package shell import ( "context" "encoding/json" "flag" "fmt" "io" "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb" ) func init() { Commands = append(Commands, &commandS3PolicyAttach{}) } type commandS3PolicyAttach struct { } func (c *commandS3PolicyAttach) Name() string { return "s3.policy.attach" } func (c *commandS3PolicyAttach) Help() string { return `attach a policy to an S3 IAM user s3.policy.attach -policy -user The policy must already exist (create it with s3.policy -put). ` } func (c *commandS3PolicyAttach) HasTag(CommandTag) bool { return false } func (c *commandS3PolicyAttach) Do(args []string, commandEnv *CommandEnv, writer io.Writer) error { f := flag.NewFlagSet(c.Name(), flag.ContinueOnError) policy := f.String("policy", "", "policy name") user := f.String("user", "", "user name") if err := f.Parse(args); err != nil { return err } if *policy == "" { return fmt.Errorf("-policy is required") } if *user == "" { return fmt.Errorf("-user is required") } return commandEnv.withIamClient(func(ctx context.Context, client iam_pb.SeaweedIdentityAccessManagementClient) error { // Verify the policy exists _, err := client.GetPolicy(ctx, &iam_pb.GetPolicyRequest{Name: *policy}) if err != nil { return fmt.Errorf("get policy %q: %w", *policy, err) } // Get the user resp, err := client.GetUser(ctx, &iam_pb.GetUserRequest{Username: *user}) if err != nil { return fmt.Errorf("get user %q: %w", *user, err) } if resp.Identity == nil { return fmt.Errorf("user %q returned empty identity", *user) } // Check if already attached for _, p := range resp.Identity.PolicyNames { if p == *policy { return json.NewEncoder(writer).Encode(map[string]string{"policy": *policy, "user": *user}) } } resp.Identity.PolicyNames = append(resp.Identity.PolicyNames, *policy) _, err = client.UpdateUser(ctx, &iam_pb.UpdateUserRequest{ Username: *user, Identity: resp.Identity, }) if err != nil { return err } return json.NewEncoder(writer).Encode(map[string]string{"policy": *policy, "user": *user}) }) }