set-json to fail on custom policies without .json (#4745)

minio · Nov 27, 2023 · 5e6ae21 · 5e6ae21
1 parent 2178568
commit 5e6ae21
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/cmd/access-perms.go b/cmd/access-perms.go
@@ -17,7 +17,12 @@
 
 package cmd
 
-import "path/filepath"
+import (
+	"os"
+
+	json "github.com/minio/colorjson"
+	"github.com/minio/minio-go/v7/pkg/policy"
+)
 
 // isValidAccessPERM - is provided access perm string supported.
 func (b accessPerms) isValidAccessPERM() bool {
@@ -29,7 +34,32 @@ func (b accessPerms) isValidAccessPERM() bool {
 }
 
 func (b accessPerms) isValidAccessFile() bool {
-	return filepath.Ext(string(b)) == ".json"
+	file, err := os.Open(string(b))
+	if err != nil {
+		fatalIf(errDummy().Trace(), "Unable to open access file.")
+		return false
+	}
+	defer file.Close()
+
+	var policy policy.BucketAccessPolicy
+	if json.NewDecoder(file).Decode(&policy) != nil {
+		fatalIf(errDummy().Trace(), "Unable to parse access file.")
+		return false
+	}
+
+	if policy.Version != "2012-10-17" {
+		fatalIf(errDummy().Trace(), "Invalid policy version. Only 2012-10-17 is supported.")
+		return false
+	}
+
+	for _, statement := range policy.Statements {
+		if statement.Effect != "Allow" && statement.Effect != "Deny" {
+			fatalIf(errDummy().Trace(), "Invalid policy effect. Only Allow and Deny are supported.")
+			return false
+		}
+	}
+
+	return true
 }
 
 // accessPerms - access level.

diff --git a/cmd/anonymous-main.go b/cmd/anonymous-main.go
@@ -52,7 +52,7 @@ var anonymousCmd = cli.Command{
 
 USAGE:
   {{.HelpName}} [FLAGS] set PERMISSION TARGET
-  {{.HelpName}} [FLAGS] set-json TARGET FILE
+  {{.HelpName}} [FLAGS] set-json FILE TARGET
   {{.HelpName}} [FLAGS] get TARGET
   {{.HelpName}} [FLAGS] get-json TARGET
   {{.HelpName}} [FLAGS] list TARGET