build: update S3 policy configuration (#2022)

Author: raphodn

app/settings.py

@@ -291,6 +291,7 @@
 S3_BUCKET_REGION = os.getenv("S3_BUCKET_REGION", "set-s3-bucket-region")
 S3_ACCESS_KEY = os.getenv("S3_ACCESS_KEY", "set-s3-access-key")
 S3_SECRET_KEY = os.getenv("S3_SECRET_KEY", "set-s3-secret-key")
+S3_USER_ID = os.getenv("S3_USER_ID", "set-s3-user-id")
 
 QUESTION_FOLDER_NAME = "questions"
 QUIZ_FOLDER_NAME = "quizs"

core/utils/s3.py

@@ -1,14 +1,19 @@
+"""
+boto3 doc
+https://boto3.amazonaws.com/v1/documentation/api/latest/guide/collections.html
+
+bucket = s3.get_bucket()
+s3.get_bucket_cors(bucket)
+s3.get_bucket_policy(bucket)
+"""
+
 import json
 
 import boto3
 from botocore.client import Config
 from django.conf import settings
 
 
-# boto3 doc
-# https://boto3.amazonaws.com/v1/documentation/api/latest/guide/collections.html
-
-
 API_CONNECTION_DICT = {
     "endpoint_url": settings.S3_ENDPOINT,
     "aws_access_key_id": settings.S3_ACCESS_KEY,
@@ -32,7 +37,7 @@
 }
 
 DEFAULT_POLICY_CONFIGURATION = {
-    "Version": "2012-10-17",
+    "Version": "2023-04-17",
     "Statement": [
         {
             "Sid": "AllowPublicRead",
@@ -42,18 +47,11 @@
             "Resource": f"{settings.S3_BUCKET_NAME}/*",
         },
         {
-            "Sid": "DenyPublicUpdate",
-            "Effect": "Deny",
-            "Principal": "*",
-            "Action": "s3:PutObject",
-            "Resource": f"{settings.S3_BUCKET_NAME}/*",
-        },
-        {
-            "Sid": "DenyPublicDelete",
-            "Effect": "Deny",
-            "Principal": "*",
-            "Action": "s3:DeleteObject",
-            "Resource": f"{settings.S3_BUCKET_NAME}/*",
+            "Sid": "AllowPrivateReadAndUpdate",
+            "Effect": "Allow",
+            "Principal": {"SCW": f"user_id:{settings.S3_USER_ID}"},
+            "Action": "*",
+            "Resource": [f"{settings.S3_BUCKET_NAME}", f"{settings.S3_BUCKET_NAME}/*"],
         },
     ],
 }