
Function removeStatements

pkg/policy/bucket-policy.go:345–430  ·  view source on GitHub ↗

Returns statements containing removed actions/statements for given policy, bucket name and prefix.

(statements []Statement, bucketName, prefix string)


343// Returns statements containing removed actions/statements for given
344// policy, bucket name and prefix.
345func removeStatements(statements []Statement, bucketName, prefix string) []Statement {
346 bucketResource := awsResourcePrefix + bucketName
347 objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*"
348 readOnlyInUse, writeOnlyInUse := getInUsePolicy(statements, bucketName, prefix)
349
350 out := []Statement{}
351 readOnlyBucketStatements := []Statement{}
352 s3PrefixValues := set.NewStringSet()
353
354 for _, statement := range statements {
355 if !isValidStatement(statement, bucketName) {
356 out = append(out, statement)
357 continue
358 }
359
360 if statement.Resources.Contains(bucketResource) {
361 if statement.Conditions != nil {
362 statement = removeBucketActions(statement, prefix, bucketResource, false, false)
363 } else {
364 statement = removeBucketActions(statement, prefix, bucketResource, readOnlyInUse, writeOnlyInUse)
365 }
366 } else if statement.Resources.Contains(objectResource) {
367 statement = removeObjectActions(statement, objectResource)
368 }
369
370 if !statement.Actions.IsEmpty() {
371 if statement.Resources.Contains(bucketResource) &&
372 statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) &&
373 statement.Effect == "Allow" &&
374 statement.Principal.AWS.Contains("*") {
375 if statement.Conditions != nil {
376 stringEqualsValue := statement.Conditions["StringEquals"]
377 values := set.NewStringSet()
378 if stringEqualsValue != nil {
379 values = stringEqualsValue["s3:prefix"]
380 if values == nil {
381 values = set.NewStringSet()
382 }
383 }
384 s3PrefixValues = s3PrefixValues.Union(values.ApplyFunc(func(v string) string {
385 return bucketResource + "/" + v + "*"
386 }))
387 } else if !s3PrefixValues.IsEmpty() {
388 readOnlyBucketStatements = append(readOnlyBucketStatements, statement)
389 continue
390 }
391 }
392 out = append(out, statement)
393 }
394 }
395
396 skipBucketStatement := true
397 resourcePrefix := awsResourcePrefix + bucketName + "/"
398 for _, statement := range out {
399 if !statement.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() &&
400 s3PrefixValues.Intersection(statement.Resources).IsEmpty() {
401 skipBucketStatement = false
402 break
