api/middleware/policy.go

@@ -190,15 +190,16 @@ func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktNam
 		res = fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName)
 	}
 
-	properties, err := determineProperties(r, cfg.Decoder, cfg.BucketResolver, cfg.Tagging, reqType, op, bktName, objName, owner, groups, tags)
+	requestProps, resourceProps, err := determineProperties(r, cfg.Decoder, cfg.BucketResolver, cfg.Tagging, reqType, op, bktName, objName, owner, groups, tags)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("determine properties: %w", err)
 	}
 
 	reqLogOrDefault(r.Context(), cfg.Log).Debug(logs.PolicyRequest, zap.String("action", op),
-		zap.String("resource", res), zap.Any("properties", properties))
+		zap.String("resource", res), zap.Any("request properties", requestProps),
+		zap.Any("resource properties", resourceProps))
 
-	return testutil.NewRequest(op, testutil.NewResource(res, nil), properties), pk, groups, nil
+	return testutil.NewRequest(op, testutil.NewResource(res, resourceProps), requestProps), pk, groups, nil
 }
 
 type ReqType int
@@ -427,72 +428,59 @@ func determineGeneralOperation(r *http.Request) string {
 }
 
 func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketResolveFunc, tagging ResourceTagging, reqType ReqType,
-	op, bktName, objName, owner string, groups []string, tags map[string]string) (map[string]string, error) {
+	op, bktName, objName, owner string, groups []string, userClaims map[string]string) (requestProperties map[string]string, resourceProperties map[string]string, err error) {
-	res := map[string]string{
+	requestProperties = map[string]string{
 		s3.PropertyKeyOwner:                owner,
 		common.PropertyKeyFrostFSIDGroupID: chain.FormCondSliceContainsValue(groups),
 		common.PropertyKeyFrostFSSourceIP:  GetReqInfo(r.Context()).RemoteHost,
 	}
 	queries := GetReqInfo(r.Context()).URL.Query()
 
-	for k, v := range tags {
+	for k, v := range userClaims {
-		res[fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, k)] = v
+		requestProperties[fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, k)] = v
 	}
 
 	if reqType == objectType {
 		if versionID := queries.Get(QueryVersionID); len(versionID) > 0 {
-			res[s3.PropertyKeyVersionID] = versionID
+			requestProperties[s3.PropertyKeyVersionID] = versionID
 		}
 	}
 
 	if reqType == bucketType && (strings.HasSuffix(op, ListObjectsV1Operation) || strings.HasSuffix(op, ListObjectsV2Operation) ||
 		strings.HasSuffix(op, ListBucketObjectVersionsOperation) || strings.HasSuffix(op, ListMultipartUploadsOperation)) {
 		if prefix := queries.Get(QueryPrefix); len(prefix) > 0 {
-			res[s3.PropertyKeyPrefix] = prefix
+			requestProperties[s3.PropertyKeyPrefix] = prefix
 		}
 		if delimiter := queries.Get(QueryDelimiter); len(delimiter) > 0 {
-			res[s3.PropertyKeyDelimiter] = delimiter
+			requestProperties[s3.PropertyKeyDelimiter] = delimiter
 		}
 		if maxKeys := queries.Get(QueryMaxKeys); len(maxKeys) > 0 {
-			res[s3.PropertyKeyMaxKeys] = maxKeys
+			requestProperties[s3.PropertyKeyMaxKeys] = maxKeys
 		}
 	}
 
-	tags, err := determineTags(r, decoder, resolver, tagging, reqType, op, bktName, objName, queries.Get(QueryVersionID))
+	requestProperties[s3.PropertyKeyAccessBoxAttrMFA] = "false"
-	if err != nil {
-		return nil, fmt.Errorf("determine tags: %w", err)
-	}
-	for k, v := range tags {
-		res[k] = v
-	}
-
-	res[s3.PropertyKeyAccessBoxAttrMFA] = "false"
 	attrs, err := GetAccessBoxAttrs(r.Context())
 	if err == nil {
 		for _, attr := range attrs {
-			res[fmt.Sprintf(s3.PropertyKeyFormatAccessBoxAttr, attr.Key())] = attr.Value()
+			requestProperties[fmt.Sprintf(s3.PropertyKeyFormatAccessBoxAttr, attr.Key())] = attr.Value()
 		}
 	}
 
-	return res, nil
+	reqTags, err := determineRequestTags(r, decoder, op)
-}
-
-func determineTags(r *http.Request, decoder XMLDecoder, resolver BucketResolveFunc, tagging ResourceTagging, reqType ReqType,
-	op, bktName, objName, versionID string) (map[string]string, error) {
-	res, err := determineRequestTags(r, decoder, op)
 	if err != nil {
-		return nil, fmt.Errorf("determine request tags: %w", err)
+		return nil, nil, fmt.Errorf("determine request tags: %w", err)
+	}
+	for k, v := range reqTags {
+		requestProperties[k] = v
 	}
 
-	tags, err := determineResourceTags(r.Context(), reqType, op, bktName, objName, versionID, resolver, tagging)
+	resourceProperties, err = determineResourceTags(r.Context(), reqType, op, bktName, objName, queries.Get(QueryVersionID), resolver, tagging)
 	if err != nil {
-		return nil, fmt.Errorf("determine resource tags: %w", err)
+		return nil, nil, fmt.Errorf("determine resource tags: %w", err)
-	}
-	for k, v := range tags {
-		res[k] = v
 	}
 
-	return res, nil
+	return requestProperties, resourceProperties, nil
 }
 
 func determineRequestTags(r *http.Request, decoder XMLDecoder, op string) (map[string]string, error) {

go.mod

@@ -7,7 +7,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240409115729-6eb492025bdd
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240531132048-ebd8fcd1685f
-	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240527065402-303a81cdc6db
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240611102930-ac965e8d176a
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
 	github.com/aws/aws-sdk-go v1.44.6
 	github.com/aws/aws-sdk-go-v2 v1.18.1

go.sum

@@ -48,8 +48,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240531132048-ebd8fcd1685f
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240531132048-ebd8fcd1685f/go.mod h1:4AObM67VUqkXQJlODTFThFnuMGEuK8h9DrAXHDZqvCU=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240527065402-303a81cdc6db h1:SVtRixp8gYn4orflpXaq3m7ET284kF8dogczIxbQRWs=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240611102930-ac965e8d176a h1:Bk1fB4cQASPKgAVGCdlBOEp5ohZfDxqK6fZM8eP+Emo=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240527065402-303a81cdc6db/go.mod h1:SgioiGhQNWqiV5qpFAXRDJF81SEFRBhtwGEiU0FViyA=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240611102930-ac965e8d176a/go.mod h1:SgioiGhQNWqiV5qpFAXRDJF81SEFRBhtwGEiU0FViyA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=