Multiple fixes in resources browsing (#2019)

- Fixed subpaths search & browsing
- Fixed a regression in object browser for object details panel reset
- Added a test for these cases

Signed-off-by: Benjamin Perez <benjamin@bexsoft.net>

Author: bexsoft

.github/workflows/jobs.yaml

@@ -808,6 +808,75 @@ jobs:
         with:
           args: '"chrome:headless" portal-ui/tests/permissions-6/ --skip-js-errors'
 
+  all-permissions-7:
+    name: Permissions Tests Part 7
+    needs:
+      - lint-job
+      - no-warnings-and-make-assets
+      - reuse-golang-dependencies
+      - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go-version: [ 1.17.x ]
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+        id: go
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - uses: actions/cache@v2
+        id: yarn-cache
+        name: Yarn Cache
+        with:
+          path: |
+            ${{ steps.yarn-cache-dir-path.outputs.dir }}
+            ./portal-ui/node_modules/
+            ./portal-ui/build/
+          key: ${{ runner.os }}-yarn-${{ hashFiles('./portal-ui/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - uses: actions/cache@v2
+        id: assets-cache
+        name: Assets Cache
+        with:
+          path: |
+            ./portal-ui/build/
+          key: ${{ runner.os }}-assets-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-assets-
+      - uses: actions/cache@v2
+        name: Go Mod Cache
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+      - name: Build Console on ${{ matrix.os }}
+        env:
+          GO111MODULE: on
+          GOOS: linux
+        run: |
+          make console
+      - name: Start Console, front-end app and initialize users/policies
+        run: |
+          (./console server) & (make initialize-permissions)
+      - name: Run TestCafe Tests
+        timeout-minutes: 5
+        uses: DevExpress/testcafe-action@latest
+        with:
+          args: '"chrome:headless" portal-ui/tests/permissions-7/ --skip-js-errors'
+
   all-operator-tests:
     name: Operator UI Tests
     needs:

portal-ui/package.json

@@ -40,7 +40,7 @@
     "kbar": "^0.1.0-beta.27",
     "local-storage-fallback": "^4.1.1",
     "lodash": "^4.17.21",
-    "minio": "^7.0.26",
+    "minio": "^7.0.28",
     "moment": "^2.29.2",
     "react": "^17.0.2",
     "react-chartjs-2": "^2.9.0",

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjects.tsx

@@ -496,7 +496,7 @@ const ListObjects = ({ match, history }: IListObjectsProps) => {
 
     if (decodedIPaths.endsWith("/") || decodedIPaths === "") {
       dispatch(setObjectDetailsView(false));
-      dispatch(setSelectedObjectView(""));
+      dispatch(setSelectedObjectView(null));
       dispatch(
         setSimplePathHandler(decodedIPaths === "" ? "/" : decodedIPaths)
       );
@@ -1113,7 +1113,7 @@ const ListObjects = ({ match, history }: IListObjectsProps) => {
       elements = elements.filter((element) => element !== value);
     }
     setSelectedObjects(elements);
-    dispatch(setSelectedObjectView(""));
+    dispatch(setSelectedObjectView(null));
 
     return elements;
   };
@@ -1140,7 +1140,7 @@ const ListObjects = ({ match, history }: IListObjectsProps) => {
   }
 
   const selectAllItems = () => {
-    dispatch(setSelectedObjectView(""));
+    dispatch(setSelectedObjectView(null));
 
     if (selectedObjects.length === payload.length) {
       setSelectedObjects([]);
@@ -1171,7 +1171,7 @@ const ListObjects = ({ match, history }: IListObjectsProps) => {
   }
 
   const onClosePanel = (forceRefresh: boolean) => {
-    dispatch(setSelectedObjectView(""));
+    dispatch(setSelectedObjectView(null));
     dispatch(setVersionsModeEnabled({ status: false }));
     if (detailsOpen && selectedInternalPaths !== null) {
       // We change URL to be the contained folder

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ObjectDetailPanel.tsx

@@ -71,7 +71,6 @@ import { displayFileIconName } from "./utils";
 import TagsModal from "../ObjectDetails/TagsModal";
 import InspectObject from "./InspectObject";
 import Loader from "../../../../Common/Loader/Loader";
-import { setErrorSnackMessage } from "../../../../../../systemSlice";
 import {
   makeid,
   storeCallForObjectWithID,
@@ -239,7 +238,7 @@ const ObjectDetailPanel = ({
           dispatch(setLoadingObjectInfo(false));
         })
         .catch((error: ErrorResponseHandler) => {
-          dispatch(setErrorSnackMessage(error));
+          console.error("Error loading object details", error);
           dispatch(setLoadingObjectInfo(false));
         });
     }

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/utils.ts

@@ -194,15 +194,15 @@ export const permissionItems = (
 
     // We split ARN & get the last item to check the URL
     const splitARN = permissionElement.resource.split(":");
-    const url = splitARN.pop() || "";
+    const urlARN = splitARN.pop() || "";
 
     // We split the paths of the URL & compare against current location to see if there are more items to include. In case current level is a wildcard or is the last one, we omit this validation
 
-    const splitURL = url.split("/");
+    const splitURLARN = urlARN.split("/");
 
     // splitURL has more items than bucket name, we can continue validating
-    if (splitURL.length > 1) {
-      splitURL.every((currentElementInPath, index) => {
+    if (splitURLARN.length > 1) {
+      splitURLARN.every((currentElementInPath, index) => {
         // It is a wildcard element. We can stor the verification as value should be included (?)
         if (currentElementInPath === "*") {
           return false;
@@ -240,17 +240,25 @@ export const permissionItems = (
         if (prefixItem !== "") {
           const splitItems = prefixItem.split("/");
 
+          let pathToRouteElements: string[] = [];
+
           splitItems.every((splitElement, index) => {
-            if (!splitElement.includes("*")) {
-              if (splitElement !== splitURL[index]) {
+            if (!splitElement.includes("*") && splitElement !== "") {
+              if (splitElement !== splitCurrentPath[index]) {
                 returnElements.push({
-                  name: `${splitElement}/`,
+                  name: `${pathToRouteElements.join("/")}${
+                    pathToRouteElements.length > 0 ? "/" : ""
+                  }${splitElement}/`,
                   size: 0,
                   last_modified: new Date(),
                   version_id: "",
                 });
                 return false;
               }
+              if (splitElement !== "") {
+                pathToRouteElements.push(splitElement);
+              }
+
               return true;
             }
             return false;

portal-ui/src/screens/Console/ObjectBrowser/objectBrowserSlice.ts

@@ -195,7 +195,7 @@ export const objectBrowserSlice = createSlice({
         ? state.selectedInternalPaths
         : null;
     },
-    setSelectedObjectView: (state, action: PayloadAction<string>) => {
+    setSelectedObjectView: (state, action: PayloadAction<string | null>) => {
       state.selectedInternalPaths = action.payload;
     },
     setSimplePathHandler: (state, action: PayloadAction<string>) => {

portal-ui/tests/constants/timestamp.txt

@@ -1 +1 @@
-1652244779
+1653008276

portal-ui/tests/permissions-7/resourceTesting.ts

@@ -0,0 +1,134 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import * as roles from "../utils/roles";
+import { Selector } from "testcafe";
+import * as functions from "../utils/functions";
+import {
+  cleanUpNamedBucketAndUploads,
+  namedTestBucketBrowseButtonFor,
+} from "../utils/functions";
+
+fixture("Test resources policy").page("http://localhost:9090/");
+
+const bucket1 = "testcondition";
+const test1BucketBrowseButton = namedTestBucketBrowseButtonFor(bucket1);
+export const file = Selector(".ReactVirtualized__Table__rowColumn").withText(
+  "test.txt"
+);
+test
+  .before(async (t) => {
+    await functions.setUpNamedBucket(t, bucket1);
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "firstlevel/test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "firstlevel/secondlevel/test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "firstlevel/secondlevel/thirdlevel/test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+  })(
+    "User can only see permitted files in last path as expected",
+    async (t) => {
+      await t
+        .useRole(roles.conditions2)
+        .navigateTo(`http://localhost:9090/buckets`)
+        .click(test1BucketBrowseButton)
+        .click(
+          Selector(".ReactVirtualized__Table__rowColumn").withText("firstlevel")
+        )
+        .expect(file.exists)
+        .notOk()
+        .click(
+          Selector(".ReactVirtualized__Table__rowColumn").withText(
+            "secondlevel"
+          )
+        )
+        .expect(file.exists)
+        .notOk();
+    }
+  )
+  .after(async (t) => {
+    await functions.cleanUpNamedBucketAndUploads(t, bucket1);
+  });
+
+test
+  .before(async (t) => {
+    await functions.setUpNamedBucket(t, bucket1);
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "firstlevel/test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "firstlevel/secondlevel/test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucket1,
+      "firstlevel/secondlevel/thirdlevel/test.txt",
+      "portal-ui/tests/uploads/test.txt"
+    );
+  })("User can browse from first level as policy has wildcard", async (t) => {
+    await t
+      .useRole(roles.conditions1)
+      .navigateTo(`http://localhost:9090/buckets`)
+      .click(test1BucketBrowseButton)
+      .click(
+        Selector(".ReactVirtualized__Table__rowColumn").withText("firstlevel")
+      )
+      .expect(file.exists)
+      .ok()
+      .click(
+        Selector(".ReactVirtualized__Table__rowColumn").withText("secondlevel")
+      )
+      .expect(file.exists)
+      .ok()
+      .click(
+        Selector(".ReactVirtualized__Table__rowColumn").withText("thirdlevel")
+      )
+      .expect(file.exists)
+      .ok();
+  })
+  .after(async (t) => {
+    await functions.cleanUpNamedBucketAndUploads(t, bucket1);
+  });

portal-ui/tests/policies/conditionsPolicy.json

@@ -0,0 +1,28 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "read-only",
+      "Effect": "Allow",
+      "Action": ["s3:GetBucketLocation"],
+      "Resource": ["arn:aws:s3:::testcondition"]
+    },
+    {
+      "Sid": "read",
+      "Effect": "Allow",
+      "Action": ["s3:GetObject"],
+      "Resource": ["arn:aws:s3:::testcondition/firstlevel/*"]
+    },
+    {
+      "Sid": "statement2",
+      "Effect": "Allow",
+      "Action": ["s3:ListBucket"],
+      "Resource": ["arn:aws:s3:::testcondition"],
+      "Condition": {
+        "StringLike": {
+          "s3:prefix": ["firstlevel/*"]
+        }
+      }
+    }
+  ]
+}

portal-ui/tests/policies/conditionsPolicy2.json

@@ -0,0 +1,28 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "read-only",
+      "Effect": "Allow",
+      "Action": ["s3:GetBucketLocation"],
+      "Resource": ["arn:aws:s3:::testcondition"]
+    },
+    {
+      "Sid": "read",
+      "Effect": "Allow",
+      "Action": ["s3:GetObject"],
+      "Resource": ["arn:aws:s3:::testcondition/firstlevel/*"]
+    },
+    {
+      "Sid": "statement2",
+      "Effect": "Allow",
+      "Action": ["s3:ListBucket"],
+      "Resource": ["arn:aws:s3:::testcondition"],
+      "Condition": {
+        "StringLike": {
+          "s3:prefix": ["firstlevel/secondlevel/thirdlevel/*"]
+        }
+      }
+    }
+  ]
+}