EliChin/frostfs-s3-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-s3-gw
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#553] Do not use user role with public keys in eacl target

Browse source 
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
Alex Vanin 2022-07-06 15:39:15 +03:00 committed by Alex Vanin
parent 36029ca864
commit c7de7d2928
2 changed files with 141 additions and 136 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

90
api/handler/acl.go
View file

@ -122,10 +122,10 @@ func (r *resourceInfo) IsBucket() bool {
} }
type astOperation struct { type astOperation struct {
Users []string Users []string
Role eacl.Role IsGroupGrantee bool
Op eacl.Operation Op eacl.Operation
Action eacl.Action Action eacl.Action
} }
func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) { func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) {
@ -618,14 +618,14 @@ func mergeAst(parent, child *ast) (*ast, bool) {
switch len(ops) { switch len(ops) {
case 2: case 2:
// potential inconsistency // potential inconsistency
if astOp.Role == eacl.RoleOthers { if astOp.IsGroupGrantee {
// it is not likely (such state must be detected early) // it is not likely (such state must be detected early)
// inconsistency // inconsistency
action := eacl.ActionAllow action := eacl.ActionAllow
if astOp.Action == eacl.ActionAllow { if astOp.Action == eacl.ActionAllow {
action = eacl.ActionDeny action = eacl.ActionDeny
} }
removeAstOp(parentResource, astOp.Role, astOp.Op, action) removeAstOp(parentResource, astOp.IsGroupGrantee, astOp.Op, action)
updated = true updated = true
continue continue
} }
@ -641,15 +641,15 @@ func mergeAst(parent, child *ast) (*ast, bool) {
if handleRemoveOperations(parentResource, astOp, opToDelete) { if handleRemoveOperations(parentResource, astOp, opToDelete) {
updated = true updated = true
} }
if opToDelete.Role == eacl.RoleUser && len(opToDelete.Users) == 0 { if !opToDelete.IsGroupGrantee && len(opToDelete.Users) == 0 {
removeAstOp(parentResource, opToDelete.Role, opToDelete.Op, opToDelete.Action) removeAstOp(parentResource, opToDelete.IsGroupGrantee, opToDelete.Op, opToDelete.Action)
} }
case 1: case 1:
if astOp.Action != ops[0].Action { if astOp.Action != ops[0].Action {
// potential inconsistency // potential inconsistency
if astOp.Role == eacl.RoleOthers { if astOp.IsGroupGrantee {
// inconsistency // inconsistency
removeAstOp(parentResource, astOp.Role, astOp.Op, ops[0].Action) removeAstOp(parentResource, astOp.IsGroupGrantee, astOp.Op, ops[0].Action)
parentResource.Operations = append(parentResource.Operations, astOp) parentResource.Operations = append(parentResource.Operations, astOp)
updated = true updated = true
continue continue
@ -658,8 +658,8 @@ func mergeAst(parent, child *ast) (*ast, bool) {
if handleRemoveOperations(parentResource, astOp, ops[0]) { if handleRemoveOperations(parentResource, astOp, ops[0]) {
updated = true updated = true
} }
if ops[0].Role == eacl.RoleUser && len(ops[0].Users) == 0 { if !ops[0].IsGroupGrantee && len(ops[0].Users) == 0 {
removeAstOp(parentResource, ops[0].Role, ops[0].Op, ops[0].Action) removeAstOp(parentResource, ops[0].IsGroupGrantee, ops[0].Op, ops[0].Action)
} }
parentResource.Operations = append(parentResource.Operations, astOp) parentResource.Operations = append(parentResource.Operations, astOp)
continue continue
@ -723,16 +723,16 @@ func containsStr(list []string, element string) bool {
func getAstOps(resource *astResource, childOp *astOperation) []*astOperation { func getAstOps(resource *astResource, childOp *astOperation) []*astOperation {
var res []*astOperation var res []*astOperation
for _, astOp := range resource.Operations { for _, astOp := range resource.Operations {
if astOp.Role == childOp.Role && astOp.Op == childOp.Op { if astOp.IsGroupGrantee == childOp.IsGroupGrantee && astOp.Op == childOp.Op {
res = append(res, astOp) res = append(res, astOp)
} }
} }
return res return res
} }
func removeAstOp(resource *astResource, role eacl.Role, op eacl.Operation, action eacl.Action) { func removeAstOp(resource *astResource, group bool, op eacl.Operation, action eacl.Action) {
for i, astOp := range resource.Operations { for i, astOp := range resource.Operations {
if astOp.Role == role && astOp.Op == op && astOp.Action == action { if astOp.IsGroupGrantee == group && astOp.Op == op && astOp.Action == action {
resource.Operations = append(resource.Operations[:i], resource.Operations[i+1:]...) resource.Operations = append(resource.Operations[:i], resource.Operations[i+1:]...)
return return
} }
@ -741,7 +741,7 @@ func removeAstOp(resource *astResource, role eacl.Role, op eacl.Operation, actio
func addUsers(resource *astResource, astO *astOperation, users []string) { func addUsers(resource *astResource, astO *astOperation, users []string) {
for _, astOp := range resource.Operations { for _, astOp := range resource.Operations {
if astOp.Role == astO.Role && astOp.Op == astO.Op && astOp.Action == astO.Action { if astOp.IsGroupGrantee == astO.IsGroupGrantee && astOp.Op == astO.Op && astOp.Action == astO.Action {
astOp.Users = append(astO.Users, users...) astOp.Users = append(astO.Users, users...)
return return
} }
@ -750,7 +750,7 @@ func addUsers(resource *astResource, astO *astOperation, users []string) {
func removeUsers(resource *astResource, astOperation *astOperation, users []string) { func removeUsers(resource *astResource, astOperation *astOperation, users []string) {
for _, astOp := range resource.Operations { for _, astOp := range resource.Operations {
if astOp.Role == astOperation.Role && astOp.Op == astOperation.Op && astOp.Action == astOperation.Action { if astOp.IsGroupGrantee == astOperation.IsGroupGrantee && astOp.Op == astOperation.Op && astOp.Action == astOperation.Action {
filteredUsers := astOp.Users[:0] // new slice without allocation filteredUsers := astOp.Users[:0] // new slice without allocation
for _, user := range astOp.Users { for _, user := range astOp.Users {
if !containsStr(users, user) { if !containsStr(users, user) {
@ -796,15 +796,17 @@ func formRecords(operations []*astOperation, resource *astResource) ([]*eacl.Rec
record := eacl.NewRecord() record := eacl.NewRecord()
record.SetOperation(astOp.Op) record.SetOperation(astOp.Op)
record.SetAction(astOp.Action) record.SetAction(astOp.Action)
if astOp.Role == eacl.RoleOthers { if astOp.IsGroupGrantee {
eacl.AddFormedTarget(record, eacl.RoleOthers) eacl.AddFormedTarget(record, eacl.RoleOthers)
} else { } else {
// TODO(av): optimize target
for _, user := range astOp.Users { for _, user := range astOp.Users {
pk, err := keys.NewPublicKeyFromString(user) pk, err := keys.NewPublicKeyFromString(user)
if err != nil { if err != nil {
return nil, fmt.Errorf("public key from string: %w", err) return nil, fmt.Errorf("public key from string: %w", err)
} }
eacl.AddFormedTarget(record, eacl.RoleUser, (ecdsa.PublicKey)(*pk)) // Unknown role is used, because it is ignored when keys are set
eacl.AddFormedTarget(record, eacl.RoleUnknown, (ecdsa.PublicKey)(*pk))
} }
} }
if len(resource.Object) != 0 { if len(resource.Object) != 0 {
@ -824,26 +826,30 @@ func formRecords(operations []*astOperation, resource *astResource) ([]*eacl.Rec
} }
func addToList(operations []*astOperation, rec eacl.Record, target eacl.Target) []*astOperation { func addToList(operations []*astOperation, rec eacl.Record, target eacl.Target) []*astOperation {
var found *astOperation var (
found *astOperation
groupTarget = target.Role() == eacl.RoleOthers
)
for _, astOp := range operations { for _, astOp := range operations {
if astOp.Op == rec.Operation() && astOp.Role == target.Role() { if astOp.Op == rec.Operation() && astOp.IsGroupGrantee == groupTarget {
found = astOp found = astOp
} }
} }
if found != nil { if found != nil {
if target.Role() == eacl.RoleUser { if !groupTarget {
for _, key := range target.BinaryKeys() { for _, key := range target.BinaryKeys() {
found.Users = append(found.Users, hex.EncodeToString(key)) found.Users = append(found.Users, hex.EncodeToString(key))
} }
} }
} else { } else {
astOperation := &astOperation{ astOperation := &astOperation{
Role: target.Role(), IsGroupGrantee: groupTarget,
Op: rec.Operation(), Op: rec.Operation(),
Action: rec.Action(), Action: rec.Action(),
} }
if target.Role() == eacl.RoleUser { if !groupTarget {
for _, key := range target.BinaryKeys() { for _, key := range target.BinaryKeys() {
astOperation.Users = append(astOperation.Users, hex.EncodeToString(key)) astOperation.Users = append(astOperation.Users, hex.EncodeToString(key))
} }
@ -865,9 +871,9 @@ func policyToAst(bktPolicy *bucketPolicy) (*ast, error) {
state.Principal.AWS == "" && state.Principal.CanonicalUser == "" { state.Principal.AWS == "" && state.Principal.CanonicalUser == "" {
return nil, fmt.Errorf("unsupported principal: %v", state.Principal) return nil, fmt.Errorf("unsupported principal: %v", state.Principal)
} }
role := eacl.RoleUser var groupGrantee bool
if state.Principal.AWS == allUsersWildcard { if state.Principal.AWS == allUsersWildcard {
role = eacl.RoleOthers groupGrantee = true
} }
for _, resource := range state.Resource { for _, resource := range state.Resource {
@ -882,7 +888,7 @@ func policyToAst(bktPolicy *bucketPolicy) (*ast, error) {
for _, action := range state.Action { for _, action := range state.Action {
for _, op := range actionToOpMap[action] { for _, op := range actionToOpMap[action] {
toAction := effectToAction(state.Effect) toAction := effectToAction(state.Effect)
r.Operations = addTo(r.Operations, state.Principal.CanonicalUser, op, role, toAction) r.Operations = addTo(r.Operations, state.Principal.CanonicalUser, op, groupGrantee, toAction)
} }
} }
@ -916,7 +922,7 @@ func handleResourceOperations(bktPolicy *bucketPolicy, list []*astOperation, eac
userOpsMap := make(map[string][]eacl.Operation) userOpsMap := make(map[string][]eacl.Operation)
for _, op := range list { for _, op := range list {
if op.Role == eacl.RoleUser { if !op.IsGroupGrantee {
for _, user := range op.Users { for _, user := range op.Users {
userOps := userOpsMap[user] userOps := userOpsMap[user]
userOps = append(userOps, op.Op) userOps = append(userOps, op.Op)
@ -967,25 +973,25 @@ func triageOperations(operations []*astOperation) ([]*astOperation, []*astOperat
return allowed, denied return allowed, denied
} }
func addTo(list []*astOperation, userID string, op eacl.Operation, role eacl.Role, action eacl.Action) []*astOperation { func addTo(list []*astOperation, userID string, op eacl.Operation, groupGrantee bool, action eacl.Action) []*astOperation {
var found *astOperation var found *astOperation
for _, astop := range list { for _, astop := range list {
if astop.Op == op && astop.Role == role { if astop.Op == op && astop.IsGroupGrantee == groupGrantee {
found = astop found = astop
} }
} }
if found != nil { if found != nil {
if role == eacl.RoleUser { if !groupGrantee {
found.Users = append(found.Users, userID) found.Users = append(found.Users, userID)
} }
} else { } else {
astoperation := &astOperation{ astoperation := &astOperation{
Role: role, IsGroupGrantee: groupGrantee,
Op: op, Op: op,
Action: action, Action: action,
} }
if role == eacl.RoleUser { if !groupGrantee {
astoperation.Users = append(astoperation.Users, userID) astoperation.Users = append(astoperation.Users, userID)
} }
@ -1008,7 +1014,6 @@ func aclToAst(acl *AccessControlPolicy, resInfo *resourceInfo) (*ast, error) {
for _, op := range ops { for _, op := range ops {
operation := &astOperation{ operation := &astOperation{
Users: []string{acl.Owner.ID}, Users: []string{acl.Owner.ID},
Role: eacl.RoleUser,
Op: op, Op: op,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
} }
@ -1020,16 +1025,16 @@ func aclToAst(acl *AccessControlPolicy, resInfo *resourceInfo) (*ast, error) {
return nil, stderrors.New("unsupported grantee type") return nil, stderrors.New("unsupported grantee type")
} }
role := eacl.RoleUser var groupGrantee bool
if grant.Grantee.Type == acpGroup { if grant.Grantee.Type == acpGroup {
role = eacl.RoleOthers groupGrantee = true
} else if grant.Grantee.ID == acl.Owner.ID { } else if grant.Grantee.ID == acl.Owner.ID {
continue continue
} }
for _, action := range getActions(grant.Permission, resInfo.IsBucket()) { for _, action := range getActions(grant.Permission, resInfo.IsBucket()) {
for _, op := range actionToOpMap[action] { for _, op := range actionToOpMap[action] {
resource.Operations = addTo(resource.Operations, grant.Grantee.ID, op, role, eacl.ActionAllow) resource.Operations = addTo(resource.Operations, grant.Grantee.ID, op, groupGrantee, eacl.ActionAllow)
} }
} }
} }
@ -1317,7 +1322,8 @@ func getAllowRecord(op eacl.Operation, pk *keys.PublicKey) *eacl.Record {
record := eacl.NewRecord() record := eacl.NewRecord()
record.SetOperation(op) record.SetOperation(op)
record.SetAction(eacl.ActionAllow) record.SetAction(eacl.ActionAllow)
eacl.AddFormedTarget(record, eacl.RoleUser, (ecdsa.PublicKey)(*pk)) // Unknown role is used, because it is ignored when keys are set
eacl.AddFormedTarget(record, eacl.RoleUnknown, (ecdsa.PublicKey)(*pk))
return record return record
} }

187
api/handler/acl_test.go
View file

@ -38,8 +38,7 @@ func TestTableToAst(t *testing.T) {
record2 := eacl.NewRecord() record2 := eacl.NewRecord()
record2.SetAction(eacl.ActionDeny) record2.SetAction(eacl.ActionDeny)
record2.SetOperation(eacl.OperationPut) record2.SetOperation(eacl.OperationPut)
eacl.AddFormedTarget(record2, eacl.RoleUser, *(*ecdsa.PublicKey)(key.PublicKey())) eacl.AddFormedTarget(record2, eacl.RoleUnknown, *(*ecdsa.PublicKey)(key.PublicKey()), *((*ecdsa.PublicKey)(key2.PublicKey())))
eacl.AddFormedTarget(record2, eacl.RoleUser, *(*ecdsa.PublicKey)(key2.PublicKey()))
record2.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFileName, "objectName") record2.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFileName, "objectName")
record2.AddObjectIDFilter(eacl.MatchStringEqual, id) record2.AddObjectIDFilter(eacl.MatchStringEqual, id)
table.AddRecord(record2) table.AddRecord(record2)
@ -49,9 +48,9 @@ func TestTableToAst(t *testing.T) {
{ {
resourceInfo: resourceInfo{Bucket: "bucketName"}, resourceInfo: resourceInfo{Bucket: "bucketName"},
Operations: []*astOperation{{ Operations: []*astOperation{{
Role: eacl.RoleOthers, IsGroupGrantee: true,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}}}, }}},
{ {
resourceInfo: resourceInfo{ resourceInfo: resourceInfo{
@ -64,9 +63,9 @@ func TestTableToAst(t *testing.T) {
hex.EncodeToString(key.PublicKey().Bytes()), hex.EncodeToString(key.PublicKey().Bytes()),
hex.EncodeToString(key2.PublicKey().Bytes()), hex.EncodeToString(key2.PublicKey().Bytes()),
}, },
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}}}, }}},
}, },
} }
@ -112,9 +111,9 @@ func TestPolicyToAst(t *testing.T) {
Bucket: "bucketName", Bucket: "bucketName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Role: eacl.RoleOthers, IsGroupGrantee: true,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}}, }},
}, },
{ {
@ -122,7 +121,7 @@ func TestPolicyToAst(t *testing.T) {
Bucket: "bucketName", Bucket: "bucketName",
Object: "object", Object: "object",
}, },
Operations: getReadOps(key, eacl.RoleUser, eacl.ActionDeny), Operations: getReadOps(key, false, eacl.ActionDeny),
}, },
}, },
} }
@ -139,15 +138,15 @@ func TestPolicyToAst(t *testing.T) {
} }
} }
func getReadOps(key *keys.PrivateKey, role eacl.Role, action eacl.Action) []*astOperation { func getReadOps(key *keys.PrivateKey, groupGrantee bool, action eacl.Action) []*astOperation {
var result []*astOperation var result []*astOperation
for _, op := range readOps { for _, op := range readOps {
result = append(result, &astOperation{ result = append(result, &astOperation{
Users: []string{hex.EncodeToString(key.PublicKey().Bytes())}, Users: []string{hex.EncodeToString(key.PublicKey().Bytes())},
Role: role, IsGroupGrantee: groupGrantee,
Op: op, Op: op,
Action: action, Action: action,
}) })
} }
@ -166,10 +165,10 @@ func TestMergeAstUnModified(t *testing.T) {
Object: "objectName", Object: "objectName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Users: []string{hex.EncodeToString(key.PublicKey().Bytes())}, Users: []string{hex.EncodeToString(key.PublicKey().Bytes())},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}}, }},
}, },
}, },
@ -182,9 +181,9 @@ func TestMergeAstUnModified(t *testing.T) {
Bucket: "bucket", Bucket: "bucket",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Role: eacl.RoleOthers, IsGroupGrantee: true,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}}, }},
}, },
child.Resources[0], child.Resources[0],
@ -205,14 +204,14 @@ func TestMergeAstModified(t *testing.T) {
Object: "objectName", Object: "objectName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Role: eacl.RoleOthers, IsGroupGrantee: true,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}, { }, {
Users: []string{"user2"}, Users: []string{"user2"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}}, }},
}, },
}, },
@ -226,10 +225,10 @@ func TestMergeAstModified(t *testing.T) {
Object: "objectName", Object: "objectName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Users: []string{"user1"}, Users: []string{"user1"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}}, }},
}, },
}, },
@ -245,10 +244,10 @@ func TestMergeAstModified(t *testing.T) {
Operations: []*astOperation{ Operations: []*astOperation{
child.Resources[0].Operations[0], child.Resources[0].Operations[0],
{ {
Users: []string{"user1", "user2"}, Users: []string{"user1", "user2"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}, },
}, },
}, },
@ -269,15 +268,15 @@ func TestMergeAstModifiedConflict(t *testing.T) {
Object: "objectName", Object: "objectName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Users: []string{"user1"}, Users: []string{"user1"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}, { }, {
Users: []string{"user3"}, Users: []string{"user3"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}}, }},
}, },
}, },
@ -291,20 +290,20 @@ func TestMergeAstModifiedConflict(t *testing.T) {
Object: "objectName", Object: "objectName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Users: []string{"user1"}, Users: []string{"user1"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}, { }, {
Users: []string{"user2"}, Users: []string{"user2"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}, { }, {
Users: []string{"user3"}, Users: []string{"user3"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}}, }},
}, },
}, },
@ -319,15 +318,15 @@ func TestMergeAstModifiedConflict(t *testing.T) {
}, },
Operations: []*astOperation{ Operations: []*astOperation{
{ {
Users: []string{"user2", "user1"}, Users: []string{"user2", "user1"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}, { }, {
Users: []string{"user3"}, Users: []string{"user3"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}, },
}, },
}, },
@ -350,10 +349,10 @@ func TestAstToTable(t *testing.T) {
Bucket: "bucketName", Bucket: "bucketName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Users: []string{hex.EncodeToString(key.PublicKey().Bytes())}, Users: []string{hex.EncodeToString(key.PublicKey().Bytes())},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}}, }},
}, },
{ {
@ -362,9 +361,9 @@ func TestAstToTable(t *testing.T) {
Object: "objectName", Object: "objectName",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Role: eacl.RoleOthers, IsGroupGrantee: true,
Op: eacl.OperationGet, Op: eacl.OperationGet,
Action: eacl.ActionDeny, Action: eacl.ActionDeny,
}}, }},
}, },
}, },
@ -374,7 +373,7 @@ func TestAstToTable(t *testing.T) {
record := eacl.NewRecord() record := eacl.NewRecord()
record.SetAction(eacl.ActionAllow) record.SetAction(eacl.ActionAllow)
record.SetOperation(eacl.OperationPut) record.SetOperation(eacl.OperationPut)
eacl.AddFormedTarget(record, eacl.RoleUser, *(*ecdsa.PublicKey)(key.PublicKey())) eacl.AddFormedTarget(record, eacl.RoleUnknown, *(*ecdsa.PublicKey)(key.PublicKey()))
expectedTable.AddRecord(record) expectedTable.AddRecord(record)
record2 := eacl.NewRecord() record2 := eacl.NewRecord()
record2.SetAction(eacl.ActionDeny) record2.SetAction(eacl.ActionDeny)
@ -394,17 +393,17 @@ func TestRemoveUsers(t *testing.T) {
Bucket: "bucket", Bucket: "bucket",
}, },
Operations: []*astOperation{{ Operations: []*astOperation{{
Users: []string{"user1", "user3", "user4"}, Users: []string{"user1", "user3", "user4"},
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
}}, }},
} }
op := &astOperation{ op := &astOperation{
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: eacl.OperationPut, Op: eacl.OperationPut,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
} }
removeUsers(resource, op, []string{"user1", "user2", "user4"}) removeUsers(resource, op, []string{"user1", "user2", "user4"})
@ -783,9 +782,9 @@ func TestObjectAclToAst(t *testing.T) {
hex.EncodeToString(key.PublicKey().Bytes()), hex.EncodeToString(key.PublicKey().Bytes()),
hex.EncodeToString(key2.PublicKey().Bytes()), hex.EncodeToString(key2.PublicKey().Bytes()),
}, },
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: op, Op: op,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
} }
operations = append(operations, astOp) operations = append(operations, astOp)
} }
@ -846,9 +845,9 @@ func TestBucketAclToAst(t *testing.T) {
astOp := &astOperation{Users: []string{ astOp := &astOperation{Users: []string{
hex.EncodeToString(key.PublicKey().Bytes()), hex.EncodeToString(key.PublicKey().Bytes()),
}, },
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: op, Op: op,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
} }
operations = append(operations, astOp) operations = append(operations, astOp)
} }
@ -857,17 +856,17 @@ func TestBucketAclToAst(t *testing.T) {
hex.EncodeToString(key.PublicKey().Bytes()), hex.EncodeToString(key.PublicKey().Bytes()),
hex.EncodeToString(key2.PublicKey().Bytes()), hex.EncodeToString(key2.PublicKey().Bytes()),
}, },
Role: eacl.RoleUser, IsGroupGrantee: false,
Op: op, Op: op,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
} }
operations = append(operations, astOp) operations = append(operations, astOp)
} }
for _, op := range readOps { for _, op := range readOps {
astOp := &astOperation{ astOp := &astOperation{
Role: eacl.RoleOthers, IsGroupGrantee: true,
Op: op, Op: op,
Action: eacl.ActionAllow, Action: eacl.ActionAllow,
} }
operations = append(operations, astOp) operations = append(operations, astOp)
} }