TrueCloudLab/policy-engine
20
0
Fork 11
generated from TrueCloudLab/basic
Code Issues 5 Pull requests 1 Projects Releases Packages Wiki Activity Actions

[#70] iam: Support aws:MultiFactorAuthPresent key #70

Merged
dkirillov merged 1 commit from mbiryukova/policy-engine:feature/mfa_condition_key into master 2024-04-17 06:36:21 +00:00
Conversation 0 Commits 1 Files changed 4 +91
mbiryukova commented 2024-04-12 11:42:57 +00:00
Member
Copy link
No description provided.
mbiryukova self-assigned this 2024-04-12 11:42:57 +00:00
mbiryukova force-pushed feature/mfa_condition_key from 79a4ea2fe1 to 0033c76a71 2024-04-12 11:43:25 +00:00 Compare
mbiryukova changed title from [#xx] iam: Support aws:MultiFactorAuthPresent key to [#70] iam: Support aws:MultiFactorAuthPresent key 2024-04-12 11:43:44 +00:00
mbiryukova requested review from storage-core-committers 2024-04-12 11:47:13 +00:00
mbiryukova requested review from storage-core-developers 2024-04-12 11:47:14 +00:00
mbiryukova requested review from storage-services-committers 2024-04-12 11:47:14 +00:00
mbiryukova requested review from storage-services-developers 2024-04-12 11:47:14 +00:00
mbiryukova force-pushed feature/mfa_condition_key from 0033c76a71 to a84a6b6691 2024-04-12 11:56:26 +00:00 Compare
dkirillov reviewed 2024-04-12 14:31:30 +00:00
iam/converter.go Outdated
@ -198,6 +201,10 @@ func transformKey(key string) string {
return fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, userClaimTagPrefix+tagName)
}
if key == condKeyAWSMFAPresent {
dkirillov commented 2024-04-12 14:31:30 +00:00
Member
Copy link

I'm not sure we need such tranformation for native policies. AccessBox attributes can be set only in s3/iam services

I'm not sure we need such tranformation for native policies. AccessBox attributes can be set only in s3/iam services
dkirillov marked this conversation as resolved
mbiryukova force-pushed feature/mfa_condition_key from a84a6b6691 to b4b2325716 2024-04-15 11:04:35 +00:00 Compare
fyrchik reviewed 2024-04-15 11:51:41 +00:00
iam/converter_native.go Outdated
@ -218,6 +225,12 @@ func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeRes
func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
if slices.ContainsFunc(gr.Conditions, func(c chain.Condition) bool {
fyrchik commented 2024-04-15 11:51:41 +00:00
Owner
Copy link

These 5 lines can be replaced with a simple for loop, do we really need to use an external dependency here?
I see it is already used in another place, but it will be removed after we bumped minimum go version.

These 5 lines can be replaced with a simple `for` loop, do we really need to use an external dependency here? I see it is already used in another place, but it will be removed after we bumped minimum go version.
dstepanov-yadro commented 2024-04-15 12:02:41 +00:00
Member
Copy link

slices package contains this function too.

`slices` package contains this function too.
dkirillov commented 2024-04-15 13:14:50 +00:00
Member
Copy link

Probably we can use already existing for loop below (line 234)

Probably we can use already existing `for` loop below (line 234)
mbiryukova commented 2024-04-15 16:22:49 +00:00
Author
Member
Copy link

I thought to check key before possible arn resolving, but can use loop below if it doesn't make sense to separate

I thought to check key before possible arn resolving, but can use loop below if it doesn't make sense to separate
dkirillov commented 2024-04-16 06:32:59 +00:00
Member
Copy link

I suppose it's ok to use the same loop

I suppose it's ok to use the same loop
👍 1
fyrchik marked this conversation as resolved
dstepanov-yadro requested changes 2024-04-15 12:05:48 +00:00
iam/converter_test.go Outdated
@ -1642,6 +1642,48 @@ func TestTagsConditions(t *testing.T) {
require.ElementsMatch(t, expectedConditions, nativeChain.Rules[0].Condition)
}
func TestMFACondition(t *testing.T) {
dstepanov-yadro commented 2024-04-15 12:04:27 +00:00
Member
Copy link

Could you please add negative test also.

Could you please add negative test also.
mbiryukova commented 2024-04-15 13:07:31 +00:00
Author
Member
Copy link

What do you expect it should check?

What do you expect it should check?
dstepanov-yadro commented 2024-04-16 07:01:51 +00:00
Member
Copy link
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }

 <no condition>
``` "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "false" } ``` ``` <no condition> ```
👍 1
dstepanov-yadro marked this conversation as resolved
mbiryukova force-pushed feature/mfa_condition_key from b4b2325716 to 04a79f57ef 2024-04-16 07:18:19 +00:00 Compare
dkirillov approved these changes 2024-04-16 07:26:47 +00:00
aarifullin approved these changes 2024-04-16 14:34:34 +00:00
fyrchik approved these changes 2024-04-16 15:55:36 +00:00
acid-ant approved these changes 2024-04-16 18:42:29 +00:00
dstepanov-yadro approved these changes 2024-04-17 06:10:52 +00:00
dkirillov merged commit 04a79f57ef into master 2024-04-17 06:36:21 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
dkirillov
aarifullin
fyrchik
acid-ant
dstepanov-yadro
TrueCloudLab/storage-services-developers
Labels
Clear labels
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
mbiryukova
6 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/policy-engine#70
No description provided.
Delete branch "mbiryukova/policy-engine:feature/mfa_condition_key"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?