[#63] iam: Add formatters for resource/request tags #65

Merged
dkirillov merged 1 commit from dkirillov/policy-engine:bugifx/63-fix_request_tag into master 2024-04-10 09:09:26 +00:00
2 changed files with 8 additions and 4 deletions


@ -11,6 +11,7 @@ import (
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
"github.com/stretchr/testify/require"
@ -1585,7 +1586,7 @@ func TestTagsConditions(t *testing.T) {
"StringEquals": {
"aws:PrincipalTag/department": "hr",
"aws:ResourceTag/owner": "hr-admin",
"aws:Request/scope": "*"
"aws:RequestTag/scope": "*"
}
}
}
@ -1597,19 +1598,19 @@ func TestTagsConditions(t *testing.T) {
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "frostfsid:userClaim/tag-department",
Key: fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, "tag-department"),
Value: "hr",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "aws:ResourceTag/owner",
Key: fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner"),
Value: "hr-admin",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "aws:Request/scope",
Key: fmt.Sprintf(s3.PropertyKeyFormatRequestTag, "scope"),
Value: "*",
},
}
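Review bot: The expected condition for the resource tag, `Key: fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner")`, keeps `Object: chain.ObjectRequest`, so this test pins resource-tag conditions to the request's property set and not to the resource's. If that is the intended contract (the caller presumably copies the stored resource tags into the request properties), a comment above that entry would record it, for example `// resource tags are matched against request properties; the caller fills them from the stored object`. The old fixture key `aws:Request/scope` went unnoticed because the expected key was the same hand-typed literal. A case with an unrecognised `aws:` key would show whether the converter rejects such a key or passes it through unchanged. TestTagsConditions starts and ends outside these hunks.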


@ -8,6 +8,9 @@ const (
PropertyKeyVersionID = "s3:VersionId"
PropertyKeyMaxKeys = "s3:max-keys"
PropertyKeyFormatResourceTag = "aws:ResourceTag/%s"
PropertyKeyFormatRequestTag = "aws:RequestTag/%s"
ResourceFormatS3All = "arn:aws:s3:::*"
ResourceFormatS3Bucket = "arn:aws:s3:::%s"
ResourceFormatS3BucketObjects = "arn:aws:s3:::%s/*"
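Review bot: `PropertyKeyFormatResourceTag` and `PropertyKeyFormatRequestTag` carry no comment saying what the `%s` verb stands for or that they are meant for `fmt.Sprintf`. A comment above the pair would cover it, for example `// Tag property key formats; %s is the tag key, inserted verbatim.` Condition keys appear to be compared as plain strings, so the code that fills request properties and the code that converts policies should both build keys from these constants. Otherwise a spelling difference such as the `aws:Request/` literal fixed in the test makes a condition silently never match. The const block starts and ends outside the hunk.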