From e33ca77ec86ed51941dfb080b023a3ff3e65ec6c Mon Sep 17 00:00:00 2001
From: Pavel Pogodaev
Date: Fri, 12 Apr 2024 11:59:05 +0300
Subject: [PATCH] [#365] Include iam user tags in query
Signed-off-by: Pavel Pogodaev
---
api/middleware/policy.go | 4 ++--
api/router_mock_test.go | 8 +++-----
api/router_test.go | 12 +++++++++---
internal/frostfs/frostfsid/frostfsid.go | 11 ++---------
4 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/api/middleware/policy.go b/api/middleware/policy.go
index 9001820..d4db782 100644
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@@ -33,7 +33,7 @@ type PolicySettings interface {
}
type FrostFSIDInformer interface {
- GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error)
+ GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error)
}
// BucketResolveFunc is a func to resolve bucket info by name.
@@ -131,7 +131,7 @@ func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqT
}
owner = pk.Address()
- groups, tags, err = frostfsid.GetUserGroupIDsAndTags(pk.GetScriptHash())
+ groups, tags, err = frostfsid.GetUserGroupIDsAndClaims(pk.GetScriptHash())
if err != nil {
return nil, fmt.Errorf("get group ids: %w", err)
}
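Review bot: The local is still named `tags` and the wrap message still says `get group ids`, although the call now returns every claim stored on the subject, so neither describes what is actually fed into the policy request; I would rename the variable at its declaration (outside this hunk) and widen the message, `groups, claims, err = frostfsid.GetUserGroupIDsAndClaims(pk.GetScriptHash())` and `return nil, fmt.Errorf("get group ids and claims: %w", err)`. getPolicyRequest starts and ends outside the hunk.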
diff --git a/api/router_mock_test.go b/api/router_mock_test.go
index 6eff1d6..2b73ce4 100644
--- a/api/router_mock_test.go
+++ b/api/router_mock_test.go
@@ -76,17 +76,15 @@ func (r *middlewareSettingsMock) ACLEnabled() bool {
}
type frostFSIDMock struct {
+ tags map[string]string
}
func (f *frostFSIDMock) ValidatePublicKey(*keys.PublicKey) error {
return nil
}
-func (f *frostFSIDMock) GetUserGroupIDsAndTags(util.Uint160) ([]string, map[string]string, error) {
- tags := make(map[string]string)
- tags["test"] = "user"
- tags["tag-test"] = "test"
- return []string{}, tags, nil
+func (f *frostFSIDMock) GetUserGroupIDsAndClaims(u util.Uint160) ([]string, map[string]string, error) {
+ return []string{}, f.tags, nil
}
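Review bot: The new mock signature names a parameter `u` that the body never reads; the removed version left it unnamed, which is what `unparam`/`revive` expect, so `func (f *frostFSIDMock) GetUserGroupIDsAndClaims(util.Uint160) ([]string, map[string]string, error)` keeps the linters quiet. Note also that with the `tags` field unset the mock now returns a nil map where it used to return a populated one; that is fine for lookups, but it is what every other test using this mock now gets by default.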
type handlerMock struct {
diff --git a/api/router_test.go b/api/router_test.go
index 9760169..7f2a8d6 100644
--- a/api/router_test.go
+++ b/api/router_test.go
@@ -251,11 +251,17 @@ func TestDefaultBehaviorPolicyChecker(t *testing.T) {
}
func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {
- chiRouter := prepareRouter(t)
+ router := prepareRouter(t)
ns, bktName := "", "bucket"
+ router.middlewareSettings.denyByDefault = true
+ allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+ createBucket(router, ns, bktName)
+ denyOperations(router, ns, []string{"s3:CreateBucket"}, nil)
- // check we can access bucket if rules not found
- createBucket(chiRouter, ns, bktName)
+ tags := make(map[string]string)
+ tags["tag-test"] = "test"
+ router.cfg.FrostfsID.(*frostFSIDMock).tags = tags
+ createBucket(router, ns, bktName)
}
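Review bot: The only claim the test sets still carries the `tag-` prefix (`tags["tag-test"] = "test"`), so it does not exercise what this commit changes in frostfsid.go, where the prefix filter is dropped and every subject key becomes a claim; add an unprefixed key such as `tags["test"] = "user"` and have the allowing rule condition on it. From the hunk it is also not visible which rule lets the second `createBucket` through after `s3:CreateBucket` has been denied — presumably `denyOperations` with a nil last argument attaches no claim condition and a claim-conditioned allow is expected to win, but no such rule is created here, so the test may pass for a reason unrelated to claims. A one-line comment stating the intended rule evaluation, e.g. `// deny without conditions must lose to the claim-scoped allow`, would make the expectation checkable.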
func TestACLAPE(t *testing.T) {
diff --git a/internal/frostfs/frostfsid/frostfsid.go b/internal/frostfs/frostfsid/frostfsid.go
index cb5a9eb..6db6668 100644
--- a/internal/frostfs/frostfsid/frostfsid.go
+++ b/internal/frostfs/frostfsid/frostfsid.go
@@ -110,7 +110,7 @@ func (f *FrostFSID) GetUserKey(account, name string) (string, error) {
return hex.EncodeToString(key.Bytes()), nil
}
-func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map[string]string, error) {
+func (f *FrostFSID) GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error) {
subjExt, err := f.cli.GetSubjectExtended(userHash)
if err != nil {
if strings.Contains(err.Error(), "not found") {
@@ -124,12 +124,5 @@ func (f *FrostFSID) GetUserGroupIDsAndTags(userHash util.Uint160) ([]string, map
res[i] = strconv.FormatInt(group.ID, 10)
}
- tags := make(map[string]string)
- for k, v := range subjExt.KV {
- if strings.HasPrefix(k, "tag-") {
- tags[k] = v
- }
- }
-
- return res, tags, nil
+ return res, subjExt.KV, nil
}
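Review bot: Dropping the `tag-` prefix filter means every key/value stored on the subject is now handed to the policy engine as a claim, not only the entries deliberately marked as tags, so any attribute a subject or contract admin can set becomes a possible policy-condition match; that is what the title asks for, but the exported method (its signature is in the previous hunk) has no doc comment saying so, e.g. `// GetUserGroupIDsAndClaims returns the subject's group IDs and its full KV map; every key on the subject is exposed to policy conditions, not only tag-* entries.` The function also now returns `subjExt.KV` itself where it previously built a fresh map, so a caller that mutates the result writes into whatever the client handed back — harmless if `GetSubjectExtended` yields a fresh copy per call, but worth copying if it caches; and a subject with no KV now yields a nil map rather than an empty one, which is safe for reads only.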