
  1. /*
  2. * MinIO Go Library for Amazon S3 Compatible Cloud Storage
  3. * Copyright 2018 MinIO, Inc.
  4. *
  5. * Licensed under the Apache License, Version 2.0 (the "License");
  6. * you may not use this file except in compliance with the License.
  7. * You may obtain a copy of the License at
  8. *
  9. * http://www.apache.org/licenses/LICENSE-2.0
  10. *
  11. * Unless required by applicable law or agreed to in writing, software
  12. * distributed under the License is distributed on an "AS IS" BASIS,
  13. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14. * See the License for the specific language governing permissions and
  15. * limitations under the License.
  16. */
  17. package minio
  18. import (
  19. "context"
  20. "encoding/xml"
  21. "net/http"
  22. "net/url"
  23. )
  // Grantee represents the person being granted permissions.
  //
  // ID carries the grantee's canonical user ID and URI names a predefined
  // group; getCannedACL compares URI against the AllUsers and
  // AuthenticatedUsers group URIs and getAmzGrantACL renders the grantee
  // from these fields. DisplayName is informational and is not consulted
  // when the ACL is classified.
  type Grantee struct {
  	XMLName     xml.Name `xml:"Grantee"`
  	ID          string   `xml:"ID"`
  	DisplayName string   `xml:"DisplayName"`
  	URI         string   `xml:"URI"`
  }
  // Grant holds grant information: a single grantee together with the
  // permission granted to it. The permission values this file understands
  // are READ, WRITE, READ_ACP, WRITE_ACP and FULL_CONTROL (see
  // getAmzGrantACL); any other value is ignored by the header mapping.
  type Grant struct {
  	XMLName xml.Name `xml:"Grant"`
  	// No xml tag: encoding/xml matches the <Grantee> child element by the
  	// field name.
  	Grantee    Grantee
  	Permission string `xml:"Permission"`
  }
  // AccessControlList contains the set of grantees and the permissions assigned to each grantee.
  //
  // Grant is populated from the repeated <Grant> child elements, one entry
  // per grant, in document order.
  // NOTE(review): Permission is decoded from a <Permission> child of the list
  // itself and is not read anywhere in this file; confirm whether any
  // server emits it before relying on it.
  type AccessControlList struct {
  	XMLName    xml.Name `xml:"AccessControlList"`
  	Grant      []Grant
  	Permission string `xml:"Permission"`
  }
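  // accessControlPolicy is the decoded <AccessControlPolicy> document returned
  // by the GET ?acl sub-resource: the object owner plus its access control
  // list.
  //
  // Owner and AccessControlList are named fields rather than embedded ones on
  // purpose. encoding/xml treats an anonymous struct field as if its fields
  // were part of the outer struct, so with embedding the decoder would look
  // for the owner's and the grants' elements directly under the root instead
  // of inside <Owner> and <AccessControlList>, and would adopt the embedded
  // type's XMLName as the expected root element name. Named fields make the
  // decoder descend into the child elements as the document is laid out.
  // All in-file accesses already use the qualified form (res.Owner.ID,
  // res.AccessControlList.Grant), so no promoted-field access is lost.
  type accessControlPolicy struct {
  	XMLName           xml.Name `xml:"AccessControlPolicy"`
  	Owner             Owner
  	AccessControlList AccessControlList
  }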
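  // GetObjectACL returns the object's metadata (as from StatObject) augmented
  // with the object's access control list.
  //
  // The ACL is fetched through the "?acl" sub-resource and decoded into an
  // accessControlPolicy. The owner is copied into ObjectInfo.Owner, every
  // grant is appended to ObjectInfo.Grant, and the grant set is summarized
  // in ObjectInfo.Metadata: when the grants resemble a canned ACL the
  // "X-Amz-Acl" header carries its name, otherwise one "X-Amz-Grant-*"
  // header per permission lists the grantees (see getCannedACL and
  // getAmzGrantACL).
  //
  // The ACL and the metadata come from two separate requests, so they may
  // not describe the same version of the object if it is modified in
  // between. Errors from the ACL request (non-200 responses are converted
  // with httpRespToErrorResponse), from XML decoding and from the follow-up
  // statObject call are returned unchanged with a nil *ObjectInfo.
  func (c Client) GetObjectACL(ctx context.Context, bucketName, objectName string) (*ObjectInfo, error) {
  	resp, err := c.executeMethod(ctx, http.MethodGet, requestMetadata{
  		bucketName:  bucketName,
  		objectName:  objectName,
  		queryValues: url.Values{"acl": []string{""}},
  	})
  	if err != nil {
  		return nil, err
  	}
  	// Release the response body on every path, including the error status
  	// path below.
  	defer closeResponse(resp)
  	if resp.StatusCode != http.StatusOK {
  		return nil, httpRespToErrorResponse(resp, bucketName, objectName)
  	}

  	policy := &accessControlPolicy{}
  	if err := xmlDecoder(resp.Body, policy); err != nil {
  		return nil, err
  	}

  	objInfo, err := c.statObject(ctx, bucketName, objectName, StatObjectOptions{})
  	if err != nil {
  		return nil, err
  	}
  	objInfo.Owner.DisplayName = policy.Owner.DisplayName
  	objInfo.Owner.ID = policy.Owner.ID
  	objInfo.Grant = append(objInfo.Grant, policy.AccessControlList.Grant...)

  	// The header writes below index the map directly; make sure a nil
  	// Metadata from statObject cannot turn them into a panic.
  	if objInfo.Metadata == nil {
  		objInfo.Metadata = make(http.Header)
  	}
  	if cannedACL := getCannedACL(policy); cannedACL != "" {
  		objInfo.Metadata.Add("X-Amz-Acl", cannedACL)
  		return &objInfo, nil
  	}
  	// Keys returned by getAmzGrantACL are already in canonical header form.
  	for header, grantees := range getAmzGrantACL(policy) {
  		objInfo.Metadata[header] = grantees
  	}
  	return &objInfo, nil
  }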
  // getCannedACL maps the grants of an ACL policy back onto the S3 canned ACL
  // name they most likely originated from, or returns "" when the grant set
  // does not resemble any canned ACL.
  //
  // The classification is heuristic and keyed on the number of grants:
  //   - 1 grant:  FULL_CONTROL to a grantee without a group URI -> "private"
  //   - 2 grants: READ to AuthenticatedUsers                    -> "authenticated-read"
  //               READ to AllUsers                              -> "public-read"
  //               READ to the policy owner (matching ID)        -> "bucket-owner-read"
  //   - 3 grants: WRITE to AllUsers                             -> "public-read-write"
  //
  // NOTE(review): the checks are loose by design — "private" does not verify
  // that the single grantee is the owner, and the 2- and 3-grant cases look
  // only at the one grant that distinguishes the canned ACL, not at the
  // accompanying grants. Callers that need the exact grant set should read
  // ObjectInfo.Grant instead.
  func getCannedACL(aCPolicy *accessControlPolicy) string {
  	const (
  		allUsers           = "http://acs.amazonaws.com/groups/global/AllUsers"
  		authenticatedUsers = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
  	)
  	grants := aCPolicy.AccessControlList.Grant

  	if len(grants) == 1 {
  		g := grants[0]
  		if g.Permission == "FULL_CONTROL" && g.Grantee.URI == "" {
  			return "private"
  		}
  		return ""
  	}

  	if len(grants) == 2 {
  		// Only READ grants can distinguish the two-grant canned ACLs; the
  		// first grant that matches decides, in document order.
  		for _, g := range grants {
  			if g.Permission != "READ" {
  				continue
  			}
  			switch {
  			case g.Grantee.URI == authenticatedUsers:
  				return "authenticated-read"
  			case g.Grantee.URI == allUsers:
  				return "public-read"
  			case g.Grantee.ID == aCPolicy.Owner.ID:
  				return "bucket-owner-read"
  			}
  		}
  		return ""
  	}

  	if len(grants) == 3 {
  		for _, g := range grants {
  			if g.Permission == "WRITE" && g.Grantee.URI == allUsers {
  				return "public-read-write"
  			}
  		}
  	}
  	return ""
  }
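  // getAmzGrantACL converts the grants of an ACL policy into the X-Amz-Grant-*
  // header form used by S3, grouped by header name, with one grantee
  // specification per grant.
  //
  // A grantee is rendered as "id=<canonical ID>", or as "uri=<group URI>"
  // when the grant names a predefined group rather than an account. Rendering
  // group grants by URI matters for callers inspecting the result: the
  // original "id=" form printed an empty ID for group grantees, so a grant to
  // AllUsers looked like a grant to an unnamed account instead of a public
  // grant. Grants whose permission is none of READ, WRITE, READ_ACP,
  // WRITE_ACP or FULL_CONTROL are skipped. A nil policy yields an empty map.
  func getAmzGrantACL(aCPolicy *accessControlPolicy) map[string][]string {
  	res := map[string][]string{}
  	if aCPolicy == nil {
  		return res
  	}
  	for _, g := range aCPolicy.AccessControlList.Grant {
  		header := grantHeaderName(g.Permission)
  		if header == "" {
  			continue
  		}
  		res[header] = append(res[header], granteeSpec(g.Grantee))
  	}
  	return res
  }

  // grantHeaderName returns the X-Amz-Grant-* header that carries grants of
  // the given S3 permission, or "" for an unrecognized permission.
  func grantHeaderName(permission string) string {
  	switch permission {
  	case "READ":
  		return "X-Amz-Grant-Read"
  	case "WRITE":
  		return "X-Amz-Grant-Write"
  	case "READ_ACP":
  		return "X-Amz-Grant-Read-Acp"
  	case "WRITE_ACP":
  		return "X-Amz-Grant-Write-Acp"
  	case "FULL_CONTROL":
  		return "X-Amz-Grant-Full-Control"
  	}
  	return ""
  }

  // granteeSpec renders a grantee in the key=value form used inside
  // X-Amz-Grant-* headers: "uri=<URI>" for group grantees, "id=<ID>" otherwise.
  func granteeSpec(g Grantee) string {
  	if g.URI != "" {
  		return "uri=" + g.URI
  	}
  	return "id=" + g.ID
  }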