feat: add getBucketPolicy, putBucketPolicy & deleteBucketPolicy

Author: c4spar

deps.ts

@@ -13,6 +13,11 @@ export function sha256Hex(data: string | Uint8Array): string {
   hasher.update(data);
   return hasher.toString("hex");
 }
+export function md5(data: string | Uint8Array): string {
+  const hasher = createHash("md5");
+  hasher.update(data);
+  return hasher.toString("base64");
+}
 export { default as parseXML } from "https://raw.githubusercontent.com/nekobato/deno-xml-parser/0bc4c2bd2f5fad36d274279978ca57eec57c680c/index.ts";
 export { decode as decodeXMLEntities } from "https://deno.land/x/[email protected]/lib/xml-entities.js";
 export { pooledMap } from "https://deno.land/[email protected]/async/pool.ts";

src/client.ts

@@ -1,5 +1,12 @@
-import { AWSSignerV4 } from "../deps.ts";
-import type { CreateBucketOptions } from "./types.ts";
+import { AWSSignerV4, md5 } from "../deps.ts";
+import type {
+  CreateBucketOptions,
+  DeleteBucketPolicyOptions,
+  GetBucketPolicyOptions,
+  Policy,
+  PutBucketPolicyOptions,
+  Statement,
+} from "./types.ts";
 import { S3Error } from "./error.ts";
 import { S3Bucket } from "./bucket.ts";
 import { doRequest, encoder } from "./request.ts";
@@ -88,4 +95,142 @@ export class S3 {
       bucket,
     });
   }
+
+  async putBucketPolicy(
+    bucket: string,
+    options: PutBucketPolicyOptions,
+  ): Promise<void> {
+    const headers: Params = {};
+    const params: Params = {};
+    const json = JSON.stringify(options.policy);
+    const body = encoder.encode(json);
+
+    headers["Content-MD5"] = md5(json);
+
+    if (typeof options.confirmRemoveSelfBucketAccess !== "undefined") {
+      headers["x-amz-confirm-remove-self-bucket-access"] = options
+        .confirmRemoveSelfBucketAccess.toString();
+    }
+    if (options.expectedBucketOwner) {
+      headers["x-amz-expected-bucket-owner"] = options.expectedBucketOwner;
+    }
+
+    params["policy"] = "true";
+
+    const resp = await doRequest({
+      host: this.#host,
+      signer: this.#signer,
+      path: bucket,
+      method: "PUT",
+      headers,
+      params,
+      body,
+    });
+
+    if (resp.status !== 204) {
+      throw new S3Error(
+        `Failed to create policy for bucket "${bucket}": ${resp.status} ${resp.statusText}`,
+        await resp.text(),
+      );
+    }
+
+    // clean up http body
+    await resp.arrayBuffer();
+  }
+
+  async getBucketPolicy(
+    bucket: string,
+    options?: GetBucketPolicyOptions,
+  ): Promise<Policy> {
+    const headers: Params = {};
+    const params: Params = {};
+
+    if (options?.expectedBucketOwner) {
+      headers["x-amz-expected-bucket-owner"] = options.expectedBucketOwner;
+    }
+
+    params["policy"] = "true";
+
+    const resp = await doRequest({
+      host: this.#host,
+      signer: this.#signer,
+      path: bucket,
+      method: "GET",
+      headers,
+      params,
+    });
+
+    if (resp.status !== 200) {
+      throw new S3Error(
+        `Failed to get policy for bucket "${bucket}": ${resp.status} ${resp.statusText}`,
+        await resp.text(),
+      );
+    }
+
+    const result = JSON.parse(await resp.text());
+
+    return this.#parseGetBucketPolicyResult(result);
+  }
+
+  async deleteBucketPolicy(
+    bucket: string,
+    options?: DeleteBucketPolicyOptions,
+  ): Promise<void> {
+    const headers: Params = {};
+    const params: Params = {};
+
+    if (options?.expectedBucketOwner) {
+      headers["x-amz-expected-bucket-owner"] = options.expectedBucketOwner;
+    }
+
+    params["policy"] = "true";
+
+    const resp = await doRequest({
+      host: this.#host,
+      signer: this.#signer,
+      path: bucket,
+      method: "DELETE",
+      headers,
+      params,
+    });
+
+    if (resp.status !== 204) {
+      throw new S3Error(
+        `Failed to delete policy for bucket "${bucket}": ${resp.status} ${resp.statusText}`,
+        await resp.text(),
+      );
+    }
+
+    // clean up http body
+    await resp.arrayBuffer();
+  }
+
+  // deno-lint-ignore no-explicit-any
+  #parseGetBucketPolicyResult(result: Record<string, any>): Policy {
+    const policy: Policy = {
+      statement: Array.isArray(result.Statement)
+        ? result.Statement.map(mapKeys) as Array<Statement>
+        : mapKeys(result.Statement) as Statement,
+    };
+
+    if (result.ID) {
+      policy.id = result.ID;
+    }
+
+    if (result.Version) {
+      policy.version = result.Version;
+    }
+
+    return policy;
+
+    // deno-lint-ignore no-explicit-any
+    function mapKeys(obj: Record<string, unknown>): Record<string, any> {
+      const mapped: Record<string, unknown> = {};
+      for (const key in obj) {
+        const mappedKey = key.slice(0, 1).toLowerCase() + key.slice(1);
+        mapped[mappedKey] = obj[key];
+      }
+      return mapped;
+    }
+  }
 }

src/client_test.ts

@@ -3,6 +3,7 @@ import { S3Error } from "./error.ts";
 import { S3Bucket } from "./bucket.ts";
 import { S3 } from "./client.ts";
 import { encoder } from "./request.ts";
+import { Policy } from "./types.ts";
 
 const s3 = new S3({
   accessKeyID: Deno.env.get("AWS_ACCESS_KEY_ID")!,
@@ -11,6 +12,25 @@ const s3 = new S3({
   endpointURL: Deno.env.get("S3_ENDPOINT_URL"),
 });
 
+const policy: Policy = {
+  version: "2012-10-17",
+  id: "test",
+  statement: [
+    {
+      effect: "Allow",
+      principal: {
+        AWS: ["111122223333", "444455556666"],
+      },
+      action: [
+        "s3:PutObject",
+      ],
+      resource: [
+        "arn:aws:s3:::*",
+      ],
+    },
+  ],
+};
+
 Deno.test({
   name: "[client] should create a new bucket",
   async fn() {
@@ -42,3 +62,40 @@ Deno.test({
     );
   },
 });
+
+Deno.test({
+  name: "[client] should put a bucket policy",
+  async fn() {
+    await s3.putBucketPolicy("test.bucket", { policy });
+
+    // teardown
+    await s3.deleteBucketPolicy("test.bucket");
+  },
+});
+
+Deno.test({
+  name: "[client] should get a bucket policy",
+  async fn() {
+    await s3.putBucketPolicy("test.bucket", { policy });
+    const resp = await s3.getBucketPolicy("test.bucket");
+    assertEquals(resp, policy);
+
+    // teardown
+    await s3.deleteBucketPolicy("test.bucket");
+  },
+});
+
+Deno.test({
+  name: "[client] should delete a bucket policy",
+  async fn() {
+    await s3.putBucketPolicy("test.bucket", { policy });
+    const resp = await s3.getBucketPolicy("test.bucket");
+    assert(resp);
+    await s3.deleteBucketPolicy("test.bucket");
+    await assertThrowsAsync(
+      () => s3.getBucketPolicy("test.bucket"),
+      S3Error,
+      'Failed to get policy for bucket "test.bucket": 404 Not Found',
+    );
+  },
+});

src/types.ts

@@ -566,3 +566,150 @@ export interface CreateBucketOptions {
   /** Allows grantee to write the ACL for the applicable bucket. */
   grantWriteAcp?: string;
 }
+
+/**
+ * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
+ */
+export interface Statement {
+  /**
+   * You can provide an optional identifier, Sid (statement ID) for the policy statement.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html
+   */
+  sid?: string;
+
+  /**
+   * The Effect element is required and specifies whether the statement results
+   * an allow or an explicit deny.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html
+   */
+  effect: "Allow" | "Deny";
+
+  /**
+   * The account or user who is allowed access to the actions and resources in
+   * the statement. In a bucket policy, the principal is the user, account,
+   * service, or other entity that is the recipient of this permission.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
+   */
+  principal?: string | Record<string, string | Array<string>>;
+
+  /**
+   * Use the NotPrincipal element to specify the IAM user, federated user,
+   * IAM role, AWS account, AWS service, or other principal that is not allowed
+   * or denied access to a resource.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
+   */
+  notPrincipal?: string | Record<string, string | Array<string>>;
+
+  /**
+   * The Action element describes the specific action or actions that will be
+   * allowed or denied. Statements must include either an Action or NotAction
+   * element.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
+   */
+  action?: string | Array<string>;
+
+  /**
+   * NotAction is an advanced policy element that explicitly matches everything
+   * except the specified list of actions. Using NotAction can result in a
+   * shorter policy by listing only a few actions that should not match, rather
+   * than including a long list of actions that will match.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
+   */
+  notAction?: string | Array<string>;
+
+  /**
+   * The Resource element specifies the object or objects that the statement covers.
+   * Statements must include either a Resource or a NotResource element.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
+   */
+  resource?: string | Array<string>;
+
+  /**
+   * NotResource is an advanced policy element that explicitly matches every
+   * resource except those specified. Using NotResource can result in a shorter
+   * policy by listing only a few resources that should not match, rather than
+   * including a long list of resources that will match.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
+   */
+  notResource?: string | Array<string>;
+
+  /**
+   * The Condition element (or Condition block) lets you specify conditions for
+   * when a policy is in effect.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
+   */
+  condition?: Record<string, Record<string, string | Array<string>>>;
+}
+
+/**
+ * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
+ */
+export interface Policy {
+  /**
+   * The Version policy element specifies the language syntax rules that are to
+   * be used to process a policy.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html
+   */
+  version?: "2012-10-17" | "2008-10-17";
+
+  /**
+   * The id element specifies an optional identifier for the policy. The ID is
+   * used differently in different services.
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_id.html
+   */
+  id?: string;
+
+  /**
+   * The policy statement(s).
+   *
+   * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html
+   */
+  statement: Statement | Array<Statement>;
+}
+
+export interface PutBucketPolicyOptions {
+  /**
+   * Set this parameter to true to confirm that you want to remove your
+   * permissions to change this bucket policy in the future.
+   */
+  confirmRemoveSelfBucketAccess?: boolean;
+
+  /**
+   * The account ID of the expected bucket owner. If the bucket is owned by a
+   * different account, the request will fail with an HTTP 403 (Access Denied)
+   * error.
+   */
+  expectedBucketOwner?: string;
+
+  /** The bucket policy. */
+  policy: Policy;
+}
+
+export interface GetBucketPolicyOptions {
+  /**
+   * The account ID of the expected bucket owner. If the bucket is owned by a
+   * different account, the request will fail with an HTTP 403 (Access Denied)
+   * error.
+   */
+  expectedBucketOwner?: string;
+}
+
+export interface DeleteBucketPolicyOptions {
+  /**
+   * The account ID of the expected bucket owner. If the bucket is owned by a
+   * different account, the request will fail with an HTTP 403 (Access Denied)
+   * error.
+   */
+  expectedBucketOwner?: string;
+}