[#367] policy: Set IAM-MFA property to false by default #390

Merged
alexvanin merged 1 commit from dkirillov/frostfs-s3-gw:feature/mfa_default_property into master 2024-05-22 15:05:10 +00:00
2 changed files with 21 additions and 0 deletions


@ -464,6 +464,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
res[k] = v
}
res[s3.PropertyKeyAccessBoxAttrMFA] = "false"
attrs, err := GetAccessBoxAttrs(r.Context())
if err == nil {
for _, attr := range attrs {
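Review bot: The new line `res[s3.PropertyKeyAccessBoxAttrMFA] = "false"` has no comment, yet its position is what makes it safe. It sits after the `res[k] = v` copy loop, so it overwrites whatever that loop stored under the key, and before the attribute loop, which presumably is the only place that may replace it. I would add `// Default MFA to "false" so Bool conditions always have a value; only access-box attributes below may override it.` above the line, so that a later reordering is not mistaken for a harmless cleanup. When `GetAccessBoxAttrs` returns an error the property stays "false", which fails closed for deny-on-false policies. Whether that error is reported anywhere is not visible, because determineProperties starts and ends outside the hunk.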


@ -636,6 +636,26 @@ func TestSourceIPCheck(t *testing.T) {
createBucket(router, ns, bktName)
}
func TestMFAPolicy(t *testing.T) {
router := prepareRouter(t)
ns, bktName := "", "bucket"
router.middlewareSettings.denyByDefault = true
allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
denyOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
engineiam.CondBool: engineiam.Condition{s3.PropertyKeyAccessBoxAttrMFA: []string{"false"}},
})
createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)
var attr object.Attribute
attr.SetKey("IAM-MFA")
attr.SetValue("true")
router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}
createBucket(router, ns, bktName)
}
func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
}
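Review bot: TestMFAPolicy covers only a missing attribute (denied) and the value "true" (allowed), so it does not pin what happens when the access box carries the attribute with "false" or with a non-canonical value such as "True". Those are the cases where a regression would silently lift the deny. Before the final `createBucket`, I would add a step that sets `attr.SetValue("false")`, assigns it to the mock's `attrs`, and expects `createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)`. The attribute key is written as the literal `"IAM-MFA"` while the condition uses `s3.PropertyKeyAccessBoxAttrMFA`. If the package exports a constant for the attribute name (none is visible in this hunk), using it would keep the test from drifting away from the production mapping.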