Version 0.2.1

Changes: Fixed bug with ACL and Policy
2023-07-03 21:55:26 +05:00 · 2023-07-03 21:55:26 +05:00 · a834c2059a
commit a834c2059a
parent 6d805891f2
2 changed files with 49 additions and 9 deletions
--- a/internal/app/app_verification.go
+++ b/internal/app/app_verification.go
@ -36,7 +36,7 @@ func Run(cfg *config.Config) {

 	minioClient, err := minio.New(cfg.S3Endpoint, &minio.Options{
 		Creds:  credentials.NewStaticV4(cfg.S3AccessKeyID, cfg.S3SecretKey, ""),
-		Secure: false,
+		Secure: true,
 	})
 	if err != nil {
 		logger.Fatal("MinioClient", zap.Error(err))
--- a/internal/repository/verification.go
+++ b/internal/repository/verification.go
@ -7,6 +7,7 @@ import (
 	"fmt"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/policy"
+	"github.com/minio/minio-go/v7/pkg/set"
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/bson/primitive"
 	"go.mongodb.org/mongo-driver/mongo"
@ -24,7 +25,7 @@ type VerificationRepository struct {
 }

 const (
-	VerificationBucket     = "verification"
+	VerificationBucket     = "verification1"
 	VerificationCollection = "verification"
 )

@ -43,14 +44,52 @@ func (r *VerificationRepository) Init(ctx context.Context) error {
 	}

 	if !ok {
-		err = r.s3.MakeBucket(ctx, VerificationBucket, minio.MakeBucketOptions{})
+		err = r.s3.MakeBucket(ctx, VerificationBucket, minio.MakeBucketOptions{ObjectLocking: false})
 		if r.err(err) {
 			return err
 		}

-		p := policy.BucketAccessPolicy{Version: "2012-10-17"}
+		policyConsoleStatement := policy.Statement{
+			Actions: set.CreateStringSet("*"),
+			Conditions: policy.ConditionMap{
+				"StringLike": policy.ConditionKeyMap{
+					"aws:referer": set.CreateStringSet(fmt.Sprintf("https://console.cloud.yandex.*/folders/*/storage/buckets/%s*", VerificationBucket)),
+				},
+			},
+			Effect:    "Allow",
+			Principal: policy.User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet(fmt.Sprintf("arn:aws:s3:::%s/*", VerificationBucket),
+				fmt.Sprintf("arn:aws:s3:::%s", VerificationBucket)),
+			Sid: "console-statement",
+		}

-		p.Statements = policy.SetPolicy(p.Statements, policy.BucketPolicyReadOnly, VerificationBucket, "*/*")
+		policyServiceAccount := policy.Statement{
+			Actions:    set.CreateStringSet("*"),
+			Conditions: nil,
+			Effect:     "Allow",
+			Principal:  policy.User{CanonicalUser: set.CreateStringSet("ajelmc4tjbct675tjdh9")},
+			Resources: set.CreateStringSet(fmt.Sprintf("arn:aws:s3:::%s/*", VerificationBucket),
+				fmt.Sprintf("arn:aws:s3:::%s", VerificationBucket)),
+			Sid: "service-account-statement",
+		}
+
+		policySharingBucket := policy.Statement{
+			Actions: set.CreateStringSet("s3:ListBucket", "s3:GetObject"),
+			Conditions: policy.ConditionMap{
+				"StringEquals": policy.ConditionKeyMap{"s3:prefix": set.CreateStringSet("*/*")},
+			},
+			Effect:    "Allow",
+			Principal: policy.User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet(fmt.Sprintf("arn:aws:s3:::%s/*", VerificationBucket),
+				fmt.Sprintf("arn:aws:s3:::%s", VerificationBucket)),
+			Sid: "sharing-bucket",
+		}
+
+		p := policy.BucketAccessPolicy{Version: "2012-10-17", Statements: []policy.Statement{
+			policyConsoleStatement,
+			policyServiceAccount,
+			policySharingBucket,
+		}}

 		outPolicy, err := json.Marshal(&p)
 		if r.err(err) {
@ -61,6 +100,7 @@ func (r *VerificationRepository) Init(ctx context.Context) error {
 		if r.err(err) {
 			return err
 		}
+
 	}

 	return nil
@ -123,7 +163,7 @@ func (r *VerificationRepository) Insert(
 		record.Files = []models.VerificationFiles{
 			{
 				Name: "certificate",
-				Url:  fmt.Sprintf("%s/verification/%s/%s", r.s3.EndpointURL(), userID, certFH.Filename),
+				Url:  fmt.Sprintf("%s/%s/%s/%s", r.s3.EndpointURL(), VerificationBucket, userID, certFH.Filename),
 			},
 		}
 	}
@ -132,15 +172,15 @@ func (r *VerificationRepository) Insert(
 	record.Files = append(record.Files, []models.VerificationFiles{
 		{
 			Name: "inn",
-			Url:  fmt.Sprintf("%s/verification/%s/%s", r.s3.EndpointURL(), userID, innFH.Filename),
+			Url:  fmt.Sprintf("%s/%s/%s/%s", r.s3.EndpointURL(), VerificationBucket, userID, innFH.Filename),
 		},
 		{
 			Name: "rule",
-			Url:  fmt.Sprintf("%s/verification/%s/%s", r.s3.EndpointURL(), userID, ruleFH.Filename),
+			Url:  fmt.Sprintf("%s/%s/%s/%s", r.s3.EndpointURL(), VerificationBucket, userID, ruleFH.Filename),
 		},
 		{
 			Name: "egrule",
-			Url:  fmt.Sprintf("%s/verification/%s/%s", r.s3.EndpointURL(), userID, egruleFH.Filename),
+			Url:  fmt.Sprintf("%s/%s/%s/%s", r.s3.EndpointURL(), VerificationBucket, userID, egruleFH.Filename),
 		},
 	}...)