[#463] Restrict overriding default location constraint in authmate

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
Alex Vanin 2022-05-30 13:36:42 +03:00 committed by Kirillov Denis
parent 89ff89a32b
commit 80d4d071d8
2 changed files with 6 additions and 2 deletions

View file

@ -28,7 +28,7 @@ type (
const ( const (
attributeLocationConstraint = ".s3-location-constraint" attributeLocationConstraint = ".s3-location-constraint"
defaultLocationConstraint = "default" DefaultLocationConstraint = "default"
AttributeLockEnabled = "LockEnabled" AttributeLockEnabled = "LockEnabled"
) )
@ -125,7 +125,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
var err error var err error
ownerID := n.Owner(ctx) ownerID := n.Owner(ctx)
if p.LocationConstraint == "" { if p.LocationConstraint == "" {
p.LocationConstraint = defaultLocationConstraint // s3tests_boto3.functional.test_s3:test_bucket_get_location p.LocationConstraint = DefaultLocationConstraint // s3tests_boto3.functional.test_s3:test_bucket_get_location
} }
bktInfo := &data.BucketInfo{ bktInfo := &data.BucketInfo{
Name: p.Name, Name: p.Name,

View file

@ -12,6 +12,7 @@ import (
"time" "time"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neofs-s3-gw/api/layer"
"github.com/nspcc-dev/neofs-s3-gw/authmate" "github.com/nspcc-dev/neofs-s3-gw/authmate"
"github.com/nspcc-dev/neofs-s3-gw/internal/neofs" "github.com/nspcc-dev/neofs-s3-gw/internal/neofs"
"github.com/nspcc-dev/neofs-s3-gw/internal/version" "github.com/nspcc-dev/neofs-s3-gw/internal/version"
@ -322,6 +323,9 @@ func parsePolicies(val string) (authmate.ContainerPolicies, error) {
if err = json.Unmarshal(data, &policies); err != nil { if err = json.Unmarshal(data, &policies); err != nil {
return nil, err return nil, err
} }
if _, ok := policies[layer.DefaultLocationConstraint]; ok {
return nil, fmt.Errorf("config overrides %s location constraint", layer.DefaultLocationConstraint)
}
return policies, nil return policies, nil
} }