Rename restapi to api (#3176)

Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>

api/policy/policies.go

@@ -0,0 +1,86 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package policy
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+
+	"github.com/minio/madmin-go/v3"
+)
+
+// ReplacePolicyVariables replaces known variables from policies with known values
+func ReplacePolicyVariables(claims map[string]interface{}, accountInfo *madmin.AccountInfo) json.RawMessage {
+	// AWS Variables
+	rawPolicy := bytes.ReplaceAll(accountInfo.Policy, []byte("${aws:username}"), []byte(accountInfo.AccountName))
+	rawPolicy = bytes.ReplaceAll(rawPolicy, []byte("${aws:userid}"), []byte(accountInfo.AccountName))
+	// JWT Variables
+	rawPolicy = replaceJwtVariables(rawPolicy, claims)
+	// LDAP Variables
+	rawPolicy = replaceLDAPVariables(rawPolicy, claims)
+	return rawPolicy
+}
+
+func replaceJwtVariables(rawPolicy []byte, claims map[string]interface{}) json.RawMessage {
+	// list of valid JWT fields we will replace in policy if they are in the response
+	jwtFields := []string{
+		"sub",
+		"iss",
+		"aud",
+		"jti",
+		"upn",
+		"name",
+		"groups",
+		"given_name",
+		"family_name",
+		"middle_name",
+		"nickname",
+		"preferred_username",
+		"profile",
+		"picture",
+		"website",
+		"email",
+		"gender",
+		"birthdate",
+		"phone_number",
+		"address",
+		"scope",
+		"client_id",
+	}
+	// check which fields are in the claims and replace as variable by casting the value to string
+	for _, field := range jwtFields {
+		if val, ok := claims[field]; ok {
+			variable := fmt.Sprintf("${jwt:%s}", field)
+			rawPolicy = bytes.ReplaceAll(rawPolicy, []byte(variable), []byte(fmt.Sprintf("%v", val)))
+		}
+	}
+	return rawPolicy
+}
+
+// ReplacePolicyVariables replaces known variables from policies with known values
+func replaceLDAPVariables(rawPolicy []byte, claims map[string]interface{}) json.RawMessage {
+	// replace ${ldap:user}
+	if val, ok := claims["ldapUser"]; ok {
+		rawPolicy = bytes.ReplaceAll(rawPolicy, []byte("${ldap:user}"), []byte(fmt.Sprintf("%v", val)))
+	}
+	// replace ${ldap:username}
+	if val, ok := claims["ldapUsername"]; ok {
+		rawPolicy = bytes.ReplaceAll(rawPolicy, []byte("${ldap:username}"), []byte(fmt.Sprintf("%v", val)))
+	}
+	return rawPolicy
+}

api/policy/policies_test.go

@@ -0,0 +1,112 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package policy
+
+import (
+	"bytes"
+	"reflect"
+	"testing"
+
+	"github.com/minio/madmin-go/v3"
+	minioIAMPolicy "github.com/minio/pkg/v2/policy"
+)
+
+func TestReplacePolicyVariables(t *testing.T) {
+	type args struct {
+		claims      map[string]interface{}
+		accountInfo *madmin.AccountInfo
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "Bad Policy",
+			args: args{
+				claims: nil,
+				accountInfo: &madmin.AccountInfo{
+					AccountName: "test",
+					Server:      madmin.BackendInfo{},
+					Policy:      []byte(""),
+					Buckets:     nil,
+				},
+			},
+			want:    "",
+			wantErr: true,
+		},
+		{
+			name: "Replace basic AWS",
+			args: args{
+				claims: nil,
+				accountInfo: &madmin.AccountInfo{
+					AccountName: "test",
+					Server:      madmin.BackendInfo{},
+					Policy: []byte(`{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${aws:username}",
+        "arn:aws:s3:::${aws:userid}"
+      ]
+    }
+  ]
+}`),
+					Buckets: nil,
+				},
+			},
+			want: `{
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": [
+                "s3:ListBucket"
+              ],
+              "Resource": [
+                "arn:aws:s3:::test",
+                "arn:aws:s3:::test"
+              ]
+            }
+          ]
+        }`,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := ReplacePolicyVariables(tt.args.claims, tt.args.accountInfo)
+			policy, err := minioIAMPolicy.ParseConfig(bytes.NewReader(got))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ReplacePolicyVariables() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			wantPolicy, err := minioIAMPolicy.ParseConfig(bytes.NewReader([]byte(tt.want)))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ReplacePolicyVariables() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !reflect.DeepEqual(policy, wantPolicy) {
+				t.Errorf("ReplacePolicyVariables() = %s, want %v", got, tt.want)
+			}
+		})
+	}
+}