Merge pull request #5 from Project-MONAI/jschofield/addcredentialgeneration

 Add MinIO folder and credential creation to Storage repository #85

Author: jackschofield23

src/Storage/API/IStorageService.cs

@@ -1,6 +1,7 @@
 // SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
 // SPDX-License-Identifier: Apache License 2.0
 
+using Amazon.SecurityToken.Model;
 using Monai.Deploy.Storage.Common;
 
 namespace Monai.Deploy.Storage
@@ -57,7 +58,7 @@ public interface IStorageService
         Task CopyObject(string sourceBucketName, string sourceObjectName, string destinationBucketName, string destinationObjectName, CancellationToken cancellationToken = default);
 
         /// <summary>
-        /// Removes an objects.
+        /// Removes an object.
         /// </summary>
         /// <param name="bucketName">Name of the bucket</param>
         /// <param name="objectName">Name of the object in the bucket</param>
@@ -73,5 +74,102 @@ public interface IStorageService
         /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
         /// <returns>Task</returns>
         Task RemoveObjects(string bucketName, IEnumerable<string> objectNames, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Creates a folder with stub file.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="folderPath">Name/Path of the folder to be created. A stub file will also be created as this is required for MinIO</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task CreateFolder(string bucketName, string folderPath, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Creates temporary credentials for a specified folder for a specified length of time.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="folderName">Name/Path of the folder to be allowed access to</param>
+        /// <param name="durationSeconds">Expiration time of the credentials</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task<Credentials> CreateTemporaryCredentials(string bucketName, string folderName, int durationSeconds = 3600, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Copies content of an object from source to destination using temporary credentials.
+        /// </summary>
+        /// <param name="sourceBucketName">Name of the source bucket</param>
+        /// <param name="sourceObjectName">Name of the object in the source bucket</param>
+        /// <param name="destinationBucketName">Name of the destination bucket</param>
+        /// <param name="destinationObjectName">Name of the object in the destination bucket</param>
+        /// <param name="credentials">Temporary credentials used to connect</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task CopyObjectWithCredentials(string sourceBucketName, string sourceObjectName, string destinationBucketName, string destinationObjectName, Credentials credentials, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Downloads an objects as stream using temporary credentials.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="objectName">Name of the object in the bucket</param>
+        /// <param name="credentials">Temporary credentials used to connect</param>
+        /// <param name="callback">Action to be called when stream is ready</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task GetObjectWithCredentials(string bucketName, string objectName, Credentials credentials, Action<Stream> callback, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Lists objects in a bucket using temporary credentials.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="credentials">Temporary credentials used to connect</param>
+        /// <param name="prefix">Objects with name starts with prefix</param>
+        /// <param name="recursive">Whether to recurse into subdirectories</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns></returns>
+        IList<VirtualFileInfo> ListObjectsWithCredentials(string bucketName, Credentials credentials, string? prefix = "", bool recursive = false, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Uploads an object using temporary credentials.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="objectName">Name of the object in the bucket</param>
+        /// <param name="data">Stream to upload</param>
+        /// <param name="size">Size of the stream</param>
+        /// <param name="contentType">Content type of the object</param>
+        /// <param name="metadata">Metadata of the object</param>
+        /// <param name="credentials">Temporary credentials used to connect</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task PutObjectWithCredentials(string bucketName, string objectName, Stream data, long size, string contentType, Dictionary<string, string> metadata, Credentials credentials, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Removes an object with temporary credentials.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="objectName">Name of the object in the bucket</param>
+        /// <param name="credentials">Temporary credentials used to connect</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task RemoveObjectWithCredentials(string bucketName, string objectName, Credentials credentials, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Removes a list of objects with temporary credentials.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="objectNames">An enumerable of object names to be removed in the bucket</param>
+        /// <param name="credentials">Temporary credentials used to connect</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task RemoveObjectsWithCredentials(string bucketName, IEnumerable<string> objectNames, Credentials credentials, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Creates a folder using temporary credentials.
+        /// </summary>
+        /// <param name="bucketName">Name of the bucket</param>
+        /// <param name="folderPath">The path of the root folder to assign credentials to</param>
+        /// <param name="credentials">Temporary credentials used to connect</param>
+        /// <param name="cancellationToken">Optional cancellation token. Defaults to default(CancellationToken)</param>
+        /// <returns>Task</returns>
+        Task CreateFolderWithCredentials(string bucketName, string folderPath, Credentials credentials, CancellationToken cancellationToken = default);
     }
 }

src/Storage/Common/Extensions/PolicyExtensions.cs

@@ -0,0 +1,90 @@
+// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+using Ardalis.GuardClauses;
+using Monai.Deploy.Storage.Common.Policies;
+
+namespace Monai.Deploy.Storage.Common.Extensions
+{
+    public static class PolicyExtensions
+    {
+        public static Policy ToPolicy(string bucketName, string folderName)
+        {
+            Guard.Against.NullOrWhiteSpace(bucketName, nameof(bucketName));
+            Guard.Against.NullOrWhiteSpace(folderName, nameof(folderName));
+
+            var pathList = GetPathList(folderName);
+
+            return new Policy
+            {
+                Statement = new List<Statement>
+                {
+                    new Statement
+                    {
+                        Sid = "AllowUserToSeeBucketListInTheConsole",
+                        Action = new string[] {"s3:ListAllMyBuckets", "s3:GetBucketLocation" },
+                        Effect = "Allow",
+                        Resource = new string[] { "arn:aws:s3:::*" }
+                    },
+                    new Statement
+                    {
+                        Sid = "AllowRootAndHomeListingOfBucket",
+                        Action = new string[] { "s3:ListBucket" },
+                        Effect = "Allow",
+                        Resource = new string[] { $"arn:aws:s3:::{bucketName}" },
+                        Condition = new Condition
+                        {
+                            StringEquals = new StringEquals
+                            {
+                                S3Prefix = pathList.ToArray(),
+                                S3Delimiter = new string[] { "/" }
+                            }
+                        }
+                    },
+                    new Statement
+                    {
+                        Sid = "AllowListingOfUserFolder",
+                        Action = new string[] { "s3:ListBucket" },
+                        Effect = "Allow",
+                        Resource = new string[] { $"arn:aws:s3:::{bucketName}" },
+                        Condition = new Condition
+                        {
+                            StringEquals = new StringEquals
+                            {
+                                S3Prefix = new string[] {$"{folderName}/*" }
+                            }
+                        }
+                    },
+                    new Statement
+                    {
+                        Sid = "AllowAllS3ActionsInUserFolder",
+                        Action = new string[] { "s3:*" },
+                        Effect = "Allow",
+                        Resource = new string[] { $"arn:aws:s3:::{bucketName}/{folderName}/*" },
+                    },
+                }
+            };
+        }
+
+        public static List<string> GetPathList(string folderName)
+        {
+            Guard.Against.NullOrWhiteSpace(folderName, nameof(folderName));
+
+            var pathList = new List<string> { folderName };
+
+            var lastPath = folderName;
+
+            while (lastPath.Contains("/"))
+            {
+                var path = lastPath.Substring(0, lastPath.LastIndexOf("/") + 1);
+                pathList.Add(path);
+
+                lastPath = lastPath.Substring(0, lastPath.LastIndexOf("/"));
+            }
+
+            pathList.Add("");
+
+            return pathList;
+        }
+    }
+}

src/Storage/Common/Policies/Condition.cs

@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class Condition
+    {
+        public StringLike StringLike { get; set; }
+
+        public StringEquals StringEquals { get; set; }
+    }
+}

src/Storage/Common/Policies/Policy.cs

@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class Policy
+    {
+        public string Version { get; set; } = "2012-10-17";
+
+        public IList<Statement> Statement { get; set; } = new List<Statement>();
+    }
+}

src/Storage/Common/Policies/Statement.cs

@@ -0,0 +1,18 @@
+// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class Statement
+    {
+        public string Sid { get; set; }
+
+        public string[] Action { get; set; }
+
+        public string Effect { get; set; }
+
+        public string[] Resource { get; set; }
+
+        public Condition Condition { get; set; }
+    }
+}

src/Storage/Common/Policies/StringEquals.cs

@@ -0,0 +1,16 @@
+// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+using Newtonsoft.Json;
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class StringEquals
+    {
+        [JsonProperty(PropertyName = "s3:prefix")]
+        public string[] S3Prefix { get; set; }
+
+        [JsonProperty(PropertyName = "s3:delimiter")]
+        public string[] S3Delimiter { get; set; }
+    }
+}

src/Storage/Common/Policies/StringLike.cs

@@ -0,0 +1,13 @@
+// SPDX-FileCopyrightText: © 2021-2022 MONAI Consortium
+// SPDX-License-Identifier: Apache License 2.0
+
+using Newtonsoft.Json;
+
+namespace Monai.Deploy.Storage.Common.Policies
+{
+    public class StringLike
+    {
+        [JsonProperty(PropertyName = "s3:prefix")]
+        public string[] S3Prefix { get; set; }
+    }
+}

src/Storage/Configuration/ConfigurationKeys.cs

@@ -9,7 +9,9 @@ internal static class ConfigurationKeys
         public static readonly string AccessKey = "accessKey";
         public static readonly string AccessToken = "accessToken";
         public static readonly string SecuredConnection = "securedConnection";
+        public static readonly string Region = "region";
+        public static readonly string CredentialServiceUrl = "credentialServiceUrl";
 
-        public static readonly string[] RequiredKeys = new[] { EndPoint, AccessKey, AccessToken, SecuredConnection };
+        public static readonly string[] RequiredKeys = new[] { EndPoint, AccessKey, AccessToken, SecuredConnection, Region };
     }
 }