[#367] policy: Set IAM-MFA property to false by default #390
2 changed files with 21 additions and 0 deletions
|
@ -464,6 +464,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
|
|||
res[k] = v
|
||||
}
|
||||
|
||||
res[s3.PropertyKeyAccessBoxAttrMFA] = "false"
|
||||
attrs, err := GetAccessBoxAttrs(r.Context())
|
||||
if err == nil {
|
||||
for _, attr := range attrs {
|
||||
|
|
|
@ -636,6 +636,26 @@ func TestSourceIPCheck(t *testing.T) {
|
|||
createBucket(router, ns, bktName)
|
||||
}
|
||||
|
||||
func TestMFAPolicy(t *testing.T) {
|
||||
router := prepareRouter(t)
|
||||
|
||||
ns, bktName := "", "bucket"
|
||||
router.middlewareSettings.denyByDefault = true
|
||||
|
||||
allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
|
||||
denyOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
|
||||
engineiam.CondBool: engineiam.Condition{s3.PropertyKeyAccessBoxAttrMFA: []string{"false"}},
|
||||
})
|
||||
createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)
|
||||
|
||||
var attr object.Attribute
|
||||
attr.SetKey("IAM-MFA")
|
||||
attr.SetValue("true")
|
||||
router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}
|
||||
|
||||
createBucket(router, ns, bktName)
|
||||
}
|
||||
|
||||
func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
|
||||
addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue