Conversation

@bexsoft bexsoft (Collaborator) commented Jun 6, 2023

fixes #2835

What does this do?

Fixes an issue where resources policies can return incorrect items in subpaths

How to test

  1. In the console, create a policy with this content and assign it to a user:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "AllowUserToSeeBucketListInTheConsole",
           "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
           "Effect": "Allow",
           "Resource": ["arn:aws:s3:::*"]
         },
         {
           "Sid": "AllowRootAndHomeListingOfCompanyBucket",
           "Action": ["s3:ListBucket"],
           "Effect": "Allow",
           "Resource": ["arn:aws:s3:::my-company"],
           "Condition": {"StringEquals": {"s3:prefix": ["", "home/", "home/David"], "s3:delimiter": ["/"]}}
         },
         {
           "Sid": "AllowListingOfUserFolder",
           "Action": ["s3:ListBucket"],
           "Effect": "Allow",
           "Resource": ["arn:aws:s3:::my-company"],
           "Condition": {"StringLike": {"s3:prefix": ["home/David/*"]}}
         },
         {
           "Sid": "AllowAllS3ActionsInUserFolder",
           "Effect": "Allow",
           "Action": ["s3:*"],
           "Resource": ["arn:aws:s3:::my-company/home/David/*"]
         }
       ]
     }
  2. In your local MinIO instance, create a bucket called my-company and create a home folder inside it.
  3. Inside the home folder, create some folders; one of them must be called David. Add files to them.
  4. Log in as the user with the assigned policy and navigate to home/David inside the my-company bucket. Files must be seen.
  5. Try to navigate to a different folder inside home; an Access Denied error must be seen.

How does it look?

(screen recordings not reproduced here)
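To make the test plan above concrete, here is an added example (my own illustration, not MinIO's or the console's policy evaluator) that loads the policy from the description and evaluates the requests the console issues while a user browses: each "folder" click is an s3:ListBucket call on the bucket with s3:prefix and s3:delimiter taken from the query string, and each object open is an object-level call. It models only what the policy needs (StringEquals and StringLike, list-valued Action/Resource, IAM-style "*" and "?" wildcards), treats a condition key absent from the request as "" (a simplification), and the names LoadPolicy, ListRequest, Request and Evaluate are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// consolePolicy is the policy from the PR description, reformatted but unchanged.
const consolePolicy = `{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow",
  "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": ["arn:aws:s3:::*"]},
 {"Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow",
  "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::my-company"],
  "Condition": {"StringEquals": {"s3:prefix": ["", "home/", "home/David"], "s3:delimiter": ["/"]}}},
 {"Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
  "Resource": ["arn:aws:s3:::my-company"], "Condition": {"StringLike": {"s3:prefix": ["home/David/*"]}}},
 {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
  "Action": ["s3:*"], "Resource": ["arn:aws:s3:::my-company/home/David/*"]}]}`

// Statement: the subset of the policy grammar used above (list-valued Action/Resource; Condition = operator -> key -> accepted values).
type Statement struct {
	Sid, Effect      string
	Action, Resource []string
	Condition        map[string]map[string][]string
}
type Policy struct{ Statement []Statement }

// Request is one S3 call as the console issues it for the logged-in user. Keys holds the
// condition keys (s3:prefix, s3:delimiter); an absent key reads as "" (simplification).
type Request struct {
	Action, Resource string
	Keys             map[string]string
}

func LoadPolicy(doc string) (Policy, error) {
	var p Policy
	return p, json.Unmarshal([]byte(doc), &p)
}

// wildcardMatch: IAM-style "*" (any run of characters, including "/") and "?" (one character).
func wildcardMatch(pattern, s string) bool {
	re := strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*")
	re = strings.ReplaceAll(re, `\?`, ".")
	return regexp.MustCompile("^" + re + "$").MatchString(s)
}

// anyMatch is true when s satisfies one of patterns under op (StringEquals: literal,
// StringLike: wildcards). An operator not modelled here never matches: fail closed.
func anyMatch(op string, patterns []string, s string) bool {
	for _, p := range patterns {
		if (op == "StringEquals" && s == p) || (op == "StringLike" && wildcardMatch(p, s)) {
			return true
		}
	}
	return false
}

// holds: every condition key must be satisfied (AND across keys, OR across a key's values).
func (st Statement) holds(req Request) bool {
	for op, keys := range st.Condition {
		for key, wants := range keys {
			if !anyMatch(op, wants, req.Keys[key]) {
				return false
			}
		}
	}
	return true
}

// Evaluate: default deny, an explicit Deny wins, else allow if any Allow statement matches.
func (p Policy) Evaluate(req Request) bool {
	allowed := false
	for _, st := range p.Statement {
		match := anyMatch("StringLike", st.Action, req.Action) &&
			anyMatch("StringLike", st.Resource, req.Resource) && st.holds(req)
		if match && st.Effect == "Deny" {
			return false
		}
		allowed = allowed || (match && st.Effect == "Allow")
	}
	return allowed
}

// ListRequest is what opening a "folder" in the console amounts to: ListObjects with that prefix.
func ListRequest(bucket, prefix, delimiter string) Request {
	return Request{Action: "s3:ListBucket", Resource: "arn:aws:s3:::" + bucket,
		Keys: map[string]string{"s3:prefix": prefix, "s3:delimiter": delimiter}}
}

func main() {
	p, err := LoadPolicy(consolePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Evaluate(ListRequest("my-company", "home/David/", "/")), // true
		p.Evaluate(ListRequest("my-company", "home/Alice/", "/")))         // false
}
```

Two things the test plan relies on fall out of this. Listing "home/" with delimiter "/" is allowed by the StringEquals statement, so the user sees the names of every folder under home (including other users'), but the request the console makes on entering home/Alice/ matches no statement, which is the Access Denied of step 5. And the delimiter condition is what keeps the listing hierarchical: a ListObjects on "home/" without a delimiter is denied, otherwise a flat listing would reveal every key under home/ regardless of the per-folder restriction.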

@cesnietor cesnietor (Collaborator)

We found while testing that if, the first time you log in, you go to the my-company/home/David/ path and then go back and try to access other buckets, for some reason it starts listing the home folder in the other buckets as well. This doesn't happen if you access other buckets first (for some reason).


@bexsoft bexsoft force-pushed the resources-subpath branch from c4a4b71 to 8655ed5 Compare June 7, 2023 05:12
@bexsoft bexsoft (Collaborator, Author) commented Jun 7, 2023

> We found while testing that if, the first time you log in, you go to the my-company/home/David/ path and then go back and try to access other buckets, for some reason it starts listing the home folder in the other buckets as well. This doesn't happen if you access other buckets first (for some reason).

This issue is not related to this change; fixed anyway in this PR.

cc @cesnietor @prakashsvmx

@prakashsvmx prakashsvmx (Member) commented Jun 7, 2023

Once we refresh the page, the path objects are not loaded but the breadcrumb displays the path. @bexsoft


@cesnietor cesnietor (Collaborator) commented Jun 7, 2023

> Once we refresh the page, the path objects are not loaded but the breadcrumb displays the path. @bexsoft

@prakashsvmx I couldn't reproduce it. I even used an Incognito browser but no. Could you please share your steps to reproduce it? Also probably verify that you have the latest changes (it has happened to me 😄 )

@cesnietor cesnietor (Collaborator) left a review comment

LGTM

@prakashsvmx prakashsvmx (Member)

Interestingly, it happens with the user who has full (e.g. root user) access. @cesnietor @bexsoft

  • As an admin user, create the bucket my-company -> browse the bucket -> create the path home/David and upload files under David.
  • Note: clicking the Refresh button works as expected at this point.
  • Now just refresh the page (browser reload) and observe the breadcrumb and the object/folder list.
  • Also, uploading a file at this point navigates to the object list at the correct path.

It is not happening with the user where the resource policy is applied.

As a user with full access, create the policy as specified in the description, create a user (user1) and associate the policy.


@bexsoft bexsoft (Collaborator, Author) commented Jun 8, 2023

> Interestingly, it happens with the user who has full (e.g. root user) access. @cesnietor @bexsoft
>
>   • As an admin user, create the bucket my-company -> browse the bucket -> create the path home/David and upload files under David.
>   • Note: clicking the Refresh button works as expected at this point.
>   • Now just refresh the page (browser reload) and observe the breadcrumb and the object/folder list.
>   • Also, uploading a file at this point navigates to the object list at the correct path.
>
> It is not happening with the user where the resource policy is applied.
>
> As a user with full access, create the policy as specified in the description, create a user (user1) and associate the policy.

I was able to reproduce this issue with the provided steps. This is also happening in master right now, so it is not related to this change. Will fix it in an upcoming PR.

@bexsoft bexsoft merged commit fe7be4e into minio:master Jun 8, 2023
@bexsoft bexsoft deleted the resources-subpath branch June 8, 2023 23:37
Successfully merging this pull request may close these issues.

Console weird behaviour for user under restricted policy