Merge pull request ceph#55062 from rhcs-dashboard/set-bucket-policy

mgr/dashboard: set bucket policies

Reviewed-by: Ankush Behl <cloudbehl@gmail.com>
Reviewed-by: Nizamudeen A <nia@redhat.com>

Author: Pegonzal

src/pybind/mgr/dashboard/controllers/rgw.py

@@ -291,6 +291,10 @@ def _get_policy(self, bucket: str):
         rgw_client = RgwClient.admin_instance()
         return rgw_client.get_bucket_policy(bucket)
 
+    def _set_policy(self, bucket_name: str, policy: str, daemon_name, owner):
+        rgw_client = RgwClient.instance(owner, daemon_name)
+        return rgw_client.set_bucket_policy(bucket_name, policy)
+
     def _set_tags(self, bucket_name, tags, daemon_name, owner):
         rgw_client = RgwClient.instance(owner, daemon_name)
         return rgw_client.set_tags(bucket_name, tags)
@@ -347,7 +351,7 @@ def get(self, bucket, daemon_name=None):
         result['encryption'] = encryption['Status']
         result['versioning'] = versioning['Status']
         result['mfa_delete'] = versioning['MfaDelete']
-        result['policy'] = self._get_policy(bucket_name)
+        result['bucket_policy'] = self._get_policy(bucket_name)
 
         # Append the locking configuration.
         locking = self._get_locking(result['owner'], daemon_name, bucket_name)
@@ -360,7 +364,8 @@ def create(self, bucket, uid, zonegroup=None, placement_target=None,
                lock_enabled='false', lock_mode=None,
                lock_retention_period_days=None,
                lock_retention_period_years=None, encryption_state='false',
-               encryption_type=None, key_id=None, tags=None, daemon_name=None):
+               encryption_type=None, key_id=None, tags=None,
+               bucket_policy=None, daemon_name=None):
         lock_enabled = str_to_bool(lock_enabled)
         encryption_state = str_to_bool(encryption_state)
         try:
@@ -379,6 +384,9 @@ def create(self, bucket, uid, zonegroup=None, placement_target=None,
             if tags:
                 self._set_tags(bucket, tags, daemon_name, uid)
 
+            if bucket_policy:
+                self._set_policy(bucket, bucket_policy, daemon_name, uid)
+
             return result
         except RequestException as e:  # pragma: no cover - handling is too obvious
             raise DashboardException(e, http_status_code=500, component='rgw')
@@ -388,7 +396,7 @@ def set(self, bucket, bucket_id, uid, versioning_state=None,
             encryption_state='false', encryption_type=None, key_id=None,
             mfa_delete=None, mfa_token_serial=None, mfa_token_pin=None,
             lock_mode=None, lock_retention_period_days=None,
-            lock_retention_period_years=None, tags=None, daemon_name=None):
+            lock_retention_period_years=None, tags=None, bucket_policy=None, daemon_name=None):
         encryption_state = str_to_bool(encryption_state)
         # When linking a non-tenant-user owned bucket to a tenanted user, we
         # need to prefix bucket name with '/'. e.g. photos -> /photos
@@ -430,6 +438,8 @@ def set(self, bucket, bucket_id, uid, versioning_state=None,
             self._delete_encryption(bucket_name, daemon_name, uid)
         if tags:
             self._set_tags(bucket_name, tags, daemon_name, uid)
+        if bucket_policy:
+            self._set_policy(bucket, bucket_policy, daemon_name, uid)
         return self._append_bid(result)
 
     def delete(self, bucket, purge_objects='true', daemon_name=None):

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-bucket-details/rgw-bucket-details.component.html

@@ -102,7 +102,7 @@
         </table>
 
       <!-- Tags -->
-      <ng-container *ngIf="selection.tagset">
+      <ng-container *ngIf="(selection.tagset | keyvalue)?.length">
         <legend i18n>Tags</legend>
         <table class="table table-striped table-bordered">
           <tbody>
@@ -120,15 +120,15 @@
 
     <ng-container ngbNavItem="permissions">
       <a ngbNavLink
-         i18n>Permissions</a>
+         i18n>Policies</a>
       <ng-template ngbNavContent>
 
         <table class="table table-striped table-bordered">
           <tbody>
             <tr>
               <td i18n
-                  class="bold w-25">Policy</td>
-              <td><pre>{{ selection.policy | json}}</pre></td>
+                  class="bold w-25">Bucket policy</td>
+              <td><pre>{{ selection.bucket_policy | json}}</pre></td>
             </tr>
           </tbody>
         </table>

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-bucket-details/rgw-bucket-details.component.ts

@@ -18,7 +18,7 @@ export class RgwBucketDetailsComponent implements OnChanges {
       this.rgwBucketService.get(this.selection.bid).subscribe((bucket: object) => {
         bucket['lock_retention_period_days'] = this.rgwBucketService.getLockDays(bucket);
         this.selection = bucket;
-        this.selection.policy = JSON.parse(this.selection.policy) || {};
+        this.selection.bucket_policy = JSON.parse(this.selection.bucket_policy) || {};
       });
     }
   }

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-bucket-form/rgw-bucket-form.component.html

@@ -410,6 +410,50 @@
           </div>
         </div>
 
+        <!-- Policies -->
+        <legend class="cd-header"
+                i18n>Policies
+        </legend>
+        <div class="row">
+          <div class="col-12">
+            <div class="form-group row">
+              <label i18n
+                     class="cd-col-form-label"
+                     for="id">Bucket policy</label>
+              <div class="cd-col-form-input">
+                <textarea #bucketPolicyTextArea
+                          class="form-control resize-vertical"
+                          id="bucket_policy"
+                          formControlName="bucket_policy"
+                          (change)="bucketPolicyOnChange()">
+                </textarea>
+                <span class="invalid-feedback"
+                      *ngIf="bucketForm.showError('bucket_policy', frm, 'invalidJson')"
+                      i18n>Invalid json text</span>
+                <div class="btn-group float-end"
+                     role="group"
+                     aria-label="bucket-policy-helpers">
+                  <button type="button"
+                          id="example-generator-button"
+                          class="btn btn-light my-3"
+                          (click)="openUrl('https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html?icmpid=docs_amazons3_console')"
+                          i18n>
+                    <i [ngClass]="[icons.externalUrl]"></i>
+                    Policy examples
+                  </button>
+                  <button type="button"
+                          id="example-generator-button"
+                          class="btn btn-light my-3"
+                          (click)="openUrl('https://awspolicygen.s3.amazonaws.com/policygen.html')"
+                          i18n>
+                    <i [ngClass]="[icons.externalUrl]"></i>
+                    Policy generator
+                  </button>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
 
       </div>
       <div class="card-footer">

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-bucket-form/rgw-bucket-form.component.ts

@@ -1,4 +1,11 @@
-import { AfterViewChecked, ChangeDetectorRef, Component, OnInit } from '@angular/core';
+import {
+  AfterViewChecked,
+  ChangeDetectorRef,
+  Component,
+  OnInit,
+  ViewChild,
+  ElementRef
+} from '@angular/core';
 import { AbstractControl, Validators } from '@angular/forms';
 import { ActivatedRoute, Router } from '@angular/router';
 
@@ -22,6 +29,7 @@ import { RgwBucketMfaDelete } from '../models/rgw-bucket-mfa-delete';
 import { RgwBucketVersioning } from '../models/rgw-bucket-versioning';
 import { RgwConfigModalComponent } from '../rgw-config-modal/rgw-config-modal.component';
 import { BucketTagModalComponent } from '../bucket-tag-modal/bucket-tag-modal.component';
+import { TextAreaJsonFormatterService } from '~/app/shared/services/text-area-json-formatter.service';
 
 @Component({
   selector: 'cd-rgw-bucket-form',
@@ -30,6 +38,9 @@ import { BucketTagModalComponent } from '../bucket-tag-modal/bucket-tag-modal.co
   providers: [RgwBucketEncryptionModel]
 })
 export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewChecked {
+  @ViewChild('bucketPolicyTextArea')
+  public bucketPolicyTextArea: ElementRef<any>;
+
   bucketForm: CdFormGroup;
   editing = false;
   owners: string[] = null;
@@ -70,6 +81,7 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
     private rgwUserService: RgwUserService,
     private notificationService: NotificationService,
     private rgwEncryptionModal: RgwBucketEncryptionModel,
+    private textAreaJsonFormatterService: TextAreaJsonFormatterService,
     public actionLabels: ActionLabelsI18n,
     private readonly changeDetectorRef: ChangeDetectorRef
   ) {
@@ -82,6 +94,7 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
 
   ngAfterViewChecked(): void {
     this.changeDetectorRef.detectChanges();
+    this.bucketPolicyOnChange();
   }
 
   createForm() {
@@ -129,7 +142,8 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
         ]
       ],
       lock_mode: ['COMPLIANCE'],
-      lock_retention_period_days: [0, [CdValidators.number(false), lockDaysValidator]]
+      lock_retention_period_days: [0, [CdValidators.number(false), lockDaysValidator]],
+      bucket_policy: ['{}', CdValidators.json()]
     });
   }
 
@@ -217,6 +231,11 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
             if (value['lock_enabled']) {
               this.bucketForm.controls['versioning'].disable();
             }
+            if (value['bucket_policy']) {
+              this.bucketForm
+                .get('bucket_policy')
+                .setValue(JSON.stringify(value['bucket_policy'], null, 2));
+            }
           }
         }
         this.loadingReady();
@@ -240,6 +259,7 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
     }
     const values = this.bucketForm.value;
     const xmlStrTags = this.tagsToXML(this.tags);
+    const bucketPolicy = this.getBucketPolicy();
     if (this.editing) {
       // Edit
       const versioning = this.getVersioningStatus();
@@ -258,7 +278,8 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
           values['mfa-token-pin'],
           values['lock_mode'],
           values['lock_retention_period_days'],
-          xmlStrTags
+          xmlStrTags,
+          bucketPolicy
         )
         .subscribe(
           () => {
@@ -287,7 +308,8 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
           values['encryption_enabled'],
           values['encryption_type'],
           values['keyId'],
-          xmlStrTags
+          xmlStrTags,
+          bucketPolicy
         )
         .subscribe(
           () => {
@@ -337,6 +359,10 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
     return this.isMfaDeleteEnabled ? RgwBucketMfaDelete.ENABLED : RgwBucketMfaDelete.DISABLED;
   }
 
+  getBucketPolicy() {
+    return this.bucketForm.getValue('bucket_policy') || '{}';
+  }
+
   fileUpload(files: FileList, controlName: string) {
     const file: File = files[0];
     const reader = new FileReader();
@@ -349,6 +375,16 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
     });
   }
 
+  bucketPolicyOnChange() {
+    if (this.bucketPolicyTextArea) {
+      this.textAreaJsonFormatterService.format(this.bucketPolicyTextArea);
+    }
+  }
+
+  openUrl(url: string) {
+    window.open(url, '_blank');
+  }
+
   openConfigModal() {
     const modalRef = this.modalService.show(RgwConfigModalComponent, null, { size: 'lg' });
     modalRef.componentInstance.configForm
@@ -374,6 +410,8 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
 
   deleteTag(index: number) {
     this.tags.splice(index, 1);
+    this.bucketForm.markAsDirty();
+    this.bucketForm.updateValueAndValidity();
   }
 
   private setTag(tag: Record<string, string>, index?: number) {

src/pybind/mgr/dashboard/frontend/src/app/shared/api/rgw-bucket.service.spec.ts

@@ -60,11 +60,12 @@ describe('RgwBucketService', () => {
         true,
         'aws:kms',
         'qwerty1',
+        null,
         null
       )
       .subscribe();
     const req = httpTesting.expectOne(
-      `api/rgw/bucket?bucket=foo&uid=bar&zonegroup=default&placement_target=default-placement&lock_enabled=false&lock_mode=COMPLIANCE&lock_retention_period_days=5&encryption_state=true&encryption_type=aws%253Akms&key_id=qwerty1&tags=null&${RgwHelper.DAEMON_QUERY_PARAM}`
+      `api/rgw/bucket?bucket=foo&uid=bar&zonegroup=default&placement_target=default-placement&lock_enabled=false&lock_mode=COMPLIANCE&lock_retention_period_days=5&encryption_state=true&encryption_type=aws%253Akms&key_id=qwerty1&tags=null&bucket_policy=null&${RgwHelper.DAEMON_QUERY_PARAM}`
     );
     expect(req.request.method).toBe('POST');
   });
@@ -84,11 +85,12 @@ describe('RgwBucketService', () => {
         '223344',
         'GOVERNANCE',
         '10',
+        null,
         null
       )
       .subscribe();
     const req = httpTesting.expectOne(
-      `api/rgw/bucket/foo?${RgwHelper.DAEMON_QUERY_PARAM}&bucket_id=bar&uid=baz&versioning_state=Enabled&encryption_state=true&encryption_type=aws%253Akms&key_id=qwerty1&mfa_delete=Enabled&mfa_token_serial=1&mfa_token_pin=223344&lock_mode=GOVERNANCE&lock_retention_period_days=10&tags=null`
+      `api/rgw/bucket/foo?${RgwHelper.DAEMON_QUERY_PARAM}&bucket_id=bar&uid=baz&versioning_state=Enabled&encryption_state=true&encryption_type=aws%253Akms&key_id=qwerty1&mfa_delete=Enabled&mfa_token_serial=1&mfa_token_pin=223344&lock_mode=GOVERNANCE&lock_retention_period_days=10&tags=null&bucket_policy=null`
     );
     expect(req.request.method).toBe('PUT');
   });

src/pybind/mgr/dashboard/frontend/src/app/shared/api/rgw-bucket.service.ts

@@ -60,7 +60,8 @@ export class RgwBucketService extends ApiClient {
     encryption_state: boolean,
     encryption_type: string,
     key_id: string,
-    tags: string
+    tags: string,
+    bucketPolicy: string
   ) {
     return this.rgwDaemonService.request((params: HttpParams) => {
       return this.http.post(this.url, null, {
@@ -77,6 +78,7 @@ export class RgwBucketService extends ApiClient {
             encryption_type,
             key_id,
             tags: tags,
+            bucket_policy: bucketPolicy,
             daemon_name: params.get('daemon_name')
           }
         })
@@ -97,7 +99,8 @@ export class RgwBucketService extends ApiClient {
     mfaTokenPin: string,
     lockMode: 'GOVERNANCE' | 'COMPLIANCE',
     lockRetentionPeriodDays: string,
-    tags: string
+    tags: string,
+    bucketPolicy: string
   ) {
     return this.rgwDaemonService.request((params: HttpParams) => {
       params = params.appendAll({
@@ -112,7 +115,8 @@ export class RgwBucketService extends ApiClient {
         mfa_token_pin: mfaTokenPin,
         lock_mode: lockMode,
         lock_retention_period_days: lockRetentionPeriodDays,
-        tags: tags
+        tags: tags,
+        bucket_policy: bucketPolicy
       });
       return this.http.put(`${this.url}/${bucket}`, null, { params: params });
     });

src/pybind/mgr/dashboard/frontend/src/app/shared/enum/icons.enum.ts

@@ -82,6 +82,7 @@ export enum Icons {
   navicon = 'fa fa-navicon', // Navigation
   areaChart = 'fa fa-area-chart', // Area Chart, dashboard
   eye = 'fa fa-eye', // Observability
+  externalUrl = 'fa fa-external-link', // links to external page
 
   /* Icons for special effect */
   large = 'fa fa-lg', // icon becomes 33% larger

src/pybind/mgr/dashboard/frontend/src/app/shared/forms/cd-validators.ts

@@ -610,4 +610,16 @@ export class CdValidators {
         );
     };
   }
+
+  static json(): ValidatorFn {
+    return (control: AbstractControl): Record<string, any> | null => {
+      if (!control.value) return null;
+      try {
+        JSON.parse(control.value);
+        return null;
+      } catch (e) {
+        return { invalidJson: true };
+      }
+    };
+  }
 }

src/pybind/mgr/dashboard/frontend/src/app/shared/forms/crud-form/formly-textarea-type/formly-textarea-type.component.ts

@@ -1,5 +1,6 @@
 import { Component, ViewChild, ElementRef } from '@angular/core';
 import { FieldType, FieldTypeConfig } from '@ngx-formly/core';
+import { TextAreaJsonFormatterService } from '~/app/shared/services/text-area-json-formatter.service';
 
 @Component({
   selector: 'cd-formly-textarea-type',
@@ -10,16 +11,11 @@ export class FormlyTextareaTypeComponent extends FieldType<FieldTypeConfig> {
   @ViewChild('textArea')
   public textArea: ElementRef<any>;
 
+  constructor(private textAreaJsonFormatterService: TextAreaJsonFormatterService) {
+    super();
+  }
+
   onChange() {
-    const value = this.textArea.nativeElement.value;
-    try {
-      const formatted = JSON.stringify(JSON.parse(value), null, 2);
-      this.textArea.nativeElement.value = formatted;
-      this.textArea.nativeElement.style.height = 'auto';
-      const lineNumber = formatted.split('\n').length;
-      const pixelPerLine = 25;
-      const pixels = lineNumber * pixelPerLine;
-      this.textArea.nativeElement.style.height = pixels + 'px';
-    } catch (e) {}
+    this.textAreaJsonFormatterService.format(this.textArea);
   }
 }