[#80] iam: Move resource tag to resource property

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Denis Kirillov 2024-06-11 11:25:28 +03:00
parent 64e06f5b7c
commit ac965e8d17
3 changed files with 9 additions and 4 deletions


@ -243,6 +243,7 @@ func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]Gro
res.Conditions = append(res.Conditions, gr.Conditions[i]) res.Conditions = append(res.Conditions, gr.Conditions[i])
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) || case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix): strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
// Tags exist only in S3 requests, so native protocol should not process such conditions.
continue continue
default: default:
res.Conditions = append(res.Conditions, gr.Conditions[i]) res.Conditions = append(res.Conditions, gr.Conditions[i])
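Review bot: The new comment above the `continue` explains where the tag conditions come from but not what dropping one does to the statement: the condition is simply not appended to `res.Conditions`, so the rest of the group is evaluated without it, and an Allow statement that depended on a tag condition presumably becomes broader for native requests than its S3 counterpart. That consequence is the part a reader of this function needs, so I would extend the comment to `// Tags exist only in S3 requests, so native protocol should not process such conditions; the condition is dropped and the remaining conditions of the group are kept as-is.` Whether `convertToChainConditions` later discards groups left without conditions is not visible here. convertToNativeChainCondition starts and ends outside the hunk.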


@ -2,6 +2,7 @@ package iam
import ( import (
"fmt" "fmt"
"strings"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3" "git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
@ -169,16 +170,19 @@ func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) (
func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) { func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) { return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
for i := range gr.Conditions { for i := range gr.Conditions {
if gr.Conditions[i].Key == condKeyAWSPrincipalARN { switch {
case gr.Conditions[i].Key == condKeyAWSPrincipalARN:
gr.Conditions[i].Key = s3.PropertyKeyOwner gr.Conditions[i].Key = s3.PropertyKeyOwner
val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver) val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver)
if err != nil { if err != nil {
return GroupedConditions{}, err return GroupedConditions{}, err
} }
gr.Conditions[i].Value = val gr.Conditions[i].Value = val
}
if gr.Conditions[i].Key == condKeyAWSMFAPresent { case gr.Conditions[i].Key == condKeyAWSMFAPresent:
gr.Conditions[i].Key = s3.PropertyKeyAccessBoxAttrMFA gr.Conditions[i].Key = s3.PropertyKeyAccessBoxAttrMFA
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
gr.Conditions[i].Kind = chain.KindResource
} }
} }
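Review bot: The new `case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix)` branch sets only `Kind` and leaves `Key` unchanged, with no comment explaining the asymmetry against the two other cases, which rewrite the key; the updated test in the third file expects the key to be `fmt.Sprintf(s3.PropertyKeyFormatResourceTag, ...)`, so the key translation presumably happens elsewhere. A why-comment on the case would spare the next reader that search, e.g. `// Resource-tag conditions are matched against resource properties, not request properties; only the kind changes here.` It is also worth one sentence that `condKeyAWSRequestTagPrefix` keys are intentionally left at their default kind, since this switch is now the place a reader will look for that decision. The first hunk of this file only adds the `strings` import. convertToS3ChainCondition closes outside the hunk.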


@ -1705,7 +1705,7 @@ func TestTagsConditions(t *testing.T) {
}, },
{ {
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
Kind: chain.KindRequest, Kind: chain.KindResource,
Key: fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner"), Key: fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner"),
Value: "hr-admin", Value: "hr-admin",
}, },