generated from TrueCloudLab/basic
[#80] iam: Skip unsupported conditions in native chains #80
3 changed files with 9 additions and 4 deletions
|
|
@ -243,6 +243,7 @@ func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]Gro
|
||||||
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
||||||
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
|
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
|
||||||
strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
|
strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
|
||||||
|
// Tags exist only in S3 requests, so native protocol should not process such conditions.
|
||||||
|
alexvanin marked this conversation as resolved
Outdated
|
|||||||
continue
|
continue
|
||||||
default:
|
default:
|
||||||
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
||||||
|
|
|
||||||
|
|
@ -2,6 +2,7 @@ package iam
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
|
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
|
||||||
|
|
@ -169,16 +170,19 @@ func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) (
|
||||||
func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
|
func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
|
||||||
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
|
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
|
||||||
for i := range gr.Conditions {
|
for i := range gr.Conditions {
|
||||||
if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
|
switch {
|
||||||
|
case gr.Conditions[i].Key == condKeyAWSPrincipalARN:
|
||||||
gr.Conditions[i].Key = s3.PropertyKeyOwner
|
gr.Conditions[i].Key = s3.PropertyKeyOwner
|
||||||
val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver)
|
val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return GroupedConditions{}, err
|
return GroupedConditions{}, err
|
||||||
}
|
}
|
||||||
gr.Conditions[i].Value = val
|
gr.Conditions[i].Value = val
|
||||||
}
|
|
||||||
if gr.Conditions[i].Key == condKeyAWSMFAPresent {
|
case gr.Conditions[i].Key == condKeyAWSMFAPresent:
|
||||||
gr.Conditions[i].Key = s3.PropertyKeyAccessBoxAttrMFA
|
gr.Conditions[i].Key = s3.PropertyKeyAccessBoxAttrMFA
|
||||||
|
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
|
||||||
|
alexvanin marked this conversation as resolved
Outdated
alexvanin
commented
We don't check We don't check `condKeyAWSRequestTagPrefix` unlike native converter because by default it goes to request condition?
dkirillov
commented
Yes Yes
|
|||||||
|
gr.Conditions[i].Kind = chain.KindResource
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1705,7 +1705,7 @@ func TestTagsConditions(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Op: chain.CondStringEquals,
|
Op: chain.CondStringEquals,
|
||||||
Kind: chain.KindRequest,
|
Kind: chain.KindResource,
|
||||||
Key: fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner"),
|
Key: fmt.Sprintf(s3.PropertyKeyFormatResourceTag, "owner"),
|
||||||
Value: "hr-admin",
|
Value: "hr-admin",
|
||||||
},
|
},
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue
Small comment about the reason we skip these conditions will be nice, e.g.