From fb521c7ac6b96ff0954001a1979c405451494d50 Mon Sep 17 00:00:00 2001 From: Denis Kirillov Date: Wed, 22 May 2024 12:04:06 +0300 Subject: [PATCH] [#367] policy: Set IAM-MFA property to false by default Signed-off-by: Denis Kirillov --- api/middleware/policy.go | 1 + api/router_test.go | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/api/middleware/policy.go b/api/middleware/policy.go index 5953f01..f1c1f32 100644 --- a/api/middleware/policy.go +++ b/api/middleware/policy.go @@ -464,6 +464,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes res[k] = v } + res[s3.PropertyKeyAccessBoxAttrMFA] = "false" attrs, err := GetAccessBoxAttrs(r.Context()) if err == nil { for _, attr := range attrs { diff --git a/api/router_test.go b/api/router_test.go index c181c53..6ca91a0 100644 --- a/api/router_test.go +++ b/api/router_test.go @@ -636,6 +636,26 @@ func TestSourceIPCheck(t *testing.T) { createBucket(router, ns, bktName) } +func TestMFAPolicy(t *testing.T) { + router := prepareRouter(t) + + ns, bktName := "", "bucket" + router.middlewareSettings.denyByDefault = true + + allowOperations(router, ns, []string{"s3:CreateBucket"}, nil) + denyOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{ + engineiam.CondBool: engineiam.Condition{s3.PropertyKeyAccessBoxAttrMFA: []string{"false"}}, + }) + createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied) + + var attr object.Attribute + attr.SetKey("IAM-MFA") + attr.SetValue("true") + router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr} + + createBucket(router, ns, bktName) +} + func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) { addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions) }