[#367] policy: Set IAM-MFA property to false by default

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-05-22 12:04:06 +03:00 · 2024-05-22 12:04:06 +03:00 · fb521c7ac6
parent 87b9e97a80
commit fb521c7ac6
2 changed files with 21 additions and 0 deletions
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@ -464,6 +464,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
 		res[k] = v
 	}

+	res[s3.PropertyKeyAccessBoxAttrMFA] = "false"
 	attrs, err := GetAccessBoxAttrs(r.Context())
 	if err == nil {
 		for _, attr := range attrs {
--- a/api/router_test.go
+++ b/api/router_test.go
@ -636,6 +636,26 @@ func TestSourceIPCheck(t *testing.T) {
 	createBucket(router, ns, bktName)
 }

+func TestMFAPolicy(t *testing.T) {
+	router := prepareRouter(t)
+
+	ns, bktName := "", "bucket"
+	router.middlewareSettings.denyByDefault = true
+
+	allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+	denyOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
+		engineiam.CondBool: engineiam.Condition{s3.PropertyKeyAccessBoxAttrMFA: []string{"false"}},
+	})
+	createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)
+
+	var attr object.Attribute
+	attr.SetKey("IAM-MFA")
+	attr.SetValue("true")
+	router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}
+
+	createBucket(router, ns, bktName)
+}
+
 func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
 	addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
 }