forked from TrueCloudLab/policy-engine
[#69] iam: Extend native actions with tree service methods
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
b6a6816800
commit
530248de75
2 changed files with 31 additions and 29 deletions
@ -11,54 +11,54 @@ import (
const PropertyKeyFilePath = "FilePath"
const PropertyKeyFilePath = "FilePath"
|
|
var actionToNativeOpMap = map[string][]string{
var actionToNativeOpMap = map[string][]string{
s3ActionAbortMultipartUpload: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodHeadObject},
s3ActionAbortMultipartUpload: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionCreateBucket: {native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL},
s3ActionCreateBucket: {native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodPutObject},
s3ActionDeleteBucket: {native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject},
s3ActionDeleteBucket: {native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodGetObject},
s3ActionDeleteBucketPolicy: {native.MethodGetContainer},
s3ActionDeleteBucketPolicy: {native.MethodGetContainer},
s3ActionDeleteObject: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
s3ActionDeleteObject: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
s3ActionDeleteObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionDeleteObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionDeleteObjectVersion: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
s3ActionDeleteObjectVersion: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
s3ActionDeleteObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionDeleteObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionGetBucketACL: {native.MethodGetContainer, native.MethodGetContainerEACL},
s3ActionGetBucketACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject},
s3ActionGetBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetBucketLocation: {native.MethodGetContainer},
s3ActionGetBucketLocation: {native.MethodGetContainer},
s3ActionGetBucketNotification: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetBucketNotification: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetBucketObjectLockConfiguration: {native.MethodGetContainer},
s3ActionGetBucketObjectLockConfiguration: {native.MethodGetContainer, native.MethodGetObject},
s3ActionGetBucketPolicy: {native.MethodGetContainer},
s3ActionGetBucketPolicy: {native.MethodGetContainer},
s3ActionGetBucketPolicyStatus: {native.MethodGetContainer},
s3ActionGetBucketPolicyStatus: {native.MethodGetContainer},
s3ActionGetBucketTagging: {native.MethodGetContainer},
s3ActionGetBucketTagging: {native.MethodGetContainer, native.MethodGetObject},
s3ActionGetBucketVersioning: {native.MethodGetContainer},
s3ActionGetBucketVersioning: {native.MethodGetContainer, native.MethodGetObject},
s3ActionGetLifecycleConfiguration: { /*not implemented yet*/ },
s3ActionGetLifecycleConfiguration: { /*not implemented yet*/ },
s3ActionGetObject: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionGetObject: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionGetObjectACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectAttributes: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectAttributes: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionGetObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
s3ActionGetObjectRetention: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionGetObjectRetention: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
s3ActionGetObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionGetObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
s3ActionGetObjectVersion: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionGetObjectVersion: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionGetObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectVersionAttributes: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectVersionAttributes: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
s3ActionGetObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionGetObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject},
s3ActionListAllMyBuckets: {native.MethodListContainers, native.MethodGetContainer},
s3ActionListAllMyBuckets: {native.MethodListContainers, native.MethodGetContainer},
s3ActionListBucket: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionListBucket: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionListBucketMultipartUploads: {native.MethodGetContainer},
s3ActionListBucketMultipartUploads: {native.MethodGetContainer, native.MethodGetObject},
s3ActionListBucketVersions: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionListBucketVersions: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
s3ActionListMultipartUploadParts: {native.MethodGetContainer},
s3ActionListMultipartUploadParts: {native.MethodGetContainer, native.MethodGetObject},
s3ActionPutBucketACL: {native.MethodGetContainer, native.MethodSetContainerEACL},
s3ActionPutBucketACL: {native.MethodGetContainer, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodPutObject},
s3ActionPutBucketCORS: {native.MethodGetContainer},
s3ActionPutBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
s3ActionPutBucketNotification: {native.MethodGetContainer, native.MethodHeadObject, native.MethodDeleteObject, native.MethodHeadObject},
s3ActionPutBucketNotification: {native.MethodGetContainer, native.MethodHeadObject, native.MethodDeleteObject, native.MethodGetObject, native.MethodPutObject},
s3ActionPutBucketObjectLockConfiguration: {native.MethodGetContainer},
s3ActionPutBucketObjectLockConfiguration: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
s3ActionPutBucketPolicy: {native.MethodGetContainer},
s3ActionPutBucketPolicy: {native.MethodGetContainer},
s3ActionPutBucketTagging: {native.MethodGetContainer},
s3ActionPutBucketTagging: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
s3ActionPutBucketVersioning: {native.MethodGetContainer},
s3ActionPutBucketVersioning: {native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject},
s3ActionPutLifecycleConfiguration: { /*not implemented yet*/ },
s3ActionPutLifecycleConfiguration: { /*not implemented yet*/ },
s3ActionPutObject: {native.MethodGetContainer, native.MethodPutObject},
s3ActionPutObject: {native.MethodGetContainer, native.MethodPutObject, native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject},
s3ActionPutObjectACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionPutObjectACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionPutObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionPutObjectLegalHold: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionPutObjectRetention: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionPutObjectRetention: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionPutObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionPutObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionPutObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionPutObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionPutObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionPutObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
}
}
|
|
var containerNativeOperations = map[string]struct{}{
var containerNativeOperations = map[string]struct{}{
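Review bot: The new `native.MethodGetObject` / `native.MethodPutObject` entries on bucket-level, metadata-only actions (`s3ActionGetBucketTagging`, `s3ActionGetBucketVersioning`, `s3ActionGetBucketACL`, `s3ActionPutBucketTagging`, `s3ActionPutBucketCORS`, `s3ActionCreateBucket`, …) turn a narrow S3 permission into native object read/write rights, and the updated TestConverters expectation in this commit emits such rules against `ResourceFormatNamespaceContainerObjects`, i.e. every object in the container rather than only the tree-service objects they are meant to reach. A principal granted nothing but `s3:PutBucketTagging` therefore ends up with a native chain allowing PutObject on all container objects; unless the gateway restricts what it forwards (not visible here) that is wider than the S3 action implies, and a Deny on one of these actions would presumably widen in the same way and block ordinary object access. At minimum document this at the map, e.g. `// Tree-service metadata is stored as container objects, so bucket-level actions also grant object Get/Put over the whole container; the native chain is coarser than the S3 action.`, and consider whether tree objects can be singled out by a resource or attribute condition so the added rights are scoped to them. The map body starts above this hunk, so the leading entries are not reviewed here.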
@ -137,8 +137,9 @@ func TestConverters(t *testing.T) {
|
|
expected := &chain.Chain{Rules: []chain.Rule{
expected := &chain.Chain{Rules: []chain.Rule{
{
{
Status: chain.Allow,
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodPutObject}},
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodPutObject,
|
native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject}},
Resources: chain.Resources{Names: []string{
Resources: chain.Resources{Names: []string{
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName])},
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName])},
@ -1459,7 +1460,8 @@ func TestFromActions(t *testing.T) {
},
},
{
{
action: "s3:PutObject",
action: "s3:PutObject",
res: []string{native.MethodGetContainer, native.MethodPutObject},
res: []string{native.MethodGetContainer, native.MethodPutObject,
|
native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject},
},
},
{
{
action: "s3:Put*",
action: "s3:Put*",
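Review bot: The TestFromActions update pins the new object methods only for `s3:PutObject`; none of the bucket-level actions that this commit newly maps to `native.MethodGetObject` / `native.MethodPutObject` (`s3:GetBucketTagging`, `s3:PutBucketTagging`, `s3:CreateBucket`, …) gets a case in this hunk, so a later edit that drops or further widens those entries would pass unnoticed unless a case exists elsewhere in the table (the table continues outside the hunk). Since those entries grant object rights from metadata-only actions, they deserve an explicit, reviewed expectation: add at least one read case, e.g. `{action: "s3:GetBucketTagging", res: []string{native.MethodGetContainer, native.MethodGetObject}},`, and one write case such as `{action: "s3:PutBucketTagging", res: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject}},`. The `s3:Put*` wildcard case that starts on the last line of this hunk is cut off here; its expected union presumably also needs the new methods.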