From ac965e8d176a74cc501a1d20cd89b6ee7feaaca5 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <d.kirillov@yadro.com>
Date: Tue, 11 Jun 2024 11:25:28 +0300
Subject: [PATCH] [#80] iam: Move resource tag to resource property

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
---
 iam/converter_native.go |  1 +
 iam/converter_s3.go     | 10 +++++++---
 iam/converter_test.go   |  2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/iam/converter_native.go b/iam/converter_native.go
index 0f22f88..4f3ab18 100644
--- a/iam/converter_native.go
+++ b/iam/converter_native.go
@@ -243,6 +243,7 @@ func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]Gro
 				res.Conditions = append(res.Conditions, gr.Conditions[i])
 			case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
 				strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
+				// Tags exist only in S3 requests, so native protocol should not process such conditions.
 				continue
 			default:
 				res.Conditions = append(res.Conditions, gr.Conditions[i])
diff --git a/iam/converter_s3.go b/iam/converter_s3.go
index 28192fa..d109ca7 100644
--- a/iam/converter_s3.go
+++ b/iam/converter_s3.go
@@ -2,6 +2,7 @@ package iam
 
 import (
 	"fmt"
+	"strings"
 
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
@@ -169,16 +170,19 @@ func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) (
 func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
 	return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
 		for i := range gr.Conditions {
-			if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
+			switch {
+			case gr.Conditions[i].Key == condKeyAWSPrincipalARN:
 				gr.Conditions[i].Key = s3.PropertyKeyOwner
 				val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver)
 				if err != nil {
 					return GroupedConditions{}, err
 				}
 				gr.Conditions[i].Value = val
-			}
-			if gr.Conditions[i].Key == condKeyAWSMFAPresent {
+
+			case gr.Conditions[i].Key == condKeyAWSMFAPresent:
 				gr.Conditions[i].Key = s3.PropertyKeyAccessBoxAttrMFA
+			case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
+				gr.Conditions[i].Kind = chain.KindResource
 			}
 		}
 
diff --git a/iam/converter_test.go b/iam/converter_test.go
index c31bf50..5a57fd7 100644
--- a/iam/converter_test.go
+++ b/iam/converter_test.go
@@ -1705,7 +1705,7 @@ func TestTagsConditions(t *testing.T) {
 		},
 		{
 			Op:    chain.CondStringEquals,
-			Kind:  chain.KindRequest,
+			Kind:  chain.KindResource,
 			Key:   fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner"),
 			Value: "hr-admin",
 		},