[#282] policy: Use prefixes to distinguish s3/iam actions/resources

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

api/middleware/policy.go

@@ -91,30 +91,41 @@ const (
 )
 
 func determineOperationAndResource(r *http.Request, domains []string) (operation string, resource string) {
-	reqType := noneType
+	var (
+		reqType     ReqType
+		matchDomain bool
+	)
 
-	var matchDomain bool
 	for _, domain := range domains {
-		if ind := strings.Index(r.Host, "."+domain); ind != -1 {
-			matchDomain = true
-			reqType = bucketType
-			resource = r.Host[:ind]
-			trimmedObj := strings.TrimPrefix(r.URL.Path, "/")
-			if trimmedObj != "" {
-				reqType = objectType
-				resource += "/" + trimmedObj
-			}
+		ind := strings.Index(r.Host, "."+domain)
+		if ind == -1 {
+			continue
 		}
+
+		matchDomain = true
+		reqType = bucketType
+		bkt := r.Host[:ind]
+		if obj := strings.TrimPrefix(r.URL.Path, "/"); obj != "" {
+			reqType = objectType
+			resource = fmt.Sprintf(s3.ResourceFormatS3BucketObject, bkt, obj)
+		} else {
+			resource = fmt.Sprintf(s3.ResourceFormatS3Bucket, bkt)
+		}
+
+		break
 	}
 
 	if !matchDomain {
-		resource = strings.TrimPrefix(r.URL.Path, "/")
-		if resource != "" {
-			if arr := strings.Split(resource, "/"); len(arr) == 1 {
-				reqType = bucketType
-			} else {
-				reqType = objectType
+		bktObj := strings.TrimPrefix(r.URL.Path, "/")
+		if ind := strings.IndexByte(bktObj, '/'); ind == -1 {
+			reqType = bucketType
+			resource = fmt.Sprintf(s3.ResourceFormatS3Bucket, bktObj)
+			if bktObj == "" {
+				reqType = noneType
 			}
+		} else {
+			reqType = objectType
+			resource = fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktObj[:ind], bktObj[ind+1:])
 		}
 	}
 
@@ -127,7 +138,7 @@ func determineOperationAndResource(r *http.Request, domains []string) (operation
 		operation = determineGeneralOperation(r)
 	}
 
-	return operation, resource
+	return "s3:" + operation, resource
 }
 
 func determineBucketOperation(r *http.Request) string {