Merge pull request #40 from Project-MONAI/vchang/fix-policy

Include the directory in the policy

Author: mocsharp

src/S3Policy/PolicyExtensions.cs

@@ -77,7 +77,7 @@ public static Policy ToPolicy(string? bucketName, string? folderName)
                         Sid = "AllowAllS3ActionsInUserFolder",
                         Action = new string[] { "s3:*" },
                         Effect = "Allow",
-                        Resource = new string[] { $"arn:aws:s3:::{bucketName}/{folderName}/*" },
+                        Resource = new string[] { $"arn:aws:s3:::{bucketName}/{folderName}", $"arn:aws:s3:::{bucketName}/{folderName}/*" },
                     },
                 }
             };
@@ -139,7 +139,7 @@ public static Policy ToPolicy(PolicyRequest[] policyRequests)
                         Action = new string[] { "s3:*" },
                         Effect = "Allow",
                         Resource = policyRequests
-                            .Select(pr => $"{pr.BucketName}/{pr.FolderName}/*")
+                            .SelectMany(pr => new []{ $"{pr.BucketName}/{pr.FolderName}" , $"{pr.BucketName}/{pr.FolderName}/*" } )
                             .Distinct()
                             .ToArray(),
                     },

src/S3Policy/Tests/Extensions/PolicyExtensionsTest.cs

@@ -86,7 +86,7 @@ public void ToPolicy_ValidBucketAndFolder()
 
             var policyString = JsonConvert.SerializeObject(policy, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore });
 
-            Assert.Equal("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowUserToSeeBucketListInTheConsole\",\"Action\":[\"s3:ListAllMyBuckets\",\"s3:GetBucketLocation\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::*\"]},{\"Sid\":\"AllowRootAndHomeListingOfBucket\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best\",\"Jack/Is/The/\",\"Jack/Is/\",\"Jack/\",\"\"],\"s3:delimiter\":[\"/\"]}}},{\"Sid\":\"AllowListingOfUserFolder\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best/*\"]}}},{\"Sid\":\"AllowAllS3ActionsInUserFolder\",\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket/Jack/Is/The/Best/*\"]}]}", policyString);
+            Assert.Equal("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowUserToSeeBucketListInTheConsole\",\"Action\":[\"s3:ListAllMyBuckets\",\"s3:GetBucketLocation\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::*\"]},{\"Sid\":\"AllowRootAndHomeListingOfBucket\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best\",\"Jack/Is/The/\",\"Jack/Is/\",\"Jack/\",\"\"],\"s3:delimiter\":[\"/\"]}}},{\"Sid\":\"AllowListingOfUserFolder\",\"Action\":[\"s3:ListBucket\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket\"],\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"Jack/Is/The/Best/*\"]}}},{\"Sid\":\"AllowAllS3ActionsInUserFolder\",\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::test-bucket/Jack/Is/The/Best\",\"arn:aws:s3:::test-bucket/Jack/Is/The/Best/*\"]}]}", policyString);
         }
 
         [Fact]
@@ -111,9 +111,10 @@ public async Task ToPolicy_Should_Set_Correct_Allow_All_Path()
 
             var policyMade = PolicyExtensions.ToPolicy(policys);
 
-            Assert.EndsWith(
-                $"{bucketName}/{payloadId}/*",
-                policyMade.Statement.First(p => p.Sid == "AllowAllS3ActionsInUserFolder").Resource?.First());
+
+            Assert.Collection(policyMade.Statement.First(p => p.Sid == "AllowAllS3ActionsInUserFolder").Resource!,
+                (item) => item.Equals($"{bucketName}/{payloadId}"),
+                (item) => item.Equals($"{bucketName}/{payloadId}/*"));
 
         }