Fix Browse Bucket for certain Policy (#1587)

fixes #1320 Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
2022-02-16 13:20:19 -08:00
parent 031ee35a00
commit 24cf6a3ada
2 changed files with 68 additions and 1 deletions
--- a/portal-ui/src/common/SecureComponent/tests/accessControl.test.ts
+++ b/portal-ui/src/common/SecureComponent/tests/accessControl.test.ts
@@ -17,6 +17,7 @@
 import hasPermission from "../accessControl";
 import { store } from "../../../store";
 import { SESSION_RESPONSE } from "../../../screens/Console/actions";
+import { IAM_PAGES, IAM_PAGES_PERMISSIONS, IAM_SCOPES } from "../permissions";

 const setPolicy1 = () => {
  store.dispatch({
@@ -52,6 +53,49 @@ const setPolicy1 = () => {
    },
  });
 };
+const setPolicy2 = () => {
+  store.dispatch({
+    type: SESSION_RESPONSE,
+    message: {
+      distributedMode: true,
+      operator: false,
+      features: [],
+      permissions: {
+        "arn:aws:s3:::bucket-svc": [
+          "admin:CreateServiceAccount",
+          "s3:GetBucketLocation",
+          "s3:ListBucket",
+          "s3:ListBucketMultipartUploads",
+          "s3:ListMultipartUploadParts",
+          "admin:CreateUser",
+        ],
+        "arn:aws:s3:::bucket-svc/prefix1/*": [
+          "admin:CreateUser",
+          "admin:CreateServiceAccount",
+          "s3:GetObject",
+          "s3:PutObject",
+        ],
+        "arn:aws:s3:::bucket-svc/prefix1/ini*": [
+          "admin:CreateServiceAccount",
+          "s3:*",
+          "admin:CreateUser",
+        ],
+        "arn:aws:s3:::bucket-svc/prefix1/jars*": [
+          "admin:CreateUser",
+          "admin:CreateServiceAccount",
+          "s3:*",
+        ],
+        "arn:aws:s3:::bucket-svc/prefix1/logs*": [
+          "admin:CreateUser",
+          "admin:CreateServiceAccount",
+          "s3:*",
+        ],
+        "console-ui": ["admin:CreateServiceAccount", "admin:CreateUser"],
+      },
+      status: "ok",
+    },
+  });
+};

 test("Upload button disabled", () => {
  setPolicy1();
@@ -64,3 +108,18 @@ test("Upload button enabled valid prefix", () => {
    true
  );
 });
+
+test("Can Browse Bucket", () => {
+  setPolicy2();
+  expect(
+    hasPermission(
+      "bucket-svc",
+      IAM_PAGES_PERMISSIONS[IAM_PAGES.BUCKETS_BROWSE_VIEW]
+    )
+  ).toBe(true);
+});
+
+test("Can List Objects In Bucket", () => {
+  setPolicy2();
+  expect(hasPermission("bucket-svc", [IAM_SCOPES.S3_LIST_BUCKET])).toBe(true);
+});
--- a/portal-ui/src/common/SecureComponent/accessControl.ts
+++ b/portal-ui/src/common/SecureComponent/accessControl.ts
@@ -82,8 +82,16 @@ const hasPermission = (

      const simpleResources = get(sessionGrants, rsItem, []);
      const s3Resources = get(sessionGrants, `arn:aws:s3:::${rsItem}/*`, []);
+      const bucketOnly = get(sessionGrants, `arn:aws:s3:::${rsItem}/`, []);
+      const bckOnlyNoSlash = get(sessionGrants, `arn:aws:s3:::${rsItem}`, []);

-      resourceGrants = [...simpleResources, ...s3Resources, ...wildcardGrants];
+      resourceGrants = [
+        ...simpleResources,
+        ...s3Resources,
+        ...wildcardGrants,
+        ...bucketOnly,
+        ...bckOnlyNoSlash,
+      ];

      if (containsResource) {
        const matchResource = `arn:aws:s3:::${rsItem}`;