change bucket policy schema to fit AWS json #7389

nadavMiz · 2023-07-10T12:54:00Z

Explain the changes

change bucket policy schema to match AWS schema, according to what we currently support. passing the json as is from the request
change all calling functions to use correct arguments.
add an upgrade script for the bucket policy
add unit tests for upgrade script

Issues: Fixed #xxx / Gap #xxx

gap - anyOf schema changes aren't dealt by decode_json / encode_json functions. since we only use string and sensitiveString in our case it works fine. issue: decode_json / encode_json functions should work with oneOf / anyOf schema options #7448

Testing Instructions:

Doc added/updated
Tests added

src/endpoint/s3/ops/s3_put_bucket_policy.js

aspandey

Looks good to me. I observe that most of the changes are related to lower case to upper case. We need to make sure that this does not break other code wherever it might be using lowercase.

src/endpoint/s3/ops/s3_put_bucket_policy.js

src/endpoint/s3/s3_utils.js

src/upgrade/upgrade_scripts/5.3.0/update_bucket_owner_account.js

romayalon · 2023-07-24T12:15:18Z

src/api/common_api.js

@@ -252,41 +252,66 @@ module.exports = {
            }
        },

+        bucket_policy_principal: {
+            anyOf: [{


I recall we didn't support anyOf/oneOf in postgresClient encode_json/decode_json, @dannyzaken is this valid now?

@dannyzaken ?

I guess you're right. this can be an issue since the values underneath are SensitiveString and will probably not be unwrapped properly when stored. @nadavMiz how does it look in the DB when you store a policy?

in general we should probably handle it. I think there are other places we use anyOf/oneOf that are stores in the DB

@dannyzaken @romayalon

in the database the prefix appears clearly in all case:

{"_id": "64ca177180d3ca00289e9937", "tag": "", "name": "first.bucket", "system": "64ca177180d3ca00289e992f", "tiering": "64ca177180d3ca00289e9936", "s3_policy": {"Version": "20 12-10-17", "Statement": [{"Action": ["s3:PutBucketPolicy", "s3:*"], "Effect": "Allow", "Resource": ["arn:aws:s3:::first.bucket"], "Principal": {"AWS": "*"}}, {"Action": ["s3:PutObject"], *"Effect": "Allow" , "Resource": ["arn:aws:s3:::first.bucket/*"], "Principal": "*"}, {"Sid": "id-1", "Action": ["s3:GetObject"], "Effect": "Allow", "Resource": ["arn:aws:s3:::first.bucket/*"], "Principal": {"AWS": ["nadav", "*"]}}]}, "versioning": "DISABLED", "last_update": 1690977631534, "master_key_id": "64ca177180d3ca00289e9938", "owner_account": "64ca177180d3ca00289e992e", "storage_stats": {"pools": {}, "blocks_size": 0 , "last_update": 1690977537545, "objects_hist": [], "objects_size": 0, "objects_count": 0, "chunks_capacity": 0, "stats_by_content_type": []}, "lambda_triggers": []}

also in logs we print for bucket policy we get the prefix is a sensitive string. for example in policy validation:

principal fit? SENSITIVE-7846cdd4c2b90527 nadav

looks like it is fine in this case

As we discussed, this anyOf doesn't really gets encoded, but since all we have inside the any of is string/sensitive string it works.
@dannyzaken Are you ok with merging it and opening a gap for the anyOf issue?

opened an issue for the anyOf: #7448

I'm fine with the gap.

src/api/common_api.js

src/endpoint/s3/ops/s3_put_bucket_policy.js

src/upgrade/upgrade_scripts/5.14.0/upgrade_bucket_policy.js

src/endpoint/s3/ops/s3_put_bucket_policy.js

src/endpoint/s3/s3_rest.js

src/test/unit_tests/test_upgrade_scripts.js

src/upgrade/upgrade_scripts/5.14.0/upgrade_bucket_policy.js

Signed-off-by: nadav mizrahi <nadav.mizrahi16@gmail.com>

nadavMiz requested review from guymguym, dannyzaken, a team and aspandey and removed request for a team July 10, 2023 12:54

pull-request-size bot added the size/L label Jul 10, 2023

nadavMiz force-pushed the bucket_policy_schema_change branch 2 times, most recently from 34ba9eb to 7a8beb9 Compare July 11, 2023 06:23

dannyzaken reviewed Jul 13, 2023

View reviewed changes

src/endpoint/s3/ops/s3_put_bucket_policy.js Outdated Show resolved Hide resolved

dannyzaken reviewed Jul 13, 2023

View reviewed changes

src/endpoint/s3/ops/s3_put_bucket_policy.js Show resolved Hide resolved

nadavMiz force-pushed the bucket_policy_schema_change branch from 7a8beb9 to 2c0e8a9 Compare July 13, 2023 13:07

pull-request-size bot added size/XL and removed size/L labels Jul 13, 2023

nadavMiz force-pushed the bucket_policy_schema_change branch 2 times, most recently from ae40d7c to ef37a74 Compare July 16, 2023 06:20

nadavMiz requested a review from dannyzaken July 16, 2023 07:28

nimrod-becker requested review from romayalon, a team and achouhan09 and removed request for a team July 18, 2023 09:01

aspandey reviewed Jul 19, 2023

View reviewed changes

dannyzaken reviewed Jul 19, 2023

View reviewed changes

src/endpoint/s3/ops/s3_put_bucket_policy.js Outdated Show resolved Hide resolved

nadavMiz force-pushed the bucket_policy_schema_change branch from ef37a74 to e7817c8 Compare July 23, 2023 10:53

nadavMiz requested a review from dannyzaken July 23, 2023 10:55

romayalon reviewed Jul 24, 2023

View reviewed changes

nadavMiz force-pushed the bucket_policy_schema_change branch from e7817c8 to 147f72c Compare July 26, 2023 15:02

pull-request-size bot added size/L and removed size/XL labels Jul 26, 2023

nadavMiz force-pushed the bucket_policy_schema_change branch 2 times, most recently from 62f670e to 7272b34 Compare July 26, 2023 15:15

nadavMiz force-pushed the bucket_policy_schema_change branch 4 times, most recently from b0eac9c to 9d99b30 Compare July 27, 2023 11:41

nadavMiz requested a review from romayalon July 30, 2023 07:50