Merge branch 'deny_checking' into listbuckets_tooltip_fix

Author: Jillian Inapurapu

portal-ui/src/common/SecureComponent/accessControl.ts

@@ -63,13 +63,12 @@ const hasPermission = (
         }
         return null;
       });
+
       return items.filter((itm) => itm !== null);
     };
-
     resources.forEach((rsItem) => {
       // Validation against inner paths & wildcards
       let wildcardRules = getMatchingWildcards(rsItem);
-
       let wildcardGrants: string[] = [];
 
       wildcardRules.forEach((rule) => {
@@ -78,7 +77,6 @@ const hasPermission = (
           wildcardGrants = [...wildcardGrants, ...wcResources];
         }
       });
-
       let simpleResources = get(sessionGrants, rsItem, []);
       simpleResources = simpleResources || [];
       const s3Resources = get(sessionGrants, `arn:aws:s3:::${rsItem}/*`, []);
@@ -119,7 +117,6 @@ const hasPermission = (
       });
     });
   }
-
   return hasAccessToResource(
     [
       ...resourceGrants,

portal-ui/src/common/SecureComponent/permissions.ts

@@ -27,7 +27,7 @@ export const IAM_SCOPES = {
   S3_GET_BUCKET_POLICY: "s3:GetBucketPolicy",
   S3_PUT_BUCKET_POLICY: "s3:PutBucketPolicy",
   S3_GET_OBJECT: "s3:GetObject",
-  S3_STAR_OBJECT: "s3:*Object",
+  //S3_STAR_OBJECT: "s3:*Object",
   S3_PUT_OBJECT: "s3:PutObject",
   S3_GET_OBJECT_LEGAL_HOLD: "s3:GetObjectLegalHold",
   S3_PUT_OBJECT_LEGAL_HOLD: "s3:PutObjectLegalHold",
@@ -282,7 +282,6 @@ export const IAM_PERMISSIONS = {
     IAM_SCOPES.ADMIN_LIST_USER_POLICIES,
     IAM_SCOPES.ADMIN_LIST_USERS,
     IAM_SCOPES.ADMIN_HEAL,
-    IAM_SCOPES.S3_STAR_BUCKET,
   ],
   [IAM_ROLES.BUCKET_LIFECYCLE]: [
     IAM_SCOPES.S3_GET_LIFECYCLE_CONFIGURATION,
@@ -532,10 +531,6 @@ export const listGroupPermissions = [
 export const deleteBucketPermissions = [
   IAM_SCOPES.S3_DELETE_BUCKET,
   IAM_SCOPES.S3_FORCE_DELETE_BUCKET,
-  IAM_SCOPES.S3_STAR_BUCKET,
 ];
 
-export const browseBucketPermissions = [
-  IAM_SCOPES.S3_LIST_BUCKET,
-  IAM_SCOPES.S3_STAR_BUCKET,
-];
+export const browseBucketPermissions = [IAM_SCOPES.S3_LIST_BUCKET];

portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx

@@ -110,7 +110,6 @@ const BrowserHandler = () => {
     IAM_SCOPES.S3_LIST_BUCKET_VERSIONS,
     IAM_SCOPES.S3_GET_BUCKET_POLICY_STATUS,
     IAM_SCOPES.S3_DELETE_BUCKET_POLICY,
-    IAM_SCOPES.S3_STAR_BUCKET,
   ]);
 
   const searchBar = (

portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx

@@ -217,10 +217,7 @@ const ListBuckets = ({ classes }: IListBucketsProps) => {
     setSelectedBuckets(selectAllBuckets);
   };
 
-  const canCreateBucket = hasPermission("*", [
-    IAM_SCOPES.S3_CREATE_BUCKET,
-    IAM_SCOPES.S3_STAR_BUCKET,
-  ]);
+  const canCreateBucket = hasPermission("*", [IAM_SCOPES.S3_CREATE_BUCKET]);
   const canListBuckets = hasPermission("*", [IAM_SCOPES.S3_LIST_BUCKET]);
 
   return (
@@ -461,10 +458,7 @@ const ListBuckets = ({ classes }: IListBucketsProps) => {
                           </Fragment>
                         )}
                         <SecureComponent
-                          scopes={[
-                            IAM_SCOPES.S3_CREATE_BUCKET,
-                            IAM_SCOPES.S3_STAR_BUCKET,
-                          ]}
+                          scopes={[IAM_SCOPES.S3_CREATE_BUCKET]}
                           resource={CONSOLE_UI_RESOURCE}
                         >
                           <br />

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjects.tsx

@@ -1236,18 +1236,9 @@ const ListObjects = () => {
     uploadPath = uploadPath.concat(currentPath);
   }
 
-  const canDownload = hasPermission(bucketName, [
-    IAM_SCOPES.S3_GET_OBJECT,
-    IAM_SCOPES.S3_STAR_OBJECT,
-  ]);
-  const canDelete = hasPermission(bucketName, [
-    IAM_SCOPES.S3_DELETE_OBJECT,
-    IAM_SCOPES.S3_STAR_OBJECT,
-  ]);
-  const canUpload = hasPermission(uploadPath, [
-    IAM_SCOPES.S3_PUT_OBJECT,
-    IAM_SCOPES.S3_STAR_OBJECT,
-  ]);
+  const canDownload = hasPermission(bucketName, [IAM_SCOPES.S3_GET_OBJECT]);
+  const canDelete = hasPermission(bucketName, [IAM_SCOPES.S3_DELETE_OBJECT]);
+  const canUpload = hasPermission(uploadPath, [IAM_SCOPES.S3_PUT_OBJECT]);
 
   const onClosePanel = (forceRefresh: boolean) => {
     dispatch(setSelectedObjectView(null));

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ObjectDetailPanel.tsx

@@ -430,7 +430,6 @@ const ObjectDetailPanel = ({
   ]);
   const canGetObject = hasPermission(objectResources, [
     IAM_SCOPES.S3_GET_OBJECT,
-    IAM_SCOPES.S3_STAR_OBJECT,
   ]);
   const canDelete = hasPermission(
     [bucketName, currentItem, [bucketName, actualInfo.name].join("/")],

portal-ui/src/screens/Console/Buckets/ListBuckets/UploadFilesButton.tsx

@@ -69,11 +69,10 @@ const UploadFilesButton = ({
 
   const uploadObjectAllowed = hasPermission(uploadPath, [
     IAM_SCOPES.S3_PUT_OBJECT,
-    IAM_SCOPES.S3_STAR_OBJECT,
   ]);
   const uploadFolderAllowed = hasPermission(
     bucketName,
-    [IAM_SCOPES.S3_PUT_OBJECT, IAM_SCOPES.S3_STAR_OBJECT],
+    [IAM_SCOPES.S3_PUT_OBJECT],
     false,
     true
   );

restapi/user_session.go

@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
 	"strconv"
 	"time"
 
@@ -97,12 +98,13 @@ func getSessionResponse(ctx context.Context, session *models.Principal) (*models
 	}
 	erasure := accountInfo.Server.Type == madmin.Erasure
 	rawPolicy := policies.ReplacePolicyVariables(tokenClaims, accountInfo)
+
 	policy, err := minioIAMPolicy.ParseConfig(bytes.NewReader(rawPolicy))
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err, ErrInvalidSession)
 	}
 	currTime := time.Now().UTC()
-
+	fmt.Println("policy=========", policy)
 	customStyles := session.CustomStyleOb
 	// This actions will be global, meaning has to be attached to all resources
 	conditionValues := map[string][]string{
@@ -136,14 +138,14 @@ func getSessionResponse(ctx context.Context, session *models.Principal) (*models
 		// store all claims from sessionToken
 		conditionValues[k] = []string{vstr}
 	}
-
+	fmt.Println("conditionValues=========", conditionValues)
 	defaultActions := policy.IsAllowedActions("", "", conditionValues)
-
+	fmt.Println("defaultActions=========", defaultActions)
 	permissions := map[string]minioIAMPolicy.ActionSet{
 		ConsoleResourceName: defaultActions,
 	}
-	deniedActions := map[string]minioIAMPolicy.ActionSet{}
 
+	deniedActions := map[string]minioIAMPolicy.ActionSet{}
 	var allowResources []*models.PermissionResource
 
 	for _, statement := range policy.Statements {
@@ -220,6 +222,9 @@ func getSessionResponse(ctx context.Context, session *models.Principal) (*models
 			}
 		}
 	}
+	fmt.Println("permissions=================", permissions)
+
+	fmt.Println("deniedActions================", deniedActions)
 	resourcePermissions := map[string][]string{}
 	for key, val := range permissions {
 		var resourceActions []string