IAM | Account Schema Changes for Supporting Inline User Policy

[shirady]

Describe the Problem

Adding the schema for IAM User Policy inline policy.
The API implementation would be in a separate PR.

Explain the Changes

1. Define in common_api iam_user_policy_document based on bucket_policy structure without Principal and NotPrincipal (and Condition), and create iam_user_policy.
2. Add the property iam_user_policies in account schema (which also serves for IAM users).

Note: the explanation why I could not just ref bucket_policy in the comments (link).

Issues:

1. none

Testing Instructions:

1. none

• Doc added/updated
• Tests added

Summary by CodeRabbit

• New Features
  • IAM user policies are now supported, enabling inline policy definition and validation for individual users.
  • Account profiles can store and reference multiple user policies, extending per-user access control options.
  • User policies include configurable statements with action and resource specifications and a simplified schema for common inline policy use.

[coderabbitai]

Walkthrough

Adds new IAM user policy JSON Schema definitions to the common API and exposes an iam_user_policies array on the account schema to store those policies.

Changes

Cohort / File(s)	Summary
API Definitions src/api/common_api.js	Added iam_user_policy_document definition (policy document schema with Version and Statement entries using mutually exclusive Action/NotAction and Resource/NotResource) and iam_user_policy wrapper (fields: policy_name, policy_document referencing iam_user_policy_document).
Account Schema Integration src/server/system_services/schemas/account_schema.js	Added iam_user_policies property to exported account schema: type: 'array', items: { $ref: 'common_api#/definitions/iam_user_policy' }, inserted after iam_path.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Check JSON Schema syntax and $ref paths in src/api/common_api.js.
• Verify mutual-exclusivity (oneOf) in Statement entries enforces Action/NotAction and Resource/NotResource correctly.
• Confirm iam_user_policies placement and export shape in account_schema.js.

Suggested reviewers

• aayushchouhan09
• naveenpaul1
• liranmauda

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding account schema changes to support IAM user inline policies, which aligns with the additions of iam_user_policy definitions and the iam_user_policies property.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/server/system_services/schemas/account_schema.js (1)

37-42: Consider adding validation constraints for the policy array.

While the schema structure is correct, consider adding constraints to align with AWS IAM limits and prevent potential issues:

• maxItems constraint (AWS allows up to 10 inline policies per IAM user)
• Policy name uniqueness validation (though this might be enforced at the application level)

Apply this diff to add a maximum items constraint:

 iam_user_policies: {
     type: 'array',
+    maxItems: 10,
     items: {
         $ref: 'common_api#/definitions/iam_user_policy',
     }
 },

src/api/common_api.js (1)

563-572: Consider adding validation constraints for policy_name.

The policy_name field currently has no length or pattern constraints. To align with AWS IAM requirements and ensure data quality, consider adding validation rules:

• AWS IAM policy names: 1-128 characters
• Allowed characters: alphanumeric and +=,.@-_

Apply this diff to add validation constraints:

 iam_user_policy: {
     type: 'object',
     required: ['policy_name', 'policy_document'],
     properties: {
-        policy_name: { type: 'string' },
+        policy_name: { 
+            type: 'string',
+            minLength: 1,
+            maxLength: 128,
+            pattern: '^[\\w+=,.@-]+$'
+        },
         policy_document: {
             $ref: 'common_api#/definitions/iam_user_policy_document',
         }
     }
 },

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 69e29e1 and acec4d0.

📒 Files selected for processing (2)

• src/api/common_api.js (1 hunks)
• src/server/system_services/schemas/account_schema.js (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-package-lock-validation
• GitHub Check: run-jest-unit-tests

🔇 Additional comments (1)

src/api/common_api.js (1)

490-561: LGTM! Schema structure correctly implements IAM user policy document.

The iam_user_policy_document definition correctly adapts the bucket_policy structure for inline user policies by removing Principal, NotPrincipal, and Condition fields. The mutual exclusivity validation using allOf with oneOf schemas properly enforces that statements must have either Action or NotAction, and either Resource or NotResource.

[liranmauda]

LGTM