[#357] Add check of request and resource tags #357

mbiryukova · 2024-04-10T07:47:42Z

mbiryukova commented

2024-04-10 07:47:42 +00:00

Signed-off-by: Marina Biryukova m.biryukova@yadro.com

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>

mbiryukova self-assigned this 2024-04-10 07:47:42 +00:00

mbiryukova force-pushed feature/tags_to_policy_check from 84e123a0fb to 1c84cf5ae2

2024-04-10 07:48:14 +00:00

Compare

mbiryukova changed title from ~~[#xxx] Add check of request and resource tags~~ to [#357] Add check of request and resource tags

2024-04-10 07:48:41 +00:00

mbiryukova requested review from storage-services-committers 2024-04-10 08:01:19 +00:00

mbiryukova requested review from storage-services-developers 2024-04-10 08:01:19 +00:00

mbiryukova force-pushed feature/tags_to_policy_check from 1c84cf5ae2 to 0fe50f000d

2024-04-10 08:31:41 +00:00

Compare

mbiryukova force-pushed feature/tags_to_policy_check from 0fe50f000d to 780c329cab

2024-04-10 09:27:35 +00:00

Compare

mbiryukova force-pushed feature/tags_to_policy_check from 780c329cab to 0c47fd4228

2024-04-10 13:25:28 +00:00

Compare

dkirillov reviewed 2024-04-11 06:57:14 +00:00

dkirillov left a comment

Looks good

api/middleware/policy.go Outdated

					
				@ -30,0 +40,4 @@

					CompleteMultipartUploadOperation,

					UploadPartOperation,

					UploadPartCopyOperation,

					ListPartsOperation,

dkirillov commented

2024-04-11 06:39:42 +00:00

Can aws restrict uploadPart/listingParts by resource attribute (that was added during create multipart upload)?

mbiryukova commented

2024-04-11 10:43:08 +00:00

It seems not

👍 1

dkirillov marked this conversation as resolved

api/middleware/policy.go Outdated

					
				@ -39,0 +59,4 @@

				}

				type ResourceTagging interface {

					GetBucketInfo(ctx context.Context, name string) (*data.BucketInfo, error)

dkirillov commented

2024-04-11 06:43:50 +00:00

This duplicates PolicyConfig.BucketResolver.

This duplicates `PolicyConfig.BucketResolver`.

dkirillov marked this conversation as resolved

api/middleware/policy.go Outdated

					
				@ -54,6 +84,7 @@ func PolicyCheck(cfg PolicyConfig) Func {

							ctx := r.Context()

							if err := policyCheck(r, cfg); err != nil {

								reqLogOrDefault(ctx, cfg.Log).Error(logs.PolicyValidationFailed, zap.Error(err))

								err = frostfsErrors.UnwrapErr(err)

dkirillov commented

2024-04-11 06:38:42 +00:00

Why do we need this?

mbiryukova commented

2024-04-11 08:41:00 +00:00

Without this we will return InternalError if requesting tags of non-existent bucket or object, instead of NoSuchBucket or NoSuchKey

Without this we will return `InternalError` if requesting tags of non-existent bucket or object, instead of `NoSuchBucket` or `NoSuchKey`

dkirillov commented

2024-04-11 09:13:59 +00:00

Can we add test for such case then? For now If I remove this line tests still pass

dkirillov marked this conversation as resolved

api/middleware/policy.go Outdated

					
				@ -68,3 +99,3 @@

				func policyCheck(r *http.Request, cfg PolicyConfig) error {

					reqType, bktName, objName := getBucketObject(r, cfg.Domains)

					req, err := getPolicyRequest(r, cfg.FrostfsID, reqType, bktName, objName, cfg.Log)

					req, err := getPolicyRequest(r, cfg.FrostfsID, cfg.Decoder, cfg.Tagging, reqType, bktName, objName, cfg.Log)