diff --git a/iam/converter_native.go b/iam/converter_native.go
index 982feaa..293d966 100644
--- a/iam/converter_native.go
+++ b/iam/converter_native.go
@@ -11,54 +11,54 @@ import (
 const PropertyKeyFilePath = "FilePath"
 
 var actionToNativeOpMap = map[string][]string{
- s3ActionAbortMultipartUpload: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodHeadObject},
- s3ActionCreateBucket: {native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL},
- s3ActionDeleteBucket: {native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject},
+ s3ActionAbortMultipartUpload: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
+ s3ActionCreateBucket: {native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodPutObject},
+ s3ActionDeleteBucket: {native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodGetObject},
 s3ActionDeleteBucketPolicy: {native.MethodGetContainer},
 s3ActionDeleteObject: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
- s3ActionDeleteObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
+ s3ActionDeleteObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
 s3ActionDeleteObjectVersion: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
- s3ActionDeleteObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
- s3ActionGetBucketACL: {native.MethodGetContainer, native.MethodGetContainerEACL},
+ s3ActionDeleteObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
+ s3ActionGetBucketACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject},
 s3ActionGetBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
 s3ActionGetBucketLocation: {native.MethodGetContainer},
 s3ActionGetBucketNotification: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
- s3ActionGetBucketObjectLockConfiguration: {native.MethodGetContainer},
+ s3ActionGetBucketObjectLockConfiguration: {native.MethodGetContainer, native.MethodGetObject},
 s3ActionGetBucketPolicy: {native.MethodGetContainer},
 s3ActionGetBucketPolicyStatus: {native.MethodGetContainer},
- s3ActionGetBucketTagging: {native.MethodGetContainer},
- s3ActionGetBucketVersioning: {native.MethodGetContainer},
+ s3ActionGetBucketTagging: {native.MethodGetContainer, native.MethodGetObject},
+ s3ActionGetBucketVersioning: {native.MethodGetContainer, native.MethodGetObject},
 s3ActionGetLifecycleConfiguration: { /*not implemented yet*/ },
 s3ActionGetObject: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
 s3ActionGetObjectACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
 s3ActionGetObjectAttributes: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
- s3ActionGetObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject},
- s3ActionGetObjectRetention: {native.MethodGetContainer, native.MethodHeadObject},
- s3ActionGetObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
+ s3ActionGetObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
+ s3ActionGetObjectRetention: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
+ s3ActionGetObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
 s3ActionGetObjectVersion: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
 s3ActionGetObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
 s3ActionGetObjectVersionAttributes: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
- s3ActionGetObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
+ s3ActionGetObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
 s3ActionListAllMyBuckets: {native.MethodListContainers, native.MethodGetContainer},
 s3ActionListBucket: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
- s3ActionListBucketMultipartUploads: {native.MethodGetContainer},
+ s3ActionListBucketMultipartUploads: {native.MethodGetContainer, native.MethodGetObject},
 s3ActionListBucketVersions: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
- s3ActionListMultipartUploadParts: {native.MethodGetContainer},
- s3ActionPutBucketACL: {native.MethodGetContainer, native.MethodSetContainerEACL},
- s3ActionPutBucketCORS: {native.MethodGetContainer},
- s3ActionPutBucketNotification: {native.MethodGetContainer, native.MethodHeadObject, native.MethodDeleteObject, native.MethodHeadObject},
- s3ActionPutBucketObjectLockConfiguration: {native.MethodGetContainer},
+ s3ActionListMultipartUploadParts: {native.MethodGetContainer, native.MethodGetObject},
+ s3ActionPutBucketACL: {native.MethodGetContainer, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodPutObject},
+ s3ActionPutBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
+ s3ActionPutBucketNotification: {native.MethodGetContainer, native.MethodHeadObject, native.MethodDeleteObject, native.MethodGetObject, native.MethodPutObject},
+ s3ActionPutBucketObjectLockConfiguration: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
 s3ActionPutBucketPolicy: {native.MethodGetContainer},
- s3ActionPutBucketTagging: {native.MethodGetContainer},
- s3ActionPutBucketVersioning: {native.MethodGetContainer},
+ s3ActionPutBucketTagging: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
+ s3ActionPutBucketVersioning: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
 s3ActionPutLifecycleConfiguration: { /*not implemented yet*/ },
- s3ActionPutObject: {native.MethodGetContainer, native.MethodPutObject},
+ s3ActionPutObject: {native.MethodGetContainer, native.MethodPutObject, native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject},
 s3ActionPutObjectACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
- s3ActionPutObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject},
- s3ActionPutObjectRetention: {native.MethodGetContainer, native.MethodHeadObject},
- s3ActionPutObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
+ s3ActionPutObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
+ s3ActionPutObjectRetention: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
+ s3ActionPutObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
 s3ActionPutObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
- s3ActionPutObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
+ s3ActionPutObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
 }
 
 var containerNativeOperations = map[string]struct{}{
diff --git a/iam/converter_test.go b/iam/converter_test.go
index bc14a63..4526a75 100644
--- a/iam/converter_test.go
+++ b/iam/converter_test.go
@@ -137,8 +137,9 @@ func TestConverters(t *testing.T) {
 
 expected := &chain.Chain{Rules: []chain.Rule{
 {
- Status: chain.Allow,
- Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodPutObject}},
+ Status: chain.Allow,
+ Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodPutObject,
+ native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject}},
 Resources: chain.Resources{Names: []string{
 fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
 fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName])},
@@ -1459,7 +1460,8 @@ func TestFromActions(t *testing.T) {
 },
 {
 action: "s3:PutObject",
- res: []string{native.MethodGetContainer, native.MethodPutObject},
+ res: []string{native.MethodGetContainer, native.MethodPutObject,
+ native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject},
 },
 {
 action: "s3:Put*",
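Review bot: The widened lists grant native object-data operations to S3 actions that only touch bucket metadata — `s3ActionGetBucketTagging`, `s3ActionGetBucketVersioning` and `s3ActionGetBucketObjectLockConfiguration` now map to `native.MethodGetObject`, and the `PutBucket*` entries to `native.MethodPutObject` — while the converter test in the same commit shows the resulting rule is scoped to every object in the container (`ResourceFormatNamespaceContainerObjects`), not to whatever settings object the gateway presumably reads. A principal whose IAM policy allows only bucket-metadata reads therefore obtains native read access to all object payloads (and write access for the Put variants) wherever the generated chain is enforced; that is a privilege escalation if the chain is also applied to direct native requests, which cannot be confirmed from this diff. If the extra methods exist so the gateway can fetch its own system objects, scope them with a resource or property condition (the `PropertyKeyFilePath` constant at the top of the hunk looks like the hook for that) rather than granting them container-wide, and document the reason on the map, e.g. `// GetObject/PutObject on bucket-level actions: bucket settings are stored as objects in the container, so the gateway needs them even for metadata calls.` `containerNativeOperations` continues outside the hunk.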
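Review bot: The only map expansion pinned by `TestFromActions` is `s3:PutObject`; the more sensitive expansions in the same commit — bucket-metadata actions such as `s3:GetBucketTagging` now yielding `native.MethodGetObject` and `s3:PutBucketTagging` yielding `native.MethodPutObject` — have no case here, so a later tightening or accidental widening of those entries would go unnoticed. Add a case for at least one bucket-metadata Get and one Put action, e.g. `{action: "s3:GetBucketTagging", res: []string{native.MethodGetContainer, native.MethodGetObject}},`. The `s3:Put*` case that follows should be re-checked as well: if its expected list is the union of all Put actions, it changes with this commit too, and the hunk does not show it being updated. `TestFromActions` starts and ends outside the hunk.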