From 8d7cddc20a4d43c746e76483dbc3aa9dea72095a Mon Sep 17 00:00:00 2001
From: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
Date: Wed, 16 Feb 2022 15:58:34 -0800
Subject: [PATCH] Fix create bucket and list bucket for wildcard statements in policies (#1589)
Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
---
 .../__tests__/accessControl.test.ts | 34 +++++++++++++++++++
 .../common/SecureComponent/accessControl.ts | 22 ++++++++++--
 .../Buckets/ListBuckets/ListBuckets.tsx | 33 +++++++-----------
 portal-ui/src/screens/Console/Console.tsx | 9 +----
 4 files changed, 68 insertions(+), 30 deletions(-)
diff --git a/portal-ui/src/common/SecureComponent/__tests__/accessControl.test.ts b/portal-ui/src/common/SecureComponent/__tests__/accessControl.test.ts
index 71095aa0d..399bc70e0 100644
--- a/portal-ui/src/common/SecureComponent/__tests__/accessControl.test.ts
+++ b/portal-ui/src/common/SecureComponent/__tests__/accessControl.test.ts
@@ -96,6 +96,25 @@ const setPolicy2 = () => {
 },
 });
 };
+const setPolicy3 = () => {
+ store.dispatch({
+ type: SESSION_RESPONSE,
+ message: {
+ distributedMode: true,
+ features: [],
+ permissions: {
+ "arn:aws:s3:::testbucket-*": [
+ "admin:CreateServiceAccount",
+ "s3:*",
+ "admin:CreateUser",
+ ],
+ "console-ui": ["admin:CreateServiceAccount", "admin:CreateUser"],
+ },
+ status: "ok",
+ operator: false,
+ },
+ });
+};
 test("Upload button disabled", () => {
 setPolicy1();
@@ -123,3 +142,18 @@ test("Can List Objects In Bucket", () => {
 setPolicy2();
 expect(hasPermission("bucket-svc", [IAM_SCOPES.S3_LIST_BUCKET])).toBe(true);
 });
+
+test("Can create bucket for policy with a wildcard", () => {
+ setPolicy3();
+ expect(hasPermission("*", [IAM_SCOPES.S3_CREATE_BUCKET])).toBe(true);
+});
+
+test("Can browse a bucket for a policy with a wildcard", () => {
+ setPolicy3();
+ expect(
+ hasPermission(
+ "testbucket-0",
+ IAM_PAGES_PERMISSIONS[IAM_PAGES.BUCKETS_BROWSE_VIEW]
+ )
+ ).toBe(true);
+});
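Review bot: The two added tests only exercise the positive path of the wildcard policy in `setPolicy3`; nothing pins that `arn:aws:s3:::testbucket-*` withholds access from a bucket outside the prefix, nor that the bare `s3:*` grant does not satisfy a non-S3 scope when the resource asked about is `"*"`. Since this suite guards the new matching code in accessControl.ts, a negative case such as `expect(hasPermission("otherbucket", IAM_PAGES_PERMISSIONS[IAM_PAGES.BUCKETS_BROWSE_VIEW])).toBe(false);` (constructed sample, expected false if the matcher behaves as intended) would catch an over-broad regex or grant lookup. setPolicy3 also appears to repeat the shape of setPolicy2 whose tail is visible above it; a `setPolicy(permissions)` helper taking only the permissions map would keep the fixtures in one place. The existing tests between the two hunks are outside my view.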
diff --git a/portal-ui/src/common/SecureComponent/accessControl.ts b/portal-ui/src/common/SecureComponent/accessControl.ts
index a6b40910c..e3300ad2c 100644
--- a/portal-ui/src/common/SecureComponent/accessControl.ts
+++ b/portal-ui/src/common/SecureComponent/accessControl.ts
@@ -53,7 +53,7 @@ const hasPermission = (
 const replaceWildcard = wildcardItemSection
 .replace("/", "\\/")
- .replace("\\/*", "($|(\\/.*?))");
+ .replace("*", "($|\\/?(.*?))");
 const inRegExp = new RegExp(`${replaceWildcard}$`, "gm");
@@ -105,8 +105,26 @@ const hasPermission = (
 });
 }
+ let anyResourceGrant: string[] = [];
+ if (resource === "*") {
+ Object.entries(sessionGrants).forEach(([key, values]) => {
+ scopes.forEach((scope) => {
+ values.forEach((val) => {
+ if (val === scope || val === "s3:*") {
+ anyResourceGrant = [...anyResourceGrant, scope];
+ }
+ });
+ });
+ });
+ }
+
 return hasAccessToResource(
- [...resourceGrants, ...globalGrants, ...containsResourceGrants],
+ [
+ ...resourceGrants,
+ ...globalGrants,
+ ...containsResourceGrants,
+ ...anyResourceGrant,
+ ],
 scopes,
 matchAll
 );
diff --git a/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx b/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx
index 4f155eac3..9c2a03572 100644
--- a/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx
+++ b/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx
@@ -51,6 +51,7 @@ import SearchBox from "../../Common/SearchBox";
 import VirtualizedList from "../../Common/VirtualizedList/VirtualizedList";
 import RBIconButton from "../BucketDetails/SummaryItems/RBIconButton";
 import BulkLifecycleModal from "./BulkLifecycleModal";
+import hasPermission from "../../../../common/SecureComponent/accessControl";
 const styles = (theme: Theme) =>
 createStyles({
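Review bot: The new `.replace("*", "($|\\/?(.*?))")` substitutes only the first `*`, because a string pattern replaces a single occurrence, and the preceding context line `.replace("/", "\\/")` likewise escapes only the first `/`; a policy resource with two wildcards, or a prefix with several path segments, therefore yields a regex in which the remaining `*` acts as a quantifier on the preceding token rather than as a wildcard. Nothing escapes the other regex metacharacters that are legal in bucket names (a `.` in a name like `my.bucket-*` matches any character), so the pattern can match more resources than the policy names. Escaping first and using global patterns keeps the intended `*` semantics for every occurrence: `const escaped = wildcardItemSection.replace(/[.+?^${}()|[\]\\]/g, "\\$&");` followed by `const replaceWildcard = escaped.replace(/\//g, "\\/").replace(/\*/g, "($|\\/?(.*?))");`. `hasPermission` starts and ends outside this hunk, so how `inRegExp` is applied, and whether a `^` anchor is added elsewhere, is not visible here.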
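Review bot: In the `resource === "*"` branch the condition `val === scope || val === "s3:*"` lets a bare `s3:*` grant satisfy any requested scope, including `admin:` ones, whenever the caller asks about `"*"`, so a policy granting only `s3:*` on one bucket would presumably make `hasPermission("*", ["admin:CreateUser"])` return true (UI gating only, but it shows controls the server will reject). Restricting the wildcard to its own namespace, `if (val === scope || (val === "s3:*" && scope.startsWith("s3:"))) {`, keeps the shortcut for S3 actions. The destructured `key` is never read, so `Object.values(sessionGrants)` avoids an unused-variable lint, and rebuilding `anyResourceGrant` by spreading inside three nested loops is quadratic where a plain `push` or a `Set<string>` would do. The `"*"` sentinel now appears as a bare literal here and at the new call sites in ListBuckets.tsx and Console.tsx; an exported constant on accessControl.ts would document that contract in one place. `hasPermission` starts before this hunk, so I cannot see whether the `resource` parameter's type admits `"*"` explicitly.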
@@ -200,10 +201,7 @@ const ListBuckets = ({
 return null;
 };
- const createBucketButtonResources: string[] =
- session && session.permissions
- ? Array.from(Object.keys(session.permissions)) || []
- : [];
+ const canCreateBucket = hasPermission("*", [IAM_SCOPES.S3_CREATE_BUCKET]);
 return (
@@ -293,22 +291,17 @@ const ListBuckets = ({ variant={"outlined"} /> - - { - history.push("/add-bucket"); - }} - text={"Create Bucket"} - icon={} - color={"primary"} - variant={"contained"} - /> - + { + history.push("/add-bucket"); + }} + text={"Create Bucket"} + icon={} + color={"primary"} + variant={"contained"} + disabled={!canCreateBucket} + />
diff --git a/portal-ui/src/screens/Console/Console.tsx b/portal-ui/src/screens/Console/Console.tsx
index 6d8bd557e..fdb8d6d9c 100644
--- a/portal-ui/src/screens/Console/Console.tsx
+++ b/portal-ui/src/screens/Console/Console.tsx
@@ -219,14 +219,7 @@ const Console = ({
 component: Buckets,
 path: IAM_PAGES.ADD_BUCKETS,
 customPermissionFnc: () => {
- const createBucketResources: string[] =
- session && session.permissions
- ? Array.from(Object.keys(session.permissions)) || []
- : [];
- return hasPermission(
- createBucketResources,
- IAM_PAGES_PERMISSIONS[IAM_PAGES.ADD_BUCKETS]
- );
+ return hasPermission("*", IAM_PAGES_PERMISSIONS[IAM_PAGES.ADD_BUCKETS]);
 },
 },
 {