[#367] policy: Set IAM-MFA property to false by default
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
parent
87b9e97a80
commit
fb521c7ac6
2 changed files with 21 additions and 0 deletions
|
@ -464,6 +464,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
|
||||||
res[k] = v
|
res[k] = v
|
||||||
}
|
}
|
||||||
|
|
||||||
|
res[s3.PropertyKeyAccessBoxAttrMFA] = "false"
|
||||||
attrs, err := GetAccessBoxAttrs(r.Context())
|
attrs, err := GetAccessBoxAttrs(r.Context())
|
||||||
if err == nil {
|
if err == nil {
|
||||||
for _, attr := range attrs {
|
for _, attr := range attrs {
|
||||||
|
|
|
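Review bot: The new default `res[s3.PropertyKeyAccessBoxAttrMFA] = "false"` carries a security decision that nothing in the code explains, and it depends on its position after the `res[k] = v` copy loop and before the `attrs` loop. I would add a comment above it, for example `// Fail closed: without an IAM-MFA access-box attribute the request must evaluate as MFA=false, so Bool conditions on this key always have a value; keep this after the copy loop above.` It looks as if a failing `GetAccessBoxAttrs` is skipped and leaves the value at "false", which is the safe direction. Whether the loop normalises the attribute value (case, whitespace) before storing it is not visible here and is worth confirming. determineProperties starts and ends outside the hunk.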
@ -636,6 +636,26 @@ func TestSourceIPCheck(t *testing.T) {
|
||||||
createBucket(router, ns, bktName)
|
createBucket(router, ns, bktName)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestMFAPolicy(t *testing.T) {
|
||||||
|
router := prepareRouter(t)
|
||||||
|
|
||||||
|
ns, bktName := "", "bucket"
|
||||||
|
router.middlewareSettings.denyByDefault = true
|
||||||
|
|
||||||
|
allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
|
||||||
|
denyOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
|
||||||
|
engineiam.CondBool: engineiam.Condition{s3.PropertyKeyAccessBoxAttrMFA: []string{"false"}},
|
||||||
|
})
|
||||||
|
createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)
|
||||||
|
|
||||||
|
var attr object.Attribute
|
||||||
|
attr.SetKey("IAM-MFA")
|
||||||
|
attr.SetValue("true")
|
||||||
|
router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}
|
||||||
|
|
||||||
|
createBucket(router, ns, bktName)
|
||||||
|
}
|
||||||
|
|
||||||
func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
|
func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
|
||||||
addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
|
addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
|
||||||
}
|
}
|
||||||
|
|
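Review bot: TestMFAPolicy pins only the two extremes, no attribute (denied) and `IAM-MFA` set to "true" (allowed), so nothing guards the case where the attribute is present but is not "true". I would add a step that calls `attr.SetValue("false")`, reassigns `router.cfg.Center.(*centerMock).attrs`, and expects `createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)`. A further step with a non-boolean value would document whether the `Bool` deny condition still applies or is silently skipped, which cannot be told from this diff. The attribute key is also written as the literal "IAM-MFA" while the policy side uses `s3.PropertyKeyAccessBoxAttrMFA`; if the package exposes a constant for the attribute name, using it would stop the test drifting from the mapping.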