[#365] Include iam user tags in query #365

pogpp · 2024-04-12T09:00:02Z

pogpp commented

2024-04-12 09:00:02 +00:00

Signed-off-by: Pavel Pogodaev p.pogodaev@yadro.com

Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>

pogpp added 1 commit 2024-04-12 09:00:04 +00:00

/ Vulncheck (pull_request) Failing after 1m31s Details

/ DCO (pull_request) Successful in 1m42s Details

/ Builds (1.20) (pull_request) Successful in 2m12s Details

/ Builds (1.21) (pull_request) Successful in 1m39s Details

/ Lint (pull_request) Successful in 4m36s Details

/ Tests (1.20) (pull_request) Successful in 3m46s Details

/ Tests (1.21) (pull_request) Successful in 3m38s Details

80b4809ca5 [#291 ] Include iam user tags in query

Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>

pogpp force-pushed feature/add_user_tags_in_query from 80b4809ca5 to 1b562df3fc

2024-04-12 09:00:49 +00:00

Compare

pogpp changed title from ~~[#291] Include iam user tags in query~~ to [#365] Include iam user tags in query

2024-04-12 09:01:02 +00:00

dkirillov reviewed 2024-04-12 14:24:50 +00:00

api/middleware/policy.go Outdated

													
				@ -385,0 +384,4 @@

					reqInfo := GetReqInfo(ctx)

					queries := reqInfo.URL.Query()

					for _, v := range reqInfo.GetTags() {

dkirillov commented

2024-04-12 14:24:50 +00:00

We must use user claims from frostfsid. Tags from reqInfo contain nothing.

You should extend method FrostFSIDInformer.GetUserGroupIDs that it returns not only groups but also all claims.
Also add tests please

We must use user claims from `frostfsid`. Tags from `reqInfo` contain nothing. You should extend method `FrostFSIDInformer.GetUserGroupIDs` that it returns not only groups but also all claims. Also add tests please

👍 1

dkirillov marked this conversation as resolved

pogpp force-pushed feature/add_user_tags_in_query from 1b562df3fc to f0943fa580

2024-04-17 05:00:21 +00:00

Compare

pogpp force-pushed feature/add_user_tags_in_query from f0943fa580 to 2b15ead7b5

2024-04-17 05:01:55 +00:00

Compare

dkirillov reviewed 2024-04-17 06:44:29 +00:00

api/router_test.go Outdated

													
				@ -250,6 +250,14 @@ func TestDefaultBehaviorPolicyChecker(t *testing.T) {

					createBucketErr(chiRouter, ns, bktName, apiErrors.ErrAccessDenied)

				}

				func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {

dkirillov commented

2024-04-17 06:43:14 +00:00

Could you clarify what this test does?

dkirillov commented

2024-04-17 06:44:25 +00:00

It would be nice to have tests that check if user can have access with certain claims

dkirillov marked this conversation as resolved

internal/frostfs/frostfsid/frostfsid.go Outdated

													
				@ -127,1 +127,3 @@

					return res, nil

					tags := make(map[string]string)

					for k, v := range subjExt.KV {

						if strings.HasPrefix(k, "tag-") {

dkirillov commented

2024-04-17 06:42:12 +00:00

Let's rename this function to GetUserGroupIDsAndClaims and return not only tags but all KV claims

Let's rename this function to `GetUserGroupIDsAndClaims` and return not only tags but all KV claims

dkirillov marked this conversation as resolved

pogpp added 1 commit 2024-04-17 14:21:23 +00:00

/ DCO (pull_request) Successful in 1m23s Details

/ Vulncheck (pull_request) Failing after 2m28s Details

/ Builds (1.20) (pull_request) Failing after 2m44s Details

/ Builds (1.21) (pull_request) Failing after 2m38s Details

/ Lint (pull_request) Failing after 3m5s Details

/ Tests (1.20) (pull_request) Failing after 2m52s Details

/ Tests (1.21) (pull_request) Failing after 2m2s Details

e2e6794605 [#365 ] Include iam user tags in query

Signed-off-by: Pavel Pogodaev <p.pogodaev@yadro.com>

pogpp force-pushed feature/add_user_tags_in_query from e2e6794605 to e33ca77ec8

2024-04-17 14:24:08 +00:00

Compare

dkirillov reviewed 2024-04-18 06:38:34 +00:00

api/router_test.go Outdated

													
				@ -253,0 +255,4 @@

					ns, bktName := "", "bucket"

					router.middlewareSettings.denyByDefault = true

					allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)

					createBucket(router, ns, bktName)

dkirillov commented

2024-04-18 06:38:34 +00:00

The logic should be the following:

make denyByDefault to true
allow bucket creation if and only if user has specific claim
try create bucket (error AccessDenied must be got)
update FrostFSIDMock so it return appropriate tag for user
try create bucket (now it must be successfull)

The logic should be the following: * make denyByDefault to `true` * allow bucket creation if and only if user has specific claim * try create bucket (error `AccessDenied` must be got) * update `FrostFSIDMock` so it return appropriate tag for user * try create bucket (now it must be successfull)

👍 1

dkirillov marked this conversation as resolved

dkirillov commented

2024-04-18 06:38:50 +00:00

Please, rebase

👍 1

pogpp force-pushed feature/add_user_tags_in_query from e33ca77ec8 to 608fc3d09b

2024-04-18 11:25:06 +00:00

Compare

pogpp requested review from alexvanin 2024-04-18 11:32:28 +00:00

pogpp requested review from mbiryukova 2024-04-18 11:32:40 +00:00

pogpp requested review from dkirillov 2024-04-18 11:32:49 +00:00

dkirillov reviewed 2024-04-18 11:40:58 +00:00

api/router_mock_test.go Outdated

													
				@ -125,3 +126,3 @@

				func (h *handlerMock) HeadObjectHandler(http.ResponseWriter, *http.Request) {

					//TODO implement me

					// TODO implement me

dkirillov commented

2024-04-18 11:40:58 +00:00

Do we really need such changes?

pogpp commented

2024-04-18 14:16:04 +00:00

Poster

It's GoLand autoformating - gimme just a moment

dkirillov marked this conversation as resolved

dkirillov commented

2024-04-18 11:44:16 +00:00

Please, beatify commit. Now we have two commits with the same message. Squash them into one commit or separate more logically and mention such separation in commit messages

👀 1

pogpp force-pushed feature/add_user_tags_in_query from 608fc3d09b to e6bdcb4228

2024-04-18 14:23:58 +00:00

Compare

dkirillov commented

2024-04-18 14:47:51 +00:00

Rebase, please

👍 1

pogpp force-pushed feature/add_user_tags_in_query from e6bdcb4228 to e48b46d0ab

2024-04-19 05:57:47 +00:00

Compare

dkirillov reviewed 2024-04-19 06:57:45 +00:00

internal/frostfs/frostfsid/frostfsid.go Outdated

													
				@ -129,0 +130,4 @@

				func (f *FrostFSID) GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error) {

					subjExt, err := f.frostfsid.GetSubjectExtended(userHash)

					if err != nil {

						if strings.Contains(err.Error(), "not found") {

dkirillov commented

2024-04-19 06:57:45 +00:00

What is the purpose of this if ?

What is the purpose of this `if` ?

👍 1

dkirillov marked this conversation as resolved

dkirillov reviewed 2024-04-19 07:00:54 +00:00

internal/frostfs/frostfsid/frostfsid.go Outdated

													
				@ -127,2 +127,4 @@

					return userKey, nil

				}

				func (f *FrostFSID) GetUserGroupIDsAndClaims(userHash util.Uint160) ([]string, map[string]string, error) {

dkirillov commented

2024-04-19 07:00:54 +00:00

It seems we must update GetUserGroupIDs (now it isn't used I suppose)

It seems we must update `GetUserGroupIDs` (now it isn't used I suppose)

👍 1

pogpp commented

2024-04-19 08:29:55 +00:00

Poster

Consequences of bad rebase conflict resolving

dkirillov marked this conversation as resolved

pogpp force-pushed feature/add_user_tags_in_query from e48b46d0ab to 5e1f3a8189

2024-04-19 08:28:24 +00:00

Compare

dkirillov reviewed 2024-04-19 11:10:03 +00:00

internal/frostfs/frostfsid/frostfsid.go Outdated

													
				@ -63,3 +63,3 @@

						if strings.Contains(err.Error(), "not found") {

							f.log.Debug(logs.UserGroupsListIsEmpty, zap.Error(err))

							return nil, nil

							return nil, nil, err