diff --git a/src/S3Policy/PolicyExtensions.cs b/src/S3Policy/PolicyExtensions.cs
index 1774ea2..df33815 100644
--- a/src/S3Policy/PolicyExtensions.cs
+++ b/src/S3Policy/PolicyExtensions.cs
@@ -77,7 +77,7 @@ public static Policy ToPolicy(string? bucketName, string? folderName)
 Sid = "AllowAllS3ActionsInUserFolder",
 Action = new string[] { "s3:*" },
 Effect = "Allow",
- Resource = new string[] { $"arn:aws:s3:::{bucketName}/{folderName}/*" },
+ Resource = new string[] { $"arn:aws:s3:::{bucketName}/{folderName}", $"arn:aws:s3:::{bucketName}/{folderName}/*" },
 },
 }
 };
@@ -139,7 +139,7 @@ public static Policy ToPolicy(PolicyRequest[] policyRequests)
 Action = new string[] { "s3:*" },
 Effect = "Allow",
 Resource = policyRequests
- .Select(pr => $"{pr.BucketName}/{pr.FolderName}/*")
+ .SelectMany(pr => new []{ $"{pr.BucketName}/{pr.FolderName}" , $"{pr.BucketName}/{pr.FolderName}/*" } )
 .Distinct()
 .ToArray(),
 },
diff --git a/src/S3Policy/Tests/Extensions/PolicyExtensionsTest.cs b/src/S3Policy/Tests/Extensions/PolicyExtensionsTest.cs
index 03ec530..0f2a92f 100644
--- a/src/S3Policy/Tests/Extensions/PolicyExtensionsTest.cs
+++ b/src/S3Policy/Tests/Extensions/PolicyExtensionsTest.cs
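Review bot: In `PolicyExtensions.cs`, hunk `@@ -77,7 +77,7 @@`, the nullable `bucketName` and `folderName` are interpolated unchecked into both `Resource` entries of the `s3:*` Allow statement. The new exact-key entry makes this matter more: an empty folder produces `arn:aws:s3:::{bucketName}/`, and a folder containing `*` or `?` is read as a wildcard in a policy resource, so the grant can extend beyond the one folder. `ToPolicy`'s body starts outside this hunk, so validation may already exist. If it does not, reject such values before building the ARNs, e.g. `if (string.IsNullOrWhiteSpace(folderName) || folderName.IndexOfAny(new[] { '*', '?' }) >= 0) throw new ArgumentException("Invalid folder name", nameof(folderName));`. The same applies to `pr.BucketName` and `pr.FolderName` in the `@@ -139,7 +139,7 @@` hunk.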
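Review bot: In `PolicyExtensions.cs`, hunk `@@ -139,7 +139,7 @@`, both new `SelectMany` entries are bare `{pr.BucketName}/{pr.FolderName}` strings, while the other `ToPolicy` overload in this commit emits `arn:aws:s3:::`-prefixed resources. The test in this commit asserts the bare form, so this looks intentional, but nothing in the hunk says where the prefix is added or why it is not needed. A comment above `Resource` would help, for example `// Resources are bucket/key paths without the arn:aws:s3::: prefix; <where the prefix is applied, or why it is omitted>`. The statement begins outside the hunk, so such a note may already exist there.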
@@ -86,7 +86,7 @@ public void ToPolicy_ValidBucketAndFolder() var policyString = JsonConvert.SerializeObject(policy, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore }); - Assert.Equal("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowUserToSeeBucketListInTheConsole\",\"Action\":[\"s3:ListAllMyBuckets\",\"s3:GetBucketLocation\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::*\"]},{\"Sid\":\"AllowRootAndHomeListingOfBucket\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best\",\"Jack/Is/The/\",\"Jack/Is/\",\"Jack/\",\"\"],\"s3:delimiter\":[\"/\"]}}},{\"Sid\":\"AllowListingOfUserFolder\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best/*\"]}}},{\"Sid\":\"AllowAllS3ActionsInUserFolder\",\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket/Jack/Is/The/Best/*\"]}]}", policyString); + 
Assert.Equal("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowUserToSeeBucketListInTheConsole\",\"Action\":[\"s3:ListAllMyBuckets\",\"s3:GetBucketLocation\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::*\"]},{\"Sid\":\"AllowRootAndHomeListingOfBucket\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best\",\"Jack/Is/The/\",\"Jack/Is/\",\"Jack/\",\"\"],\"s3:delimiter\":[\"/\"]}}},{\"Sid\":\"AllowListingOfUserFolder\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best/*\"]}}},{\"Sid\":\"AllowAllS3ActionsInUserFolder\",\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket/Jack/Is/The/Best\",\"arn:aws:s3:::test-bucket/Jack/Is/The/Best/*\"]}]}", policyString); } [Fact] @@ -111,9 +111,10 @@ public async Task ToPolicy_Should_Set_Correct_Allow_All_Path() var policyMade = PolicyExtensions.ToPolicy(policys); - Assert.EndsWith( - $"{bucketName}/{payloadId}/*", - policyMade.Statement.First(p => p.Sid == "AllowAllS3ActionsInUserFolder").Resource?.First()); + + Assert.Collection(policyMade.Statement.First(p => p.Sid == "AllowAllS3ActionsInUserFolder").Resource!, + (item) => item.Equals($"{bucketName}/{payloadId}"), + (item) => item.Equals($"{bucketName}/{payloadId}/*")); }
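Review bot: In `ToPolicy_Should_Set_Correct_Allow_All_Path`, the two inspectors passed to `Assert.Collection` are `(item) => item.Equals(...)`, and the boolean they produce is discarded. As written, the test only checks that `Resource` has exactly two entries and would still pass if either path were wrong, which is weaker than the `Assert.EndsWith` it replaces. Make the inspectors assert: `item => Assert.Equal($"{bucketName}/{payloadId}", item),` and `item => Assert.Equal($"{bucketName}/{payloadId}/*", item)`. The test method begins outside this hunk, so how `policys` is built is not visible here; if the values carry a prefix, use `Assert.EndsWith` inside the inspectors instead.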