Apply policy resource restrictions for file extensions

[prakashsvmx]

Fixes #2838

Sample policy to test:
( Allow and deny both actions are used)

Policy 1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*.jpg",
                "arn:aws:s3:::mybucket/anything/*",
                "arn:aws:s3:::mybucket/jpg/*.jpg",
                "arn:aws:s3:::mybucket/l1/l2/*.txt",
                "arn:aws:s3:::mybucket/png/*.png",
                "arn:aws:s3:::mybucket/txt/*.doc",
                "arn:aws:s3:::mybucket/txt/*.txt"
            ]
        }
    ]
}

Policy 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:ListAllMyBuckets",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/txt/*.txt",
                "arn:aws:s3:::mybucket/*.jpg",
                "arn:aws:s3:::mybucket/anything/*",
                "arn:aws:s3:::mybucket/jpg/*.jpg",
                "arn:aws:s3:::mybucket/l1/l2/*.txt",
                "arn:aws:s3:::mybucket/png/*.png",
                "arn:aws:s3:::mybucket/txt/*.doc"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/txt/*.doc",
                "arn:aws:s3:::mybucket/txt/*.txt"
            ]
        }
    ]
}

Testing:

CI=true MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD=minio123 minio server /tmp/site1{1...4} --address ":22000" --console-address ":9025"

CONSOLE_DEV_MODE=on CONSOLE_MINIO_SERVER=http://localhost:22000 ./console server

• Allow/Deny file extensions on a root level,
• Allow/Deny at prefix level
• Drag and Drop individual files
• Drag and drop folders ( only allowed extensions are uploaded )

[bexsoft]

There is an issue if I try to upload a file using drag and drop:

[prakashsvmx]

Thank you @bexsoft 👍 . I have added logs and improved the dnd handling to accept one or more files.

[dvaldivia]

there's a warning @prakashsvmx

[prakashsvmx]

@dvaldivia thank you, i have updated the type reference.

[bexsoft]

If I try to upload a file with the extension .JPG (Uppercase), an error is thrown

Trying to do drag and drop, I see the following issue in any case:

If I try to create a new subpath inside anything folder, button is not enabled

[prakashsvmx]

@bexsoft

1. If I try to upload a file with the extension .JPG (Uppercase), an error is thrown

it is working as expected. test with mc

2. Trying to do drag and drop, I see the following issue in any case:

Fixed

3. If I try to create a new subpath inside anything folder, button is not enabled

it is working as per master/release. ( in master/release as well it is disabled)

➜ mc cp 1.png fxt/mybucket/png                 
...-file-types/1.png: 4 B / 4 B ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 501 B/s 0s 

# Copy PNG ( uppercase extension)

 ➜ mc cp 2.PNG fxt/mybucket/png/       
mc: <ERROR> Failed to copy `/home/prakash/Downloads/test-all-file-types/2.PNG`. Insufficient permissions to access this path `http://localhost:22000/mybucket/png/2.PNG`

 ➜ mc ls fxt/mybucket/png/          
[2023-06-15 09:48:22 IST]     4B STANDARD 1.png
[2023-06-15 08:50:22 IST] 9.5KiB STANDARD image (4).png

[bexsoft]

LGTM

[cesnietor]

reviewing

[cesnietor]

@prakashsvmx I was also expecing a similar thing as @bexsoft.
And I think we should solve the following:
Since JPG (uppercase) is not allowed, it shouldn't allow you to select the file in the browser, similar to how others are not allowed (to keep consistency), otherwise it's letting me know that it's allowed but then the app fails. This however can be an enhancement.

[cesnietor]

LGTM

[cesnietor]

@prakashsvmx I was also expecing a similar thing as @bexsoft. And I think we should solve the following: Since JPG (uppercase) is not allowed, it shouldn't allow you to select the file in the browser, similar to how others are not allowed (to keep consistency), otherwise it's letting me know that it's allowed but then the app fails. This however can be an enhancement.

So yes I was verifying also with AWS and they do allow to select all types of files but then it would only be failing at server level once it actually tries to upload it.

[prakashsvmx]

Thank you @cesnietor 👍