[#367] policy: Set IAM-MFA property to false by default

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Denis Kirillov 2024-05-22 12:04:06 +03:00
parent 87b9e97a80
commit fb521c7ac6
2 changed files with 21 additions and 0 deletions


@ -464,6 +464,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
res[k] = v
}
res[s3.PropertyKeyAccessBoxAttrMFA] = "false"
attrs, err := GetAccessBoxAttrs(r.Context())
if err == nil {
for _, attr := range attrs {
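Review bot: The new default `res[s3.PropertyKeyAccessBoxAttrMFA] = "false"` depends on its position, and nothing on the line says so. It has to run after the preceding copy loop so that nothing copied into `res` can pre-set the MFA key, and before the access-box attribute loop, which is presumably the only place meant to raise it to "true". A comment above the line would protect that ordering from a later refactor, e.g. `// Default MFA to "false" after copying other properties; only access box attributes below may override it.` When `GetAccessBoxAttrs` returns an error the value also stays "false" and the error is dropped, so a failed lookup looks the same as a session without MFA; that fails closed for deny-on-false rules but deserves a log line if this function has a logger. The body of determineProperties starts and ends outside the hunk.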


@ -636,6 +636,26 @@ func TestSourceIPCheck(t *testing.T) {
createBucket(router, ns, bktName)
}
func TestMFAPolicy(t *testing.T) {
router := prepareRouter(t)
ns, bktName := "", "bucket"
router.middlewareSettings.denyByDefault = true
allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
denyOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
engineiam.CondBool: engineiam.Condition{s3.PropertyKeyAccessBoxAttrMFA: []string{"false"}},
})
createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)
var attr object.Attribute
attr.SetKey("IAM-MFA")
attr.SetValue("true")
router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}
createBucket(router, ns, bktName)
}
func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
}
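Review bot: TestMFAPolicy covers only the two ends of the behaviour: no attribute at all is denied and `IAM-MFA` set to "true" is allowed. An access box that carries the attribute with a value other than "true" is never exercised, so a regression in how the attribute value overrides the default would pass unnoticed. Before the "true" step, set `attr.SetValue("false")`, assign `router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}`, and expect `createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)`. The path where the attribute lookup itself fails is also untested, although the new default now decides the outcome there.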