[#407] Don't set full_control for bucket owner
All checks were successful
/ DCO (pull_request) Successful in 1m29s
/ Builds (1.20) (pull_request) Successful in 2m14s
/ Builds (1.21) (pull_request) Successful in 1m47s
/ Vulncheck (pull_request) Successful in 1m57s
/ Lint (pull_request) Successful in 4m16s
/ Tests (1.20) (pull_request) Successful in 2m46s
/ Tests (1.21) (pull_request) Successful in 2m29s
All checks were successful
/ DCO (pull_request) Successful in 1m29s
/ Builds (1.20) (pull_request) Successful in 2m14s
/ Builds (1.21) (pull_request) Successful in 1m47s
/ Vulncheck (pull_request) Successful in 1m57s
/ Lint (pull_request) Successful in 4m16s
/ Tests (1.20) (pull_request) Successful in 2m46s
/ Tests (1.21) (pull_request) Successful in 2m29s
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
ed34b2cae4
commit
280d11c794
3 changed files with 21 additions and 68 deletions
|
@ -325,15 +325,6 @@ func (h *handler) encodePrivateCannedACL(ctx context.Context, bktInfo *data.Buck
|
||||||
DisplayName: ownerDisplayName,
|
DisplayName: ownerDisplayName,
|
||||||
}}
|
}}
|
||||||
|
|
||||||
granteeOwner := NewGrantee(acpCanonicalUser)
|
|
||||||
granteeOwner.ID = ownerEncodedID
|
|
||||||
granteeOwner.DisplayName = ownerDisplayName
|
|
||||||
|
|
||||||
res.AccessControlList = []*Grant{{
|
|
||||||
Grantee: granteeOwner,
|
|
||||||
Permission: aclFullControl,
|
|
||||||
}}
|
|
||||||
|
|
||||||
return res
|
return res
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -443,13 +434,7 @@ func (h *handler) putBucketACLAPEHandler(w http.ResponseWriter, r *http.Request,
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
key, err := h.bearerTokenIssuerKey(ctx)
|
chainRules := bucketCannedACLToAPERules(cannedACL, reqInfo, bktInfo.CID)
|
||||||
if err != nil {
|
|
||||||
h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
chainRules := bucketCannedACLToAPERules(cannedACL, reqInfo, key, bktInfo.CID)
|
|
||||||
if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil {
|
if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil {
|
||||||
h.logAndSendError(w, "failed to add morph rule chains", reqInfo, err)
|
h.logAndSendError(w, "failed to add morph rule chains", reqInfo, err)
|
||||||
return
|
return
|
||||||
|
|
|
@ -1408,38 +1408,32 @@ func TestBucketACLAPE(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkPrivateACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
|
func checkPrivateACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
|
||||||
checkACLOwner(t, aclRes, ownerKey, 1)
|
checkACLOwner(t, aclRes, ownerKey)
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkPublicReadACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
|
func checkPublicReadACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
|
||||||
checkACLOwner(t, aclRes, ownerKey, 2)
|
checkACLOwner(t, aclRes, ownerKey)
|
||||||
|
|
||||||
|
require.Equal(t, allUsersGroup, aclRes.AccessControlList[0].Grantee.URI)
|
||||||
|
require.Equal(t, aclRead, aclRes.AccessControlList[0].Permission)
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
|
||||||
|
checkACLOwner(t, aclRes, ownerKey)
|
||||||
|
|
||||||
|
require.Equal(t, allUsersGroup, aclRes.AccessControlList[0].Grantee.URI)
|
||||||
|
require.Equal(t, aclWrite, aclRes.AccessControlList[0].Permission)
|
||||||
|
|
||||||
require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
|
require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
|
||||||
require.Equal(t, aclRead, aclRes.AccessControlList[1].Permission)
|
require.Equal(t, aclRead, aclRes.AccessControlList[1].Permission)
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
|
func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
|
||||||
checkACLOwner(t, aclRes, ownerKey, 3)
|
|
||||||
|
|
||||||
require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
|
|
||||||
require.Equal(t, aclWrite, aclRes.AccessControlList[1].Permission)
|
|
||||||
|
|
||||||
require.Equal(t, allUsersGroup, aclRes.AccessControlList[2].Grantee.URI)
|
|
||||||
require.Equal(t, aclRead, aclRes.AccessControlList[2].Permission)
|
|
||||||
}
|
|
||||||
|
|
||||||
func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey, ln int) {
|
|
||||||
ownerIDStr := hex.EncodeToString(ownerKey.Bytes())
|
ownerIDStr := hex.EncodeToString(ownerKey.Bytes())
|
||||||
ownerNameStr := ownerKey.Address()
|
ownerNameStr := ownerKey.Address()
|
||||||
|
|
||||||
require.Equal(t, ownerIDStr, aclRes.Owner.ID)
|
require.Equal(t, ownerIDStr, aclRes.Owner.ID)
|
||||||
require.Equal(t, ownerNameStr, aclRes.Owner.DisplayName)
|
require.Equal(t, ownerNameStr, aclRes.Owner.DisplayName)
|
||||||
|
|
||||||
require.Len(t, aclRes.AccessControlList, ln)
|
|
||||||
|
|
||||||
require.Equal(t, ownerIDStr, aclRes.AccessControlList[0].Grantee.ID)
|
|
||||||
require.Equal(t, ownerNameStr, aclRes.AccessControlList[0].Grantee.DisplayName)
|
|
||||||
require.Equal(t, aclFullControl, aclRes.AccessControlList[0].Permission)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestBucketPolicy(t *testing.T) {
|
func TestBucketPolicy(t *testing.T) {
|
||||||
|
|
|
@ -4,7 +4,6 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"encoding/hex"
|
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"encoding/xml"
|
"encoding/xml"
|
||||||
stderrors "errors"
|
stderrors "errors"
|
||||||
|
@ -907,7 +906,7 @@ func (h *handler) createBucketHandlerPolicy(w http.ResponseWriter, r *http.Reque
|
||||||
}
|
}
|
||||||
h.reqLogger(ctx).Info(logs.BucketIsCreated, zap.Stringer("container_id", bktInfo.CID))
|
h.reqLogger(ctx).Info(logs.BucketIsCreated, zap.Stringer("container_id", bktInfo.CID))
|
||||||
|
|
||||||
chains := bucketCannedACLToAPERules(cannedACL, reqInfo, key, bktInfo.CID)
|
chains := bucketCannedACLToAPERules(cannedACL, reqInfo, bktInfo.CID)
|
||||||
if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chains); err != nil {
|
if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chains); err != nil {
|
||||||
h.logAndSendError(w, "failed to add morph rule chain", reqInfo, err)
|
h.logAndSendError(w, "failed to add morph rule chain", reqInfo, err)
|
||||||
return
|
return
|
||||||
|
@ -1072,42 +1071,17 @@ var (
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, key *keys.PublicKey, cnrID cid.ID) []*chain.Chain {
|
func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, cnrID cid.ID) []*chain.Chain {
|
||||||
cnrIDStr := cnrID.EncodeToString()
|
cnrIDStr := cnrID.EncodeToString()
|
||||||
|
|
||||||
chains := []*chain.Chain{
|
chains := []*chain.Chain{
|
||||||
{
|
{
|
||||||
ID: getBucketCannedChainID(chain.S3, cnrID),
|
ID: getBucketCannedChainID(chain.S3, cnrID),
|
||||||
Rules: []chain.Rule{{
|
Rules: []chain.Rule{},
|
||||||
Status: chain.Allow,
|
},
|
||||||
Actions: chain.Actions{Names: []string{"s3:*"}},
|
|
||||||
Resources: chain.Resources{Names: []string{
|
|
||||||
fmt.Sprintf(s3.ResourceFormatS3Bucket, reqInfo.BucketName),
|
|
||||||
fmt.Sprintf(s3.ResourceFormatS3BucketObjects, reqInfo.BucketName),
|
|
||||||
}},
|
|
||||||
Condition: []chain.Condition{{
|
|
||||||
Op: chain.CondStringEquals,
|
|
||||||
Kind: chain.KindRequest,
|
|
||||||
Key: s3.PropertyKeyOwner,
|
|
||||||
Value: key.Address(),
|
|
||||||
}},
|
|
||||||
}}},
|
|
||||||
{
|
{
|
||||||
ID: getBucketCannedChainID(chain.Ingress, cnrID),
|
ID: getBucketCannedChainID(chain.Ingress, cnrID),
|
||||||
Rules: []chain.Rule{{
|
Rules: []chain.Rule{},
|
||||||
Status: chain.Allow,
|
|
||||||
Actions: chain.Actions{Names: []string{"*"}},
|
|
||||||
Resources: chain.Resources{Names: []string{
|
|
||||||
fmt.Sprintf(native.ResourceFormatNamespaceContainer, reqInfo.Namespace, cnrIDStr),
|
|
||||||
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, reqInfo.Namespace, cnrIDStr),
|
|
||||||
}},
|
|
||||||
Condition: []chain.Condition{{
|
|
||||||
Op: chain.CondStringEquals,
|
|
||||||
Kind: chain.KindRequest,
|
|
||||||
Key: native.PropertyKeyActorPublicKey,
|
|
||||||
Value: hex.EncodeToString(key.Bytes()),
|
|
||||||
}},
|
|
||||||
}},
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue