Index ¶
- Constants
- Variables
- func CheckIfAccountsExist(accs []string, iam IAMService) ([]string, error)
- func IsAdminOrOwner(acct Account, isRoot bool, acl ACL) error
- func MayCreateBucket(acct Account, isRoot bool) error
- func UpdateACL(input *s3.PutBucketAclInput, acl ACL, iam IAMService) ([]byte, error)
- func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) error
- func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error
- func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource string, opts AccessOptions) error
- type ACL
- type AccessControlList
- type AccessControlPolicy
- type AccessOptions
- type Account
- type Action
- type Actions
- type BucketPolicy
- type BucketPolicyAccessType
- type BucketPolicyItem
- type GetBucketAclOutput
- type Grantee
- type IAMCache
- type IAMService
- type IAMServiceInternal
- func (s *IAMServiceInternal) CreateAccount(account Account) error
- func (s *IAMServiceInternal) DeleteUserAccount(access string) error
- func (s *IAMServiceInternal) GetUserAccount(access string) (Account, error)
- func (s *IAMServiceInternal) ListUserAccounts() ([]Account, error)
- func (s *IAMServiceInternal) Shutdown() error
- type IAMServiceS3
- func (s *IAMServiceS3) CreateAccount(account Account) error
- func (s *IAMServiceS3) DeleteUserAccount(access string) error
- func (s *IAMServiceS3) GetUserAccount(access string) (Account, error)
- func (s *IAMServiceS3) ListUserAccounts() ([]Account, error)
- func (s *IAMServiceS3) ResolveEndpoint(service, region string, options ...interface{}) (aws.Endpoint, error)
- func (s *IAMServiceS3) Shutdown() error
- type IAMServiceSingle
- type LdapIAMService
- func (ld *LdapIAMService) CreateAccount(account Account) error
- func (ld *LdapIAMService) DeleteUserAccount(access string) error
- func (ld *LdapIAMService) GetUserAccount(access string) (Account, error)
- func (ld *LdapIAMService) ListUserAccounts() ([]Account, error)
- func (ld *LdapIAMService) Shutdown() error
- type Opts
- type Principals
- type Resources
- type Role
- type UpdateAcctFunc
Constants ¶
const ResourceArnPrefix = "arn:aws:s3:::"
Variables ¶
var ErrNoSuchUser = errors.New("user not found")
var ErrNotSupported = errors.New("method is not supported")
Functions ¶
func CheckIfAccountsExist ¶
func CheckIfAccountsExist(accs []string, iam IAMService) ([]string, error)
func MayCreateBucket ¶
func UpdateACL ¶
func UpdateACL(input *s3.PutBucketAclInput, acl ACL, iam IAMService) ([]byte, error)
func ValidatePolicyDocument ¶
func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) error
func VerifyAccess ¶
func VerifyObjectCopyAccess ¶
Types ¶
type AccessControlList ¶
type AccessControlPolicy ¶
// AccessControlPolicy is the XML form of a bucket/object ACL: the grant list
// (tagged for xml decoding) plus the owning account.
type AccessControlPolicy struct {
	AccessControlList AccessControlList `xml:"AccessControlList"`
	Owner             types.Owner // no xml tag: encoded under its field name — confirm against the ACL documents this is parsed from
}
type AccessOptions ¶
type Account ¶
// Account is a gateway IAM account. The json tags define the encoding the
// IAM service implementations exchange; note that Secret is part of it.
type Account struct {
	Access string `json:"access"` // access key; the value passed to IAMService.GetUserAccount(access)
	// Secret has a json tag rather than being excluded, so any json.Marshal of
	// an Account emits the secret. Treat serialized accounts as sensitive and
	// keep them out of logs and error messages.
	Secret    string `json:"secret"`
	Role      Role   `json:"role"` // gateway role; see type Role
	UserID    int    `json:"userID"`    // NOTE(review): numeric ids, presumably uid/gid/project mappings for the backend — confirm
	GroupID   int    `json:"groupID"`
	ProjectID int    `json:"projectID"`
}
Account is a gateway IAM account
type Action ¶
// Action is an S3 action name as it appears in a bucket policy statement
// (for example "s3:GetObject"); see the constants below for the supported set.
type Action string
// Supported S3 actions. Action.IsValid accepts an action that is in this list
// or wildcard-matches an entry of it; AllActions is the full wildcard.
const (
	// Bucket-level actions.
	GetBucketAclAction               Action = "s3:GetBucketAcl"
	CreateBucketAction               Action = "s3:CreateBucket"
	PutBucketAclAction               Action = "s3:PutBucketAcl"
	DeleteBucketAction               Action = "s3:DeleteBucket"
	PutBucketVersioningAction        Action = "s3:PutBucketVersioning"
	GetBucketVersioningAction        Action = "s3:GetBucketVersioning"
	PutBucketPolicyAction            Action = "s3:PutBucketPolicy"
	GetBucketPolicyAction            Action = "s3:GetBucketPolicy"
	DeleteBucketPolicyAction         Action = "s3:DeleteBucketPolicy"
	AbortMultipartUploadAction       Action = "s3:AbortMultipartUpload"
	ListMultipartUploadPartsAction   Action = "s3:ListMultipartUploadParts"
	ListBucketMultipartUploadsAction Action = "s3:ListBucketMultipartUploads"
	// Object-level actions (see Action.IsObjectAction for the exact split).
	PutObjectAction           Action = "s3:PutObject"
	GetObjectAction           Action = "s3:GetObject"
	DeleteObjectAction        Action = "s3:DeleteObject"
	GetObjectAclAction        Action = "s3:GetObjectAcl"
	GetObjectAttributesAction Action = "s3:GetObjectAttributes"
	PutObjectAclAction        Action = "s3:PutObjectAcl"
	RestoreObjectAction       Action = "s3:RestoreObject"
	// Tagging, listing and the wildcard.
	GetBucketTaggingAction    Action = "s3:GetBucketTagging"
	PutBucketTaggingAction    Action = "s3:PutBucketTagging"
	GetObjectTaggingAction    Action = "s3:GetObjectTagging"
	PutObjectTaggingAction    Action = "s3:PutObjectTagging"
	DeleteObjectTaggingAction Action = "s3:DeleteObjectTagging"
	ListBucketVersionsAction  Action = "s3:ListBucketVersions"
	ListBucketAction          Action = "s3:ListBucket"
	// AllActions grants every action; policies using it deserve review.
	AllActions Action = "s3:*"
)
func (Action) IsObjectAction ¶
IsObjectAction reports whether the action is an object-level action.
func (Action) IsValid ¶
IsValid reports whether the Action is valid: it must either be in the supported actions list or wildcard-match an entry of it.
func (Action) WildCardMatch ¶
type Actions ¶
// Actions is the set of actions named by a policy statement (map used as a
// set; the struct{} value carries no data). Its UnmarshalJSON accepts both a
// JSON array and a single string.
type Actions map[Action]struct{}
func (*Actions) UnmarshalJSON ¶
UnmarshalJSON overrides the default decoding so that both a []string and a single string value are accepted.
type BucketPolicy ¶
// BucketPolicy is a decoded bucket policy document: a list of statements,
// each validated by BucketPolicyItem.Validate via BucketPolicy.Validate.
type BucketPolicy struct {
	Statement []BucketPolicyItem `json:"Statement"`
}
func (*BucketPolicy) Validate ¶
func (bp *BucketPolicy) Validate(bucket string, iam IAMService) error
type BucketPolicyAccessType ¶
// BucketPolicyAccessType is the Effect of a policy statement; only the two
// constants below pass Validate.
type BucketPolicyAccessType string
// Valid statement Effect values, as checked by BucketPolicyAccessType.Validate.
const (
	BucketPolicyAccessTypeDeny  BucketPolicyAccessType = "Deny"
	BucketPolicyAccessTypeAllow BucketPolicyAccessType = "Allow"
)
func (BucketPolicyAccessType) Validate ¶
func (bpat BucketPolicyAccessType) Validate() error
Validate checks that the policy statement Effect is one of the valid values ("Deny", "Allow").
type BucketPolicyItem ¶
// BucketPolicyItem is one policy statement. The json tags match the statement
// keys of an S3 bucket policy document; Validate checks each part
// (Effect value, principal existence, action and resource patterns).
type BucketPolicyItem struct {
	Effect     BucketPolicyAccessType `json:"Effect"`
	Principals Principals             `json:"Principal"` // decoded from either a string or a list
	Actions    Actions                `json:"Action"`    // decoded from either a string or a list
	Resources  Resources              `json:"Resource"`  // decoded from either a string or a list
}
func (*BucketPolicyItem) Validate ¶
func (bpi *BucketPolicyItem) Validate(bucket string, iam IAMService) error
type GetBucketAclOutput ¶
// GetBucketAclOutput is the parsed form of an ACL document (see ParseACLOutput).
type GetBucketAclOutput struct {
	Owner             *types.Owner // pointer: may be nil, check before dereferencing
	AccessControlList AccessControlList
}
func ParseACLOutput ¶
func ParseACLOutput(data []byte) (GetBucketAclOutput, error)
type Grantee ¶
// Grantee is a single ACL grant: a permission and the account it is granted to.
type Grantee struct {
	Permission types.Permission
	Access     string // presumably the grantee account's access key — confirm against CheckIfAccountsExist
}
type IAMCache ¶
// IAMCache wraps an IAMService with an in-memory, expiring account cache
// (see NewCache). Create and delete go through to the wrapped service and
// update the cache; GetUserAccount serves cached entries until they expire.
// NOTE(review): a change made in the underlying store outside this gateway
// (e.g. a credential revoked directly in LDAP) would presumably keep being
// served from cache until expireTime — confirm and size the TTL accordingly.
type IAMCache struct {
	// contains filtered or unexported fields
}
IAMCache is an in-memory cache of the IAM accounts with expiration. This helps to alleviate the load on the real IAM service if the gateway is handling many requests. It forwards account updates to the underlying service, and returns cached results while the in-memory account entry is not expired.
func NewCache ¶
func NewCache(service IAMService, expireTime, cleanupInterval time.Duration) *IAMCache
NewCache initializes an IAM cache for the provided service. The expireTime is the duration a cache entry can be valid, and the cleanupInterval is how often to scan cache and cleanup expired entries.
func (*IAMCache) CreateAccount ¶
CreateAccount sends the create request to the IAM service and adds an account cache entry.
func (*IAMCache) DeleteUserAccount ¶
DeleteUserAccount deletes account from IAM service and cache
func (*IAMCache) GetUserAccount ¶
GetUserAccount retrieves the cache account if it is in the cache and not expired. Otherwise retrieves from underlying IAM service and caches result for the expire duration.
func (*IAMCache) ListUserAccounts ¶
ListUserAccounts is a passthrough to the underlying service and does not make use of the cache
type IAMService ¶
// IAMService is the interface for all IAM service implementations
// (IAMServiceInternal, IAMServiceS3, LdapIAMService, IAMServiceSingle and the
// IAMCache wrapper). Accounts are keyed by their access key string.
type IAMService interface {
	// CreateAccount stores a new account. The internal implementation documents
	// an error when the account already exists; confirm the other backends
	// behave the same before relying on it as a uniqueness guarantee.
	CreateAccount(account Account) error
	// GetUserAccount looks up an account by access key. The internal
	// implementation returns ErrNoSuchUser when it does not exist.
	GetUserAccount(access string) (Account, error)
	// DeleteUserAccount removes an account; the internal implementation does
	// not check that it exists first.
	DeleteUserAccount(access string) error
	// ListUserAccounts returns the stored accounts as Account values, which
	// carry the Secret field — handle the result as sensitive.
	ListUserAccounts() ([]Account, error)
	// Shutdown terminates the service gracefully.
	Shutdown() error
}
IAMService is the interface for all IAM service implementations
func New ¶
func New(o *Opts) (IAMService, error)
func NewLDAPService ¶
func NewLDAPService(url, bindDN, pass, queryBase, accAtr, secAtr, roleAtr, objClasses string) (IAMService, error)
type IAMServiceInternal ¶
// IAMServiceInternal is the built-in IAM service backed by a directory
// (see NewInternal(dir)); it implements IAMService.
type IAMServiceInternal struct {
	// contains filtered or unexported fields
}
IAMServiceInternal manages the internal IAM service
func NewInternal ¶
func NewInternal(dir string) (*IAMServiceInternal, error)
NewInternal creates a new instance for the Internal IAM service
func (*IAMServiceInternal) CreateAccount ¶
func (s *IAMServiceInternal) CreateAccount(account Account) error
CreateAccount creates a new IAM account. Returns an error if the account already exists.
func (*IAMServiceInternal) DeleteUserAccount ¶
func (s *IAMServiceInternal) DeleteUserAccount(access string) error
DeleteUserAccount deletes the specified user account. Does not check if account exists.
func (*IAMServiceInternal) GetUserAccount ¶
func (s *IAMServiceInternal) GetUserAccount(access string) (Account, error)
GetUserAccount retrieves account info for the requested user. Returns ErrNoSuchUser if the account does not exist.
func (*IAMServiceInternal) ListUserAccounts ¶
func (s *IAMServiceInternal) ListUserAccounts() ([]Account, error)
ListUserAccounts lists all the user accounts stored.
func (*IAMServiceInternal) Shutdown ¶
func (s *IAMServiceInternal) Shutdown() error
Shutdown performs graceful termination of the service.
type IAMServiceS3 ¶
// IAMServiceS3 is an IAM service that keeps accounts in an S3 bucket
// (see NewS3); it implements IAMService and also acts as an aws endpoint
// resolver (ResolveEndpoint) for non-AWS endpoints.
type IAMServiceS3 struct {
	// contains filtered or unexported fields
}
func NewS3 ¶
func NewS3(access, secret, region, bucket, endpoint string, sslSkipVerify, debug bool) (*IAMServiceS3, error)
func (*IAMServiceS3) CreateAccount ¶
func (s *IAMServiceS3) CreateAccount(account Account) error
func (*IAMServiceS3) DeleteUserAccount ¶
func (s *IAMServiceS3) DeleteUserAccount(access string) error
func (*IAMServiceS3) GetUserAccount ¶
func (s *IAMServiceS3) GetUserAccount(access string) (Account, error)
func (*IAMServiceS3) ListUserAccounts ¶
func (s *IAMServiceS3) ListUserAccounts() ([]Account, error)
func (*IAMServiceS3) ResolveEndpoint ¶
func (s *IAMServiceS3) ResolveEndpoint(service, region string, options ...interface{}) (aws.Endpoint, error)
ResolveEndpoint is used for on-prem or non-AWS endpoints.
func (*IAMServiceS3) Shutdown ¶
func (s *IAMServiceS3) Shutdown() error
type IAMServiceSingle ¶
// IAMServiceSingle is the single-tenant (root-only) IAMService: it holds no
// state and its account methods have no accounts to operate on.
type IAMServiceSingle struct{}
IAMServiceSingle manages the single tenant (root-only) IAM service
func (IAMServiceSingle) CreateAccount ¶
func (IAMServiceSingle) CreateAccount(account Account) error
CreateAccount is not valid in single-tenant mode.
func (IAMServiceSingle) DeleteUserAccount ¶
func (IAMServiceSingle) DeleteUserAccount(access string) error
DeleteUserAccount: there are no accounts in single-tenant mode.
func (IAMServiceSingle) GetUserAccount ¶
func (IAMServiceSingle) GetUserAccount(access string) (Account, error)
GetUserAccount: there are no accounts in single-tenant mode.
func (IAMServiceSingle) ListUserAccounts ¶
func (IAMServiceSingle) ListUserAccounts() ([]Account, error)
ListUserAccounts: there are no accounts in single-tenant mode.
func (IAMServiceSingle) Shutdown ¶
func (IAMServiceSingle) Shutdown() error
Shutdown performs graceful termination of the service.
type LdapIAMService ¶
// LdapIAMService is an IAM service that resolves accounts from an LDAP
// directory (see NewLDAPService); it implements IAMService.
type LdapIAMService struct {
	// contains filtered or unexported fields
}
func (*LdapIAMService) CreateAccount ¶
func (ld *LdapIAMService) CreateAccount(account Account) error
func (*LdapIAMService) DeleteUserAccount ¶
func (ld *LdapIAMService) DeleteUserAccount(access string) error
func (*LdapIAMService) GetUserAccount ¶
func (ld *LdapIAMService) GetUserAccount(access string) (Account, error)
func (*LdapIAMService) ListUserAccounts ¶
func (ld *LdapIAMService) ListUserAccounts() ([]Account, error)
func (*LdapIAMService) Shutdown ¶
func (ld *LdapIAMService) Shutdown() error
Shutdown performs graceful termination of the service.
type Opts ¶
// Opts configures New(o *Opts): which IAM backend to build (internal
// directory, LDAP or S3) and the cache settings. The field groups appear to
// mirror the parameters of NewInternal, NewLDAPService and NewS3 — confirm
// the mapping against New.
type Opts struct {
	Dir string // presumably the directory handed to NewInternal(dir) — confirm

	// LDAP backend; names mirror NewLDAPService's parameters.
	LDAPServerURL  string
	LDAPBindDN     string
	LDAPPassword   string // bind credential: sensitive, do not log Opts with %+v
	LDAPQueryBase  string
	LDAPObjClasses string
	LDAPAccessAtr  string
	LDAPSecretAtr  string
	LDAPRoleAtr    string

	// S3 backend; names mirror NewS3's parameters.
	S3Access   string
	S3Secret   string // sensitive, as above
	S3Region   string
	S3Bucket   string
	S3Endpoint string
	// S3DisableSSlVerfiy presumably feeds NewS3's sslSkipVerify and disables
	// TLS certificate verification for the S3 endpoint — confirm. False is the
	// safe default. The misspelled name is exported and is kept as-is.
	S3DisableSSlVerfiy bool
	S3Debug            bool

	// Cache settings. CacheTTL and CachePrune are ints here while NewCache
	// takes time.Duration values; the unit conversion is not visible on this page.
	CacheDisable bool
	CacheTTL     int
	CachePrune   int
}
type Principals ¶
// Principals is the set of account access keys named by a policy statement
// (map used as a set). The "*" entry is handled specially by ToSlice.
type Principals map[string]struct{}
func (Principals) Add ¶
func (p Principals) Add(key string)
func (Principals) Contains ¶
func (p Principals) Contains(userAccess string) bool
func (Principals) ToSlice ¶
func (p Principals) ToSlice() []string
ToSlice converts the Principals map to a slice, omitting the "*" entry.
func (*Principals) UnmarshalJSON ¶
func (p *Principals) UnmarshalJSON(data []byte) error
UnmarshalJSON overrides the default decoding so that both a []string and a single string value are accepted.
func (Principals) Validate ¶
func (p Principals) Validate(iam IAMService) error
Validate checks Principals by verifying that each listed user account access key exists.
type Resources ¶
// Resources is the set of resource ARN patterns named by a policy statement
// (map used as a set); see ResourceArnPrefix for the expected prefix.
type Resources map[string]struct{}
func (Resources) ContainsBucketPattern ¶
ContainsBucketPattern reports whether the resources contain a bucket pattern.
func (Resources) ContainsObjectPattern ¶
ContainsObjectPattern reports whether the resources contain an object pattern.
func (*Resources) UnmarshalJSON ¶
UnmarshalJSON overrides the default decoding so that both a []string and a single string value are accepted.
type UpdateAcctFunc ¶
UpdateAcctFunc accepts the current data and returns the new data to be stored