// This file is part of MinIO Console Server
// Copyright (c) 2022 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

import "../../../utils/matchMedia";
import hasPermission from "../accessControl";
import { store } from "../../../store";
import { IAM_PAGES, IAM_PAGES_PERMISSIONS, IAM_SCOPES } from "../permissions";
import { saveSessionResponse } from "../../../screens/Console/consoleSlice";

// Unit tests for the front-end `hasPermission` helper. They exercise only
// the client-side policy evaluation that gates UI elements; nothing here
// talks to a server, so server-side enforcement is out of scope for this file.

/** Payload shape accepted by `saveSessionResponse`, derived from the action creator itself. */
type SessionPayload = Parameters<typeof saveSessionResponse>[0];

/**
 * Writes a session into the shared store so that `hasPermission` evaluates
 * against `permissions`. Every scenario in this file uses
 * `distributedMode: true` and `status: "ok"`; only the permission map and
 * the feature list differ.
 *
 * @param permissions map of resource ARN (or the "console-ui" pseudo-resource)
 *   to the action names granted on it
 * @param features session feature flags; empty unless a scenario needs one
 */
const loadSession = (
  permissions: SessionPayload["permissions"],
  features: SessionPayload["features"] = [],
): void => {
  store.dispatch(
    saveSessionResponse({
      distributedMode: true,
      features,
      permissions,
      status: "ok",
    }),
  );
};

/**
 * Scenario 1: bucket "testcafe" is readable everywhere but writable only
 * under the "write/" prefix.
 */
const testcafePermissions: SessionPayload["permissions"] = {
  "arn:aws:s3:::testcafe": [
    "admin:CreateUser",
    "s3:GetBucketLocation",
    "s3:ListBucket",
    "admin:CreateServiceAccount",
  ],
  "arn:aws:s3:::testcafe/*": [
    "admin:CreateServiceAccount",
    "admin:CreateUser",
    "s3:GetObject",
    "s3:ListBucket",
  ],
  "arn:aws:s3:::testcafe/write/*": [
    "admin:CreateServiceAccount",
    "admin:CreateUser",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:ListBucket",
  ],
  "console-ui": ["admin:CreateServiceAccount", "admin:CreateUser"],
};

/**
 * Scenario 2: bucket "bucket-svc" with listing rights on the bucket itself
 * and object rights scoped to "prefix1/" and several wildcard sub-prefixes.
 */
const bucketSvcPermissions: SessionPayload["permissions"] = {
  "arn:aws:s3:::bucket-svc": [
    "admin:CreateServiceAccount",
    "s3:GetBucketLocation",
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts",
    "admin:CreateUser",
  ],
  "arn:aws:s3:::bucket-svc/prefix1/*": [
    "admin:CreateUser",
    "admin:CreateServiceAccount",
    "s3:GetObject",
    "s3:PutObject",
  ],
  "arn:aws:s3:::bucket-svc/prefix1/ini*": [
    "admin:CreateServiceAccount",
    "s3:*",
    "admin:CreateUser",
  ],
  "arn:aws:s3:::bucket-svc/prefix1/jars*": [
    "admin:CreateUser",
    "admin:CreateServiceAccount",
    "s3:*",
  ],
  "arn:aws:s3:::bucket-svc/prefix1/logs*": [
    "admin:CreateUser",
    "admin:CreateServiceAccount",
    "s3:*",
  ],
  "console-ui": ["admin:CreateServiceAccount", "admin:CreateUser"],
};

/** Scenario 3: "s3:*" on every bucket whose name matches "testbucket-*". */
const wildcardBucketPermissions: SessionPayload["permissions"] = {
  "arn:aws:s3:::testbucket-*": [
    "admin:CreateServiceAccount",
    "s3:*",
    "admin:CreateUser",
  ],
  "console-ui": ["admin:CreateServiceAccount", "admin:CreateUser"],
};

/**
 * Scenario 4: bucket "test" is list-only, with full "s3:*" rights granted
 * solely to objects under the "digitalinsights/xref_cust_guid_actd" prefix.
 * Used to check that a prefix wildcard does not leak into sibling paths.
 */
const prefixScopedPermissions: SessionPayload["permissions"] = {
  "arn:aws:s3:::test/*": ["s3:ListBucket"],
  "arn:aws:s3:::test": ["s3:GetBucketLocation"],
  "arn:aws:s3:::test/digitalinsights/xref_cust_guid_actd*": ["s3:*"],
};

/** Action set the object browser page requires, as declared in permissions.ts. */
const objectBrowserActions = IAM_PAGES_PERMISSIONS[IAM_PAGES.OBJECT_BROWSER_VIEW];

test("Upload button disabled", () => {
  loadSession(testcafePermissions, ["log-search"]);
  // No PutObject is granted at the bucket root.
  const canUpload = hasPermission("testcafe", ["s3:PutObject"]);
  expect(canUpload).toBe(false);
});

test("Upload button enabled valid prefix", () => {
  loadSession(testcafePermissions, ["log-search"]);
  // The trailing `false, true` arguments are forwarded unchanged; their
  // meaning is defined by hasPermission in accessControl.
  const canUploadUnderWrite = hasPermission(
    "testcafe/write",
    ["s3:PutObject"],
    false,
    true,
  );
  expect(canUploadUnderWrite).toBe(true);
});

test("Can Browse Bucket", () => {
  loadSession(bucketSvcPermissions);
  expect(hasPermission("bucket-svc", objectBrowserActions)).toBe(true);
});

test("Can List Objects In Bucket", () => {
  loadSession(bucketSvcPermissions);
  const canList = hasPermission("bucket-svc", [IAM_SCOPES.S3_LIST_BUCKET]);
  expect(canList).toBe(true);
});

test("Can create bucket for policy with a wildcard", () => {
  loadSession(wildcardBucketPermissions);
  const canCreate = hasPermission("*", [IAM_SCOPES.S3_CREATE_BUCKET]);
  expect(canCreate).toBe(true);
});

test("Can browse a bucket for a policy with a wildcard", () => {
  loadSession(wildcardBucketPermissions);
  expect(hasPermission("testbucket-0", objectBrowserActions)).toBe(true);
});

test("Can delete an object inside a bucket prefix", () => {
  loadSession(prefixScopedPermissions);
  // Both the bare object name and its full path are passed, as in the
  // original scenario; the path falls under the "s3:*" prefix grant.
  const resources = [
    "xref_cust_guid_actd-v1.jpg",
    "test/digitalinsights/xref_cust_guid_actd-v1.jpg",
  ];
  expect(hasPermission(resources, [IAM_SCOPES.S3_DELETE_OBJECT])).toBe(true);
});

test("Can't delete an object inside a bucket prefix", () => {
  loadSession(prefixScopedPermissions);
  // Negative case: the same object name directly under "test/" sits outside
  // the "digitalinsights/xref_cust_guid_actd*" grant and must be denied.
  const resources = [
    "xref_cust_guid_actd-v1.jpg",
    "test/xref_cust_guid_actd-v1.jpg",
  ];
  expect(hasPermission(resources, [IAM_SCOPES.S3_DELETE_OBJECT])).toBe(false);
});