[#365] Include iam user tags in query
Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>
parent
9cc7d1f21c
commit
608fc3d09b
|
@ -51,7 +51,7 @@ type PolicySettings interface {
|
||||||
}
|
}
|
||||||
|
|
||||||
type FrostFSIDInformer interface {
|
type FrostFSIDInformer interface {
|
||||||
GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error)
|
GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
type XMLDecoder interface {
|
type XMLDecoder interface {
|
||||||
|
@ -161,7 +161,7 @@ func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktNam
|
||||||
}
|
}
|
||||||
owner = pk.Address()
|
owner = pk.Address()
|
||||||
|
|
||||||
groups, err = cfg.FrostfsID.GetUserGroupIDsAndTags(pk.GetScriptHash())
|
groups, tags, err = cfg.FrostfsID.GetUserGroupIDsAndClaims(pk.GetScriptHash())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("get group ids: %w", err)
|
return nil, fmt.Errorf("get group ids: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -422,7 +422,6 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
|
||||||
res[fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, k)] = v
|
res[fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, k)] = v
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if reqType == objectType {
|
if reqType == objectType {
|
||||||
if versionID := queries.Get(QueryVersionID); len(versionID) > 0 {
|
if versionID := queries.Get(QueryVersionID); len(versionID) > 0 {
|
||||||
res[s3.PropertyKeyVersionID] = versionID
|
res[s3.PropertyKeyVersionID] = versionID
|
||||||
|
|
|
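Review bot: The rename of `GetUserGroupIDsAndTags` to `GetUserGroupIDsAndClaims` on the `FrostFSIDInformer` interface changes what the second return value means, but the method still carries no doc comment, so a caller cannot tell from the interface that the map is no longer restricted to `tag-` keys. I would document it on the interface method: `// GetUserGroupIDsAndClaims returns the group IDs of the subject identified by userHash together with its key-value claims as stored in FrostFS ID.` followed by `// The claims are returned without filtering; in getPolicyRequest each one is turned into a user-claim request property the policy engine can match on.` The second sentence matches the wiring visible in the `getPolicyRequest` and `determineProperties` hunks below, and the unfiltered behaviour is what the `frostfsid` hunk further down implements. Both `getPolicyRequest` and `determineProperties` start and end outside these hunks, so the wrapping error text `get group ids: %w` on the now-combined call could also be widened to `get group ids and claims: %w` when the surrounding code is touched.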
@ -78,17 +78,15 @@ func (r *middlewareSettingsMock) ACLEnabled() bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
type frostFSIDMock struct {
|
type frostFSIDMock struct {
|
||||||
|
tags map[string]string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *frostFSIDMock) ValidatePublicKey(*keys.PublicKey) error {
|
func (f *frostFSIDMock) ValidatePublicKey(*keys.PublicKey) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *frostFSIDMock) GetUserGroupIDsAndTags(util.Uint160) ([]string, map[string]string, error) {
|
func (f *frostFSIDMock) GetUserGroupIDsAndClaims(util.Uint160) ([]string, map[string]string, error) {
|
||||||
tags := make(map[string]string)
|
return []string{}, f.tags, nil
|
||||||
tags["test"] = "user"
|
|
||||||
tags["tag-test"] = "test"
|
|
||||||
return []string{}, tags, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type xmlMock struct {
|
type xmlMock struct {
|
||||||
|
|
|
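Review bot: The new field on `frostFSIDMock` is named `tags` while the method it feeds is now `GetUserGroupIDsAndClaims`, so the mock keeps the vocabulary the commit is moving away from. Renaming the field to `claims map[string]string` and returning `f.claims` keeps the mock in step with the interface and the `schema/common` claim property it is exercised against. A nil `claims` map is fine here since the consumer only ranges over it, but a one-line comment on the field, `// claims is returned verbatim by GetUserGroupIDsAndClaims; nil means no claims.`, would make that intent explicit for the tests that set it.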
@ -21,6 +21,7 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
||||||
|
"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
|
||||||
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
|
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
|
||||||
"github.com/go-chi/chi/v5"
|
"github.com/go-chi/chi/v5"
|
||||||
"github.com/go-chi/chi/v5/middleware"
|
"github.com/go-chi/chi/v5/middleware"
|
||||||
|
@ -256,11 +257,19 @@ func TestDefaultBehaviorPolicyChecker(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {
|
func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {
|
||||||
chiRouter := prepareRouter(t)
|
router := prepareRouter(t)
|
||||||
ns, bktName := "", "bucket"
|
ns, bktName := "", "bucket"
|
||||||
|
router.middlewareSettings.denyByDefault = true
|
||||||
|
|
||||||
// check we can access bucket if rules not found
|
allowOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
|
||||||
createBucket(chiRouter, ns, bktName)
|
engineiam.CondStringEquals: engineiam.Condition{fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, "tag-test"): []string{"test"}},
|
||||||
|
})
|
||||||
|
createBucketErr(router, ns, bktName, apiErrors.ErrAccessDenied)
|
||||||
|
|
||||||
|
tags := make(map[string]string)
|
||||||
|
tags["tag-test"] = "test"
|
||||||
|
router.cfg.FrostfsID.(*frostFSIDMock).tags = tags
|
||||||
|
createBucket(router, ns, bktName)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestACLAPE(t *testing.T) {
|
func TestACLAPE(t *testing.T) {
|
||||||
|
|
|
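Review bot: `TestDefaultPolicyCheckerWithUserTags` only proves that a missing claim is denied and a matching one is allowed; it never shows that a present key with the wrong value is rejected, which is the case that distinguishes a `StringEquals` condition from a mere key-presence check. Before the final `createBucket` I would add `tags["tag-test"] = "other"` followed by `createBucketErr(router, ns, bktName, apiErrors.ErrAccessDenied)`, then set the matching value and assert success. The test also flips `router.middlewareSettings.denyByDefault = true` and leaves it set; that is harmless if `prepareRouter(t)` (defined outside this hunk) builds a fresh router per test, which seems to be the case but I cannot confirm from here. A short comment on the type assertion, `// the mock is shared with the policy middleware through router.cfg; setting its claims here is what the next request sees`, would explain why the test reaches into `router.cfg.FrostfsID`.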
@ -110,7 +110,7 @@ func (f *FrostFSID) GetUserKey(account, name string) (string, error) {
|
||||||
return hex.EncodeToString(key.Bytes()), nil
|
return hex.EncodeToString(key.Bytes()), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error) {
|
func (f *FrostFSID) GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error) {
|
||||||
subjExt, err := f.cli.GetSubjectExtended(userHash)
|
subjExt, err := f.cli.GetSubjectExtended(userHash)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if strings.Contains(err.Error(), "not found") {
|
if strings.Contains(err.Error(), "not found") {
|
||||||
|
@ -124,12 +124,5 @@ func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map
|
||||||
res[i] = strconv.FormatInt(group.ID, 10)
|
res[i] = strconv.FormatInt(group.ID, 10)
|
||||||
}
|
}
|
||||||
|
|
||||||
tags := make(map[string]string)
|
return res, subjExt.KV, nil
|
||||||
for k, v := range subjExt.KV {
|
|
||||||
if strings.HasPrefix(k, "tag-") {
|
|
||||||
tags[k] = v
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return res, tags, nil
|
|
||||||
}
|
}
|
||||||
|
|
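Review bot: Returning `subjExt.KV` directly drops the old `tag-` prefix filter, so every key the FrostFS ID contract stores for the subject now reaches the policy engine as a user-claim property, not only keys that were deliberately namespaced as tags. That is presumably the intent of #365, but it widens the set of attributes a policy condition can match on, and if the contract's KV store can hold entries that were never meant to drive authorization, or entries a subject can write itself, those become policy inputs too; a comment on the return such as `// All subject KV pairs are exposed as claims; policy conditions may match any key.` would record that decision. The returned map is also the very map the client handed back, so a caller that mutates it would alter whatever the client still holds; copying it into a fresh `map[string]string` before returning, as the removed loop happened to do, keeps the boundary clean. `GetUserGroupIDsAndClaims` begins outside this hunk.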