Returns the given policy's statements after removing the actions/statements that apply to the given bucket name and prefix.
| 343 | // Returns statements containing removed actions/statements for given |
| 344 | // policy, bucket name and prefix. |
| 345 | func removeStatements(statements []Statement, bucketName, prefix string) []Statement { |
| 346 | bucketResource := awsResourcePrefix + bucketName |
| 347 | objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*" |
| 348 | readOnlyInUse, writeOnlyInUse := getInUsePolicy(statements, bucketName, prefix) |
| 349 | |
| 350 | out := []Statement{} |
| 351 | readOnlyBucketStatements := []Statement{} |
| 352 | s3PrefixValues := set.NewStringSet() |
| 353 | |
| 354 | for _, statement := range statements { |
| 355 | if !isValidStatement(statement, bucketName) { |
| 356 | out = append(out, statement) |
| 357 | continue |
| 358 | } |
| 359 | |
| 360 | if statement.Resources.Contains(bucketResource) { |
| 361 | if statement.Conditions != nil { |
| 362 | statement = removeBucketActions(statement, prefix, bucketResource, false, false) |
| 363 | } else { |
| 364 | statement = removeBucketActions(statement, prefix, bucketResource, readOnlyInUse, writeOnlyInUse) |
| 365 | } |
| 366 | } else if statement.Resources.Contains(objectResource) { |
| 367 | statement = removeObjectActions(statement, objectResource) |
| 368 | } |
| 369 | |
| 370 | if !statement.Actions.IsEmpty() { |
| 371 | if statement.Resources.Contains(bucketResource) && |
| 372 | statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) && |
| 373 | statement.Effect == "Allow" && |
| 374 | statement.Principal.AWS.Contains("*") { |
| 375 | if statement.Conditions != nil { |
| 376 | stringEqualsValue := statement.Conditions["StringEquals"] |
| 377 | values := set.NewStringSet() |
| 378 | if stringEqualsValue != nil { |
| 379 | values = stringEqualsValue["s3:prefix"] |
| 380 | if values == nil { |
| 381 | values = set.NewStringSet() |
| 382 | } |
| 383 | } |
| 384 | s3PrefixValues = s3PrefixValues.Union(values.ApplyFunc(func(v string) string { |
| 385 | return bucketResource + "/" + v + "*" |
| 386 | })) |
| 387 | } else if !s3PrefixValues.IsEmpty() { |
| 388 | readOnlyBucketStatements = append(readOnlyBucketStatements, statement) |
| 389 | continue |
| 390 | } |
| 391 | } |
| 392 | out = append(out, statement) |
| 393 | } |
| 394 | } |
| 395 | |
| 396 | skipBucketStatement := true |
| 397 | resourcePrefix := awsResourcePrefix + bucketName + "/" |
| 398 | for _, statement := range out { |
| 399 | if !statement.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() && |
| 400 | s3PrefixValues.Intersection(statement.Resources).IsEmpty() { |
| 401 | skipBucketStatement = false |
| 402 | break |