[#362] Check user and groups during policy check
All checks were successful
/ DCO (pull_request) Successful in 4m8s
/ Vulncheck (pull_request) Successful in 4m10s
/ Builds (1.20) (pull_request) Successful in 5m33s
/ Builds (1.21) (pull_request) Successful in 5m24s
/ Lint (pull_request) Successful in 8m32s
/ Tests (1.20) (pull_request) Successful in 5m9s
/ Tests (1.21) (pull_request) Successful in 4m52s

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
Alexey Vanin 2024-04-11 14:31:53 +03:00
parent 2f108c9951
commit 6bf6a3b1a3
2 changed files with 30 additions and 12 deletions

View file

@ -97,7 +97,7 @@ func PolicyCheck(cfg PolicyConfig) Func {
func policyCheck(r *http.Request, cfg PolicyConfig) error { func policyCheck(r *http.Request, cfg PolicyConfig) error {
reqType, bktName, objName := getBucketObject(r, cfg.Domains) reqType, bktName, objName := getBucketObject(r, cfg.Domains)
req, err := getPolicyRequest(r, cfg, reqType, bktName, objName) req, userKey, userGroups, err := getPolicyRequest(r, cfg, reqType, bktName, objName)
if err != nil { if err != nil {
return err return err
} }
@ -117,6 +117,19 @@ func policyCheck(r *http.Request, cfg PolicyConfig) error {
target.Container = &cnrTarget target.Container = &cnrTarget
} }
if userKey != nil {
entityName := fmt.Sprintf("%s:%s", reqInfo.Namespace, userKey.Address())
uTarget := engine.UserTarget(entityName)
target.User = &uTarget
}
gts := make([]engine.Target, len(userGroups))
for i, group := range userGroups {
entityName := fmt.Sprintf("%s:%s", reqInfo.Namespace, group)
gts[i] = engine.GroupTarget(entityName)
}
target.Groups = gts
st, found, err := cfg.Storage.IsAllowed(chain.S3, target, req) st, found, err := cfg.Storage.IsAllowed(chain.S3, target, req)
if err != nil { if err != nil {
return err return err
@ -145,25 +158,26 @@ func policyCheck(r *http.Request, cfg PolicyConfig) error {
return nil return nil
} }
func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktName string, objName string) (*testutil.Request, error) { func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktName string, objName string) (*testutil.Request, *keys.PublicKey, []string, error) {
var ( var (
owner string owner string
groups []string groups []string
tags map[string]string tags map[string]string
pk *keys.PublicKey
) )
ctx := r.Context() ctx := r.Context()
bd, err := GetBoxData(ctx) bd, err := GetBoxData(ctx)
if err == nil && bd.Gate.BearerToken != nil { if err == nil && bd.Gate.BearerToken != nil {
pk, err := keys.NewPublicKeyFromBytes(bd.Gate.BearerToken.SigningKeyBytes(), elliptic.P256()) pk, err = keys.NewPublicKeyFromBytes(bd.Gate.BearerToken.SigningKeyBytes(), elliptic.P256())
if err != nil { if err != nil {
return nil, fmt.Errorf("parse pubclic key from btoken: %w", err) return nil, nil, nil, fmt.Errorf("parse pubclic key from btoken: %w", err)
} }
owner = pk.Address() owner = pk.Address()
groups, tags, err = cfg.FrostfsID.GetUserGroupIDsAndClaims(pk.GetScriptHash()) groups, tags, err = cfg.FrostfsID.GetUserGroupIDsAndClaims(pk.GetScriptHash())
if err != nil { if err != nil {
return nil, fmt.Errorf("get group ids: %w", err) return nil, nil, nil, fmt.Errorf("get group ids: %w", err)
} }
} }
@ -178,13 +192,13 @@ func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktNam
properties, err := determineProperties(r, cfg.Decoder, cfg.BucketResolver, cfg.Tagging, reqType, op, bktName, objName, owner, groups, tags) properties, err := determineProperties(r, cfg.Decoder, cfg.BucketResolver, cfg.Tagging, reqType, op, bktName, objName, owner, groups, tags)
if err != nil { if err != nil {
return nil, fmt.Errorf("determine properties: %w", err) return nil, nil, nil, fmt.Errorf("determine properties: %w", err)
} }
reqLogOrDefault(r.Context(), cfg.Log).Debug(logs.PolicyRequest, zap.String("action", op), reqLogOrDefault(r.Context(), cfg.Log).Debug(logs.PolicyRequest, zap.String("action", op),
zap.String("resource", res), zap.Any("properties", properties)) zap.String("resource", res), zap.Any("properties", properties))
return testutil.NewRequest(op, testutil.NewResource(res, nil), properties), nil return testutil.NewRequest(op, testutil.NewResource(res, nil), properties), pk, groups, nil
} }
type ReqType int type ReqType int

View file

@ -117,12 +117,16 @@ func (c *MorphRuleChainStorage) SaveACLChains(cid string, chains []*chain.Chain)
} }
func getKind(target engine.Target) policycontract.Kind { func getKind(target engine.Target) policycontract.Kind {
var kind policycontract.Kind = policycontract.Container switch target.Type {
if target.Type != engine.Container { case engine.Container:
kind = policycontract.Namespace return policycontract.Container
case engine.User:
return 'u'
case engine.Group:
return 'g'
default:
return policycontract.Namespace
} }
return kind
} }
func getBucketPolicyName(cnrID cid.ID) []byte { func getBucketPolicyName(cnrID cid.ID) []byte {