use of com.pspace.ifs.ksan.gw.format.Policy in project ksan by infinistor.
the class GWUtils method isPublicPolicyBucket.
public static boolean isPublicPolicyBucket(String policyInfo, S3Parameter s3Parameter) throws GWException {
PublicAccessBlockConfiguration pabc = null;
if (s3Parameter.getBucket() != null && !Strings.isNullOrEmpty(s3Parameter.getBucket().getAccess())) {
try {
pabc = new XmlMapper().readValue(s3Parameter.getBucket().getAccess(), PublicAccessBlockConfiguration.class);
} catch (JsonProcessingException e) {
PrintStack.logging(logger, e);
throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
}
}
boolean effect = false;
if (Strings.isNullOrEmpty(policyInfo)) {
return effect;
}
Policy policy = null;
// read policy
ObjectMapper jsonMapper = new ObjectMapper();
try {
policy = jsonMapper.readValue(policyInfo, Policy.class);
if (policy == null) {
return effect;
}
} catch (JsonMappingException e) {
PrintStack.logging(logger, e);
throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
} catch (JsonProcessingException e) {
PrintStack.logging(logger, e);
throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
}
// check policy - loop statement
for (Statement s : policy.statements) {
boolean effectcheck = false;
// check principal (id)
for (String aws : s.principal.aws) {
if (aws.equals(GWConstants.ASTERISK)) {
if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
}
effectcheck = true;
break;
}
}
// check Resource (object path, bucket path)
for (String resource : s.resources) {
if (resource.equals(GWConstants.ASTERISK)) {
if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
}
effectcheck = true;
break;
}
String[] res = resource.split(GWConstants.COLON, -1);
// all resource check
if (!Strings.isNullOrEmpty(res[5]) && res[5].equals(GWConstants.ASTERISK)) {
if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
}
effectcheck = true;
break;
}
}
boolean conditioncheck = false;
if (s.condition == null) {
conditioncheck = false;
} else {
for (Map.Entry<String, JsonNode> entry : s.condition.getUserExtensions().entries()) {
JsonNode jsonNode = entry.getValue();
if (jsonNode.isObject()) {
Iterator<String> fieldNames = jsonNode.fieldNames();
if (fieldNames.hasNext()) {
// read key
String fieldName = fieldNames.next();
String key = fieldName;
logger.info(GWConstants.LOG_UTILS_KEY, key);
if (key.equals(GWConstants.AWS_SOURCE_ARN)) {
conditioncheck = true;
break;
} else if (key.equals(GWConstants.AWS_SOURCE_VPC)) {
conditioncheck = true;
break;
} else if (key.equals(GWConstants.AWS_SOURCE_VPCE)) {
conditioncheck = true;
break;
} else if (key.equals(GWConstants.AWS_SOURCE_OWNER)) {
conditioncheck = true;
break;
} else if (key.equals(GWConstants.AWS_SOURCE_ACCOUNT)) {
conditioncheck = true;
break;
} else if (key.equals(GWConstants.S3_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID)) {
conditioncheck = true;
break;
} else if (key.equals(GWConstants.S3_DATA_ACCESS_POINT_ARN)) {
conditioncheck = true;
break;
} else if (key.equals(GWConstants.AWS_SOURCE_IP)) {
conditioncheck = true;
break;
}
}
}
}
}
if (s.effect.equals(GWConstants.ALLOW)) {
if (effectcheck == true && conditioncheck == false) {
if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
}
effect = true;
return effect;
}
}
}
return effect;
}
Aggregations