Documentation ¶
Index ¶
- Constants
- Variables
- func JoinContext(parent PolicyContextVars, this PolicyContextVars) *joinContext
- func MatchesConditions(conditions PolicyConditions, context PolicyContextVars) bool
- func ParseAmzTime(text string) (t time.Time, err error)
- func WildcardMatch[T ~string](rule, obj T) bool
- type Action
- type Authorization
- type BucketFilesystemProvider
- type BucketIterator
- type CommonPrefixes
- type ConditionOperator
- type Contents
- type Credential
- type Error
- type ErrorCode
- type FileIdentityProvider
- type Identity
- type IdentityProvider
- type Keyring
- type ListBucketResult
- type ListBucketResultV2
- type MapContext
- type Method
- type MultiIdentityProvider
- type NullContext
- type Object
- type OptionalList
- type PolicyConditions
- type PolicyContextVars
- type PolicyStatement
- type RequestContext
- func (ctx *RequestContext) CheckAccess(action Action, resource Resource, vars PolicyContextVars) *Error
- func (ctx *RequestContext) Get(k string) (string, bool)
- func (ctx *RequestContext) Header() http.Header
- func (ctx *RequestContext) SendKnownError(err *Error)
- func (ctx *RequestContext) SendPlain(statusCode int) io.Writer
- func (ctx *RequestContext) SendXML(statusCode int, payload any)
- type Resource
- type Server
- func (s *Server) GetBucketLocation(ctx *RequestContext) *Error
- func (s *Server) GetObject(ctx *RequestContext) *Error
- func (s *Server) HeadBucket(ctx *RequestContext) *Error
- func (s *Server) HeadObject(ctx *RequestContext) *Error
- func (s *Server) ListBuckets(ctx *RequestContext) *Error
- func (s *Server) ListObjects(ctx *RequestContext) *Error
- func (s *Server) ListObjectsV2(ctx *RequestContext) *Error
- func (s *Server) ServeHTTP(rw http.ResponseWriter, r *http.Request)
- type ServerOptions
- type SignAWSV4
- func (s SignAWSV4) Sign(r *http.Request, identity *Identity, payload []byte) error
- func (s SignAWSV4) Verify(r *http.Request, provider IdentityProvider) (*Identity, error)
- func (s SignAWSV4) VerifyHeaders(r *http.Request, provider IdentityProvider) (*Identity, error)
- func (s SignAWSV4) VerifyQuery(r *http.Request, provider IdentityProvider) (*Identity, error)
- type Signer
- type SingleBucketFilesystem
- type SubdirBucketFilesystem
Constants ¶
const (
// IdentityUnauthenticatedPublic is a special AccessKeyId for unauthenticated requests.
IdentityUnauthenticatedPublic = ""
)
Variables ¶
var ( AccessDenied = ErrorCode{Code: "AccessDenied", StatusCode: 403} InvalidAccessKeyId = ErrorCode{Code: "InvalidAccessKeyId", StatusCode: 403} SignatureDoesNotMatch = ErrorCode{Code: "SignatureDoesNotMatch", StatusCode: 403} MethodNotAllowed = ErrorCode{Code: "MethodNotAllowed", StatusCode: 405} InvalidRequest = ErrorCode{Code: "InvalidRequest", StatusCode: 400} ExpiredToken = ErrorCode{Code: "ExpiredToken", StatusCode: 400} InvalidArgument = ErrorCode{Code: "InvalidArgument", StatusCode: 400} BadDigest = ErrorCode{Code: "BadDigest", StatusCode: 400} NoSuchKey = ErrorCode{Code: "NoSuchKey", StatusCode: 404} MissingSecurityHeader = ErrorCode{Code: "MissingSecurityHeader", StatusCode: 400} InvalidToken = ErrorCode{Code: "InvalidToken", StatusCode: 400} InvalidObjectState = ErrorCode{Code: "InvalidObjectState", StatusCode: 403} InvalidRange = ErrorCode{Code: "InvalidRange", StatusCode: 416} NoSuchBucket = ErrorCode{Code: "NoSuchBucket", StatusCode: 404} InvalidBucketState = ErrorCode{Code: "InvalidBucketState", StatusCode: 409} InternalError = ErrorCode{Code: "InternalError", StatusCode: 500} MalformedXML = ErrorCode{Code: "MalformedXML", StatusCode: 400} AuthorizationHeaderMalformed = ErrorCode{Code: "AuthorizationHeaderMalformed", StatusCode: 400} InvalidSecurity = ErrorCode{Code: "InvalidSecurity", StatusCode: 403} AccountProblem = ErrorCode{Code: "AccountProblem", StatusCode: 403} )
var ErrMissingAccessKeyId = &Error{ ErrorCode: InvalidAccessKeyId, Message: "The AWS access key ID that you provided does not exist in our records.", }
var PreAuthenticationIdentity = &Identity{ Name: "PreAuthentication", Policy: []*PolicyStatement{ { Deny: true, Resource: []Resource{"*"}, Action: []Action{"*"}, }, }, }
PreAuthenticationIdentity is used in logging as the initial identity given to a new request context. It always denies access to all resources
var (
StatRegistry = prometheus.NewRegistry()
)
Functions ¶
func JoinContext ¶ added in v0.20.0
func JoinContext(parent PolicyContextVars, this PolicyContextVars) *joinContext
func MatchesConditions ¶ added in v0.20.0
func MatchesConditions(conditions PolicyConditions, context PolicyContextVars) bool
func WildcardMatch ¶ added in v0.20.0
Types ¶
type Authorization ¶
type Authorization struct { Credentials Credential SignedHeaders []string Signature []byte // raw decoded hex }
func ParseAuthorizationHeader ¶ added in v0.9.0
func ParseAuthorizationHeader(hdr string) (*Authorization, error)
ParseAuthorizationHeader parses the contents of the given Authorization header. Returns a non-nil *ErrInvalidAuthorizationHeader when an invalid header is given.
func (Authorization) AppendFormat ¶
func (a Authorization) AppendFormat(b []byte) []byte
type BucketFilesystemProvider ¶ added in v0.5.0
type BucketIterator ¶ added in v0.6.0
type BucketIterator struct { IsTruncated bool Continue string // contains filtered or unexported fields }
func NewBucketIterator ¶ added in v0.6.0
func NewBucketIterator(fs fs.FS) *BucketIterator
func (*BucketIterator) CommonPrefixes ¶ added in v0.6.0
func (it *BucketIterator) CommonPrefixes() (prefixes []CommonPrefixes)
func (*BucketIterator) PrefixScan ¶ added in v0.6.0
func (*BucketIterator) Seek ¶ added in v0.6.0
func (it *BucketIterator) Seek(after string)
Seek sets the starting object key to begin seeking during the next PrefixScan. It set, all objects will be discarded until the first occurrence of after.
type CommonPrefixes ¶ added in v0.6.0
type CommonPrefixes struct {
Prefix string
}
type ConditionOperator ¶ added in v0.20.0
type ConditionOperator string
const ( StringEquals ConditionOperator = "StringEquals" StringNotEquals ConditionOperator = "StringNotEquals" StringEqualsIgnoreCase ConditionOperator = "StringEqualsIgnoreCase" StringNotEqualsIgnoreCase ConditionOperator = "StringNotEqualsIgnoreCase" StringLike ConditionOperator = "StringLike" StringNotLike ConditionOperator = "StringNotLike" IpAddress ConditionOperator = "IpAddress" NotIpAddress ConditionOperator = "NotIpAddress" Bool ConditionOperator = "Bool" )
type Credential ¶
type Credential struct { AccessKeyID string Date time.Time Region string Service string Type string }
func ParseCredential ¶
func ParseCredential(value string) (*Credential, error)
func (Credential) AppendFormat ¶
func (c Credential) AppendFormat(b []byte) []byte
type Error ¶
func EvaluatePolicy ¶ added in v0.20.0
func EvaluatePolicy(action Action, resource Resource, policies []*PolicyStatement, context PolicyContextVars) *Error
EvaluatePolicy returns true if the given concrete action and resource applies to any of the given policies. The default action is to deny.
type FileIdentityProvider ¶ added in v0.20.0
type FileIdentityProvider struct {
// contains filtered or unexported fields
}
FileIdentityProvider implements ls3.IdentityProvider by reading from a single JSON file. The file is cached for up to the configured amount of time.
func NewFileIdentityProvider ¶ added in v0.20.0
type Identity ¶ added in v0.20.0
type Identity struct { Name string AccessKeyId string SecretAccessKey string Policy []*PolicyStatement }
type IdentityProvider ¶ added in v0.20.0
type Keyring ¶ added in v0.20.0
Keyring implements IdentityProvider for a static set of identities, where the key is the AccessKeyId.
type ListBucketResult ¶ added in v0.20.0
type ListBucketResultV2 ¶ added in v0.20.0
type ListBucketResultV2 struct { XMLName xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ ListBucketResult"` Name string Prefix string Delimiter string MaxKeys int IsTruncated bool EncodingType string ContinuationToken string NextContinuationToken string StartAfter string Contents []Contents CommonPrefixes []CommonPrefixes }
type MapContext ¶ added in v0.20.0
MapContext implements PolicyContextVars for a map.
type Method ¶
type Method func(ctx *RequestContext) *Error
type MultiIdentityProvider ¶ added in v0.20.0
type MultiIdentityProvider []IdentityProvider
MultiIdentityProvider implements IdentityProvider by trying each provider in order from first to last. If the provider returns InvalidAccessKeyId then MultiIdentityProvider continues to the next identity. If there are no valid identities then ErrMissingAccessKeyId is returned.
type NullContext ¶ added in v0.20.0
type NullContext struct{}
NullContext implements PolicyContextVars but never returns a value
type Object ¶
type Object struct { io.ReadCloser Size int64 Range *http_range.Range LastModified time.Time // ContentType contains the MIME type of the object data. // It is the best guess based on the filetype library. // This is always set, if unknown the MIME type becomes application/octet-stream ContentType string // ETag represents the ETag field of the Object. // It is always empty. ETag string }
type OptionalList ¶ added in v0.20.0
type OptionalList[T any] []T
OptionalList provides JSON unmarshalling for a slice of objects of type T. T may not be itself a list. If the JSON object is a list or 'null', then the contents is assumed to be a list of T, otherwise it is a single T.
func (*OptionalList[T]) UnmarshalJSON ¶ added in v0.20.0
func (l *OptionalList[T]) UnmarshalJSON(b []byte) error
type PolicyConditions ¶ added in v0.20.0
type PolicyConditions map[ConditionOperator]map[string]OptionalList[string]
type PolicyContextVars ¶ added in v0.20.0
type PolicyStatement ¶ added in v0.20.0
type PolicyStatement struct { // Deny marks this policy as an explicit deny. Deny bool // Action one or more actions that this policy applies to. Action OptionalList[Action] // Resource is one or more resources that this policy applies to. Resource OptionalList[Resource] // Condition sets conditions on when this policy applies. Condition PolicyConditions `json:",omitempty"` }
func (*PolicyStatement) AppliesTo ¶ added in v0.20.0
func (p *PolicyStatement) AppliesTo(action Action, resource Resource, context PolicyContextVars) bool
AppliesTo returns true if the given concrete action and resource matches this policy. resource may be empty, in which case this policy applies as long as the action matches.
type RequestContext ¶
type RequestContext struct { *zap.Logger ID uuid.UUID Bucket string Filesystem fs.FS Request *http.Request Identity *Identity // The client IP address RemoteIP net.IP // Is this connection secure Secure bool // contains filtered or unexported fields }
func (*RequestContext) CheckAccess ¶ added in v0.20.0
func (ctx *RequestContext) CheckAccess(action Action, resource Resource, vars PolicyContextVars) *Error
CheckAccess verifies that the current identity has the appropriate permissions to execute the given access for the given resource. vars are additional PolicyContextVars that will be used in the conditional policy evaluation. CheckAccess will first verify that the request meets the global policy, if that succeeds it will then check the identity specific PolicyStatement.
func (*RequestContext) Get ¶ added in v0.20.0
func (ctx *RequestContext) Get(k string) (string, bool)
Get implements PolicyContextVars for this request.
func (*RequestContext) Header ¶
func (ctx *RequestContext) Header() http.Header
func (*RequestContext) SendKnownError ¶
func (ctx *RequestContext) SendKnownError(err *Error)
SendKnownError replies to the caller with a concrete *Error type using the standard Amazon S3 XML error encoding.
func (*RequestContext) SendXML ¶
func (ctx *RequestContext) SendXML(statusCode int, payload any)
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
func NewServer ¶
func NewServer(opts *ServerOptions) *Server
func (*Server) GetBucketLocation ¶
func (s *Server) GetBucketLocation(ctx *RequestContext) *Error
func (*Server) GetObject ¶
func (s *Server) GetObject(ctx *RequestContext) *Error
func (*Server) HeadBucket ¶
func (s *Server) HeadBucket(ctx *RequestContext) *Error
func (*Server) HeadObject ¶
func (s *Server) HeadObject(ctx *RequestContext) *Error
func (*Server) ListBuckets ¶ added in v0.5.0
func (s *Server) ListBuckets(ctx *RequestContext) *Error
func (*Server) ListObjects ¶ added in v0.6.0
func (s *Server) ListObjects(ctx *RequestContext) *Error
func (*Server) ListObjectsV2 ¶
func (s *Server) ListObjectsV2(ctx *RequestContext) *Error
type ServerOptions ¶ added in v0.21.0
type ServerOptions struct { Log *zap.Logger Signer Signer Identity IdentityProvider Filesystem BucketFilesystemProvider Domain string GlobalPolicy []*PolicyStatement ClientIP security.ClientIP ClientTLS security.ClientTLS }
type SignAWSV4 ¶ added in v0.2.0
type SignAWSV4 struct {
// contains filtered or unexported fields
}
func (SignAWSV4) VerifyHeaders ¶ added in v0.9.0
func (SignAWSV4) VerifyQuery ¶ added in v0.9.0
type Signer ¶
type Signer interface { // Sign computes and signs the given HTTP request using the given request payload and Identity. // payload should be the contents of r.Body. Sign(r *http.Request, identity *Identity, payload []byte) error // Verify verifies the authorization and request signature present in the HTTP request. // Verify should return a non-nil error on verification failure, ideally this should contain the underlying type *Error. // If Verify reads data from r.Body, it must ensure that the data can be re-read from r if Verify returns a nil error. // If the request is not signed using the Signer's algorithm then it shall return nil, nil. Verify(r *http.Request, provider IdentityProvider) (*Identity, error) }
A Signer is a type capable of signing and verifying the authorization and request signature present in an HTTP request.
type SingleBucketFilesystem ¶ added in v0.2.0
SingleBucketFilesystem implements BucketFilesystemProvider that always returns the same filesystem for any bucket name provided.
func (*SingleBucketFilesystem) ListBuckets ¶ added in v0.5.0
func (p *SingleBucketFilesystem) ListBuckets() ([]string, error)
ListBuckets always returns the same bucket name. The actual name doesn't matter, as the provider will always return the same filesystem.
type SubdirBucketFilesystem ¶ added in v0.2.0
func (*SubdirBucketFilesystem) ListBuckets ¶ added in v0.5.0
func (p *SubdirBucketFilesystem) ListBuckets() ([]string, error)
ListBuckets returns all subdirectories of the base filesystem.
func (*SubdirBucketFilesystem) Open ¶ added in v0.5.0
func (p *SubdirBucketFilesystem) Open(bucket string) (fs.FS, error)
Open returns a subdirectory of the base filesystem for each bucket. The error NoSuchBucket is returned if fs.Stat of the bucket path returns an error. The error InvalidBucketState is returned if fs.Sub returns an error.
Source Files ¶
- authorization.go
- context.go
- error.go
- fileystem.go
- host.go
- identity.go
- list_objects.go
- object.go
- policy.go
- server.go
- server_get_bucket_location.go
- server_get_object.go
- server_head_bucket.go
- server_head_object.go
- server_list_buckets.go
- server_list_objects.go
- server_list_objects_v2.go
- sign.go
- sign_v4.go
- statistics.go