[#365] Include iam user tags in query
Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>
parent
9f29fcbd52
commit
2b15ead7b5
|
@ -33,7 +33,7 @@ type PolicySettings interface {
|
||||||
}
|
}
|
||||||
|
|
||||||
type FrostFSIDInformer interface {
|
type FrostFSIDInformer interface {
|
||||||
GetUserGroupIDs(userHash util.Uint160) ([]string, error)
|
GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// BucketResolveFunc is a func to resolve bucket info by name.
|
// BucketResolveFunc is a func to resolve bucket info by name.
|
||||||
|
@ -119,6 +119,7 @@ func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqT
|
||||||
var (
|
var (
|
||||||
owner string
|
owner string
|
||||||
groups []string
|
groups []string
|
||||||
|
tags map[string]string
|
||||||
)
|
)
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
|
@ -130,7 +131,7 @@ func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqT
|
||||||
}
|
}
|
||||||
owner = pk.Address()
|
owner = pk.Address()
|
||||||
|
|
||||||
groups, err = frostfsid.GetUserGroupIDs(pk.GetScriptHash())
|
groups, tags, err = frostfsid.GetUserGroupIDsAndTags(pk.GetScriptHash())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("get group ids: %w", err)
|
return nil, fmt.Errorf("get group ids: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -145,7 +146,7 @@ func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqT
|
||||||
res = fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName)
|
res = fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName)
|
||||||
}
|
}
|
||||||
|
|
||||||
properties := determineProperties(ctx, reqType, op, owner, groups)
|
properties := determineProperties(ctx, reqType, op, owner, groups, tags)
|
||||||
|
|
||||||
reqLogOrDefault(r.Context(), log).Debug(logs.PolicyRequest, zap.String("action", op),
|
reqLogOrDefault(r.Context(), log).Debug(logs.PolicyRequest, zap.String("action", op),
|
||||||
zap.String("resource", res), zap.Any("properties", properties))
|
zap.String("resource", res), zap.Any("properties", properties))
|
||||||
|
@ -376,12 +377,17 @@ func determineGeneralOperation(r *http.Request) string {
|
||||||
return "UnmatchedOperation"
|
return "UnmatchedOperation"
|
||||||
}
|
}
|
||||||
|
|
||||||
func determineProperties(ctx context.Context, reqType ReqType, op, owner string, groups []string) map[string]string {
|
func determineProperties(ctx context.Context, reqType ReqType, op, owner string, groups []string, tags map[string]string) map[string]string {
|
||||||
res := map[string]string{
|
res := map[string]string{
|
||||||
s3.PropertyKeyOwner: owner,
|
s3.PropertyKeyOwner: owner,
|
||||||
common.PropertyKeyFrostFSIDGroupID: chain.FormCondSliceContainsValue(groups),
|
common.PropertyKeyFrostFSIDGroupID: chain.FormCondSliceContainsValue(groups),
|
||||||
}
|
}
|
||||||
queries := GetReqInfo(ctx).URL.Query()
|
reqInfo := GetReqInfo(ctx)
|
||||||
|
queries := reqInfo.URL.Query()
|
||||||
|
|
||||||
|
for k, v := range tags {
|
||||||
|
res[fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, k)] = v
|
||||||
|
}
|
||||||
|
|
||||||
if reqType == objectType {
|
if reqType == objectType {
|
||||||
if versionID := queries.Get(QueryVersionID); len(versionID) > 0 {
|
if versionID := queries.Get(QueryVersionID); len(versionID) > 0 {
|
||||||
|
|
|
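Review bot: determineProperties now formats caller-supplied tag keys straight into the property map (`res[fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, k)] = v`), and nothing on the page shows that the format namespaces a claim so that it cannot overlap the owner/group keys or the keys assigned later in the `reqType == objectType` branch; because the tag loop runs before that branch, a later assignment with the same key would silently win. Since tag keys and values originate in the subject's KV store rather than in this package, either document the expected key format where the loop is, or skip keys that are already present in `res`. The function also has no doc comment; suggest `// determineProperties builds the policy-request property map: owner, group IDs, one user-claim entry per tag, plus query-derived values for object requests.` In the getPolicyRequest hunk the wrapped error `get group ids: %w` now also covers the tags lookup and could read `get group ids and tags: %w`.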
@ -82,8 +82,11 @@ func (f *frostFSIDMock) ValidatePublicKey(*keys.PublicKey) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *frostFSIDMock) GetUserGroupIDs(util.Uint160) ([]string, error) {
|
func (f *frostFSIDMock) GetUserGroupIDsAndTags(util.Uint160) ([]string, map[string]string, error) {
|
||||||
return []string{}, nil
|
tags := make(map[string]string)
|
||||||
|
tags["test"] = "user"
|
||||||
|
tags["tag-test"] = "test"
|
||||||
|
return []string{}, tags, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type handlerMock struct {
|
type handlerMock struct {
|
||||||
|
|
|
@ -250,6 +250,14 @@ func TestDefaultBehaviorPolicyChecker(t *testing.T) {
|
||||||
createBucketErr(chiRouter, ns, bktName, apiErrors.ErrAccessDenied)
|
createBucketErr(chiRouter, ns, bktName, apiErrors.ErrAccessDenied)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {
|
||||||
|
chiRouter := prepareRouter(t)
|
||||||
|
ns, bktName := "", "bucket"
|
||||||
|
|
||||||
|
// check we can access bucket if rules not found
|
||||||
|
createBucket(chiRouter, ns, bktName)
|
||||||
|
}
|
||||||
|
|
||||||
func TestACLAPE(t *testing.T) {
|
func TestACLAPE(t *testing.T) {
|
||||||
t.Run("acl disabled, ape deny by default", func(t *testing.T) {
|
t.Run("acl disabled, ape deny by default", func(t *testing.T) {
|
||||||
router := prepareRouter(t)
|
router := prepareRouter(t)
|
||||||
|
|
|
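Review bot: TestDefaultPolicyCheckerWithUserTags does not exercise the tag path: it installs no rule that references a user-claim property, and `createBucket` succeeds with no rules exactly as the preceding default-behaviour test shows, so it would still pass if the tags were dropped on the way to determineProperties. The copied comment `// check we can access bucket if rules not found` describes that other test, not this one. To make the test meaningful, add a rule that allows or denies on the claim derived from the mock's `tag-test` key and assert both the matching and the non-matching outcome. Note also that the mock in the earlier hunk returns a key `test` without the `tag-` prefix, which the real GetUserGroupIDsAndTags filters out, so the mock produces input the production path never emits; consider returning only prefixed keys so the test reflects real behaviour.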
@ -110,13 +110,13 @@ func (f *FrostFSID) GetUserKey(account, name string) (string, error) {
|
||||||
return hex.EncodeToString(key.Bytes()), nil
|
return hex.EncodeToString(key.Bytes()), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *FrostFSID) GetUserGroupIDs(userHash util.Uint160) ([]string, error) {
|
func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error) {
|
||||||
subjExt, err := f.cli.GetSubjectExtended(userHash)
|
subjExt, err := f.cli.GetSubjectExtended(userHash)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if strings.Contains(err.Error(), "not found") {
|
if strings.Contains(err.Error(), "not found") {
|
||||||
return nil, nil
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
return nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
res := make([]string, len(subjExt.Groups))
|
res := make([]string, len(subjExt.Groups))
|
||||||
|
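Review bot: The "not found" branch now returns `nil, nil, err`, which is identical to the general error path two lines below, so the branch is dead and the behaviour has changed: a subject missing from FrostFSID previously yielded empty groups and policy evaluation continued, whereas now getPolicyRequest fails with "get group ids". If failing closed on unknown subjects is intended, remove the redundant branch and state the change in the commit message; if it is not, the line should be `return nil, nil, nil`. The function continues in the next hunk, where the `"tag-"` prefix is matched as a bare literal and kept in the returned key; a named constant plus a doc comment such as `// GetUserGroupIDsAndTags returns the subject's group IDs and its KV entries whose key starts with the tag prefix (prefix retained).` would make that contract explicit for the callers that turn these keys into policy properties.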
@ -124,5 +124,12 @@ func (f *FrostFSID) GetUserGroupIDs(userHash util.Uint160) ([]string, error) {
|
||||||
res[i] = strconv.FormatInt(group.ID, 10)
|
res[i] = strconv.FormatInt(group.ID, 10)
|
||||||
}
|
}
|
||||||
|
|
||||||
return res, nil
|
tags := make(map[string]string)
|
||||||
|
for k, v := range subjExt.KV {
|
||||||
|
if strings.HasPrefix(k, "tag-") {
|
||||||
|
tags[k] = v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return res, tags, nil
|
||||||
}
|
}
|
||||||
|
|