Merge pull request #285 from grycap/dev-slangarita

fix bug multitenancy
grycap · Jan 16, 2025 · 61de9fb · 61de9fb
2 parents aa0575d + cfb54e6
commit 61de9fb
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 20 deletions.
diff --git a/pkg/handlers/update.go b/pkg/handlers/update.go
@@ -107,7 +107,7 @@ func MakeUpdateHandler(cfg *types.Config, back types.ServerlessBackend) gin.Hand
 				splitPath := strings.SplitN(path, "/", 2)
 				// If isolation level was USER delete all private buckets
 				if oldService.IsolationLevel == "USER" {
-					err = deletePrivateBuckets(oldService, minIOAdminClient, s3Client)
+					err = updatePrivateBuckets(oldService, minIOAdminClient, s3Client)
 					if err != nil {
 						return
 					}
@@ -210,3 +210,25 @@ func updateBuckets(newService, oldService *types.Service, minIOAdminClient *util
 	// Create the input and output buckets/folders from newService
 	return createBuckets(newService, cfg, minIOAdminClient, true)
 }
+
+func updatePrivateBuckets(service *types.Service, minIOAdminClient *utils.MinIOAdminClient, s3Client *s3.S3) error {
+	for i, b := range service.BucketList {
+		// Disable input notifications for user bucket
+		if err := disableInputNotifications(s3Client, service.GetMinIOWebhookARN(), b); err != nil {
+			log.Printf("Error disabling MinIO input notifications for service \"%s\": %v\n", service.Name, err)
+		}
+		//Delete bucket and unset the associated policy
+		err := minIOAdminClient.EmptyPolicy(service.AllowedUsers[i], false)
+		if err != nil {
+			fmt.Println(err)
+		}
+		err = minIOAdminClient.RemoveFromPolicy(b, service.AllowedUsers[i], false)
+		if err != nil {
+			return fmt.Errorf("unable to remove bucket from policy %q, %v", b, err)
+		}
+		/*if err := minIOAdminClient.DeleteBucket(s3Client, b, service.AllowedUsers[i]); err != nil {
+			return fmt.Errorf("unable to delete bucket %q, %v", b, err)
+		}*/
+	}
+	return nil
+}
diff --git a/pkg/utils/minio.go b/pkg/utils/minio.go
@@ -285,33 +285,41 @@ func (minIOAdminClient *MinIOAdminClient) RestartServer() error {
 func (minIOAdminClient *MinIOAdminClient) CreateAddPolicy(bucketName string, policyName string, isGroup bool) error {
 	var jsonErr error
 	var policy []byte
+	var action []string
 
 	rs := "arn:aws:s3:::" + bucketName + "/*"
-
-	_, errInfo := minIOAdminClient.adminClient.InfoCannedPolicyV2(context.TODO(), policyName)
+	getPolicy, errInfo := minIOAdminClient.adminClient.InfoCannedPolicyV2(context.TODO(), policyName)
 	if errInfo != nil {
 		// If the policy does not exist create it
-		p := `{
-			"Version": "2012-10-17",
-			"Statement": [
+		actualPolicy := &Policy{
+			Version: "2012-10-17",
+			Statement: []Statement{
 				{
-					"Effect": "Allow",
-					"Action": [
-						"s3:*"
-					],
-					"Resource": [
-						"arn:aws:s3:::` + bucketName + `/*"
-					]
-				}
-			]
-		}`
-		policy = []byte(p)
+					Resource: []string{rs},
+					Action:   []string{"s3:*"},
+					Effect:   "Allow",
+				},
+			},
+		}
+		policy, jsonErr = json.Marshal(actualPolicy)
+		if jsonErr != nil {
+			return jsonErr
+		}
 	} else {
+		jsonUnmarshal := &Policy{}
+
+		jsonErr = json.Unmarshal(getPolicy.Policy, jsonUnmarshal)
+
+		if len(jsonUnmarshal.Statement) > 0 && jsonErr == nil {
+			action = append(jsonUnmarshal.Statement[0].Resource, rs)
+		} else {
+			action = []string{rs}
+		}
 		actualPolicy := &Policy{
 			Version: "2012-10-17",
 			Statement: []Statement{
 				{
-					Resource: []string{rs},
+					Resource: action,
 					Action:   []string{"s3:*"},
 					Effect:   "Allow",
 				},
@@ -405,8 +413,6 @@ func (minIOAdminClient *MinIOAdminClient) RemoveFromPolicy(bucketName string, po
 	actualPolicy := &Policy{}
 	jsonErr := json.Unmarshal(policyInfo.Policy, actualPolicy)
 	if jsonErr != nil {
-		fmt.Println("here3")
-
 		return jsonErr
 	}
 	if len(actualPolicy.Statement[0].Resource) == 1 {