Simplify admin actions calculations on list buckets (#1233)

* Simplify admin actions calculations on list buckets

* adding license to file

portal-ui/src/common/Copyright.tsx

@@ -1,3 +1,19 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 import React from "react";
 import Typography from "@mui/material/Typography";
 import Link from "@mui/material/Link";

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ObjectDetails/ShareFile.tsx

@@ -141,7 +141,9 @@ const ShareFile = ({
       const slDate = new Date(`${selectedDate}`);
       const currDate = new Date();
 
-      const diffDate = Math.ceil((slDate.getTime() - currDate.getTime()) / 1000);
+      const diffDate = Math.ceil(
+        (slDate.getTime() - currDate.getTime()) / 1000
+      );
 
       if (diffDate > 0) {
         api

restapi/admin_remote_buckets.go

@@ -458,7 +458,7 @@ func listExternalBucketsResponse(params user_api.ListExternalBucketsParams) (*mo
 	// create a minioClient interface implementation
 	// defining the client to be used
 	remoteClient := AdminClient{Client: remoteAdmin}
-	buckets, err := getAccountBuckets(ctx, remoteClient)
+	buckets, err := getAccountBuckets(ctx, remoteClient, *params.Body.AccessKey)
 	if err != nil {
 		return nil, prepareError(err)
 	}

restapi/user_buckets.go

@@ -290,43 +290,25 @@ func getBucketVersionedResponse(session *models.Principal, bucketName string) (*
 }
 
 // getAccountBuckets fetches a list of all buckets allowed to that particular client from MinIO Servers
-func getAccountBuckets(ctx context.Context, client MinioAdmin) ([]*models.Bucket, error) {
+func getAccountBuckets(ctx context.Context, client MinioAdmin, accessKey string) ([]*models.Bucket, error) {
 	info, err := client.AccountInfo(ctx)
 	if err != nil {
 		return []*models.Bucket{}, err
 	}
-
 	policyInfo, err := getAccountPolicy(ctx, client)
 	if err != nil {
 		return nil, err
 	}
-
-	bucketsPolicies := map[string]minioIAMPolicy.ActionSet{}
-	for _, statement := range policyInfo.Statements {
-		if statement.Effect == "Allow" {
-			for _, resource := range statement.Resources.ToSlice() {
-				resourceName := resource.String()
-				if actions, ok := bucketsPolicies[resourceName]; ok {
-					mergedActions := append(actions.ToSlice(), statement.Actions.ToSlice()...)
-					bucketsPolicies[resourceName] = minioIAMPolicy.NewActionSet(mergedActions...)
-				} else {
-					bucketsPolicies[resourceName] = statement.Actions
-				}
-			}
-		}
-	}
 	var bucketInfos []*models.Bucket
 	for _, bucket := range info.Buckets {
 		var bucketAdminRole bool
-		bucketNameARN := fmt.Sprintf("arn:aws:s3:::%s/*", bucket.Name)
-		// match bucket name against policy that allows admin actions
-		if bucketPolicyActions, ok := bucketsPolicies[bucketNameARN]; ok {
-			bucketAdminRoleActions := bucketPolicyActions.Intersection(acl.BucketAdminRole)
-			bucketAdminRole = len(bucketAdminRoleActions) > 0
-		} else if bucketPolicyActions, ok := bucketsPolicies["arn:aws:s3:::*"]; ok {
-			bucketAdminRoleActions := bucketPolicyActions.Intersection(acl.BucketAdminRole)
-			bucketAdminRole = len(bucketAdminRoleActions) > 0
+		conditionValues := map[string][]string{
+			condition.AWSUsername.Name(): {accessKey},
 		}
+		bucketActions := policyInfo.IsAllowedActions(bucket.Name, "", conditionValues)
+		bucketAdminRoleActions := bucketActions.Intersection(acl.BucketAdminRole)
+		bucketAdminRole = len(bucketAdminRoleActions) > 0
+
 		bucketElem := &models.Bucket{
 			CreationDate: bucket.Created.Format(time.RFC3339),
 			Details: &models.BucketDetails{
@@ -376,7 +358,7 @@ func getListBucketsResponse(session *models.Principal) (*models.ListBucketsRespo
 	// create a minioClient interface implementation
 	// defining the client to be used
 	adminClient := AdminClient{Client: mAdmin}
-	buckets, err := getAccountBuckets(ctx, adminClient)
+	buckets, err := getAccountBuckets(ctx, adminClient, session.AccountAccessKey)
 	if err != nil {
 		return nil, prepareError(err)
 	}
@@ -486,7 +468,7 @@ func setBucketAccessPolicy(ctx context.Context, client MinioClient, bucketName s
 
 	bucketAccessPolicy := policy.BucketAccessPolicy{Version: minioIAMPolicy.DefaultVersion}
 	bucketAccessPolicy.Statements = policy.SetPolicy(bucketAccessPolicy.Statements,
-		policy.BucketPolicy(bucketPolicy), bucketName, "")
+		bucketPolicy, bucketName, "")
 	// implemented like minio/mc/ s3Client.SetAccess()
 	if len(bucketAccessPolicy.Statements) == 0 {
 		return client.setBucketPolicyWithContext(ctx, bucketName, "")

restapi/user_buckets_test.go

@@ -180,7 +180,7 @@ func TestListBucket(t *testing.T) {
 	// get list buckets response this response should have Name, CreationDate, Size and Access
 	// as part of of each bucket
 	function := "getaAcountUsageInfo()"
-	bucketList, err := getAccountBuckets(ctx, adminClient)
+	bucketList, err := getAccountBuckets(ctx, adminClient, "")
 	if err != nil {
 		t.Errorf("Failed on %s:, error occurred: %s", function, err.Error())
 	}
@@ -197,7 +197,7 @@ func TestListBucket(t *testing.T) {
 	minioAccountInfoMock = func(ctx context.Context) (madmin.AccountInfo, error) {
 		return madmin.AccountInfo{}, errors.New("error")
 	}
-	_, err = getAccountBuckets(ctx, adminClient)
+	_, err = getAccountBuckets(ctx, adminClient, "")
 	if assert.Error(err) {
 		assert.Equal("error", err.Error())
 	}