work on s3client

InseeFrLab · Oct 24, 2024 · 3268092 · 3268092
1 parent a70b3da
commit 3268092
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 4 deletions.
diff --git a/web/src/core/adapters/s3Client/s3Client.ts b/web/src/core/adapters/s3Client/s3Client.ts
@@ -479,6 +479,21 @@ export function createS3Client(
 
             return [...directories, ...files];
         },
+        "putBucketPolicy": async ({ path, policy }) => {
+            const { getAwsS3Client } = await prApi;
+            const { awsS3Client } = await getAwsS3Client();
+
+            const { bucketName } = bucketNameAndObjectNameFromS3Path(path);
+
+            const command = new (
+                await import("@aws-sdk/client-s3")
+            ).PutBucketPolicyCommand({
+                "Bucket": bucketName,
+                "Policy": JSON.stringify(policy)
+            });
+
+            await awsS3Client.send(command);
+        },
         "uploadFile": async ({ blob, path, onUploadProgress }) => {
             const { getAwsS3Client } = await prApi;
 

diff --git a/web/src/core/adapters/s3Client/utils/policySchema.ts b/web/src/core/adapters/s3Client/utils/policySchema.ts
@@ -0,0 +1,45 @@
+import { S3BucketPolicy } from "core/ports/S3Client";
+import { assert, Equals } from "tsafe";
+import { z } from "zod";
+
+const s3ActionSchema = z.enum([
+    "s3:AbortMultipartUpload",
+    "s3:BypassGovernanceRetention",
+    "s3:CreateBucket",
+    "s3:DeleteBucket",
+    "s3:DeleteBucketPolicy",
+    "s3:DeleteObject",
+    "s3:DeleteObjectTagging",
+    "s3:GetBucketAcl",
+    "s3:GetBucketPolicy",
+    "s3:GetObject",
+    "s3:GetObjectTagging",
+    "s3:ListBucket",
+    "s3:PutObject",
+    "s3:PutObjectAcl",
+    "s3:PutBucketPolicy",
+    "s3:ReplicateObject",
+    "s3:RestoreObject",
+    "s3:ListMultipartUploadParts",
+    "s3:ListBucketVersions",
+    "s3:ListBucketMultipartUploads",
+    "s3:PutBucketVersioning",
+    "s3:PutBucketTagging",
+    "s3:GetBucketTagging",
+    "s3:*"
+]);
+
+const s3PolicyStatementSchema = z.object({
+    Effect: z.enum(["Allow", "Deny"]),
+    Principal: z.union([z.string(), z.object({ AWS: z.string().array() })]),
+    Action: z.union([s3ActionSchema, s3ActionSchema.array()]),
+    Resource: z.union([z.string(), z.string().array()]),
+    Condition: z.record(z.any()).optional()
+});
+
+const s3BucketPolicySchema = z.object({
+    Version: z.literal("2012-10-17"),
+    Statement: z.array(s3PolicyStatementSchema)
+});
+
+assert<Equals<z.infer<typeof s3BucketPolicySchema>, S3BucketPolicy>>(true);
diff --git a/web/src/core/ports/S3Client.ts b/web/src/core/ports/S3Client.ts
@@ -38,9 +38,10 @@ export type S3Client = {
         directories: string[];
         files: string[];
     }>;
-
     listObjects: (params: { path: string }) => Promise<S3Object[]>;
 
+    putBucketPolicy: (params: { path: string; policy: S3BucketPolicy }) => Promise<void>;
+
     /** Completed when 100% uploaded */
     uploadFile: (params: {
         blob: Blob;
@@ -55,3 +56,40 @@ export type S3Client = {
         validityDurationSecond: number;
     }) => Promise<string>;
 };
+
+type S3Actions =
+    | "s3:AbortMultipartUpload"
+    | "s3:BypassGovernanceRetention"
+    | "s3:CreateBucket"
+    | "s3:DeleteBucket"
+    | "s3:DeleteBucketPolicy"
+    | "s3:DeleteObject"
+    | "s3:DeleteObjectTagging"
+    | "s3:GetBucketAcl"
+    | "s3:GetBucketPolicy"
+    | "s3:GetObject"
+    | "s3:GetObjectTagging"
+    | "s3:ListBucket"
+    | "s3:PutObject"
+    | "s3:PutObjectAcl"
+    | "s3:PutBucketPolicy"
+    | "s3:ReplicateObject"
+    | "s3:RestoreObject"
+    | "s3:ListMultipartUploadParts"
+    | "s3:ListBucketVersions"
+    | "s3:ListBucketMultipartUploads"
+    | "s3:PutBucketVersioning"
+    | "s3:PutBucketTagging"
+    | "s3:GetBucketTagging"
+    | "s3:*";
+
+export type S3BucketPolicy = {
+    Version: "2012-10-17";
+    Statement: Array<{
+        Effect: "Allow" | "Deny";
+        Principal: string | { AWS: string[] };
+        Action: S3Actions | S3Actions[];
+        Resource: string | string[];
+        Condition?: Record<string, any>;
+    }>;
+};
diff --git a/web/src/core/usecases/fileExplorer/state.ts b/web/src/core/usecases/fileExplorer/state.ts
@@ -3,7 +3,7 @@ import { relative as pathRelative } from "pathe";
 import { assert } from "tsafe/assert";
 import { createUsecaseActions } from "clean-architecture";
 import type { WritableDraft } from "clean-architecture/immer";
-import { S3Object } from "core/ports/S3Client";
+import { S3BucketPolicy, S3Object } from "core/ports/S3Client";
 
 //All explorer path are expected to be absolute (start with /)
 
@@ -29,6 +29,7 @@ export type State = {
         cmd: string;
         resp: string | undefined;
     }[];
+    bucketPolicy: S3BucketPolicy | undefined;
 };
 
 export const name = "fileExplorer";
@@ -42,7 +43,8 @@ export const { reducer, actions } = createUsecaseActions({
         "isNavigationOngoing": false,
         "ongoingOperations": [],
         "s3FilesBeingUploaded": [],
-        "commandLogsEntries": []
+        "commandLogsEntries": [],
+        "bucketPolicy": undefined
     }),
     "reducers": {
         "fileUploadStarted": (

diff --git a/web/src/core/usecases/s3ConfigConnectionTest/thunks.ts b/web/src/core/usecases/s3ConfigConnectionTest/thunks.ts
@@ -31,7 +31,7 @@ export const protectedThunks = {
                 const s3Client = createS3Client(paramsOfCreateS3Client, getOidc);
 
                 try {
-                    await s3Client.list({
+                    await s3Client.listObjects({
                         "path": workingDirectoryPath
                     });
                 } catch (error) {