[#365] Include iam user tags in query

Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>

api/middleware/policy.go

@@ -51,7 +51,7 @@ type PolicySettings interface {
 }
 
 type FrostFSIDInformer interface {
-	GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error)
+	GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error)
 }
 
 type XMLDecoder interface {
@@ -161,7 +161,7 @@ func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktNam
 		}
 		owner = pk.Address()
 
-		groups, err = cfg.FrostfsID.GetUserGroupIDsAndTags(pk.GetScriptHash())
+		groups, tags, err = cfg.FrostfsID.GetUserGroupIDsAndClaims(pk.GetScriptHash())
 		if err != nil {
 			return nil, fmt.Errorf("get group ids: %w", err)
 		}
@@ -422,7 +422,6 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
 		res[fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, k)] = v
 	}
 
-
 	if reqType == objectType {
 		if versionID := queries.Get(QueryVersionID); len(versionID) > 0 {
 			res[s3.PropertyKeyVersionID] = versionID

api/router_mock_test.go

@@ -78,17 +78,15 @@ func (r *middlewareSettingsMock) ACLEnabled() bool {
 }
 
 type frostFSIDMock struct {
+	tags map[string]string
 }
 
 func (f *frostFSIDMock) ValidatePublicKey(*keys.PublicKey) error {
 	return nil
 }
 
-func (f *frostFSIDMock) GetUserGroupIDsAndTags(util.Uint160) ([]string, map[string]string, error) {
-	tags := make(map[string]string)
-	tags["test"] = "user"
-	tags["tag-test"] = "test"
-	return []string{}, tags, nil
+func (f *frostFSIDMock) GetUserGroupIDsAndClaims(util.Uint160) ([]string, map[string]string, error) {
+	return []string{}, f.tags, nil
 }
 
 type xmlMock struct {

api/router_test.go

@@ -21,6 +21,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
@@ -256,11 +257,19 @@ func TestDefaultBehaviorPolicyChecker(t *testing.T) {
 }
 
 func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	router := prepareRouter(t)
 	ns, bktName := "", "bucket"
+	router.middlewareSettings.denyByDefault = true
 
-	// check we can access bucket if rules not found
-	createBucket(chiRouter, ns, bktName)
+	allowOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
+		engineiam.CondStringEquals: engineiam.Condition{fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, "tag-test"): []string{"test"}},
+	})
+	createBucketErr(router, ns, bktName, apiErrors.ErrAccessDenied)
+
+	tags := make(map[string]string)
+	tags["tag-test"] = "test"
+	router.cfg.FrostfsID.(*frostFSIDMock).tags = tags
+	createBucket(router, ns, bktName)
 }
 
 func TestACLAPE(t *testing.T) {

internal/frostfs/frostfsid/frostfsid.go

@@ -110,7 +110,7 @@ func (f *FrostFSID) GetUserKey(account, name string) (string, error) {
 	return hex.EncodeToString(key.Bytes()), nil
 }
 
-func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error) {
+func (f *FrostFSID) GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error) {
 	subjExt, err := f.cli.GetSubjectExtended(userHash)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
@@ -124,12 +124,5 @@ func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map
 		res[i] = strconv.FormatInt(group.ID, 10)
 	}
 
-	tags := make(map[string]string)
-	for k, v := range subjExt.KV {
-		if strings.HasPrefix(k, "tag-") {
-			tags[k] = v
-		}
-	}
-
-	return res, tags, nil
+	return res, subjExt.KV, nil
 }