{ "s3:PutPublicAccessBlock", s3PutPublicAccessBlock },
{ "s3:PutReplicationConfiguration", s3PutReplicationConfiguration },
{ "s3:RestoreObject", s3RestoreObject },
+ { "s3:DescribeJob", s3DescribeJob },
+ { "s3-object-lambda:GetObject", s3objectlambdaGetObject },
+ { "s3-object-lambda:ListBucket", s3objectlambdaListBucket },
{ "iam:PutUserPolicy", iamPutUserPolicy },
{ "iam:GetUserPolicy", iamGetUserPolicy },
{ "iam:DeleteUserPolicy", iamDeleteUserPolicy },
{ "iam:UpdateAccessKey", iamUpdateAccessKey},
{ "iam:DeleteAccessKey", iamDeleteAccessKey},
{ "iam:ListAccessKeys", iamListAccessKeys},
+ { "iam:GenerateCredentialReport", iamGenerateCredentialReport},
+ { "iam:GenerateServiceLastAccessedDetails", iamGenerateServiceLastAccessedDetails},
+ { "iam:SimulateCustomPolicy", iamSimulateCustomPolicy},
+ { "iam:SimulatePrincipalPolicy", iamSimulatePrincipalPolicy},
{ "sts:AssumeRole", stsAssumeRole},
{ "sts:AssumeRoleWithWebIdentity", stsAssumeRoleWithWebIdentity},
{ "sts:GetSessionToken", stsGetSessionToken},
{ "sns:Publish", snsPublish},
{ "sns:SetTopicAttributes", snsSetTopicAttributes},
{ "sns:CreateTopic", snsCreateTopic},
+ { "sns:ListTopics", snsListTopics},
+ { "organizations:DescribeAccount", organizationsDescribeAccount},
+ { "organizations:DescribeOrganization", organizationsDescribeOrganization},
+ { "organizations:DescribeOrganizationalUnit", organizationsDescribeOrganizationalUnit},
+ { "organizations:DescribePolicy", organizationsDescribePolicy},
+ { "organizations:ListChildren", organizationsListChildren},
+ { "organizations:ListParents", organizationsListParents},
+ { "organizations:ListPoliciesForTarget", organizationsListPoliciesForTarget},
+ { "organizations:ListRoots", organizationsListRoots},
+ { "organizations:ListPolicies", organizationsListPolicies},
+ { "organizations:ListTargetsForPolicy", organizationsListTargetsForPolicy},
};
struct PolicyParser;
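Review bot: Existing policies written with a loose glob such as `s3*` or `*` will now also match the names this hunk adds at L4–L6, L13–L16 and L23–L33, if action strings are glob-matched against this table as the per-service `*All` handling elsewhere in the commit implies; `s3:*` keeps excluding Object Lambda because the literal `s3:` prefix does not match `s3-object-lambda:`. That widening is AWS-consistent but silent for operators, so it deserves a sentence in the commit message or a comment at the head of the table. I also do not see the op-side permission checks for these actions in this chunk, so until they exist an Allow on e.g. `iam:SimulatePrincipalPolicy` sets a bit nothing consumes; a comment such as `// Names below are accepted by the policy parser; enforcement happens only where an op checks the matching Action bit.` would make that explicit. The table this hunk extends begins before L1.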
if ((t->notaction & s3AllValue) == s3AllValue) {
t->notaction[s3All] = 1;
}
+ if ((t->action & s3objectlambdaAllValue) == s3objectlambdaAllValue) {
+ t->action[s3objectlambdaAll] = 1;
+ }
+ if ((t->notaction & s3objectlambdaAllValue) == s3objectlambdaAllValue) {
+ t->notaction[s3objectlambdaAll] = 1;
+ }
if ((t->action & iamAllValue) == iamAllValue) {
t->action[iamAll] = 1;
}
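Review bot: The added Object Lambda block at L39–L44 is another hand copy of the same three-line mask/bit pattern, and each copy has to be audited by eye to confirm that the mask and the `*All` index refer to the same service (a mismatch changes what a policy listing every action of a service expands to). A small helper keeps the pairing in one place: `auto mark_all = [](Action_t& a, const Action_t& mask, std::size_t all) { if ((a & mask) == mask) a[all] = 1; };` followed by `mark_all(t->action, s3objectlambdaAllValue, s3objectlambdaAll);` and `mark_all(t->notaction, s3objectlambdaAllValue, s3objectlambdaAll);`. The same helper would serve the organizations block in the next hunk. The enclosing parser function starts before and ends after this hunk.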
if ((t->notaction & snsAllValue) == snsAllValue) {
t->notaction[snsAll] = 1;
}
+ if ((t->action & organizationsAllValue) == organizationsAllValue) {
+ t->action[organizationsAll] = 1;
+ }
+ if ((t->notaction & organizationsAllValue) == organizationsAllValue) {
+ t->notaction[organizationsAll] = 1;
+ }
}
}
} else if (w->id == TokenID::Resource || w->id == TokenID::NotResource) {
case s3BypassGovernanceRetention:
return "s3:BypassGovernanceRetention";
+ case s3DescribeJob:
+ return "s3:DescribeJob";
+
+ case s3objectlambdaGetObject:
+ return "s3-object-lambda:GetObject";
+
+ case s3objectlambdaListBucket:
+ return "s3-object-lambda:ListBucket";
+
case iamPutUserPolicy:
return "iam:PutUserPolicy";
case iamListAccessKeys:
return "iam:ListAccessKeys";
+ case iamGenerateCredentialReport:
+ return "iam:GenerateCredentialReport";
+
+ case iamGenerateServiceLastAccessedDetails:
+ return "iam:GenerateServiceLastAccessedDetails";
+
+ case iamSimulateCustomPolicy:
+ return "iam:SimulateCustomPolicy";
+
+ case iamSimulatePrincipalPolicy:
+ return "iam:SimulatePrincipalPolicy";
+
case stsAssumeRole:
return "sts:AssumeRole";
case snsCreateTopic:
return "sns:CreateTopic";
+
+ case snsListTopics:
+ return "sns:ListTopics";
+
+ case organizationsDescribeAccount:
+ return "organizations:DescribeAccount";
+
+ case organizationsDescribeOrganization:
+ return "organizations:DescribeOrganization";
+
+ case organizationsDescribeOrganizationalUnit:
+ return "organizations:DescribeOrganizationalUnit";
+
+ case organizationsDescribePolicy:
+ return "organizations:DescribePolicy";
+
+ case organizationsListChildren:
+ return "organizations:ListChildren";
+
+ case organizationsListParents:
+ return "organizations:ListParents";
+
+ case organizationsListPoliciesForTarget:
+ return "organizations:ListPoliciesForTarget";
+
+ case organizationsListRoots:
+ return "organizations:ListRoots";
+
+ case organizationsListPolicies:
+ return "organizations:ListPolicies";
+
+ case organizationsListTargetsForPolicy:
+ return "organizations:ListTargetsForPolicy";
}
return "s3Invalid";
}
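Review bot: The new `s3objectlambdaAll` and `organizationsAll` enumerators get no case in this switch (the added run ends at `organizationsListTargetsForPolicy`, L122–L123), so a statement whose action set has either All bit set will print that bit as `s3Invalid` through the fallthrough at L125 if the caller walks every set bit; whether `s3All` already behaves this way depends on cases above this hunk that I cannot see. Adding `case s3objectlambdaAll: return "s3-object-lambda:*";` and `case organizationsAll: return "organizations:*";` keeps the rendered policy readable. The fallback label is also now misleading for the iam, sns and organizations namespaces; a comment such as `// reached for any bit without a name above, including service-wide *All bits` would at least explain it. The function containing this switch begins before L60.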
s3DeleteBucketPublicAccessBlock,
s3GetBucketEncryption,
s3PutBucketEncryption,
+ s3DescribeJob,
s3All,
+ s3objectlambdaGetObject,
+ s3objectlambdaListBucket,
+ s3objectlambdaAll,
+
iamPutUserPolicy,
iamGetUserPolicy,
iamDeleteUserPolicy,
iamUpdateAccessKey,
iamDeleteAccessKey,
iamListAccessKeys,
+ iamGenerateCredentialReport,
+ iamGenerateServiceLastAccessedDetails,
+ iamSimulateCustomPolicy,
+ iamSimulatePrincipalPolicy,
iamAll,
stsAssumeRole,
snsPublish,
snsSetTopicAttributes,
snsCreateTopic,
+ snsListTopics,
snsAll,
+ organizationsDescribeAccount,
+ organizationsDescribeOrganization,
+ organizationsDescribeOrganizationalUnit,
+ organizationsDescribePolicy,
+ organizationsListChildren,
+ organizationsListParents,
+ organizationsListPoliciesForTarget,
+ organizationsListRoots,
+ organizationsListPolicies,
+ organizationsListTargetsForPolicy,
+ organizationsAll,
+
allCount
};
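Review bot: Inserting `s3objectlambdaGetObject` through `s3objectlambdaAll` between `s3All` and `iamPutUserPolicy` (L132–L134) renumbers every iam, sts and sns enumerator, and appending the organizations run before `allCount` makes `organizationsAll` the last real bit. That is only safe if `Action_t` positions are never persisted or exchanged across versions; policies appear to be re-parsed from their text, but nothing in this chunk confirms that no code encodes the bitset, so please verify. The ordering is also a hard contract for the `*AllValue` masks built from these ranges, so the enum deserves a comment such as `// Actions are grouped per service in contiguous runs, each ending with its <svc>All member; the <svc>AllValue masks in this header are derived from those boundaries, so never reorder or interleave services.`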
static const Action_t None(0);
static const Action_t s3AllValue = set_cont_bits<allCount>(0,s3All);
-static const Action_t iamAllValue = set_cont_bits<allCount>(s3All+1,iamAll);
+static const Action_t s3objectlambdaAllValue = set_cont_bits<allCount>(s3All+1,s3objectlambdaAll);
+static const Action_t iamAllValue = set_cont_bits<allCount>(s3objectlambdaAll+1,iamAll);
static const Action_t stsAllValue = set_cont_bits<allCount>(iamAll+1,stsAll);
-static const Action_t snsAllValue = set_cont_bits<allCount>(stsAll + 1, snsAll);
+static const Action_t snsAllValue = set_cont_bits<allCount>(stsAll+1, snsAll);
+static const Action_t organizationsAllValue = set_cont_bits<allCount>(snsAll+1,organizationsAll);
static const Action_t allValue = set_cont_bits<allCount>(0,allCount);
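Review bot: The mask chain at L170–L175 (`s3All+1`, `s3objectlambdaAll+1`, `iamAll+1`, `stsAll+1`, `snsAll+1`) encodes the enum order by hand, and nothing in this header fails the build if someone reorders services or appends one after `organizationsAll` without extending the chain, which would silently change what `iam:*` or `*` expands to. A compile-time check pins it: `static_assert(s3All < s3objectlambdaAll && s3objectlambdaAll < iamAll && iamAll < stsAll && stsAll < snsAll && snsAll < organizationsAll && organizationsAll + 1 == allCount, "per-service action ranges must stay ordered and contiguous");`. The L173 to L174 change to `snsAllValue` is whitespace only.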
namespace {
using rgw::Partition;
using rgw::IAM::Policy;
using rgw::IAM::s3All;
-using rgw::IAM::s3All;
+using rgw::IAM::s3objectlambdaAll;
using rgw::IAM::s3GetAccelerateConfiguration;
using rgw::IAM::s3GetBucketAcl;
using rgw::IAM::s3GetBucketOwnershipControls;
using rgw::IAM::s3GetBucketObjectLockConfiguration;
using rgw::IAM::s3GetObjectRetention;
using rgw::IAM::s3GetObjectLegalHold;
+using rgw::IAM::s3DescribeJob;
+using rgw::IAM::s3objectlambdaGetObject;
+using rgw::IAM::s3objectlambdaListBucket;
+using rgw::IAM::iamGenerateCredentialReport;
+using rgw::IAM::iamGenerateServiceLastAccessedDetails;
+using rgw::IAM::iamGetUserPolicy;
+using rgw::IAM::iamGetRole;
+using rgw::IAM::iamGetRolePolicy;
+using rgw::IAM::iamGetOIDCProvider;
+using rgw::IAM::iamGetUser;
+using rgw::IAM::iamListUserPolicies;
+using rgw::IAM::iamListRoles;
+using rgw::IAM::iamListRolePolicies;
+using rgw::IAM::iamListOIDCProviders;
+using rgw::IAM::iamListRoleTags;
+using rgw::IAM::iamListUsers;
+using rgw::IAM::iamListAccessKeys;
+using rgw::IAM::iamSimulateCustomPolicy;
+using rgw::IAM::iamSimulatePrincipalPolicy;
+using rgw::IAM::snsGetTopicAttributes;
+using rgw::IAM::snsListTopics;
using rgw::Service;
using rgw::IAM::TokenID;
using rgw::IAM::Version;
using rgw::IAM::iamAll;
using rgw::IAM::stsAll;
using rgw::IAM::snsAll;
+using rgw::IAM::organizationsAll;
using rgw::IAM::allCount;
+using rgw::IAM::s3AllValue;
+using rgw::IAM::s3objectlambdaAllValue;
+using rgw::IAM::iamAllValue;
+using rgw::IAM::stsAllValue;
+using rgw::IAM::snsAllValue;
+using rgw::IAM::organizationsAllValue;
+using rgw::IAM::allValue;
+
class FakeIdentity : public Identity {
const Principal id;
public:
EXPECT_TRUE(p->statements[0].noprinc.empty());
EXPECT_EQ(p->statements[0].effect, Effect::Allow);
Action_t act;
- for (auto i = s3All+1; i <= iamAll; i++)
+ for (auto i = s3objectlambdaAll+1; i <= iamAll; i++)
act[i] = 1;
EXPECT_EQ(p->statements[0].action, act);
EXPECT_EQ(p->statements[0].notaction, None);
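Review bot: The rewritten bound at L233 (`s3objectlambdaAll+1`) makes this `iam:*` expectation depend on the name of whichever service precedes iam in the enum, so the next insertion needs another edit here and a wrong neighbour still passes as long as the enum and the mask agree. Building the expectation from the header's own mask removes that coupling: `Action_t act = iamAllValue; act[iamAll] = 1;` (this assumes `iamAllValue` excludes the `iamAll` bit, which the half-open `set_range_bits(0, allCount)` form in the constants test suggests; confirm before switching). The TEST body starts before L229.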
EXPECT_TRUE(p->statements[0].noprinc.empty());
EXPECT_EQ(p->statements[0].effect, Effect::Allow);
Action_t act;
- for (auto i = 0U; i <= snsAll; i++)
+ for (auto i = 0U; i <= organizationsAll; i++)
act[i] = 1;
EXPECT_EQ(p->statements[0].action, act);
EXPECT_EQ(p->statements[0].notaction, None);
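Review bot: `i <= organizationsAll` at L241 hard-codes the last service into the wildcard expectation; `for (auto i = 0U; i < allCount; i++)` states the property actually under test (`*` sets every bit) and no longer needs editing each time a service is appended. The two forms are equivalent in this commit because `organizationsAll` is the enumerator directly before `allCount`. The TEST body starts before L237.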
return result;
}
-using rgw::IAM::s3AllValue;
-using rgw::IAM::stsAllValue;
-using rgw::IAM::allValue;
-using rgw::IAM::iamAllValue;
TEST(set_cont_bits, iamconsts)
{
EXPECT_EQ(s3AllValue, set_range_bits(0, s3All));
- EXPECT_EQ(iamAllValue, set_range_bits(s3All+1, iamAll));
+ EXPECT_EQ(s3objectlambdaAllValue, set_range_bits(s3All+1, s3objectlambdaAll));
+ EXPECT_EQ(iamAllValue, set_range_bits(s3objectlambdaAll+1, iamAll));
EXPECT_EQ(stsAllValue, set_range_bits(iamAll+1, stsAll));
+ EXPECT_EQ(snsAllValue, set_range_bits(stsAll+1, snsAll));
+ EXPECT_EQ(organizationsAllValue, set_range_bits(snsAll+1, organizationsAll));
EXPECT_EQ(allValue , set_range_bits(0, allCount));
}
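Review bot: The new expectations at L255–L259 compare `set_cont_bits` with `set_range_bits` over the same arguments, so they prove the two helpers agree but cannot catch the enum-ordering mistakes this commit makes possible, such as a service inserted outside its mask's range. A count per mask pins the range to the actions it is meant to cover, e.g. `EXPECT_EQ(s3objectlambdaAllValue.count(), 2u);` and `EXPECT_EQ(organizationsAllValue.count(), 10u);` (counts from the enumerators added at L132–L133 and L153–L162, assuming the half-open range that `set_range_bits(0, allCount)` implies), and a disjointness check such as `EXPECT_TRUE((s3objectlambdaAllValue & (s3AllValue | iamAllValue)).none());` would fail if neighbouring ranges ever overlapped.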