Fix Browse Bucket for certain Policy (#1587)
fixes #1320 Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
@@ -17,6 +17,7 @@
|
|||||||
import hasPermission from "../accessControl";
|
import hasPermission from "../accessControl";
|
||||||
import { store } from "../../../store";
|
import { store } from "../../../store";
|
||||||
import { SESSION_RESPONSE } from "../../../screens/Console/actions";
|
import { SESSION_RESPONSE } from "../../../screens/Console/actions";
|
||||||
|
import { IAM_PAGES, IAM_PAGES_PERMISSIONS, IAM_SCOPES } from "../permissions";
|
||||||
|
|
||||||
const setPolicy1 = () => {
|
const setPolicy1 = () => {
|
||||||
store.dispatch({
|
store.dispatch({
|
||||||
@@ -52,6 +53,49 @@ const setPolicy1 = () => {
|
|||||||
},
|
},
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
const setPolicy2 = () => {
|
||||||
|
store.dispatch({
|
||||||
|
type: SESSION_RESPONSE,
|
||||||
|
message: {
|
||||||
|
distributedMode: true,
|
||||||
|
operator: false,
|
||||||
|
features: [],
|
||||||
|
permissions: {
|
||||||
|
"arn:aws:s3:::bucket-svc": [
|
||||||
|
"admin:CreateServiceAccount",
|
||||||
|
"s3:GetBucketLocation",
|
||||||
|
"s3:ListBucket",
|
||||||
|
"s3:ListBucketMultipartUploads",
|
||||||
|
"s3:ListMultipartUploadParts",
|
||||||
|
"admin:CreateUser",
|
||||||
|
],
|
||||||
|
"arn:aws:s3:::bucket-svc/prefix1/*": [
|
||||||
|
"admin:CreateUser",
|
||||||
|
"admin:CreateServiceAccount",
|
||||||
|
"s3:GetObject",
|
||||||
|
"s3:PutObject",
|
||||||
|
],
|
||||||
|
"arn:aws:s3:::bucket-svc/prefix1/ini*": [
|
||||||
|
"admin:CreateServiceAccount",
|
||||||
|
"s3:*",
|
||||||
|
"admin:CreateUser",
|
||||||
|
],
|
||||||
|
"arn:aws:s3:::bucket-svc/prefix1/jars*": [
|
||||||
|
"admin:CreateUser",
|
||||||
|
"admin:CreateServiceAccount",
|
||||||
|
"s3:*",
|
||||||
|
],
|
||||||
|
"arn:aws:s3:::bucket-svc/prefix1/logs*": [
|
||||||
|
"admin:CreateUser",
|
||||||
|
"admin:CreateServiceAccount",
|
||||||
|
"s3:*",
|
||||||
|
],
|
||||||
|
"console-ui": ["admin:CreateServiceAccount", "admin:CreateUser"],
|
||||||
|
},
|
||||||
|
status: "ok",
|
||||||
|
},
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
test("Upload button disabled", () => {
|
test("Upload button disabled", () => {
|
||||||
setPolicy1();
|
setPolicy1();
|
||||||
@@ -64,3 +108,18 @@ test("Upload button enabled valid prefix", () => {
|
|||||||
true
|
true
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
test("Can Browse Bucket", () => {
|
||||||
|
setPolicy2();
|
||||||
|
expect(
|
||||||
|
hasPermission(
|
||||||
|
"bucket-svc",
|
||||||
|
IAM_PAGES_PERMISSIONS[IAM_PAGES.BUCKETS_BROWSE_VIEW]
|
||||||
|
)
|
||||||
|
).toBe(true);
|
||||||
|
});
|
||||||
|
|
||||||
|
test("Can List Objects In Bucket", () => {
|
||||||
|
setPolicy2();
|
||||||
|
expect(hasPermission("bucket-svc", [IAM_SCOPES.S3_LIST_BUCKET])).toBe(true);
|
||||||
|
});
|
||||||
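Review bot: The two new tests (`Can Browse Bucket`, `Can List Objects In Bucket`) only pin the allow path; nothing in the hunk asserts that the widened lookup in hasPermission still denies a bucket that is absent from the session grants, which is the regression an access-control change most needs guarded. With the same fixture, `expect(hasPermission("other-bucket", [IAM_SCOPES.S3_LIST_BUCKET])).toBe(false);` after `setPolicy2()` would pin the deny side. Whether `IAM_SCOPES.S3_LIST_BUCKET` resolves to the `"s3:ListBucket"` string placed on `arn:aws:s3:::bucket-svc` is not visible here, so the positive case is presumably relying on that mapping. As a point of style, `setPolicy2` appears to repeat the `store.dispatch({ type: SESSION_RESPONSE, message: { ... } })` scaffolding of `setPolicy1`; a helper that takes only the `permissions` map would keep future fixtures down to the grant table.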
|
|||||||
@@ -82,8 +82,16 @@ const hasPermission = (
|
|||||||
|
|
||||||
const simpleResources = get(sessionGrants, rsItem, []);
|
const simpleResources = get(sessionGrants, rsItem, []);
|
||||||
const s3Resources = get(sessionGrants, `arn:aws:s3:::${rsItem}/*`, []);
|
const s3Resources = get(sessionGrants, `arn:aws:s3:::${rsItem}/*`, []);
|
||||||
|
const bucketOnly = get(sessionGrants, `arn:aws:s3:::${rsItem}/`, []);
|
||||||
|
const bckOnlyNoSlash = get(sessionGrants, `arn:aws:s3:::${rsItem}`, []);
|
||||||
|
|
||||||
resourceGrants = [...simpleResources, ...s3Resources, ...wildcardGrants];
|
resourceGrants = [
|
||||||
|
...simpleResources,
|
||||||
|
...s3Resources,
|
||||||
|
...wildcardGrants,
|
||||||
|
...bucketOnly,
|
||||||
|
...bckOnlyNoSlash,
|
||||||
|
];
|
||||||
|
|
||||||
if (containsResource) {
|
if (containsResource) {
|
||||||
const matchResource = `arn:aws:s3:::${rsItem}`;
|
const matchResource = `arn:aws:s3:::${rsItem}`;
|
||||||
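Review bot: The merged `resourceGrants` list now flattens grants from four resource forms (`rsItem`, `arn:aws:s3:::rsItem/*`, `arn:aws:s3:::rsItem/`, `arn:aws:s3:::rsItem`) into one array, so a scope granted only at object level (`bucket/*`) satisfies a check for a bucket-level action and vice versa; if this is intentionally coarse because the server re-checks the policy, a comment on the `resourceGrants = [` line such as `// Scopes from bucket- and object-level ARNs are pooled; this gates UI only, the server policy check is authoritative.` would stop the next maintainer from treating it as the real enforcement point. The bucket ARN string is also built twice, once for `bckOnlyNoSlash` and again as `matchResource` on the hunk's last line; hoisting it as `const bucketArn = \`arn:aws:s3:::${rsItem}\`;` and using `get(sessionGrants, bucketArn, [])` and `const matchResource = bucketArn;` removes the duplication. If `get` is lodash's, note that it parses `.` in the path string, so a bucket name containing a period only resolves when the exact key exists in `sessionGrants`; worth a comment, since the new lookups extend that pattern. The enclosing `hasPermission` starts and ends outside this hunk.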
|
|||||||