Fix create bucket and list bucket for wildcard statements in policies (#1589)

Signed-off-by: Daniel Valdivia <[email protected]>

Author: dvaldivia

portal-ui/src/common/SecureComponent/__tests__/accessControl.test.ts

@@ -96,6 +96,25 @@ const setPolicy2 = () => {
     },
   });
 };
+const setPolicy3 = () => {
+  store.dispatch({
+    type: SESSION_RESPONSE,
+    message: {
+      distributedMode: true,
+      features: [],
+      permissions: {
+        "arn:aws:s3:::testbucket-*": [
+          "admin:CreateServiceAccount",
+          "s3:*",
+          "admin:CreateUser",
+        ],
+        "console-ui": ["admin:CreateServiceAccount", "admin:CreateUser"],
+      },
+      status: "ok",
+      operator: false,
+    },
+  });
+};
 
 test("Upload button disabled", () => {
   setPolicy1();
@@ -123,3 +142,18 @@ test("Can List Objects In Bucket", () => {
   setPolicy2();
   expect(hasPermission("bucket-svc", [IAM_SCOPES.S3_LIST_BUCKET])).toBe(true);
 });
+
+test("Can create bucket for policy with a wildcard", () => {
+  setPolicy3();
+  expect(hasPermission("*", [IAM_SCOPES.S3_CREATE_BUCKET])).toBe(true);
+});
+
+test("Can browse a bucket for a policy with a wildcard", () => {
+  setPolicy3();
+  expect(
+    hasPermission(
+      "testbucket-0",
+      IAM_PAGES_PERMISSIONS[IAM_PAGES.BUCKETS_BROWSE_VIEW]
+    )
+  ).toBe(true);
+});

portal-ui/src/common/SecureComponent/accessControl.ts

@@ -53,7 +53,7 @@ const hasPermission = (
 
         const replaceWildcard = wildcardItemSection
           .replace("/", "\\/")
-          .replace("\\/*", "($|(\\/.*?))");
+          .replace("*", "($|\\/?(.*?))");
 
         const inRegExp = new RegExp(`${replaceWildcard}$`, "gm");
 
@@ -105,8 +105,26 @@ const hasPermission = (
     });
   }
 
+  let anyResourceGrant: string[] = [];
+  if (resource === "*") {
+    Object.entries(sessionGrants).forEach(([key, values]) => {
+      scopes.forEach((scope) => {
+        values.forEach((val) => {
+          if (val === scope || val === "s3:*") {
+            anyResourceGrant = [...anyResourceGrant, scope];
+          }
+        });
+      });
+    });
+  }
+
   return hasAccessToResource(
-    [...resourceGrants, ...globalGrants, ...containsResourceGrants],
+    [
+      ...resourceGrants,
+      ...globalGrants,
+      ...containsResourceGrants,
+      ...anyResourceGrant,
+    ],
     scopes,
     matchAll
   );

portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx

@@ -51,6 +51,7 @@ import SearchBox from "../../Common/SearchBox";
 import VirtualizedList from "../../Common/VirtualizedList/VirtualizedList";
 import RBIconButton from "../BucketDetails/SummaryItems/RBIconButton";
 import BulkLifecycleModal from "./BulkLifecycleModal";
+import hasPermission from "../../../../common/SecureComponent/accessControl";
 
 const styles = (theme: Theme) =>
   createStyles({
@@ -200,10 +201,7 @@ const ListBuckets = ({
     return null;
   };
 
-  const createBucketButtonResources: string[] =
-    session && session.permissions
-      ? Array.from(Object.keys(session.permissions)) || []
-      : [];
+  const canCreateBucket = hasPermission("*", [IAM_SCOPES.S3_CREATE_BUCKET]);
 
   return (
     <Fragment>
@@ -293,22 +291,17 @@ const ListBuckets = ({
               variant={"outlined"}
             />
 
-            <SecureComponent
-              scopes={[IAM_SCOPES.S3_CREATE_BUCKET]}
-              resource={createBucketButtonResources}
-              errorProps={{ disabled: true }}
-            >
-              <RBIconButton
-                tooltip={"Create Bucket"}
-                onClick={() => {
-                  history.push("/add-bucket");
-                }}
-                text={"Create Bucket"}
-                icon={<AddIcon />}
-                color={"primary"}
-                variant={"contained"}
-              />
-            </SecureComponent>
+            <RBIconButton
+              tooltip={"Create Bucket"}
+              onClick={() => {
+                history.push("/add-bucket");
+              }}
+              text={"Create Bucket"}
+              icon={<AddIcon />}
+              color={"primary"}
+              variant={"contained"}
+              disabled={!canCreateBucket}
+            />
           </Grid>
         </Grid>
 

portal-ui/src/screens/Console/Console.tsx

@@ -219,14 +219,7 @@ const Console = ({
       component: Buckets,
       path: IAM_PAGES.ADD_BUCKETS,
       customPermissionFnc: () => {
-        const createBucketResources: string[] =
-          session && session.permissions
-            ? Array.from(Object.keys(session.permissions)) || []
-            : [];
-        return hasPermission(
-          createBucketResources,
-          IAM_PAGES_PERMISSIONS[IAM_PAGES.ADD_BUCKETS]
-        );
+        return hasPermission("*", IAM_PAGES_PERMISSIONS[IAM_PAGES.ADD_BUCKETS]);
       },
     },
     {