forked from TrueCloudLab/frostfs-s3-gw
[#362] Check user and groups during policy check
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
parent
13d00dd7ce
commit
f02bad65a8
2 changed files with 29 additions and 11 deletions
|
|
@ -60,7 +60,7 @@ func PolicyCheck(cfg PolicyConfig) Func {
|
||||||
|
|
||||||
func policyCheck(r *http.Request, cfg PolicyConfig) error {
|
func policyCheck(r *http.Request, cfg PolicyConfig) error {
|
||||||
reqType, bktName, objName := getBucketObject(r, cfg.Domains)
|
reqType, bktName, objName := getBucketObject(r, cfg.Domains)
|
||||||
req, err := getPolicyRequest(r, cfg.FrostfsID, reqType, bktName, objName, cfg.Log)
|
req, userKey, userGroups, err := getPolicyRequest(r, cfg.FrostfsID, reqType, bktName, objName, cfg.Log)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
@ -80,6 +80,19 @@ func policyCheck(r *http.Request, cfg PolicyConfig) error {
|
||||||
target.Container = &cnrTarget
|
target.Container = &cnrTarget
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if userKey != nil {
|
||||||
|
entityName := fmt.Sprintf("%s:%s", reqInfo.Namespace, userKey.Address())
|
||||||
|
uTarget := engine.UserTarget(entityName)
|
||||||
|
target.User = &uTarget
|
||||||
|
}
|
||||||
|
|
||||||
|
gts := make([]engine.Target, len(userGroups))
|
||||||
|
for i, group := range userGroups {
|
||||||
|
entityName := fmt.Sprintf("%s:%s", reqInfo.Namespace, group)
|
||||||
|
gts[i] = engine.GroupTarget(entityName)
|
||||||
|
}
|
||||||
|
target.Groups = gts
|
||||||
|
|
||||||
st, found, err := cfg.Storage.IsAllowed(chain.S3, target, req)
|
st, found, err := cfg.Storage.IsAllowed(chain.S3, target, req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
@ -108,24 +121,25 @@ func policyCheck(r *http.Request, cfg PolicyConfig) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqType, bktName string, objName string, log *zap.Logger) (*testutil.Request, error) {
|
func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqType, bktName string, objName string, log *zap.Logger) (*testutil.Request, *keys.PublicKey, []string, error) {
|
||||||
var (
|
var (
|
||||||
owner string
|
owner string
|
||||||
groups []string
|
groups []string
|
||||||
|
pk *keys.PublicKey
|
||||||
)
|
)
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
bd, err := GetBoxData(ctx)
|
bd, err := GetBoxData(ctx)
|
||||||
if err == nil && bd.Gate.BearerToken != nil {
|
if err == nil && bd.Gate.BearerToken != nil {
|
||||||
pk, err := keys.NewPublicKeyFromBytes(bd.Gate.BearerToken.SigningKeyBytes(), elliptic.P256())
|
pk, err = keys.NewPublicKeyFromBytes(bd.Gate.BearerToken.SigningKeyBytes(), elliptic.P256())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("parse pubclic key from btoken: %w", err)
|
return nil, nil, nil, fmt.Errorf("parse pubclic key from btoken: %w", err)
|
||||||
}
|
}
|
||||||
owner = pk.Address()
|
owner = pk.Address()
|
||||||
|
|
||||||
groups, err = frostfsid.GetUserGroupIDs(pk.GetScriptHash())
|
groups, err = frostfsid.GetUserGroupIDs(pk.GetScriptHash())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("get group ids: %w", err)
|
return nil, nil, nil, fmt.Errorf("get group ids: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -146,7 +160,7 @@ func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqT
|
||||||
s3.PropertyKeyOwner: owner,
|
s3.PropertyKeyOwner: owner,
|
||||||
common.PropertyKeyFrostFSIDGroupID: chain.FormCondSliceContainsValue(groups),
|
common.PropertyKeyFrostFSIDGroupID: chain.FormCondSliceContainsValue(groups),
|
||||||
},
|
},
|
||||||
), nil
|
), pk, groups, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type ReqType int
|
type ReqType int
|
||||||
|
|
|
||||||
|
|
@ -117,12 +117,16 @@ func (c *MorphRuleChainStorage) SaveACLChains(cid string, chains []*chain.Chain)
|
||||||
}
|
}
|
||||||
|
|
||||||
func getKind(target engine.Target) policycontract.Kind {
|
func getKind(target engine.Target) policycontract.Kind {
|
||||||
var kind policycontract.Kind = policycontract.Container
|
switch target.Type {
|
||||||
if target.Type != engine.Container {
|
case engine.Container:
|
||||||
kind = policycontract.Namespace
|
return policycontract.Container
|
||||||
|
case engine.User:
|
||||||
|
return 'u'
|
||||||
|
case engine.Group:
|
||||||
|
return 'g'
|
||||||
|
default:
|
||||||
|
return policycontract.Namespace
|
||||||
}
|
}
|
||||||
|
|
||||||
return kind
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func getBucketPolicyName(cnrID cid.ID) []byte {
|
func getBucketPolicyName(cnrID cid.ID) []byte {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue