generated from TrueCloudLab/basic
[#80] iam: Skip unsupported conditions in native chains #80
3 changed files with 9 additions and 4 deletions
|
@ -243,6 +243,7 @@ func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]Gro
|
|||
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
||||
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
|
||||
strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
|
||||
// Tags exist only in S3 requests, so native protocol should not process such conditions.
|
||||
continue
|
||||
default:
|
||||
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
||||
|
|
|
@ -2,6 +2,7 @@ package iam
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
|
||||
|
@ -169,16 +170,19 @@ func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) (
|
|||
func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
|
||||
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
|
||||
for i := range gr.Conditions {
|
||||
if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
|
||||
switch {
|
||||
case gr.Conditions[i].Key == condKeyAWSPrincipalARN:
|
||||
gr.Conditions[i].Key = s3.PropertyKeyOwner
|
||||
val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver)
|
||||
if err != nil {
|
||||
return GroupedConditions{}, err
|
||||
}
|
||||
gr.Conditions[i].Value = val
|
||||
}
|
||||
if gr.Conditions[i].Key == condKeyAWSMFAPresent {
|
||||
|
||||
case gr.Conditions[i].Key == condKeyAWSMFAPresent:
|
||||
gr.Conditions[i].Key = s3.PropertyKeyAccessBoxAttrMFA
|
||||
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
|
||||
gr.Conditions[i].Kind = chain.KindResource
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1705,7 +1705,7 @@ func TestTagsConditions(t *testing.T) {
|
|||
},
|
||||
{
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Kind: chain.KindResource,
|
||||
Key: fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner"),
|
||||
Value: "hr-admin",
|
||||
},
|
||||
|
|
Loading…
Reference in a new issue