Merge pull request #9263 from shirady/iam-user-policy-api

IAM | IAM User Policy API (Skeleton Only)

Author: shirady

src/endpoint/iam/iam_constants.js

@@ -12,7 +12,11 @@ const IAM_ACTIONS = Object.freeze({
     GET_ACCESS_KEY_LAST_USED: 'get_access_key_last_used',
     UPDATE_ACCESS_KEY: 'update_access_key',
     DELETE_ACCESS_KEY: 'delete_access_key',
-    LIST_ACCESS_KEYS: 'list_access_keys'
+    LIST_ACCESS_KEYS: 'list_access_keys',
+    PUT_USER_POLICY: 'put_user_policy',
+    GET_USER_POLICY: 'get_user_policy',
+    DELETE_USER_POLICY: 'delete_user_policy',
+    LIST_USER_POLICIES: 'list_user_policies',
 });
 
 // key: action - the function name on accountspace_fs (snake case style)
@@ -29,6 +33,10 @@ const ACTION_MESSAGE_TITLE_MAP = Object.freeze({
     'update_access_key': 'UpdateAccessKey',
     'delete_access_key': 'DeleteAccessKey',
     'list_access_keys': 'ListAccessKeys',
+    'put_user_policy': 'PutUserPolicy',
+    'get_user_policy': 'GetUserPolicy',
+    'delete_user_policy': 'DeleteUserPolicy',
+    'list_user_policies': 'ListUserPolicies',
 });
 
 const ACCESS_KEY_STATUS_ENUM = Object.freeze({
@@ -56,6 +64,8 @@ const IAM_PARAMETER_NAME = Object.freeze({
     IAM_PATH_PREFIX: 'PathPrefix',
     USERNAME: 'UserName',
     NEW_USERNAME: 'NewUserName',
+    POLICY_NAME: 'PolicyName',
+    POLICY_DOCUMENT: 'PolicyDocument',
 });
 
 const IAM_SPLIT_CHARACTERS = ':';

src/endpoint/iam/iam_errors.js

@@ -140,6 +140,11 @@ IamError.NotImplemented = Object.freeze({
 // UpdateAccessKey      errors https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html
 // DeleteAccessKey      errors https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccessKey.html
 // ListAccessKeys       errors https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html
+// user policy
+// PutUserPolicy    errors https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
+// GetUserPolicy    errors https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html
+// DeleteUserPolicy errors https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html
+// ListUserPolicies errors https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html
 IamError.ConcurrentModification = Object.freeze({
     code: 'ConcurrentModification',
     message: 'The request was rejected because multiple requests to change this object were submitted simultaneously. Wait a few minutes and submit your request again.',
@@ -188,6 +193,13 @@ IamError.EntityTemporarilyUnmodifiable = Object.freeze({
     http_code: 409,
     type: error_type_enum.SENDER,
 });
+IamError.MalformedPolicyDocument = Object.freeze({
+    code: 'MalformedPolicyDocument',
+    message: 'The request was rejected because the policy document was malformed',
+    http_code: 400,
+    type: error_type_enum.SENDER,
+});
+
 
 // These errors were copied from STS errors
 IamError.InvalidParameterValue = Object.freeze({

src/endpoint/iam/iam_rest.js

@@ -21,6 +21,7 @@ const RPC_ERRORS_TO_IAM = Object.freeze({
     NO_SUCH_ACCOUNT: IamError.AccessDeniedException,
     NO_SUCH_ROLE: IamError.AccessDeniedException,
     VALIDATION_ERROR: IamError.ValidationError,
+    MALFORMED_POLICY_DOCUMENT: IamError.MalformedPolicyDocument,
 });
 
 const ACTIONS = Object.freeze({
@@ -34,6 +35,10 @@ const ACTIONS = Object.freeze({
     'UpdateAccessKey': 'update_access_key',
     'DeleteAccessKey': 'delete_access_key',
     'ListAccessKeys': 'list_access_keys',
+    'PutUserPolicy': 'put_user_policy',
+    'GetUserPolicy': 'get_user_policy',
+    'DeleteUserPolicy': 'delete_user_policy',
+    'ListUserPolicies': 'list_user_policies',
     'ListGroupsForUser': 'list_groups_for_user',
     'ListAccountAliases': 'list_account_aliases',
     'ListAttachedGroupPolicies': 'list_attached_group_policies',
@@ -60,7 +65,6 @@ const ACTIONS = Object.freeze({
     'ListServiceSpecificCredentials': 'list_service_specific_credentials',
     'ListSigningCertificates': 'list_signing_certificates',
     'ListSSHPublicKeys': 'list_ssh_public_keys',
-    'ListUserPolicies': 'list_user_policies',
     'ListUserTags': 'list_user_tags',
     'ListVirtualMFADevices': 'list_virtual_mfa_devices',
 });
@@ -79,6 +83,11 @@ const IAM_OPS = js_utils.deep_freeze({
     post_update_access_key: require('./ops/iam_update_access_key'),
     post_delete_access_key: require('./ops/iam_delete_access_key'),
     post_list_access_keys: require('./ops/iam_list_access_keys'),
+    // user policy
+    post_put_user_policy: require('./ops/iam_put_user_policy'),
+    post_get_user_policy: require('./ops/iam_get_user_policy'),
+    post_delete_user_policy: require('./ops/iam_delete_user_policy'),
+    post_list_user_policies: require('./ops/iam_list_user_policies'),
     // other (currently ops that return empty or NoSuchEntity error - just not to fail them)
     post_list_groups_for_user: require('./ops/iam_list_groups_for_user.js'),
     post_list_account_aliases: require('./ops/iam_list_account_aliases.js'),
@@ -106,7 +115,6 @@ const IAM_OPS = js_utils.deep_freeze({
     post_list_service_specific_credentials: require('./ops/iam_list_service_specific_credentials.js'),
     post_list_signing_certificates: require('./ops/iam_list_signing_certificates.js'),
     post_list_ssh_public_keys: require('./ops/iam_list_ssh_public_keys.js'),
-    post_list_user_policies: require('./ops/iam_list_user_policies.js'),
     post_list_user_tags: require('./ops/iam_list_user_tags.js'),
     post_list_virtual_mfa_devices: require('./ops/iam_list_virtual_mfa_devices.js'),
 });

src/endpoint/iam/iam_utils.js

@@ -86,7 +86,9 @@ function parse_max_items(input_max_items) {
  * @param {object} params
  */
 function validate_params(action, params) {
-        if (action.includes('user')) {
+        if (action.includes('policy') || action.includes('policies')) {
+            validate_policy_params(action, params);
+        } else if (action.includes('user')) {
             validate_user_params(action, params);
         } else if (action.includes('access_key')) {
             validate_access_keys_params(action, params);
@@ -149,6 +151,30 @@ function validate_access_keys_params(action, params) {
       }
 }
 
+/**
+ * validate_policy_params will call the aquivalent function for each action in user policy API
+ * @param {string} action
+ * @param {object} params
+ */
+function validate_policy_params(action, params) {
+    switch (action) {
+        case iam_constants.IAM_ACTIONS.PUT_USER_POLICY:
+            validate_put_user_policy(params);
+            break;
+        case iam_constants.IAM_ACTIONS.GET_USER_POLICY:
+            validate_get_user_policy(params);
+            break;
+        case iam_constants.IAM_ACTIONS.DELETE_USER_POLICY:
+            validate_delete_user_policy(params);
+            break;
+        case iam_constants.IAM_ACTIONS.LIST_USER_POLICIES:
+            validate_list_user_policies(params);
+            break;
+        default:
+          throw new RpcError('INTERNAL_ERROR', `${action} is not supported`);
+      }
+}
+
 /**
  * check_required_username checks if the username was set
  * @param {object} params
@@ -173,6 +199,22 @@ function check_required_status(params) {
     check_required_key(params.status, 'status');
 }
 
+/**
+ * check_required_policy_name checks if the policy name was set
+ * @param {object} params
+ */
+function check_required_policy_name(params) {
+    check_required_key(params.policy_name, 'policy-name');
+}
+
+/**
+ * check_required_policy_document checks if the policy document was set
+ * @param {object} params
+ */
+function check_required_policy_document(params) {
+    check_required_key(params.policy_document, 'policy-document');
+}
+
 /**
  * check_required_key checks if a required key was set
  * @param {any} value
@@ -324,6 +366,68 @@ function validate_list_access_keys(params) {
     }
 }
 
+/**
+ * validate_put_user_policy checks the params for put_user_policy action
+ * @param {object} params
+ */
+function validate_put_user_policy(params) {
+    try {
+        check_required_username(params);
+        validation_utils.validate_username(params.username, iam_constants.IAM_PARAMETER_NAME.USERNAME);
+        check_required_policy_name(params);
+        validation_utils.validate_policy_name(params.policy_name, iam_constants.IAM_PARAMETER_NAME.POLICY_NAME);
+        check_required_policy_document(params);
+        validation_utils.validate_policy_document(params.policy_document, iam_constants.IAM_PARAMETER_NAME.POLICY_DOCUMENT);
+    } catch (err) {
+        translate_rpc_error(err);
+    }
+}
+
+/**
+ * validate_get_user_policy checks the params for get_user_policy action
+ * @param {object} params
+ */
+function validate_get_user_policy(params) {
+    try {
+        check_required_username(params);
+        validation_utils.validate_username(params.username, iam_constants.IAM_PARAMETER_NAME.USERNAME);
+        check_required_policy_name(params);
+        validation_utils.validate_policy_name(params.policy_name, iam_constants.IAM_PARAMETER_NAME.POLICY_NAME);
+    } catch (err) {
+        translate_rpc_error(err);
+    }
+}
+
+/**
+ * validate_delete_user_policy checks the params for delete_user_policy action
+ * @param {object} params
+ */
+function validate_delete_user_policy(params) {
+    try {
+        check_required_username(params);
+        validation_utils.validate_username(params.username, iam_constants.IAM_PARAMETER_NAME.USERNAME);
+        check_required_policy_name(params);
+        validation_utils.validate_policy_name(params.policy_name, iam_constants.IAM_PARAMETER_NAME.POLICY_NAME);
+    } catch (err) {
+        translate_rpc_error(err);
+    }
+}
+
+/**
+ * validate_list_user_policies checks the params for list_user_policies action
+ * @param {object} params
+ */
+function validate_list_user_policies(params) {
+    try {
+        validate_marker(params.marker);
+        validate_max_items(params.max_items);
+        check_required_username(params);
+        validation_utils.validate_username(params.username, iam_constants.IAM_PARAMETER_NAME.USERNAME);
+    } catch (err) {
+        translate_rpc_error(err);
+    }
+}
+
 /**
  * validate_iam_path will validate:
  * 1. type

src/endpoint/iam/ops/iam_delete_user_policy.js

@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 NooBaa */
+'use strict';
+
+const dbg = require('../../../util/debug_module')(__filename);
+const iam_utils = require('../iam_utils');
+const iam_constants = require('../iam_constants');
+const { CONTENT_TYPE_APP_FORM_URLENCODED } = require('../../../util/http_utils');
+
+/**
+ * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html
+ */
+async function delete_user_policy(req, res) {
+
+    const params = {
+        username: req.body.user_name,
+        policy_name: req.body.policy_name,
+    };
+    dbg.log1('IAM DELETE USER POLICY', params);
+    iam_utils.validate_params(iam_constants.IAM_ACTIONS.DELETE_USER_POLICY, params);
+    await req.account_sdk.delete_user_policy(params);
+
+    return {
+        DeleteUserPolicyResponse: {
+            ResponseMetadata: {
+                RequestId: req.request_id,
+            }
+        }
+    };
+}
+
+module.exports = {
+    handler: delete_user_policy,
+    body: {
+        type: CONTENT_TYPE_APP_FORM_URLENCODED,
+    },
+    reply: {
+        type: 'xml',
+    },
+};

src/endpoint/iam/ops/iam_get_user_policy.js

@@ -0,0 +1,45 @@
+/* Copyright (C) 2024 NooBaa */
+'use strict';
+
+const dbg = require('../../../util/debug_module')(__filename);
+const iam_utils = require('../iam_utils');
+const iam_constants = require('../iam_constants');
+const { CONTENT_TYPE_APP_FORM_URLENCODED } = require('../../../util/http_utils');
+
+/**
+ * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html
+ */
+async function get_user_policy(req, res) {
+
+    const params = {
+        username: req.body.user_name,
+        policy_name: req.body.policy_name,
+    };
+    dbg.log1('IAM GET USER POLICY', params);
+    iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER_POLICY, params);
+    const reply = await req.account_sdk.get_user_policy(params);
+    dbg.log2('get_user_policy reply', reply);
+
+    return {
+        GetUserPolicyResponse: {
+            GetUserPolicyResult: {
+                UserName: reply.username,
+                PolicyName: reply.policy_name,
+                PolicyDocument: reply.policy_document,
+            },
+            ResponseMetadata: {
+                RequestId: req.request_id,
+            }
+        },
+    };
+}
+
+module.exports = {
+    handler: get_user_policy,
+    body: {
+        type: CONTENT_TYPE_APP_FORM_URLENCODED,
+    },
+    reply: {
+        type: 'xml',
+    },
+};

src/endpoint/iam/ops/iam_list_user_policies.js

@@ -17,17 +17,16 @@ async function list_user_policies(req, res) {
         max_items: iam_utils.parse_max_items(req.body.max_items) ?? iam_constants.DEFAULT_MAX_ITEMS,
     };
 
-    dbg.log1('To check that we have the user we will run the IAM GET USER', params);
-    iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-    await req.account_sdk.get_user(params);
-
-    dbg.log1('IAM LIST USER POLICIES (returns empty list on every request)', params);
+    dbg.log1('IAM LIST USER POLICIES', params);
+    iam_utils.validate_params(iam_constants.IAM_ACTIONS.LIST_USER_POLICIES, params);
+    const reply = await req.account_sdk.list_user_policies(params);
+    dbg.log2('list_user_policies reply', reply);
 
     return {
         ListUserPoliciesResponse: {
             ListUserPoliciesResult: {
-                PolicyNames: [],
-                IsTruncated: false,
+                PolicyNames: reply.members,
+                IsTruncated: reply.is_truncated,
             },
             ResponseMetadata: {
                 RequestId: req.request_id,