[#365] Include iam user tags in query
Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>
parent
2b15ead7b5
commit
e2e6794605
|
@ -33,7 +33,7 @@ type PolicySettings interface {
|
|||
}
|
||||
|
||||
type FrostFSIDInformer interface {
|
||||
GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error)
|
||||
GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error)
|
||||
}
|
||||
|
||||
// BucketResolveFunc is a func to resolve bucket info by name.
|
||||
|
@ -131,7 +131,7 @@ func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqT
|
|||
}
|
||||
owner = pk.Address()
|
||||
|
||||
groups, tags, err = frostfsid.GetUserGroupIDsAndTags(pk.GetScriptHash())
|
||||
groups, tags, err = frostfsid.GetUserGroupIDsAndClaims(pk.GetScriptHash())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("get group ids: %w", err)
|
||||
}
|
||||
|
|
|
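Review bot: The local that receives the second result is still named `tags` in `groups, tags, err = frostfsid.GetUserGroupIDsAndClaims(pk.GetScriptHash())`, although the method now returns claims; renaming it to `claims` would stop a reader from assuming the map holds only `tag-` keys when it is (presumably) turned into policy request properties. `FrostFSIDInformer` has no doc comment, and because this map feeds an authorization decision I would add one on the method, for example `// GetUserGroupIDsAndClaims returns the user's group IDs and key-value claims; claims may be nil.`. The wrap `"get group ids: %w"` now covers claims as well and could say so. getPolicyRequest continues outside the hunk, so how the map is consumed is not visible here.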
@ -76,17 +76,15 @@ func (r *middlewareSettingsMock) ACLEnabled() bool {
|
|||
}
|
||||
|
||||
type frostFSIDMock struct {
|
||||
tags map[string]string
|
||||
}
|
||||
|
||||
func (f *frostFSIDMock) ValidatePublicKey(*keys.PublicKey) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *frostFSIDMock) GetUserGroupIDsAndTags(util.Uint160) ([]string, map[string]string, error) {
|
||||
tags := make(map[string]string)
|
||||
tags["test"] = "user"
|
||||
tags["tag-test"] = "test"
|
||||
return []string{}, tags, nil
|
||||
func (f *frostFSIDMock) GetUserGroupIDsAndClaims(u util.Uint160) ([]string, map[string]string, error) {
|
||||
return []string{}, f.tags, nil
|
||||
}
|
||||
|
||||
type handlerMock struct {
|
||||
|
|
|
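Review bot: TestDefaultPolicyCheckerWithUserTags does not appear to tie the outcome to the claim it sets. Both `allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)` and `denyOperations(router, ns, []string{"s3:CreateBucket"}, nil)` pass `nil` as the last argument, which looks like the condition set (the helpers are defined outside this page). If so, assigning `tags["tag-test"] = "test"` on the mock cannot change the decision, and the test would pass or fail regardless of whether claims reach the policy engine. I would make the allow rule conditional on the `tag-test` claim, assert that the request is denied while `frostFSIDMock.tags` is nil, and only then set the claim and assert success. A one-line comment on the `tags` field of `frostFSIDMock` saying it is returned verbatim as the user's claims would also help.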
@ -251,11 +251,17 @@ func TestDefaultBehaviorPolicyChecker(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {
|
||||
chiRouter := prepareRouter(t)
|
||||
router := prepareRouter(t)
|
||||
ns, bktName := "", "bucket"
|
||||
router.middlewareSettings.denyByDefault = true
|
||||
allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
|
||||
createBucket(router, ns, bktName)
|
||||
denyOperations(router, ns, []string{"s3:CreateBucket"}, nil)
|
||||
|
||||
// check we can access bucket if rules not found
|
||||
createBucket(chiRouter, ns, bktName)
|
||||
tags := make(map[string]string)
|
||||
tags["tag-test"] = "test"
|
||||
router.cfg.FrostfsID.(*frostFSIDMock).tags = tags
|
||||
createBucket(router, ns, bktName)
|
||||
}
|
||||
|
||||
func TestACLAPE(t *testing.T) {
|
||||
|
|
|
@ -110,11 +110,11 @@ func (f *FrostFSID) GetUserKey(account, name string) (string, error) {
|
|||
return hex.EncodeToString(key.Bytes()), nil
|
||||
}
|
||||
|
||||
func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error) {
|
||||
func (f *FrostFSID) GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error) {
|
||||
subjExt, err := f.cli.GetSubjectExtended(userHash)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "not found") {
|
||||
return nil, nil, err
|
||||
return nil, nil
|
||||
}
|
||||
return nil, nil, err
|
||||
}
|
||||
|
@ -124,12 +124,5 @@ func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map
|
|||
res[i] = strconv.FormatInt(group.ID, 10)
|
||||
}
|
||||
|
||||
tags := make(map[string]string)
|
||||
for k, v := range subjExt.KV {
|
||||
if strings.HasPrefix(k, "tag-") {
|
||||
tags[k] = v
|
||||
}
|
||||
}
|
||||
|
||||
return res, tags, nil
|
||||
return res, subjExt.KV, nil
|
||||
}
|
||||
|
|
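Review bot: `return res, subjExt.KV, nil` passes every key/value stored on the subject to the caller and hands out the client's own map, where the earlier loop copied only `tag-` keys into a fresh map. If some of those keys are not meant to be matched by policy conditions, or the returned map is cached or mutated downstream (not visible here), this widens what an access rule can depend on. I would copy the entries into a new map before returning and add a comment naming which keys are expected to be used in policies. In the not-found branch the page prints both `return nil, nil, err` and `return nil, nil`; a two-value return does not match the three declared results, so if that is the new line it presumably should read `return nil, nil, nil`, with a comment that an unknown subject yields no groups and no claims rather than an error. The function body is split across two hunks and its middle is outside the page.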