ZKUI-207: Disable the Remove button for Policy Role Pair defined in the

Vault Config
scality · Jul 1, 2022 · 741aaa6 · 741aaa6
1 parent ccc968b
commit 741aaa6
Show file tree

Hide file tree

Showing 7 changed files with 270 additions and 2 deletions.
diff --git a/public/assets/account-seeds.json b/public/assets/account-seeds.json
@@ -0,0 +1,230 @@
+[
+  {
+    "role": {
+      "roleName": "storage-manager-role",
+      "trustPolicy": {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": { "Federated": "keycloak.zenko.local" },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+              "StringEquals": {
+                "keycloak:roles": "StorageManager"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "permissionPolicy": {
+      "policyName": "storage-manager-policy",
+      "policyDocument": {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Sid": "FullAccess",
+            "Effect": "Allow",
+            "Action": ["*"],
+            "Resource": "*"
+          }
+        ]
+      }
+    }
+  },
+  {
+    "role": {
+      "roleName": "storage-account-owner-role",
+      "trustPolicy": {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": { "Federated": "keycloak.zenko.local" },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+              "StringEquals": { "keycloak:groups": "StorageAccountOwner" }
+            }
+          }
+        ]
+      }
+    },
+    "permissionPolicy": {
+      "policyName": "storage-account-owner-policy",
+      "policyDocument": {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Sid": "FullAccess",
+            "Effect": "Allow",
+            "Action": ["s3:*", "iam:*"],
+            "Resource": ["*"]
+          }
+        ]
+      }
+    }
+  },
+  {
+    "role": {
+      "roleName": "data-consumer-role",
+      "trustPolicy": {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": { "Federated": "keycloak.zenko.local" },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+              "StringEquals": { "keycloak:groups": "DataConsumer" }
+            }
+          }
+        ]
+      }
+    },
+    "permissionPolicy": {
+      "policyName": "data-consumer-policy",
+      "policyDocument": {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Action": "s3:ListAllMyBuckets",
+            "Resource": "*"
+          },
+          {
+            "Effect": "Allow",
+            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
+            "Resource": "*"
+          },
+          {
+            "Effect": "Allow",
+            "Action": [
+              "s3:MetadataSearch",
+              "s3:PutObject",
+              "s3:PutObjectAcl",
+              "s3:GetObject",
+              "s3:GetObjectAcl",
+              "s3:DeleteObject",
+              "s3:RestoreObject",
+              "s3:GetBucketVersioning",
+              "s3:GetBucketCors",
+              "s3:GetBucketAcl",
+              "s3:GetBucketObjectLockConfiguration",
+              "s3:ListObjectsV2",
+              "s3:ListObjectVersions",
+              "s3:PutObjectLockConfiguration",
+              "s3:DeleteObjects",
+              "s3:GetObjectRetention",
+              "s3:GetObjectLegalHold",
+              "s3:PutObjectRetention",
+              "s3:PutObjectLegalHold",
+              "s3:HeadObject",
+              "s3:CopyObject",
+              "s3:GetObjectTagging",
+              "s3:PutObjectTagging",
+              "s3:GetReplicationConfiguration",
+              "s3:GetLifecycleConfiguration",
+              "s3:DeleteObjectVersion",
+              "s3:PutLifecycleConfiguration",
+              "s3:PutReplicationConfiguration",
+              "s3:ListObjectVersion",
+              "s3:GetObjectVersion",
+              "s3:GetObjectVersionRetention",
+              "s3:GetObjectVersionLegalHold",
+              "s3:PutObjectVersionRetention",
+              "s3:PutObjectVersionLegalHold",
+              "s3:GetObjectVersionTagging",
+              "s3:DeleteObjectVersionTagging",
+              "s3:PutObjectVersionTagging",
+              "s3:GetObjectVersionAcl",
+              "s3:PutObjectVersionAcl",
+              "s3:GetBucketTagging",
+              "s3:PutBucketTagging",
+              "s3:DeleteBucketTagging"
+            ],
+            "Resource": "*"
+          }
+        ]
+      }
+    }
+  },
+  {
+    "permissionPolicy": {
+      "policyDocument": {
+        "Statement": [
+          {
+            "Action": [
+              "s3:GetLifecycleConfiguration",
+              "s3:GetBucketVersioning",
+              "s3:ListBucket",
+              "s3:ListBucketVersions",
+              "s3:ListBucketMultipartUploads",
+              "s3:GetObjectTagging",
+              "s3:GetObjectVersionTagging",
+              "s3:GetObject",
+              "s3:GetObjectVersion"
+            ],
+            "Effect": "Allow",
+            "Resource": ["*"],
+            "Sid": "LifecycleExpirationBucketProcessor"
+          }
+        ],
+        "Version": "2012-10-17"
+      },
+      "policyName": "backbeat-lifecycle-bp-1"
+    },
+    "role": {
+      "roleName": "backbeat-lifecycle-bp-1",
+      "trustPolicy": {
+        "Statement": [
+          {
+            "Action": "sts:AssumeRole",
+            "Effect": "Allow",
+            "Principal": {
+              "AWS": "arn:aws:iam::000000000000:user/scality-internal/backbeat-lifecycle-bp-1"
+            }
+          }
+        ],
+        "Version": "2012-10-17"
+      }
+    }
+  },
+  {
+    "permissionPolicy": {
+      "policyDocument": {
+        "Statement": [
+          {
+            "Action": [
+              "s3:GetObject",
+              "s3:GetObjectVersion",
+              "s3:DeleteObject",
+              "s3:DeleteObjectVersion",
+              "s3:AbortMultipartUpload"
+            ],
+            "Effect": "Allow",
+            "Resource": ["*"],
+            "Sid": "LifecycleExpirationObjectProcessor"
+          }
+        ],
+        "Version": "2012-10-17"
+      },
+      "policyName": "backbeat-lifecycle-op-1"
+    },
+    "role": {
+      "roleName": "backbeat-lifecycle-op-1",
+      "trustPolicy": {
+        "Statement": [
+          {
+            "Action": "sts:AssumeRole",
+            "Effect": "Allow",
+            "Principal": {
+              "AWS": "arn:aws:iam::000000000000:user/scality-internal/backbeat-lifecycle-op-1"
+            }
+          }
+        ],
+        "Version": "2012-10-17"
+      }
+    }
+  }
+]
diff --git a/src/js/vault.ts b/src/js/vault.ts
@@ -0,0 +1,11 @@
+// TODO: AccountSeeds should be returned by Vault API
+export function getAccountSeeds() {
+  return fetch('/account-seeds.json', {
+    headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
+  }).then((res) => {
+    if (!res.ok) {
+      throw Error('Can not fetch Account Seeds!!');
+    }
+    return res.json();
+  });
+}
diff --git a/src/react/account/iamAttachment/AttachmentTable.tsx b/src/react/account/iamAttachment/AttachmentTable.tsx
@@ -524,6 +524,7 @@ export const AttachmentTable = <
                   icon={<i className="fas fa-times"></i>}
                   label="Remove"
                   variant="danger"
+                  disabled={!!entity.disableDetach}
                 />
               ),
             },

diff --git a/src/react/account/iamAttachment/AttachmentTabs.tsx b/src/react/account/iamAttachment/AttachmentTabs.tsx
@@ -2,8 +2,10 @@ import { Loader } from '@scality/core-ui';
 import { useReducer } from 'react';
 import { useLocation, useParams } from 'react-router';
 import { useTheme } from 'styled-components';
+import { useQuery } from 'react-query';
 import { useIAMClient } from '../../IAMProvider';
 import {
+  getAccountSeedsQuery,
   getListAttachedUserPoliciesQuery,
   getListEntitiesForPolicyQuery,
   getListGroupsQuery,
@@ -95,10 +97,12 @@ const AttachmentTableProxy = <
 const AttachmentTabs = ({
   resourceType,
   resourceId,
+  resourceName,
   onAttachmentsOperationsChanged,
 }: {
   resourceType: ResourceType;
   resourceId: string;
+  resourceName: string;
   onAttachmentsOperationsChanged: (
     attachmentOperations: AttachmentOperation[],
   ) => void;
@@ -133,6 +137,12 @@ const AttachmentTabs = ({
     tabLineColor: backgroundLevel4,
   };
 
+  const { data: accountSeeds } = useQuery(getAccountSeedsQuery());
+  const policyRolePair =
+    accountSeeds?.filter(
+      (seed) => seed.permissionPolicy.policyName === resourceName,
+    ) || [];
+
   return (
     <CustomTabs {...customTabStyle}>
       {resourceType === 'policy' && (
@@ -289,10 +299,15 @@ const AttachmentTabs = ({
             getAttachedEntitesFromResult={(response) => {
               return (
                 response.PolicyRoles?.map((role) => {
+                  const disableDetach =
+                    !!policyRolePair.find(
+                      (pair) => pair.role.roleName === role.RoleName,
+                    ) !== undefined;
                   return {
                     name: role.RoleName || '',
                     id: role.RoleName || '',
                     type: 'role',
+                    disableDetach,
                   };
                 }) || []
               );

diff --git a/src/react/account/iamAttachment/AttachmentTypes.ts b/src/react/account/iamAttachment/AttachmentTypes.ts
@@ -5,6 +5,7 @@ export type AttachableEntity = {
   name: string;
   id: string;
   type: EntityType;
+  disableDetach?: boolean;
 };
 
 export enum AttachmentAction {

diff --git a/src/react/account/iamAttachment/Attachments.tsx b/src/react/account/iamAttachment/Attachments.tsx
@@ -1,5 +1,4 @@
 import { BasicText, EmphaseText, LargerText } from '@scality/core-ui';
-import { Button } from '@scality/core-ui/dist/next';
 import { useState } from 'react';
 import { useParams, useRouteMatch } from 'react-router';
 import styled from 'styled-components';
@@ -75,6 +74,7 @@ const Attachments = () => {
         <AttachmentTabs
           resourceId={resourceId}
           resourceType={resourceType}
+          resourceName={resourceName}
           onAttachmentsOperationsChanged={setAttachmentOperations}
         />
       </AttachmentContainer>
@@ -84,7 +84,11 @@ const Attachments = () => {
           resourceId={resourceId}
           resourceName={resourceName}
           resourceType={resourceType}
-          redirectUrl={isAttachToPolicy ? `/accounts/${account?.Name}/policies` : `/accounts/${account?.Name}/users`}
+          redirectUrl={
+            isAttachToPolicy
+              ? `/accounts/${account?.Name}/policies`
+              : `/accounts/${account?.Name}/users`
+          }
         />
       </AttachmentFooterContainer>
     </>

diff --git a/src/react/queries.ts b/src/react/queries.ts
@@ -4,6 +4,7 @@ import { APIWorkflows, Workflows, Workflow } from '../types/workflow';
 import { generateExpirationName, generateStreamName } from './workflow/utils';
 import IAMClient from '../js/IAMClient';
 import { QueryFunctionContext } from 'react-query';
+import { getAccountSeeds } from '../js/vault';
 
 // Copy paste form legacy redux workflow
 export const makeWorkflows = (apiWorkflows: APIWorkflows): Workflows => {
@@ -161,3 +162,8 @@ export const getListAttachedUserPoliciesQuery = (
   refetchOnMount: false,
   refetchOnWindowFocus: false,
 });
+
+export const getAccountSeedsQuery = () => ({
+  queryKey: ['AccountSeeds'],
+  queryFn: getAccountSeeds,
+});