						
							|  |  |  | 		return "" | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | type Statement struct { | 
					
						
							|  |  |  | 	Effect   string   `json:"Effect"` | 
					
						
							|  |  |  | 	Action   []string `json:"Action"` | 
					
						
							|  |  |  | 	Resource []string `json:"Resource"` | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | type Policies struct { | 
					
						
							|  |  |  | 	Policies map[string]PolicyDocument `json:"policies"` | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | type PolicyDocument struct { | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 	Version   string       `json:"Version"` | 
					
						
							|  |  |  | 	Statement []*Statement `json:"Statement"` | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | func (p PolicyDocument) String() string { | 
					
						
							|  |  |  | 	b, _ := json.Marshal(p) | 
					
						
							|  |  |  | 	return string(b) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | func Hash(s *string) string { | 
					
						
							|  |  |  | 	h := sha1.New() | 
					
						
							|  |  |  | 	h.Write([]byte(*s)) | 
					
						
							|  |  |  | 	return fmt.Sprintf("%x", h.Sum(nil)) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | func StringWithCharset(length int, charset string) string { | 
					
						
							|  |  |  | 	b := make([]byte, length) | 
					
						
							|  |  |  | 	for i := range b { | 
					
						
							|  |  |  | 		b[i] = charset[seededRand.Intn(len(charset))] | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return string(b) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) { | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	for _, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name}) | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListAccessKeysResponse) { | 
					
						
							|  |  |  | 	status := iam.StatusTypeActive | 
					
						
							| 
									
										
										
										
											2021-04-28 17:15:22 +05:00
										 |  |  | 	userName := values.Get("UserName") | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 	for _, ident := range s3cfg.Identities { | 
					
						
							| 
									
										
										
										
											2021-04-28 17:15:22 +05:00
										 |  |  | 		if userName != "" && userName != ident.Name { | 
					
						
							|  |  |  | 			continue | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 		for _, cred := range ident.Credentials { | 
					
						
							|  |  |  | 			resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata, | 
					
						
							|  |  |  | 				&iam.AccessKeyMetadata{UserName: &ident.Name, AccessKeyId: &cred.AccessKey, Status: &status}, | 
					
						
							|  |  |  | 			) | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateUserResponse) { | 
					
						
							|  |  |  | 	userName := values.Get("UserName") | 
					
						
							|  |  |  | 	resp.CreateUserResult.User.UserName = &userName | 
					
						
							|  |  |  | 	s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName}) | 
					
						
							|  |  |  | 	return resp | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2021-03-29 12:01:44 +05:00
										 |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp DeleteUserResponse, err error) { | 
					
						
							|  |  |  | 	for i, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		if userName == ident.Name { | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 			s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...) | 
					
						
							| 
									
										
										
										
											2021-03-29 12:01:44 +05:00
										 |  |  | 			return resp, nil | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp GetUserResponse, err error) { | 
					
						
							|  |  |  | 	for _, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		if userName == ident.Name { | 
					
						
							|  |  |  | 			resp.GetUserResult.User = iam.User{UserName: &ident.Name} | 
					
						
							|  |  |  | 			return resp, nil | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | func GetPolicyDocument(policy *string) (policyDocument PolicyDocument, err error) { | 
					
						
							|  |  |  | 	if err = json.Unmarshal([]byte(*policy), &policyDocument); err != nil { | 
					
						
							|  |  |  | 		return PolicyDocument{}, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return policyDocument, err | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreatePolicyResponse, err error) { | 
					
						
							|  |  |  | 	policyName := values.Get("PolicyName") | 
					
						
							|  |  |  | 	policyDocumentString := values.Get("PolicyDocument") | 
					
						
							|  |  |  | 	policyDocument, err := GetPolicyDocument(&policyDocumentString) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return CreatePolicyResponse{}, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	policyId := Hash(&policyDocumentString) | 
					
						
							|  |  |  | 	arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName) | 
					
						
							|  |  |  | 	resp.CreatePolicyResult.Policy.PolicyName = &policyName | 
					
						
							|  |  |  | 	resp.CreatePolicyResult.Policy.Arn = &arn | 
					
						
							|  |  |  | 	resp.CreatePolicyResult.Policy.PolicyId = &policyId | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 	policies := Policies{} | 
					
						
							|  |  |  | 	policyLock.Lock() | 
					
						
							|  |  |  | 	defer policyLock.Unlock() | 
					
						
							|  |  |  | 	if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil { | 
					
						
							|  |  |  | 		return resp, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	policies.Policies[policyName] = policyDocument | 
					
						
							|  |  |  | 	if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil { | 
					
						
							|  |  |  | 		return resp, err | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 	return resp, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) { | 
					
						
							|  |  |  | 	userName := values.Get("UserName") | 
					
						
							|  |  |  | 	policyName := values.Get("PolicyName") | 
					
						
							|  |  |  | 	policyDocumentString := values.Get("PolicyDocument") | 
					
						
							|  |  |  | 	policyDocument, err := GetPolicyDocument(&policyDocumentString) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return PutUserPolicyResponse{}, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	policyDocuments[policyName] = &policyDocument | 
					
						
							|  |  |  | 	actions := GetActions(&policyDocument) | 
					
						
							|  |  |  | 	for _, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		if userName == ident.Name { | 
					
						
							|  |  |  | 			for _, action := range actions { | 
					
						
							|  |  |  | 				ident.Actions = append(ident.Actions, action) | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			break | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | func (iama *IamApiServer) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp GetUserPolicyResponse, err error) { | 
					
						
							|  |  |  | 	userName := values.Get("UserName") | 
					
						
							|  |  |  | 	policyName := values.Get("PolicyName") | 
					
						
							|  |  |  | 	for _, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		if userName != ident.Name { | 
					
						
							|  |  |  | 			continue | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		resp.GetUserPolicyResult.UserName = userName | 
					
						
							|  |  |  | 		resp.GetUserPolicyResult.PolicyName = policyName | 
					
						
							|  |  |  | 		if len(ident.Actions) == 0 { | 
					
						
							|  |  |  | 			return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException) | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		policyDocument := PolicyDocument{Version: policyDocumentVersion} | 
					
						
							|  |  |  | 		statements := make(map[string][]string) | 
					
						
							|  |  |  | 		for _, action := range ident.Actions { | 
					
						
							|  |  |  | 			// parse "Read:EXAMPLE-BUCKET" | 
					
						
							|  |  |  | 			act := strings.Split(action, ":") | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			resource := "*" | 
					
						
							|  |  |  | 			if len(act) == 2 { | 
					
						
							|  |  |  | 				resource = fmt.Sprintf("arn:aws:s3:::%s/*", act[1]) | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			statements[resource] = append(statements[resource], | 
					
						
							|  |  |  | 				fmt.Sprintf("s3:%s", MapToIdentitiesAction(act[0])), | 
					
						
							|  |  |  | 			) | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		for resource, actions := range statements { | 
					
						
							|  |  |  | 			isEqAction := false | 
					
						
							|  |  |  | 			for i, statement := range policyDocument.Statement { | 
					
						
							|  |  |  | 				if reflect.DeepEqual(statement.Action, actions) { | 
					
						
							|  |  |  | 					policyDocument.Statement[i].Resource = append( | 
					
						
							|  |  |  | 						policyDocument.Statement[i].Resource, resource) | 
					
						
							|  |  |  | 					isEqAction = true | 
					
						
							|  |  |  | 					break | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			if isEqAction { | 
					
						
							|  |  |  | 				continue | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			policyDocumentStatement := Statement{ | 
					
						
							|  |  |  | 				Effect: "Allow", | 
					
						
							|  |  |  | 				Action: actions, | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			policyDocumentStatement.Resource = append(policyDocumentStatement.Resource, resource) | 
					
						
							|  |  |  | 			policyDocument.Statement = append(policyDocument.Statement, &policyDocumentStatement) | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		resp.GetUserPolicyResult.PolicyDocument = policyDocument.String() | 
					
						
							|  |  |  | 		return resp, nil | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-04-08 11:16:36 +05:00
										 |  |  | func (iama *IamApiServer) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) { | 
					
						
							|  |  |  | 	userName := values.Get("UserName") | 
					
						
							|  |  |  | 	for i, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		if ident.Name == userName { | 
					
						
							|  |  |  | 			s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...) | 
					
						
							|  |  |  | 			return resp, nil | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | func GetActions(policy *PolicyDocument) (actions []string) { | 
					
						
							|  |  |  | 	for _, statement := range policy.Statement { | 
					
						
							|  |  |  | 		if statement.Effect != "Allow" { | 
					
						
							|  |  |  | 			continue | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		for _, resource := range statement.Resource { | 
					
						
							|  |  |  | 			// Parse "arn:aws:s3:::my-bucket/shared/*" | 
					
						
							|  |  |  | 			res := strings.Split(resource, ":") | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 			if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" { | 
					
						
							| 
									
										
										
										
											2020-12-10 21:03:25 +05:00
										 |  |  | 				glog.Infof("not match resource: %s", res) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 				continue | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			for _, action := range statement.Action { | 
					
						
							|  |  |  | 				// Parse "s3:Get*" | 
					
						
							|  |  |  | 				act := strings.Split(action, ":") | 
					
						
							|  |  |  | 				if len(act) != 2 || act[0] != "s3" { | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 					glog.Infof("not match action: %s", act) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 					continue | 
					
						
							|  |  |  | 				} | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 				statementAction := MapToStatementAction(act[1]) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 				if res[5] == "*" { | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 					actions = append(actions, statementAction) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 					continue | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 				// Parse my-bucket/shared/* | 
					
						
							|  |  |  | 				path := strings.Split(res[5], "/") | 
					
						
							|  |  |  | 				if len(path) != 2 || path[1] != "*" { | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 					glog.Infof("not match bucket: %s", path) | 
					
						
							|  |  |  | 					continue | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 				} | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 				actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path[0])) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return actions | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateAccessKeyResponse) { | 
					
						
							|  |  |  | 	userName := values.Get("UserName") | 
					
						
							|  |  |  | 	status := iam.StatusTypeActive | 
					
						
							|  |  |  | 	accessKeyId := StringWithCharset(21, charsetUpper) | 
					
						
							|  |  |  | 	secretAccessKey := StringWithCharset(42, charset) | 
					
						
							|  |  |  | 	resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId | 
					
						
							|  |  |  | 	resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey | 
					
						
							|  |  |  | 	resp.CreateAccessKeyResult.AccessKey.UserName = &userName | 
					
						
							|  |  |  | 	resp.CreateAccessKeyResult.AccessKey.Status = &status | 
					
						
							|  |  |  | 	changed := false | 
					
						
							|  |  |  | 	for _, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		if userName == ident.Name { | 
					
						
							|  |  |  | 			ident.Credentials = append(ident.Credentials, | 
					
						
							|  |  |  | 				&iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey}) | 
					
						
							|  |  |  | 			changed = true | 
					
						
							|  |  |  | 			break | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	if !changed { | 
					
						
							|  |  |  | 		s3cfg.Identities = append(s3cfg.Identities, | 
					
						
							|  |  |  | 			&iam_pb.Identity{Name: userName, | 
					
						
							|  |  |  | 				Credentials: []*iam_pb.Credential{ | 
					
						
							|  |  |  | 					{ | 
					
						
							|  |  |  | 						AccessKey: accessKeyId, | 
					
						
							|  |  |  | 						SecretKey: secretAccessKey, | 
					
						
							|  |  |  | 					}, | 
					
						
							|  |  |  | 				}, | 
					
						
							|  |  |  | 			}, | 
					
						
							|  |  |  | 		) | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteAccessKeyResponse) { | 
					
						
							|  |  |  | 	userName := values.Get("UserName") | 
					
						
							|  |  |  | 	accessKeyId := values.Get("AccessKeyId") | 
					
						
							|  |  |  | 	for _, ident := range s3cfg.Identities { | 
					
						
							|  |  |  | 		if userName == ident.Name { | 
					
						
							|  |  |  | 			for i, cred := range ident.Credentials { | 
					
						
							|  |  |  | 				if cred.AccessKey == accessKeyId { | 
					
						
							|  |  |  | 					ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...) | 
					
						
							|  |  |  | 					break | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			break | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return resp | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) { | 
					
						
							|  |  |  | 	if err := r.ParseForm(); err != nil { | 
					
						
							| 
									
										
										
										
											2021-06-10 21:50:21 -07:00
										 |  |  | 		s3err.WriteErrorResponse(w, s3err.ErrInvalidRequest, r) | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	values := r.PostForm | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 	var s3cfgLock sync.RWMutex | 
					
						
							|  |  |  | 	s3cfgLock.RLock() | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	s3cfg := &iam_pb.S3ApiConfiguration{} | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 	if err := iama.s3ApiConfig.GetS3ApiConfiguration(s3cfg); err != nil { | 
					
						
							| 
									
										
										
										
											2021-06-10 21:50:21 -07:00
										 |  |  | 		s3err.WriteErrorResponse(w, s3err.ErrInternalError, r) | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 	s3cfgLock.RUnlock() | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 	glog.V(4).Infof("DoActions: %+v", values) | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	var response interface{} | 
					
						
							| 
									
										
										
										
											2021-03-29 12:01:44 +05:00
										 |  |  | 	var err error | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 	changed := true | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	switch r.Form.Get("Action") { | 
					
						
							|  |  |  | 	case "ListUsers": | 
					
						
							|  |  |  | 		response = iama.ListUsers(s3cfg, values) | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 		changed = false | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	case "ListAccessKeys": | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 		response = iama.ListAccessKeys(s3cfg, values) | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 		changed = false | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 	case "CreateUser": | 
					
						
							|  |  |  | 		response = iama.CreateUser(s3cfg, values) | 
					
						
							| 
									
										
										
										
											2021-03-29 12:01:44 +05:00
										 |  |  | 	case "GetUser": | 
					
						
							|  |  |  | 		userName := values.Get("UserName") | 
					
						
							|  |  |  | 		response, err = iama.GetUser(s3cfg, userName) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2021-04-08 11:16:36 +05:00
										 |  |  | 			writeIamErrorResponse(w, err, "user", userName, nil) | 
					
						
							| 
									
										
										
										
											2021-03-29 12:01:44 +05:00
										 |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 		changed = false | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 	case "DeleteUser": | 
					
						
							| 
									
										
										
										
											2021-03-29 12:01:44 +05:00
										 |  |  | 		userName := values.Get("UserName") | 
					
						
							|  |  |  | 		response, err = iama.DeleteUser(s3cfg, userName) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2021-04-08 11:16:36 +05:00
										 |  |  | 			writeIamErrorResponse(w, err, "user", userName, nil) | 
					
						
							| 
									
										
										
										
											2021-03-29 12:01:44 +05:00
										 |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2020-12-10 00:03:14 +05:00
										 |  |  | 	case "CreateAccessKey": | 
					
						
							|  |  |  | 		response = iama.CreateAccessKey(s3cfg, values) | 
					
						
							|  |  |  | 	case "DeleteAccessKey": | 
					
						
							|  |  |  | 		response = iama.DeleteAccessKey(s3cfg, values) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 	case "CreatePolicy": | 
					
						
							|  |  |  | 		response, err = iama.CreatePolicy(s3cfg, values) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 			glog.Errorf("CreatePolicy:  %+v", err) | 
					
						
							| 
									
										
										
										
											2021-06-10 21:50:21 -07:00
										 |  |  | 			s3err.WriteErrorResponse(w, s3err.ErrInvalidRequest, r) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	case "PutUserPolicy": | 
					
						
							|  |  |  | 		response, err = iama.PutUserPolicy(s3cfg, values) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 			glog.Errorf("PutUserPolicy:  %+v", err) | 
					
						
							| 
									
										
										
										
											2021-06-10 21:50:21 -07:00
										 |  |  | 			s3err.WriteErrorResponse(w, s3err.ErrInvalidRequest, r) | 
					
						
							| 
									
										
										
										
											2020-12-10 15:36:04 +05:00
										 |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2021-04-10 23:57:45 +05:00
										 |  |  | 	case "GetUserPolicy": | 
					
						
							|  |  |  | 		response, err = iama.GetUserPolicy(s3cfg, values) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			writeIamErrorResponse(w, err, "user", values.Get("UserName"), nil) | 
					
						
							|  |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		changed = false | 
					
						
							| 
									
										
										
										
											2021-04-08 11:16:36 +05:00
										 |  |  | 	case "DeleteUserPolicy": | 
					
						
							|  |  |  | 		if response, err = iama.DeleteUserPolicy(s3cfg, values); err != nil { | 
					
						
							|  |  |  | 			writeIamErrorResponse(w, err, "user", values.Get("UserName"), nil) | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 	default: | 
					
						
							| 
									
										
										
										
											2021-04-08 11:16:36 +05:00
										 |  |  | 		errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented) | 
					
						
							|  |  |  | 		errorResponse := ErrorResponse{} | 
					
						
							|  |  |  | 		errorResponse.Error.Code = &errNotImplemented.Code | 
					
						
							|  |  |  | 		errorResponse.Error.Message = &errNotImplemented.Description | 
					
						
							| 
									
										
										
										
											2021-06-10 21:50:21 -07:00
										 |  |  | 		s3err.WriteXMLResponse(w, errNotImplemented.HTTPStatusCode, errorResponse) | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 	if changed { | 
					
						
							| 
									
										
										
										
											2021-04-06 13:43:08 +05:00
										 |  |  | 		s3cfgLock.Lock() | 
					
						
							|  |  |  | 		err := iama.s3ApiConfig.PutS3ApiConfiguration(s3cfg) | 
					
						
							|  |  |  | 		s3cfgLock.Unlock() | 
					
						
							| 
									
										
										
										
											2020-12-10 21:03:25 +05:00
										 |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2021-04-08 11:16:36 +05:00
										 |  |  | 			writeIamErrorResponse(w, fmt.Errorf(iam.ErrCodeServiceFailureException), "", "", err) | 
					
						
							| 
									
										
										
										
											2020-12-10 17:03:55 +05:00
										 |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2021-06-10 21:50:21 -07:00
										 |  |  | 	s3err.WriteXMLResponse(w, http.StatusOK, response) | 
					
						
							| 
									
										
										
										
											2020-12-09 17:11:49 +05:00
										 |  |  | } |