minio
diff --git a/‎portal-ui/tests/permissions/bucketSpecific.ts
Lines changed: 266 additions & 0 deletions b/‎portal-ui/tests/permissions/bucketSpecific.ts
Lines changed: 266 additions & 0 deletions
diff --git a/‎portal-ui/tests/policies/bucketSpecific.json
Lines changed: 43 additions & 0 deletions b/‎portal-ui/tests/policies/bucketSpecific.json
Lines changed: 43 additions & 0 deletions
diff --git a/‎portal-ui/tests/scripts/common.sh
Lines changed: 3 additions & 0 deletions b/‎portal-ui/tests/scripts/common.sh
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,266 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import * as roles from "../utils/roles";
+import * as elements from "../utils/elements";
+import * as functions from "../utils/functions";
+import { bucketsElement, logoutItem } from "../utils/elements-menu";
+import { namedTestBucketBrowseButtonFor, namedManageButtonFor} from "../utils/functions";
+import { Selector } from "testcafe";
+import * as constants from "../utils/constants";
+
+const TEST_BUCKET_NAME_SPECIFIC = "specific-bucket";
+
+fixture("For user with permissions that only allow specific Buckets").page("http://localhost:9090");
+
+test("Buckets sidebar item exists", async (t) => {
+  const bucketsExist = bucketsElement.with({ boundTestRun: t }).exists;
+  await t.useRole(roles.bucketSpecific).expect(bucketsExist).ok();
+});
+
+// Bucket assign policy tests
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-1`);
+  })("A readonly policy can be assigned to a bucket", async (t) => {
+    await t
+      // We need to log back in after we use the admin account to create bucket,
+      // using the specific role we use in this module
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(namedManageButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-1`))
+      .click(elements.bucketAccessRulesTab)
+      .click(elements.addAccessRuleButton)
+      .typeText(elements.bucketsPrefixInput, "readonlytest")
+      .click(elements.bucketsAccessInput)
+      .click(elements.bucketsAccessReadOnlyInput)
+      .click(elements.saveButton);
+  })
+  .after(async (t) => {
+    // Cleanup created bucket
+    await functions.cleanUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-1`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-2`);
+  })("A writeonly policy can be assigned to a bucket", async (t) => {
+    await t
+      // We need to log back in after we use the admin account to create bucket,
+      // using the specific role we use in this module
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(namedManageButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-2`))
+      .click(elements.bucketAccessRulesTab)
+      .click(elements.addAccessRuleButton)
+      .typeText(elements.bucketsPrefixInput, "writeonlytest")
+      .click(elements.bucketsAccessInput)
+      .click(elements.bucketsAccessWriteOnlyInput)
+      .click(elements.saveButton);
+  })
+  .after(async (t) => {
+    // Cleanup created bucket
+    await functions.cleanUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-2`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-3`);
+  })("A readwrite policy can be assigned to a bucket", async (t) => {
+    await t
+      // We need to log back in after we use the admin account to create bucket,
+      // using the specific role we use in this module
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(namedManageButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-3`))
+      .click(elements.bucketAccessRulesTab)
+      .click(elements.addAccessRuleButton)
+      .typeText(elements.bucketsPrefixInput, "readwritetest")
+      .click(elements.bucketsAccessInput)
+      .click(elements.bucketsAccessReadWriteInput)
+      .click(elements.saveButton);
+  })
+  .after(async (t) => {
+    // Cleanup created bucket
+    await functions.cleanUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-3`);
+  });
+
+// Bucket read tests
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-4`);
+  })("Browse button exists", async (t) => {
+    await new Promise((resolve) => setTimeout(resolve, 2000));
+    await t
+      .useRole(roles.bucketRead)
+      .navigateTo("http://localhost:9090/buckets")
+      .expect(namedTestBucketBrowseButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-4`).exists)
+      .ok();
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-4`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-5`);
+  })("Bucket access is set to R", async (t) => {
+    await new Promise((resolve) => setTimeout(resolve, 2000));
+    await t
+      .useRole(roles.bucketRead)
+      .navigateTo("http://localhost:9090/buckets")
+      .expect(
+        Selector("h1")
+          .withText(`${TEST_BUCKET_NAME_SPECIFIC}-5`)
+          .parent(1)
+          .find("p")
+          .nth(-1).innerText
+      )
+      .eql("Access: R");
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-5`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-6`);
+    await t
+      .useRole(roles.admin)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(namedTestBucketBrowseButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-6`))
+      // Upload object to bucket
+      .setFilesToUpload(elements.uploadInput, "../uploads/test.txt")
+      .click(logoutItem);
+  })("Object list table is enabled", async (t) => {
+    await new Promise((resolve) => setTimeout(resolve, 2000));
+    await t
+      .useRole(roles.bucketRead)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(namedTestBucketBrowseButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-6`))
+      .expect(elements.table.exists)
+      .ok();
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucketAndUploads(t, `${TEST_BUCKET_NAME_SPECIFIC}-6`);
+  });
+
+// Bucket write tests
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-7`);
+  })("Browse button exists", async (t) => {
+    const testBucketBrowseButton = namedTestBucketBrowseButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-7`);
+    await t
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .expect(testBucketBrowseButton.exists)
+      .ok();
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucketAndUploads(t, `${TEST_BUCKET_NAME_SPECIFIC}-7`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-8`);
+  })("Bucket access is set to R/W", async (t) => {
+    await new Promise((resolve) => setTimeout(resolve, 2000));
+    await t
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .expect(
+        Selector("h1")
+          .withText(`${TEST_BUCKET_NAME_SPECIFIC}-8`)
+          .parent(1)
+          .find("p")
+          .nth(-1).innerText
+      )
+      .eql("Access: R/W");
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucketAndUploads(t, `${TEST_BUCKET_NAME_SPECIFIC}-8`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-9`);
+  })("Upload button exists", async (t) => {
+    const uploadExists = elements.uploadButton.exists;
+    const testBucketBrowseButton = namedTestBucketBrowseButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-9`);
+    await t
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(testBucketBrowseButton)
+      .expect(uploadExists)
+      .ok();
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucketAndUploads(t, `${TEST_BUCKET_NAME_SPECIFIC}-9`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-10`);
+  })("Object can be uploaded to a bucket", async (t) => {
+    const testBucketBrowseButton = namedTestBucketBrowseButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-10`);
+    await t
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(testBucketBrowseButton)
+      // Upload object to bucket
+      .setFilesToUpload(elements.uploadInput, "../uploads/test.txt");
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucketAndUploads(t, `${TEST_BUCKET_NAME_SPECIFIC}-10`);
+  });
+
+test
+  .before(async (t) => {
+    // Create a bucket
+    await functions.setUpNamedBucket(t, `${TEST_BUCKET_NAME_SPECIFIC}-11`);
+  })("Object list table is disabled", async (t) => {
+    await t
+      .useRole(roles.bucketSpecific)
+      .navigateTo("http://localhost:9090/buckets")
+      .click(namedTestBucketBrowseButtonFor(`${TEST_BUCKET_NAME_SPECIFIC}-11`))
+      .expect(elements.bucketsTableDisabled.exists)
+      .ok();
+  })
+  .after(async (t) => {
+    // Cleanup created bucket and corresponding uploads
+    await functions.cleanUpNamedBucketAndUploads(t, `${TEST_BUCKET_NAME_SPECIFIC}-11`);
+  });
@@ -0,0 +1,43 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Effect": "Allow",
+          "Action": [
+              "s3:*"
+          ],
+          "Resource": [
+              "arn:aws:s3:::specific-bucket-1/*",
+              "arn:aws:s3:::specific-bucket-2/*",
+              "arn:aws:s3:::specific-bucket-3/*",
+              "arn:aws:s3:::specific-bucket-4/*",
+              "arn:aws:s3:::specific-bucket-5/*",
+              "arn:aws:s3:::specific-bucket-6/*",
+              "arn:aws:s3:::specific-bucket-7/*",
+              "arn:aws:s3:::specific-bucket-8/*",
+              "arn:aws:s3:::specific-bucket-9/*",
+              "arn:aws:s3:::specific-bucket-10/*",
+              "arn:aws:s3:::specific-bucket-11/*"
+          ]
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "s3:CreateBucket"
+          ],
+          "Resource": [
+              "arn:aws:s3:::specific-bucket-1",
+              "arn:aws:s3:::specific-bucket-2",
+              "arn:aws:s3:::specific-bucket-3",
+              "arn:aws:s3:::specific-bucket-4",
+              "arn:aws:s3:::specific-bucket-5",
+              "arn:aws:s3:::specific-bucket-6",
+              "arn:aws:s3:::specific-bucket-7",
+              "arn:aws:s3:::specific-bucket-8",
+              "arn:aws:s3:::specific-bucket-9",
+              "arn:aws:s3:::specific-bucket-10",
+              "arn:aws:s3:::specific-bucket-11"
+          ]
+      }
+  ]
+}
@@ -26,6 +26,7 @@ create_policies() {
   mc admin policy add minio bucketassignpolicy-$TIMESTAMP portal-ui/tests/policies/bucketAssignPolicy.json
   mc admin policy add minio bucketread-$TIMESTAMP portal-ui/tests/policies/bucketRead.json
   mc admin policy add minio bucketwrite-$TIMESTAMP portal-ui/tests/policies/bucketWrite.json
+  mc admin policy add minio bucketspecific-$TIMESTAMP portal-ui/tests/policies/bucketSpecific.json
   mc admin policy add minio dashboard-$TIMESTAMP portal-ui/tests/policies/dashboard.json
   mc admin policy add minio diagnostics-$TIMESTAMP portal-ui/tests/policies/diagnostics.json
   mc admin policy add minio groups-$TIMESTAMP portal-ui/tests/policies/groups.json
@@ -45,6 +46,7 @@ create_users() {
   mc admin user add minio bucketassignpolicy-$TIMESTAMP bucketassignpolicy
   mc admin user add minio bucketread-$TIMESTAMP bucketread
   mc admin user add minio bucketwrite-$TIMESTAMP bucketwrite
+  mc admin user add minio bucketspecific-$TIMESTAMP bucketspecific
   mc admin user add minio dashboard-$TIMESTAMP dashboard
   mc admin user add minio diagnostics-$TIMESTAMP diagnostics
   mc admin user add minio groups-$TIMESTAMP groups1234
@@ -68,6 +70,7 @@ assign_policies() {
   mc admin policy set minio bucketassignpolicy-$TIMESTAMP user=bucketassignpolicy-$TIMESTAMP
   mc admin policy set minio bucketread-$TIMESTAMP user=bucketread-$TIMESTAMP
   mc admin policy set minio bucketwrite-$TIMESTAMP user=bucketwrite-$TIMESTAMP
+  mc admin policy set minio bucketspecific-$TIMESTAMP user=bucketspecific-$TIMESTAMP
   mc admin policy set minio dashboard-$TIMESTAMP user=dashboard-$TIMESTAMP
   mc admin policy set minio diagnostics-$TIMESTAMP user=diagnostics-$TIMESTAMP
   mc admin policy set minio groups-$TIMESTAMP user=groups-$TIMESTAMP