Display temporal paths when a policy has prefixes to allow navigation (#2011)

Signed-off-by: Benjamin Perez <benjamin@bexsoft.net>

Co-authored-by: Benjamin Perez <benjamin@bexsoft.net>
Co-authored-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>

Author: 3 people

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/minio/cli v1.22.0
 	github.com/minio/highwayhash v1.0.2
 	github.com/minio/kes v0.19.2
-	github.com/minio/madmin-go v1.3.13
+	github.com/minio/madmin-go v1.3.14
 	github.com/minio/mc v0.0.0-20220512134321-aa60a8db1e4d
 	github.com/minio/minio-go/v7 v7.0.26
 	github.com/minio/operator v0.0.0-20220414212219-ba4c097324b2

go.sum

@@ -50,9 +50,12 @@ import {
 } from "../../../../Common/FormComponents/common/styleLibrary";
 import { Badge, Typography } from "@mui/material";
 import BrowserBreadcrumbs from "../../../../ObjectBrowser/BrowserBreadcrumbs";
-
-import { download, extensionPreview, sortListObjects } from "../utils";
-
+import {
+  download,
+  extensionPreview,
+  permissionItems,
+  sortListObjects,
+} from "../utils";
 import {
   BucketInfo,
   BucketObjectLocking,
@@ -87,6 +90,7 @@ import ActionsListSection from "./ActionsListSection";
 import { listModeColumns, rewindModeColumns } from "./ListObjectsHelpers";
 import VersionsNavigator from "../ObjectDetails/VersionsNavigator";
 import CheckboxWrapper from "../../../../Common/FormComponents/CheckboxWrapper/CheckboxWrapper";
+
 import {
   setErrorSnackMessage,
   setSnackBarMessage,
@@ -305,6 +309,9 @@ const ListObjects = ({ match, history }: IListObjectsProps) => {
   const bucketInfo = useSelector(
     (state: AppState) => state.buckets.bucketDetails.bucketInfo
   );
+  const allowResources = useSelector(
+    (state: AppState) => state.console.session.allowResources
+  );
 
   const [records, setRecords] = useState<BucketObjectItem[]>([]);
   const [deleteMultipleOpen, setDeleteMultipleOpen] = useState<boolean>(false);
@@ -673,8 +680,19 @@ const ListObjects = ({ match, history }: IListObjectsProps) => {
             }
           })
           .catch((err: ErrorResponseHandler) => {
+            const permitItems = permissionItems(
+              bucketName,
+              pathPrefix,
+              allowResources || []
+            );
+
+            if (!permitItems || permitItems.length === 0) {
+              dispatch(setErrorSnackMessage(err));
+            } else {
+              setRecords(permitItems);
+            }
+
             dispatch(setLoadingObjectsList(false));
-            dispatch(setErrorSnackMessage(err));
           });
       } else {
         dispatch(setLoadingObjectsList(false));
@@ -692,6 +710,7 @@ const ListObjects = ({ match, history }: IListObjectsProps) => {
     showDeleted,
     displayListObjects,
     bucketToRewind,
+    allowResources,
   ]);
 
   // bucket info

models/permission_resource.go

@@ -15,6 +15,7 @@
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import { BucketObjectItem } from "./ListObjects/types";
+import { IAllowResources } from "../../../types";
 
 export const download = (
   bucketName: string,
@@ -161,3 +162,100 @@ export const sortListObjects = (fieldSort: string) => {
         (a.size || -1) - (b.size || -1);
   }
 };
+
+export const permissionItems = (
+  bucketName: string,
+  currentPath: string,
+  permissionsArray: IAllowResources[]
+): BucketObjectItem[] | null => {
+  if (permissionsArray.length === 0) {
+    return null;
+  }
+
+  // We get permissions applied to the current bucket
+  const filteredPermissionsForBucket = permissionsArray.filter(
+    (permissionItem) =>
+      permissionItem.resource.endsWith(`:${bucketName}`) ||
+      permissionItem.resource.includes(`:${bucketName}/`)
+  );
+
+  // No permissions for this bucket. we can throw the error message at this point
+  if (filteredPermissionsForBucket.length === 0) {
+    return null;
+  }
+
+  const returnElements: BucketObjectItem[] = [];
+
+  // We split current path
+  const splitCurrentPath = currentPath.split("/");
+
+  filteredPermissionsForBucket.forEach((permissionElement) => {
+    // We review paths in resource address
+
+    // We split ARN & get the last item to check the URL
+    const splitARN = permissionElement.resource.split(":");
+    const url = splitARN.pop() || "";
+
+    // We split the paths of the URL & compare against current location to see if there are more items to include. In case current level is a wildcard or is the last one, we omit this validation
+
+    const splitURL = url.split("/");
+
+    // splitURL has more items than bucket name, we can continue validating
+    if (splitURL.length > 1) {
+      splitURL.every((currentElementInPath, index) => {
+        // It is a wildcard element. We can stor the verification as value should be included (?)
+        if (currentElementInPath === "*") {
+          return false;
+        }
+
+        // Element is not included in the path. The user is trying to browse something else.
+        if (
+          splitCurrentPath[index] &&
+          splitCurrentPath[index] !== currentElementInPath
+        ) {
+          return false;
+        }
+
+        // This element is not included by index in the current paths list. We add it so user can browse into it
+        if (!splitCurrentPath[index]) {
+          returnElements.push({
+            name: `${currentElementInPath}/`,
+            size: 0,
+            last_modified: new Date(),
+            version_id: "",
+          });
+        }
+
+        return true;
+      });
+    }
+
+    // We review prefixes in allow resources for StringEquals variant only.
+    if (permissionElement.conditionOperator === "StringEquals" || permissionElement.conditionOperator === "StringLike") {
+      permissionElement.prefixes.forEach((prefixItem) => {
+        // Prefix Item is not empty?
+        if (prefixItem !== "") {
+          const splitItems = prefixItem.split("/");
+
+          splitItems.every((splitElement, index) => {
+            if (!splitElement.includes("*")) {
+              if (splitElement !== splitURL[index]) {
+                returnElements.push({
+                  name: `${splitElement}/`,
+                  size: 0,
+                  last_modified: new Date(),
+                  version_id: "",
+                });
+                return false;
+              }
+              return true;
+            }
+            return false;
+          });
+        }
+      });
+    }
+  });
+
+  return returnElements;
+};

models/session_response.go

@@ -28,6 +28,7 @@ const initialState: ConsoleState = {
     features: [],
     distributedMode: false,
     permissions: {},
+    allowResources: null,
   },
 };
 

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjects.tsx

@@ -18,10 +18,17 @@ export interface ISessionPermissions {
   [key: string]: string[];
 }
 
+export interface IAllowResources {
+  conditionOperator: string;
+  prefixes: string[];
+  resource: string;
+}
+
 export interface ISessionResponse {
   status: string;
   features: string[];
   operator: boolean;
   distributedMode: boolean;
   permissions: ISessionPermissions;
+  allowResources: IAllowResources[] | null;
 }