Add models for policy generation

jackschofield23 · jackschofield23 · commit 4658e7670423 · 2022-04-27T16:24:24.000+01:00
Signed-off-by: jackschofield23 &lt;jack.schofield@answerdigital.com&gt;
diff --git a/src/Storage/API/IStorageService.cs b/src/Storage/API/IStorageService.cs
@@ -171,6 +171,5 @@ public interface IStorageService
         /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
         /// <returns>Task</returns>
         Task CreateFolderWithCredentials(string bucketName, string folderPath, Credentials credentials, CancellationToken cancellationToken = default);
-
     }
 }
diff --git a/src/Storage/Common/Extensions/PolicyExtensions.cs b/src/Storage/Common/Extensions/PolicyExtensions.cs
@@ -0,0 +1,90 @@
+﻿// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+using Ardalis.GuardClauses;
+using Monai.Deploy.Storage.Common.Policies;
+
+namespace Monai.Deploy.Storage.Common.Extensions
+{
+    public static class PolicyExtensions
+    {
+        public static Policy ToPolicy(string bucketName, string folderName)
+        {
+            Guard.Against.NullOrWhiteSpace(bucketName, nameof(bucketName));
+            Guard.Against.NullOrWhiteSpace(folderName, nameof(folderName));
+
+            var pathList = GetPathList(folderName);
+
+            return new Policy
+            {
+                Statement = new List<Statement>
+                {
+                    new Statement
+                    {
+                        Sid = "AllowUserToSeeBucketListInTheConsole",
+                        Action = new string[] {"s3:ListAllMyBuckets", "s3:GetBucketLocation" },
+                        Effect = "Allow",
+                        Resource = new string[] { "arn:aws:s3:::*" }
+                    },
+                    new Statement
+                    {
+                        Sid = "AllowRootAndHomeListingOfBucket",
+                        Action = new string[] { "s3:ListBucket" },
+                        Effect = "Allow",
+                        Resource = new string[] { $"arn:aws:s3:::{bucketName}" },
+                        Condition = new Condition
+                        {
+                            StringEquals = new StringEquals
+                            {
+                                S3Prefix = pathList.ToArray(),
+                                S3Delimiter = new string[] { "/" }
+                            }
+                        }
+                    },
+                    new Statement
+                    {
+                        Sid = "AllowListingOfUserFolder",
+                        Action = new string[] { "s3:ListBucket" },
+                        Effect = "Allow",
+                        Resource = new string[] { $"arn:aws:s3:::{bucketName}" },
+                        Condition = new Condition
+                        {
+                            StringEquals = new StringEquals
+                            {
+                                S3Prefix = new string[] {$"{folderName}/*" }
+                            }
+                        }
+                    },
+                    new Statement
+                    {
+                        Sid = "AllowAllS3ActionsInUserFolder",
+                        Action = new string[] { "s3:*" },
+                        Effect = "Allow",
+                        Resource = new string[] { $"arn:aws:s3:::{bucketName}/{folderName}/*" },
+                    },
+                }
+            };
+        }
+
+        public static List<string> GetPathList(string folderName)
+        {
+            Guard.Against.NullOrWhiteSpace(folderName, nameof(folderName));
+
+            var pathList = new List<string> { folderName };
+
+            var lastPath = folderName;
+
+            while (lastPath.Contains("/"))
+            {
+                var path = lastPath.Substring(0, lastPath.LastIndexOf("/") + 1);
+                pathList.Add(path);
+
+                lastPath = lastPath.Substring(0, lastPath.LastIndexOf("/"));
+            }
+
+            pathList.Add("");
+
+            return pathList;
+        }
+    }
+}
diff --git a/src/Storage/Common/Policies/Condition.cs b/src/Storage/Common/Policies/Condition.cs
@@ -0,0 +1,12 @@
+﻿// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class Condition
+    {
+        public StringLike StringLike { get; set; }
+
+        public StringEquals StringEquals { get; set; }
+    }
+}
diff --git a/src/Storage/Common/Policies/Policy.cs b/src/Storage/Common/Policies/Policy.cs
@@ -0,0 +1,12 @@
+﻿// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class Policy
+    {
+        public string Version { get; set; } = "2012-10-17";
+
+        public IList<Statement> Statement { get; set; } = new List<Statement>();
+    }
+}
diff --git a/src/Storage/Common/Policies/Statement.cs b/src/Storage/Common/Policies/Statement.cs
@@ -0,0 +1,18 @@
+﻿// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class Statement
+    {
+        public string Sid { get; set; }
+
+        public string[] Action { get; set; }
+
+        public string Effect { get; set; }
+
+        public string[] Resource { get; set; }
+
+        public Condition Condition { get; set; }
+    }
+}
diff --git a/src/Storage/Common/Policies/StringEquals.cs b/src/Storage/Common/Policies/StringEquals.cs
@@ -0,0 +1,16 @@
+﻿// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+using Newtonsoft.Json;
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class StringEquals
+    {
+        [JsonProperty(PropertyName = "s3:prefix")]
+        public string[] S3Prefix { get; set; }
+
+        [JsonProperty(PropertyName = "s3:delimiter")]
+        public string[] S3Delimiter { get; set; }
+    }
+}
diff --git a/src/Storage/Common/Policies/StringLike.cs b/src/Storage/Common/Policies/StringLike.cs
@@ -0,0 +1,13 @@
+﻿// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+using Newtonsoft.Json;
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class StringLike
+    {
+        [JsonProperty(PropertyName = "s3:prefix")]
+        public string[] S3Prefix { get; set; }
+    }
+}
diff --git a/src/Storage/Configuration/ConfigurationKeys.cs b/src/Storage/Configuration/ConfigurationKeys.cs
@@ -10,6 +10,7 @@ internal static class ConfigurationKeys
         public static readonly string AccessToken = "accessToken";
         public static readonly string SecuredConnection = "securedConnection";
         public static readonly string Region = "region";
+        public static readonly string CredentialServiceUrl = "credentialServiceUrl";
 
         public static readonly string[] RequiredKeys = new[] { EndPoint, AccessKey, AccessToken, SecuredConnection, Region };
     }
diff --git a/src/Storage/MinIo/MinIoStorageService.cs b/src/Storage/MinIo/MinIoStorageService.cs
@@ -11,7 +11,9 @@
 using Minio;
 using Minio.DataModel;
 using Monai.Deploy.Storage.Common;
+using Monai.Deploy.Storage.Common.Extensions;
 using Monai.Deploy.Storage.Configuration;
+using Newtonsoft.Json;
 
 namespace Monai.Deploy.Storage.MinIo
 {
@@ -39,6 +41,7 @@ public MinIoStorageService(IOptions<StorageServiceConfiguration> options, ILogge
             var accessKey = configuration.Settings[ConfigurationKeys.AccessKey];
             var accessToken = configuration.Settings[ConfigurationKeys.AccessToken];
             var securedConnection = configuration.Settings[ConfigurationKeys.SecuredConnection];
+            var credentialServiceUrl = configuration.Settings[ConfigurationKeys.CredentialServiceUrl];
 
             _client = new MinioClient(endpoint, accessKey, accessToken);
 
@@ -49,8 +52,8 @@ public MinIoStorageService(IOptions<StorageServiceConfiguration> options, ILogge
 
             var config = new AmazonSecurityTokenServiceConfig
             {
-                AuthenticationRegion = RegionEndpoint.EUWest2.SystemName, // Should match the `MINIO_REGION` environment variable.
-                ServiceURL = "http://" + endpoint, // replace http://localhost:9000 with URL of your MinIO server
+                AuthenticationRegion = RegionEndpoint.EUWest2.SystemName,
+                ServiceURL = credentialServiceUrl
             };
 
             _tokenServiceClient = new AmazonSecurityTokenServiceClient(accessKey, accessToken, config);
@@ -162,11 +165,14 @@ public async Task<Credentials> CreateTemporaryCredentials(string bucketName, str
             Guard.Against.NullOrWhiteSpace(bucketName, nameof(bucketName));
             Guard.Against.NullOrEmpty(folderName, nameof(folderName));
 
+            var policy = PolicyExtensions.ToPolicy(bucketName, folderName);
+
+            var policyString = JsonConvert.SerializeObject(policy, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore });
+
             var assumeRoleRequest = new AssumeRoleRequest
             {
                 DurationSeconds = durationSeconds,
-                Policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowUserToSeeBucketListInTheConsole\",\"Action\":[\"s3:ListAllMyBuckets\",\"s3:GetBucketLocation\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::*\"]},{\"Sid\":\"AllowRootAndHomeListingOfBucket\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::" +
-                bucketName + "\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"\",\"" + folderName + "\"],\"s3:delimiter\":[\"/\"]}}},{\"Sid\":\"AllowListingOfUserFolder\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::" + bucketName + "\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"" + folderName + "/*\"]}}},{\"Sid\":\"AllowAllS3ActionsInUserFolder\",\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::" + $"{bucketName}/{folderName}" + "/*\"]}]}"
+                Policy = policyString
             };
 
             var role = await _tokenServiceClient.AssumeRoleAsync(assumeRoleRequest, cancellationToken: cancellationToken);
diff --git a/src/Storage/Monai.Deploy.Storage.csproj b/src/Storage/Monai.Deploy.Storage.csproj
@@ -48,5 +48,6 @@ SPDX-License-Identifier: Apache License 2.0
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="6.0.1" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="6.0.0" />
     <PackageReference Include="Minio" Version="3.1.13" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
   </ItemGroup>
 </Project>
diff --git a/src/Storage/Test/Extensions/PolicyExtensionsTest.cs b/src/Storage/Test/Extensions/PolicyExtensionsTest.cs
@@ -0,0 +1,62 @@
+﻿// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+using System.Collections.Generic;
+using Monai.Deploy.Storage.Common.Extensions;
+using Xunit;
+
+namespace Monai.Deploy.Storage.Test.Extensions
+{
+    public class PolicyExtensionsTest
+    {
+        #region GetPathList
+
+        [Fact]
+        public void GetPathList_MultiLevelLongPathReturnsValidList()
+        {
+            var actualList = PolicyExtensions.GetPathList("Jack/Is/The/Best");
+
+            var expectedList = new List<string>
+            {
+                "Jack/Is/The/Best",
+                "Jack/Is/The/",
+                "Jack/Is/",
+                "Jack/",
+                ""
+            };
+
+            Assert.Equal(expectedList, actualList);
+        }
+
+        [Fact]
+        public void GetPathList_MultiLevelShortPathReturnsValidList()
+        {
+            var actualList = PolicyExtensions.GetPathList("Home/Jack");
+
+            var expectedList = new List<string>
+            {
+                "Home/Jack",
+                "Home/",
+                ""
+            };
+
+            Assert.Equal(expectedList, actualList);
+        }
+
+        [Fact]
+        public void GetPathList_SingleLevelPathReturnsValidList()
+        {
+            var actualList = PolicyExtensions.GetPathList("Home");
+
+            var expectedList = new List<string>
+            {
+                "Home",
+                ""
+            };
+
+            Assert.Equal(expectedList, actualList);
+        }
+
+        #endregion
+    }
+}
diff --git a/src/Storage/Test/Monai.Deploy.Storage.Test.csproj b/src/Storage/Test/Monai.Deploy.Storage.Test.csproj
@@ -20,4 +20,8 @@
     </PackageReference>
   </ItemGroup>
 
+  <ItemGroup>
+    <ProjectReference Include="..\Monai.Deploy.Storage.csproj" />
+  </ItemGroup>
+
 </Project>

Original file line number	Diff line number	Diff line change
`@@ -171,6 +171,5 @@ public interface IStorageService`
`171`	`171`	`/// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>`
`172`	`172`	`/// <returns>Task</returns>`
`173`	`173`	`Task CreateFolderWithCredentials(string bucketName, string folderPath, Credentials credentials, CancellationToken cancellationToken = default);`
`174`		`-`
`175`	`174`	`}`
`176`	`175`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ internal static class ConfigurationKeys`
`10`	`10`	`public static readonly string AccessToken = "accessToken";`
`11`	`11`	`public static readonly string SecuredConnection = "securedConnection";`
`12`	`12`	`public static readonly string Region = "region";`
	`13`	`+ public static readonly string CredentialServiceUrl = "credentialServiceUrl";`
`13`	`14`
`14`	`15`	`public static readonly string[] RequiredKeys = new[] { EndPoint, AccessKey, AccessToken, SecuredConnection, Region };`
`15`	`16`	`}`