From 80d4d071d8f6789fe2b9f265df7e555e08f82f37 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Mon, 30 May 2022 13:36:42 +0300 Subject: [PATCH] [#463] Restrict overriding default location constraint in authmate Signed-off-by: Alex Vanin --- api/layer/container.go | 4 ++-- cmd/authmate/main.go | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/api/layer/container.go b/api/layer/container.go index 64cafb9f6..e726c2e79 100644 --- a/api/layer/container.go +++ b/api/layer/container.go @@ -28,7 +28,7 @@ type ( const ( attributeLocationConstraint = ".s3-location-constraint" - defaultLocationConstraint = "default" + DefaultLocationConstraint = "default" AttributeLockEnabled = "LockEnabled" ) @@ -125,7 +125,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da var err error ownerID := n.Owner(ctx) if p.LocationConstraint == "" { - p.LocationConstraint = defaultLocationConstraint // s3tests_boto3.functional.test_s3:test_bucket_get_location + p.LocationConstraint = DefaultLocationConstraint // s3tests_boto3.functional.test_s3:test_bucket_get_location } bktInfo := &data.BucketInfo{ Name: p.Name, diff --git a/cmd/authmate/main.go b/cmd/authmate/main.go index 8eab65fd1..22a168db9 100644 --- a/cmd/authmate/main.go +++ b/cmd/authmate/main.go @@ -12,6 +12,7 @@ import ( "time" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" + "github.com/nspcc-dev/neofs-s3-gw/api/layer" "github.com/nspcc-dev/neofs-s3-gw/authmate" "github.com/nspcc-dev/neofs-s3-gw/internal/neofs" "github.com/nspcc-dev/neofs-s3-gw/internal/version" @@ -322,6 +323,9 @@ func parsePolicies(val string) (authmate.ContainerPolicies, error) { if err = json.Unmarshal(data, &policies); err != nil { return nil, err } + if _, ok := policies[layer.DefaultLocationConstraint]; ok { + return nil, fmt.Errorf("config overrides %s location constraint", layer.DefaultLocationConstraint) + } return policies, nil }