This repository has been archived by the owner on Jan 15, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
policy.go
140 lines (133 loc) · 3.15 KB
/
policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
package awsconsoleauth
import (
"bytes"
"encoding/json"
)
// PolicyRecord represents a single policy record. Each record has a `Name` that
// identifies it and a `Policy` which is the text of the policy record.
type PolicyRecord struct {
Name string
Policy string
}
// PolicyRecords is the ordered list of policy records
var PolicyRecords = []PolicyRecord{
{
Name: "aws-admin",
Policy: mustMinifyJSON(`{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Stmt1",
"Effect": "Allow",
"Action":"*",
"Resource":"*"
}]
}`),
},
{
Name: "aws-users",
Policy: mustMinifyJSON(`{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["iam:List*","iam:Get*","iam:PassRole"],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}`),
},
{
Name: "aws-read-only",
Policy: mustMinifyJSON(`{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:Describe*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudtrail:Describe*",
"cloudtrail:Get*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"dynamodb:Get*",
"dynamodb:BatchGet*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:Describe*",
"dynamodb:List*",
"ec2:Describe*",
"elasticache:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"elastictranscoder:Read*",
"elastictranscoder:List*",
"iam:List*",
"iam:Get*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"route53:Get*",
"route53:List*",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:Get*",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"tag:get*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}`),
},
}
func mustMinifyJSON(input string) string {
output := bytes.NewBuffer(nil)
if err := json.Compact(output, []byte(input)); err != nil {
panic(err)
}
return output.String()
}
// MapUserAndGroupsToPolicy returns the policy for the specified user and
// groups.
//
// This PolicyRecords list is examined in order. For each record here we check
// if the user is a memeber of the corresponding group. If she is, then the
// associated policy is applied.
//
// If no policy matches, this function returns (nil, nil).
func MapUserAndGroupsToPolicy(user string, groups []string) (*PolicyRecord, error) {
groupNames := map[string]struct{}{}
for _, groupName := range groups {
groupNames[groupName] = struct{}{}
}
for _, policyRecord := range PolicyRecords {
_, ok := groupNames[policyRecord.Name]
if !ok {
continue
}
return &policyRecord, nil
}
return nil, nil
}