From 9484366844d99280356854a385f4b6f5c2807948 Mon Sep 17 00:00:00 2001
From: alexandre merle <alexandre.merle@scality.com>
Date: Thu, 4 Feb 2021 21:32:51 +0100
Subject: [PATCH] bugfix: S3C-3904: better-s3-action-logs

Introduce a map meant to override default
actionMap values for S3, will be used in logs
to monitor the s3 actions instead of the iam
permissions needed for that action
---
 lib/policyEvaluator/utils/actionMaps.js | 34 +++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/lib/policyEvaluator/utils/actionMaps.js b/lib/policyEvaluator/utils/actionMaps.js
index 95d57f355..c67a89360 100644
--- a/lib/policyEvaluator/utils/actionMaps.js
+++ b/lib/policyEvaluator/utils/actionMaps.js
@@ -29,6 +29,12 @@ const sharedActionMap = {
     objectPutTagging: 's3:PutObjectTagging',
 };
 
+// Meant to override shared action map values with fakes name for monitoring of s3
+const sharedMonitoringMap = {
+    bucketGet: 's3:GetBucket',
+    bucketHead: 's3:HeadBucket',
+};
+
 // action map used for request context
 const actionMapRQ = Object.assign({
     bucketPut: 's3:CreateBucket',
@@ -53,6 +59,15 @@ const actionMapRQ = Object.assign({
     objectReplicate: 's3:ReplicateObject',
 }, sharedActionMap);
 
+// Meant to override shared action map values with fakes name for moniroting of s3
+const actionMonitoringMapRQ = Object.assign({
+    bucketDeleteCors: 's3:DeleteBucketCORS',
+    completeMultipartUpload: 's3:CompleteMultipartUpload',
+    initiateMultipartUpload: 's3:InitiateMultipartUpload',
+    objectHead: 's3:HeadObject',
+    objectPutPart: 's3:PutPartObject',
+}, sharedMonitoringMap);
+
 // action map used for bucket policies
 const actionMapBP = Object.assign({
     bucketDeletePolicy: 's3:DeleteBucketPolicy',
@@ -66,12 +81,28 @@ const actionMapBP = Object.assign({
     objectPutRetention: 's3:PutObjectRetention',
 }, sharedActionMap);
 
+// Meant to override shared action map values with fakes name for moniroting of s3
+const actionMonitoringMapBP = Object.assign(
+    {},
+    sharedMonitoringMap,
+);
+
 // action map for all relevant s3 actions
 const actionMapS3 = Object.assign({
     bucketGetNotification: 's3:GetBucketNotification',
     bucketPutNotification: 's3:PutBucketNotification',
 }, sharedActionMap, actionMapRQ, actionMapBP);
 
+// Meant to override shared action map values with fakes name for moniroting of s3
+const actionMonitoringMapS3 = Object.assign(
+    {},
+    sharedMonitoringMap,
+    actionMonitoringMapRQ,
+    actionMonitoringMapBP,
+);
+
+// Action monitoring
+
 const actionMapIAM = {
     attachGroupPolicy: 'iam:AttachGroupPolicy',
     attachUserPolicy: 'iam:AttachUserPolicy',
@@ -119,8 +150,11 @@ const actionMapMetadata = {
 
 module.exports = {
     actionMapRQ,
+    actionMonitoringMapRQ,
     actionMapBP,
+    actionMonitoringMapBP,
     actionMapS3,
+    actionMonitoringMapS3,
     actionMapIAM,
     actionMapSSO,
     actionMapSTS,