Merge branch 'Hotfix/2346-fixPolicy' into 'main'

Fix: Use correct policy (coscine/issues#2346) See merge request !42

Merge branch 'Hotfix/2346-fixPolicy' into 'main'
aeea15d0 · Benedikt Heinrichs · 46b3571e · 6e72c0b6 · aeea15d0 · aeea15d0
Commit aeea15d0 authored 2 years ago by Benedikt Heinrichs
--- a/src/ResourceTypes.RdsS3/BucketWritePolicy.json
+++ b/src/ResourceTypes.RdsS3/BucketWritePolicy.json
@@ -3,16 +3,16 @@
  "Id": "WritePolicy",
  "Statement": [
    {
-      "Sid": "AllowStatement",
+      "Sid": "WriteStatement",
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion" ],
      "Effect": "Allow",
      "Resource": [],
      "Principal": []
    },
    {
-      "Sid": "DenyStatement",
+      "Sid": "ReadStatement",
      "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion" ],
-      "Effect": "Deny",
+      "Effect": "Allow",
      "Resource": [],
      "Principal": []
    }

--- a/src/ResourceTypes.RdsS3/RdsS3ResourceType.cs
+++ b/src/ResourceTypes.RdsS3/RdsS3ResourceType.cs
@@ -231,7 +231,7 @@ public class RdsS3ResourceType : BaseResourceType
            throw new ArgumentException($"{nameof(RdsS3ResourceTypeConfiguration)}.{nameof(RdsS3ResourceTypeConfiguration.AccessKeyWrite)} cannot be null.");
        }
-        var policy = GenerateAccessPolicy(RdsS3ResourceTypeConfiguration.AccessKey, RdsS3ResourceTypeConfiguration.AccessKeyRead, RdsS3ResourceTypeConfiguration.AccessKeyWrite, id, status);
+        var policy = GenerateAccessPolicy(RdsS3ResourceTypeConfiguration.AccessKey, RdsS3ResourceTypeConfiguration.AccessKeyWrite, RdsS3ResourceTypeConfiguration.AccessKeyRead, id, status);
        var putRequest = new PutBucketPolicyRequest
        {
@@ -393,13 +393,13 @@ public class RdsS3ResourceType : BaseResourceType
            var jObject = JsonConvert.DeserializeObject<JObject>(json)
                                  ?? throw new Exception("BucketWritePolicy.json could not be parsed.");
            {
-                var allowStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "AllowStatement") as JObject;
+                var allowStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "WriteStatement") as JObject;
                (allowStatement?["Resource"] as JArray)?.Add($"{bucketname}/*");
                (allowStatement?["Principal"] as JArray)?.Add($"{writeKey}");
                (allowStatement?["Principal"] as JArray)?.Add($"{accessKey}");
            }
            {
-                var denyStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "DenyStatement") as JObject;
+                var denyStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "ReadStatement") as JObject;
                (denyStatement?["Resource"] as JArray)?.Add($"{bucketname}/*");
                (denyStatement?["Principal"] as JArray)?.Add($"{accessKeyRead}");
            }

--- a/src/ResourceTypes.RdsS3Worm/BucketWritePolicy.json
+++ b/src/ResourceTypes.RdsS3Worm/BucketWritePolicy.json
@@ -3,16 +3,16 @@
  "Id": "WritePolicy",
  "Statement": [
    {
-      "Sid": "AllowStatement",
+      "Sid": "WriteStatement",
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion" ],
      "Effect": "Allow",
      "Resource": [],
      "Principal": []
    },
    {
-      "Sid": "DenyStatement",
+      "Sid": "ReadStatement",
      "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion" ],
-      "Effect": "Deny",
+      "Effect": "Allow",
      "Resource": [],
      "Principal": []
    }

--- a/src/ResourceTypes.RdsS3Worm/RdsS3WormResourceType.cs
+++ b/src/ResourceTypes.RdsS3Worm/RdsS3WormResourceType.cs
@@ -214,7 +214,7 @@ namespace Coscine.ResourceTypes.RdsS3Worm
                throw new ArgumentException($"{nameof(RdsS3WormResourceTypeConfiguration)}.{nameof(RdsS3WormResourceTypeConfiguration.AccessKeyWrite)} cannot be null.");
            }
-            var policy = GenerateAccessPolicy(RdsS3WormResourceTypeConfiguration.AccessKey, RdsS3WormResourceTypeConfiguration.AccessKeyRead, RdsS3WormResourceTypeConfiguration.AccessKeyWrite, id, status);
+            var policy = GenerateAccessPolicy(RdsS3WormResourceTypeConfiguration.AccessKey, RdsS3WormResourceTypeConfiguration.AccessKeyWrite, RdsS3WormResourceTypeConfiguration.AccessKeyRead, id, status);
            var putRequest = new PutBucketPolicyRequest
            {
@@ -399,13 +399,13 @@ namespace Coscine.ResourceTypes.RdsS3Worm
                var jObject = JsonConvert.DeserializeObject<JObject>(json)
                                      ?? throw new Exception("BucketWritePolicy.json could not be parsed.");
                {
-                    var allowStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "AllowStatement") as JObject;
+                    var allowStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "WriteStatement") as JObject;
                    (allowStatement?["Resource"] as JArray)?.Add($"{bucketname}/*");
                    (allowStatement?["Principal"] as JArray)?.Add($"{writeKey}");
                    (allowStatement?["Principal"] as JArray)?.Add($"{accessKey}");
                }
                {
-                    var denyStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "DenyStatement") as JObject;
+                    var denyStatement = jObject["Statement"]?.First(x => x["Sid"]?.ToString() == "ReadStatement") as JObject;
                    (denyStatement?["Resource"] as JArray)?.Add($"{bucketname}/*");
                    (denyStatement?["Principal"] as JArray)?.Add($"{accessKeyRead}");
                }