Improved error handling in Object Browser

Signed-off-by: Benjamin Perez <benjamin@bexsoft.net>

Author: Benjamin Perez

portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/types.tsx

@@ -38,13 +38,19 @@ export interface WebsocketRequest {
 
 export interface WebsocketResponse {
   request_id: number;
-  error?: string;
+  error?: WebsocketErrorResponse;
   request_end?: boolean;
   data?: ObjectResponse[];
   prefix?: string;
   bucketName?: string;
 }
 
+export interface WebsocketErrorResponse {
+  status: number;
+  message?: string;
+  detailedMessage?: string;
+}
+
 export interface ObjectResponse {
   name: string;
   last_modified: string;

portal-ui/src/websockets/objectBrowserWSMiddleware.ts

@@ -94,13 +94,10 @@ export const objectBrowserWSMiddleware = (
               return;
             }
 
-            if (
-              response.error ===
-              "The Access Key Id you provided does not exist in our records."
-            ) {
-              // Session expired.
+            if (response.error?.status === 401) {
+              // Session expired. We reload this page
               window.location.reload();
-            } else if (response.error === "Access Denied.") {
+            } else if (response.error?.status === 403) {
               const internalPathsPrefix = response.prefix;
               let pathPrefix = "";
 
@@ -121,8 +118,11 @@ export const objectBrowserWSMiddleware = (
               if (!permitItems || permitItems.length === 0) {
                 dispatch(
                   setErrorSnackMessage({
-                    errorMessage: response.error,
-                    detailedError: response.error,
+                    errorMessage:
+                      response.error?.message || "An error occurred",
+                    detailedError:
+                      response.error?.detailedMessage ||
+                      "An unknown error occurred. Please refer to MinIO logs to get more information.",
                   }),
                 );
               } else {
@@ -131,6 +131,16 @@ export const objectBrowserWSMiddleware = (
               }
 
               return;
+            } else if (response.error) {
+              dispatch(setRequestInProgress(false));
+              dispatch(
+                setErrorSnackMessage({
+                  errorMessage: response.error?.message || "An error occurred",
+                  detailedError:
+                    response.error?.detailedMessage ||
+                    "An unknown error occurred. Please refer to MinIO logs to get more information.",
+                }),
+              );
             }
 
             // This indicates final messages is received.

portal-ui/tests/permissions-7/errorsVisibleOB.ts

@@ -0,0 +1,116 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2023 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import * as roles from "../utils/roles";
+import { Selector } from "testcafe";
+import * as functions from "../utils/functions";
+import { namedTestBucketBrowseButtonFor } from "../utils/functions";
+
+fixture("Test error visibility in Object Browser Navigation").page(
+  "http://localhost:9090/",
+);
+
+const bucketName = "my-company";
+const bucketName2 = "my-company2";
+const bucketBrowseButton = namedTestBucketBrowseButtonFor(bucketName);
+const bucketBrowseButton2 = namedTestBucketBrowseButtonFor(bucketName2);
+export const file = Selector(".ReactVirtualized__Table__rowColumn").withText(
+  "test.txt",
+);
+export const deniedError = Selector(".message-text").withText("Access Denied.");
+
+test
+  .before(async (t) => {
+    await functions.setUpNamedBucket(t, bucketName);
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucketName,
+      "test.txt",
+      "portal-ui/tests/uploads/test.txt",
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucketName,
+      "home/UserY/test.txt",
+      "portal-ui/tests/uploads/test.txt",
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucketName,
+      "home/UserX/test.txt",
+      "portal-ui/tests/uploads/test.txt",
+    );
+  })(
+    "Error Notification is shown in Object Browser when no privileges are set",
+    async (t) => {
+      await t
+        .useRole(roles.conditions3)
+        .navigateTo(`http://localhost:9090/browser`)
+        .click(bucketBrowseButton)
+        .click(Selector(".ReactVirtualized__Table__rowColumn").withText("home"))
+        .click(
+          Selector(".ReactVirtualized__Table__rowColumn").withText("UserX"),
+        )
+        .expect(deniedError.exists)
+        .ok();
+    },
+  )
+  .after(async (t) => {
+    await functions.cleanUpNamedBucketAndUploads(t, bucketName);
+  });
+
+test
+  .before(async (t) => {
+    await functions.setUpNamedBucket(t, bucketName2);
+    await functions.setVersionedBucket(t, bucketName2);
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucketName2,
+      "test.txt",
+      "portal-ui/tests/uploads/test.txt",
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucketName2,
+      "home/UserY/test.txt",
+      "portal-ui/tests/uploads/test.txt",
+    );
+    await functions.uploadNamedObjectToBucket(
+      t,
+      bucketName2,
+      "home/UserX/test.txt",
+      "portal-ui/tests/uploads/test.txt",
+    );
+  })(
+    "Error Notification is shown in Object Browser with Rewind request set",
+    async (t) => {
+      await t
+        .useRole(roles.conditions4)
+        .navigateTo(`http://localhost:9090/browser`)
+        .click(bucketBrowseButton2)
+        .click(Selector("label").withText("Show deleted objects"))
+        .wait(1500)
+        .click(Selector(".ReactVirtualized__Table__rowColumn").withText("home"))
+        .click(
+          Selector(".ReactVirtualized__Table__rowColumn").withText("UserX"),
+        )
+        .expect(deniedError.exists)
+        .ok();
+    },
+  )
+  .after(async (t) => {
+    await functions.cleanUpNamedBucketAndUploads(t, bucketName2);
+  });

portal-ui/tests/policies/conditionsPolicy4.json

@@ -0,0 +1,44 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowUserToSeeBucketListInTheConsole",
+      "Action": [
+        "s3:ListAllMyBuckets",
+        "s3:GetBucketLocation",
+        "s3:GetBucketVersioning"
+      ],
+      "Effect": "Allow",
+      "Resource": ["arn:aws:s3:::*"]
+    },
+    {
+      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
+      "Action": ["s3:ListBucket", "s3:List*"],
+      "Effect": "Allow",
+      "Resource": ["arn:aws:s3:::my-company2"],
+      "Condition": {
+        "StringEquals": {
+          "s3:prefix": ["", "home/", "home/User"],
+          "s3:delimiter": ["/"]
+        }
+      }
+    },
+    {
+      "Sid": "AllowListingOfUserFolder",
+      "Action": ["s3:ListBucket", "s3:List*"],
+      "Effect": "Allow",
+      "Resource": ["arn:aws:s3:::my-company2"],
+      "Condition": {
+        "StringLike": {
+          "s3:prefix": ["home/User/*"]
+        }
+      }
+    },
+    {
+      "Sid": "AllowAllS3ActionsInUserFolder",
+      "Effect": "Allow",
+      "Action": ["s3:*"],
+      "Resource": ["arn:aws:s3:::my-company2/home/User/*"]
+    }
+  ]
+}

portal-ui/tests/scripts/cleanup-env.sh

@@ -31,6 +31,7 @@ remove_users() {
   mc admin user remove minio conditions-$TIMESTAMP
   mc admin user remove minio conditions-2-$TIMESTAMP
   mc admin user remove minio conditions-3-$TIMESTAMP
+  mc admin user remove minio conditions-4-$TIMESTAMP
 }
 
 remove_policies() {
@@ -56,6 +57,7 @@ remove_policies() {
   mc admin policy remove minio conditions-policy-$TIMESTAMP
   mc admin policy remove minio conditions-policy-2-$TIMESTAMP
   mc admin policy remove minio conditions-policy-3-$TIMESTAMP
+  mc admin policy remove minio conditions-policy-4-$TIMESTAMP
 }
 
 __init__() {

portal-ui/tests/scripts/common.sh

@@ -49,6 +49,7 @@ create_policies() {
   mc admin policy create minio conditions-policy-$TIMESTAMP portal-ui/tests/policies/conditionsPolicy.json
   mc admin policy create minio conditions-policy-2-$TIMESTAMP portal-ui/tests/policies/conditionsPolicy2.json
   mc admin policy create minio conditions-policy-3-$TIMESTAMP portal-ui/tests/policies/conditionsPolicy3.json
+  mc admin policy create minio conditions-policy-4-$TIMESTAMP portal-ui/tests/policies/conditionsPolicy4.json
 }
 
 create_users() {
@@ -79,6 +80,7 @@ create_users() {
   mc admin user add minio conditions-$TIMESTAMP conditions1234
   mc admin user add minio conditions-2-$TIMESTAMP conditions1234
   mc admin user add minio conditions-3-$TIMESTAMP conditions1234
+  mc admin user add minio conditions-4-$TIMESTAMP conditions1234
 }
 
 create_buckets() {
@@ -114,4 +116,5 @@ assign_policies() {
   mc admin policy attach minio conditions-policy-$TIMESTAMP --user conditions-$TIMESTAMP
   mc admin policy attach minio conditions-policy-2-$TIMESTAMP --user conditions-2-$TIMESTAMP
   mc admin policy attach minio conditions-policy-3-$TIMESTAMP --user conditions-3-$TIMESTAMP
+  mc admin policy attach minio conditions-policy-4-$TIMESTAMP --user conditions-4-$TIMESTAMP
 }

portal-ui/tests/scripts/permissions.sh

@@ -39,6 +39,7 @@ remove_users() {
   mc admin user remove minio conditions-"$TIMESTAMP"
   mc admin user remove minio conditions-2-"$TIMESTAMP"
   mc admin user remove minio conditions-3-"$TIMESTAMP"
+  mc admin user remove minio conditions-4-"$TIMESTAMP"
 }
 
 remove_policies() {
@@ -65,6 +66,7 @@ remove_policies() {
   mc admin policy remove conditions-policy-"$TIMESTAMP"
   mc admin policy remove conditions-policy-2-"$TIMESTAMP"
   mc admin policy remove conditions-policy-3-"$TIMESTAMP"
+  mc admin policy remove conditions-policy-4-"$TIMESTAMP"
 }
 
 remove_buckets() {

portal-ui/tests/utils/roles.ts

@@ -283,3 +283,14 @@ export const conditions3 = Role(
   },
   { preserveUrl: true },
 );
+
+export const conditions4 = Role(
+  loginUrl,
+  async (t) => {
+    await t
+      .typeText("#accessKey", "conditions-4-" + unixTimestamp)
+      .typeText("#secretKey", "conditions1234")
+      .click(submitButton);
+  },
+  { preserveUrl: true },
+);

restapi/admin_objects.go

@@ -41,13 +41,19 @@ type ObjectsRequest struct {
 
 type WSResponse struct {
 	RequestID  int64            `json:"request_id,omitempty"`
-	Error      string           `json:"error,omitempty"`
+	Error      *WSErrorResponse `json:"error,omitempty"`
 	RequestEnd bool             `json:"request_end,omitempty"`
 	Prefix     string           `json:"prefix,omitempty"`
 	BucketName string           `json:"bucketName,omitempty"`
 	Data       []ObjectResponse `json:"data,omitempty"`
 }
 
+type WSErrorResponse struct {
+	Status          int    `json:"status,omitempty"`
+	Message         string `json:"message,omitempty"`
+	DetailedMessage string `json:"detailedMessage,omitempty"`
+}
+
 type ObjectResponse struct {
 	Name         string `json:"name,omitempty"`
 	LastModified string `json:"last_modified,omitempty"`

restapi/errors.go

@@ -108,6 +108,10 @@ func ErrorWithContext(ctx context.Context, err ...interface{}) *CodedAPIError {
 				errorCode = 401
 				errorMessage = ErrInvalidLogin.Error()
 			}
+			if strings.Contains(strings.ToLower(err1.Error()), ErrAccessDenied.Error()) {
+				errorCode = 403
+				errorMessage = err1.Error()
+			}
 			// If the last error is ErrInvalidLogin, this is a login failure
 			if errors.Is(lastError, ErrInvalidLogin) {
 				errorCode = 401