From 3285a2e105804ec883cb5d40dc52c9e353c09618 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <d.kirillov@yadro.com>
Date: Tue, 27 Feb 2024 12:45:37 +0300
Subject: [PATCH] [#306] policy: Change default access strategy

Use access strategy based on bucket type and/or config flags.

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
---
 api/middleware/policy.go | 122 +++++++++++-------
 api/router.go            |   9 +-
 api/router_mock_test.go  |  36 +++++-
 api/router_test.go       | 265 ++++++++++++++++++++++++++++++++-------
 4 files changed, 334 insertions(+), 98 deletions(-)

diff --git a/api/middleware/policy.go b/api/middleware/policy.go
index da69a0e..bb64783 100644
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@@ -1,6 +1,7 @@
 package middleware
 
 import (
+	"context"
 	"crypto/elliptic"
 	"fmt"
 	"net/http"
@@ -19,27 +20,29 @@ import (
 )
 
 type PolicySettings interface {
-	ResolveNamespaceAlias(ns string) string
 	PolicyDenyByDefault() bool
+	ACLEnabled() bool
 }
 
 type FrostFSIDInformer interface {
 	GetUserGroupIDs(userHash util.Uint160) ([]string, error)
 }
 
-func PolicyCheck(storage engine.ChainRouter, frostfsid FrostFSIDInformer, settings PolicySettings, domains []string, log *zap.Logger) Func {
+type PolicyConfig struct {
+	Storage        engine.ChainRouter
+	FrostfsID      FrostFSIDInformer
+	Settings       PolicySettings
+	Domains        []string
+	Log            *zap.Logger
+	BucketResolver BucketResolveFunc
+}
+
+func PolicyCheck(cfg PolicyConfig) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-
-			st, err := policyCheck(storage, frostfsid, settings, domains, r)
-			if err == nil {
-				if st != chain.Allow && (st != chain.NoRuleFound || settings.PolicyDenyByDefault()) {
-					err = apiErr.GetAPIErrorWithError(apiErr.ErrAccessDenied, fmt.Errorf("policy check: %s", st.String()))
-				}
-			}
-			if err != nil {
-				reqLogOrDefault(ctx, log).Error(logs.PolicyValidationFailed, zap.Error(err))
+			if err := policyCheck(r, cfg); err != nil {
+				reqLogOrDefault(ctx, cfg.Log).Error(logs.PolicyValidationFailed, zap.Error(err))
 				WriteErrorResponse(w, GetReqInfo(ctx), err)
 				return
 			}
@@ -49,27 +52,58 @@ func PolicyCheck(storage engine.ChainRouter, frostfsid FrostFSIDInformer, settin
 	}
 }
 
-func policyCheck(storage engine.ChainRouter, frostfsid FrostFSIDInformer, settings PolicySettings, domains []string, r *http.Request) (chain.Status, error) {
-	req, err := getPolicyRequest(r, frostfsid, domains)
+func policyCheck(r *http.Request, cfg PolicyConfig) error {
+	reqType, bktName, objName := getBucketObject(r, cfg.Domains)
+	req, err := getPolicyRequest(r, cfg.FrostfsID, reqType, bktName, objName)
 	if err != nil {
-		return 0, err
+		return err
 	}
 
 	reqInfo := GetReqInfo(r.Context())
-	target := engine.NewRequestTargetWithNamespace(settings.ResolveNamespaceAlias(reqInfo.Namespace))
-	st, found, err := storage.IsAllowed(chain.S3, target, req)
+	target := engine.NewRequestTargetWithNamespace(reqInfo.Namespace)
+	st, found, err := cfg.Storage.IsAllowed(chain.S3, target, req)
 	if err != nil {
-		return 0, err
+		return err
 	}
 
 	if !found {
 		st = chain.NoRuleFound
 	}
 
-	return st, nil
+	switch {
+	case st == chain.Allow:
+		return nil
+	case st != chain.NoRuleFound:
+		return apiErr.GetAPIErrorWithError(apiErr.ErrAccessDenied, fmt.Errorf("policy check: %s", st.String()))
+	}
+
+	isAPE, err := isAPEBehavior(r.Context(), req, cfg, reqType, bktName)
+	if err != nil {
+		return err
+	}
+
+	if isAPE && cfg.Settings.PolicyDenyByDefault() {
+		return apiErr.GetAPIErrorWithError(apiErr.ErrAccessDenied, fmt.Errorf("policy check: %s", st.String()))
+	}
+
+	return nil
 }
 
-func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, domains []string) (*testutil.Request, error) {
+func isAPEBehavior(ctx context.Context, req *testutil.Request, cfg PolicyConfig, reqType ReqType, bktName string) (bool, error) {
+	if reqType == noneType ||
+		strings.HasSuffix(req.Operation(), CreateBucketOperation) {
+		return !cfg.Settings.ACLEnabled(), nil
+	}
+
+	bktInfo, err := cfg.BucketResolver(ctx, bktName) // we cannot use reqInfo.BucketName because it hasn't been set yet
+	if err != nil {
+		return false, err
+	}
+
+	return bktInfo.APEEnabled, nil
+}
+
+func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, reqType ReqType, bktName string, objName string) (*testutil.Request, error) {
 	var (
 		owner  string
 		groups []string
@@ -90,7 +124,14 @@ func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, domains []st
 		}
 	}
 
-	op, res := determineOperationAndResource(r, domains)
+	op := determineOperation(r, reqType)
+	var res string
+	switch reqType {
+	case objectType:
+		res = fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName, objName)
+	default:
+		res = fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName)
+	}
 
 	return testutil.NewRequest(op, testutil.NewResource(res, nil),
 		map[string]string{
@@ -108,45 +149,34 @@ const (
 	objectType
 )
 
-func determineOperationAndResource(r *http.Request, domains []string) (operation string, resource string) {
-	var (
-		reqType     ReqType
-		matchDomain bool
-	)
-
+func getBucketObject(r *http.Request, domains []string) (reqType ReqType, bktName string, objName string) {
 	for _, domain := range domains {
 		ind := strings.Index(r.Host, "."+domain)
 		if ind == -1 {
 			continue
 		}
 
-		matchDomain = true
-		reqType = bucketType
 		bkt := r.Host[:ind]
 		if obj := strings.TrimPrefix(r.URL.Path, "/"); obj != "" {
-			reqType = objectType
-			resource = fmt.Sprintf(s3.ResourceFormatS3BucketObject, bkt, obj)
-		} else {
-			resource = fmt.Sprintf(s3.ResourceFormatS3Bucket, bkt)
+			return objectType, bkt, obj
 		}
 
-		break
+		return bucketType, bkt, ""
 	}
 
-	if !matchDomain {
-		bktObj := strings.TrimPrefix(r.URL.Path, "/")
-		if ind := strings.IndexByte(bktObj, '/'); ind == -1 {
-			reqType = bucketType
-			resource = fmt.Sprintf(s3.ResourceFormatS3Bucket, bktObj)
-			if bktObj == "" {
-				reqType = noneType
-			}
-		} else {
-			reqType = objectType
-			resource = fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktObj[:ind], bktObj[ind+1:])
-		}
+	bktObj := strings.TrimPrefix(r.URL.Path, "/")
+	if bktObj == "" {
+		return noneType, "", ""
 	}
 
+	if ind := strings.IndexByte(bktObj, '/'); ind != -1 {
+		return objectType, bktObj[:ind], bktObj[ind+1:]
+	}
+
+	return bucketType, bktObj, ""
+}
+
+func determineOperation(r *http.Request, reqType ReqType) (operation string) {
 	switch reqType {
 	case objectType:
 		operation = determineObjectOperation(r)
@@ -156,7 +186,7 @@ func determineOperationAndResource(r *http.Request, domains []string) (operation
 		operation = determineGeneralOperation(r)
 	}
 
-	return "s3:" + operation, resource
+	return "s3:" + operation
 }
 
 func determineBucketOperation(r *http.Request) string {
diff --git a/api/router.go b/api/router.go
index 1e7cf80..398f773 100644
--- a/api/router.go
+++ b/api/router.go
@@ -136,7 +136,14 @@ func NewRouter(cfg Config) *chi.Mux {
 		api.Use(s3middleware.FrostfsIDValidation(cfg.FrostfsID, cfg.Log))
 	}
 
-	api.Use(s3middleware.PolicyCheck(cfg.PolicyChecker, cfg.FrostfsID, cfg.MiddlewareSettings, cfg.Domains, cfg.Log))
+	api.Use(s3middleware.PolicyCheck(s3middleware.PolicyConfig{
+		Storage:        cfg.PolicyChecker,
+		FrostfsID:      cfg.FrostfsID,
+		Settings:       cfg.MiddlewareSettings,
+		Domains:        cfg.Domains,
+		Log:            cfg.Log,
+		BucketResolver: cfg.Handler.ResolveBucket,
+	}))
 
 	defaultRouter := chi.NewRouter()
 	defaultRouter.Mount(fmt.Sprintf("/{%s}", s3middleware.BucketURLPrm), bucketRouter(cfg.Handler, cfg.Log))
diff --git a/api/router_mock_test.go b/api/router_mock_test.go
index 7f62997..f29dcf2 100644
--- a/api/router_mock_test.go
+++ b/api/router_mock_test.go
@@ -3,6 +3,7 @@ package api
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"testing"
 
@@ -53,6 +54,7 @@ func (c *centerMock) Authenticate(*http.Request) (*middleware.Box, error) {
 
 type middlewareSettingsMock struct {
 	denyByDefault bool
+	aclEnabled    bool
 }
 
 func (r *middlewareSettingsMock) NamespaceHeader() string {
@@ -67,6 +69,10 @@ func (r *middlewareSettingsMock) PolicyDenyByDefault() bool {
 	return r.denyByDefault
 }
 
+func (r *middlewareSettingsMock) ACLEnabled() bool {
+	return r.aclEnabled
+}
+
 type frostFSIDMock struct {
 }
 
@@ -79,7 +85,9 @@ func (f *frostFSIDMock) GetUserGroupIDs(util.Uint160) ([]string, error) {
 }
 
 type handlerMock struct {
-	t *testing.T
+	t       *testing.T
+	cfg     *middlewareSettingsMock
+	buckets map[string]*data.BucketInfo
 }
 
 type handlerResult struct {
@@ -339,9 +347,20 @@ func (h *handlerMock) PutBucketNotificationHandler(http.ResponseWriter, *http.Re
 	panic("implement me")
 }
 
-func (h *handlerMock) CreateBucketHandler(http.ResponseWriter, *http.Request) {
-	//TODO implement me
-	panic("implement me")
+func (h *handlerMock) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
+	reqInfo := middleware.GetReqInfo(r.Context())
+
+	h.buckets[reqInfo.Namespace+reqInfo.BucketName] = &data.BucketInfo{
+		Name:       reqInfo.BucketName,
+		APEEnabled: !h.cfg.ACLEnabled(),
+	}
+
+	res := &handlerResult{
+		Method:  middleware.CreateBucketOperation,
+		ReqInfo: middleware.GetReqInfo(r.Context()),
+	}
+
+	h.writeResponse(w, res)
 }
 
 func (h *handlerMock) HeadBucketHandler(w http.ResponseWriter, r *http.Request) {
@@ -443,8 +462,13 @@ func (h *handlerMock) ListMultipartUploadsHandler(w http.ResponseWriter, r *http
 	h.writeResponse(w, res)
 }
 
-func (h *handlerMock) ResolveBucket(context.Context, string) (*data.BucketInfo, error) {
-	return &data.BucketInfo{}, nil
+func (h *handlerMock) ResolveBucket(ctx context.Context, name string) (*data.BucketInfo, error) {
+	reqInfo := middleware.GetReqInfo(ctx)
+	bktInfo, ok := h.buckets[reqInfo.Namespace+name]
+	if !ok {
+		return nil, errors.New("not found")
+	}
+	return bktInfo, nil
 }
 
 func (h *handlerMock) writeResponse(w http.ResponseWriter, resp *handlerResult) {
diff --git a/api/router_test.go b/api/router_test.go
index 8b2b720..5954311 100644
--- a/api/router_test.go
+++ b/api/router_test.go
@@ -11,6 +11,7 @@ import (
 	"testing"
 	"time"
 
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apiErrors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	s3middleware "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/metrics"
@@ -27,6 +28,7 @@ import (
 )
 
 type routerMock struct {
+	t                  *testing.T
 	router             *chi.Mux
 	cfg                Config
 	middlewareSettings *middlewareSettingsMock
@@ -55,7 +57,7 @@ func prepareRouter(t *testing.T) *routerMock {
 			Limit:          10,
 			BacklogTimeout: 30 * time.Second,
 		},
-		Handler:            &handlerMock{t: t},
+		Handler:           &handlerMock{t: t, cfg: middlewareSettings, buckets: map[string]*data.BucketInfo{}},
 		Center:             &centerMock{t: t},
 		Log:                logger,
 		Metrics:            metrics.NewAppMetrics(metricsConfig),
@@ -65,6 +67,7 @@ func prepareRouter(t *testing.T) *routerMock {
 		FrostfsID:          &frostFSIDMock{},
 	}
 	return &routerMock{
+		t:                  t,
 		router:             NewRouter(cfg),
 		cfg:                cfg,
 		middlewareSettings: middlewareSettings,
@@ -75,6 +78,8 @@ func prepareRouter(t *testing.T) *routerMock {
 func TestRouterUploadPart(t *testing.T) {
 	chiRouter := prepareRouter(t)
 
+	createBucket(chiRouter, "", "dkirillov")
+
 	w := httptest.NewRecorder()
 	r := httptest.NewRequest(http.MethodPut, "/dkirillov/fix-object", nil)
 	query := make(url.Values)
@@ -90,6 +95,8 @@ func TestRouterUploadPart(t *testing.T) {
 func TestRouterListMultipartUploads(t *testing.T) {
 	chiRouter := prepareRouter(t)
 
+	createBucket(chiRouter, "", "test-bucket")
+
 	w := httptest.NewRecorder()
 	r := httptest.NewRequest(http.MethodGet, "/test-bucket", nil)
 	query := make(url.Values)
@@ -104,22 +111,18 @@ func TestRouterListMultipartUploads(t *testing.T) {
 func TestRouterObjectWithSlashes(t *testing.T) {
 	chiRouter := prepareRouter(t)
 
-	bktName, objName := "dkirillov", "/fix/object"
-	target := fmt.Sprintf("/%s/%s", bktName, objName)
+	ns, bktName, objName := "", "dkirillov", "/fix/object"
 
-	w := httptest.NewRecorder()
-	r := httptest.NewRequest(http.MethodPut, target, nil)
-
-	chiRouter.ServeHTTP(w, r)
-	resp := readResponse(t, w)
-	require.Equal(t, "PutObject", resp.Method)
+	createBucket(chiRouter, ns, bktName)
+	resp := putObject(chiRouter, ns, bktName, objName)
 	require.Equal(t, objName, resp.ReqInfo.ObjectName)
 }
 
 func TestRouterObjectEscaping(t *testing.T) {
 	chiRouter := prepareRouter(t)
 
-	bktName := "dkirillov"
+	ns, bktName := "", "dkirillov"
+	createBucket(chiRouter, ns, bktName)
 
 	for _, tc := range []struct {
 		name            string
@@ -153,14 +156,7 @@ func TestRouterObjectEscaping(t *testing.T) {
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			target := fmt.Sprintf("/%s/%s", bktName, tc.objName)
-
-			w := httptest.NewRecorder()
-			r := httptest.NewRequest(http.MethodPut, target, nil)
-
-			chiRouter.ServeHTTP(w, r)
-			resp := readResponse(t, w)
-			require.Equal(t, "PutObject", resp.Method)
+			resp := putObject(chiRouter, ns, bktName, tc.objName)
 			require.Equal(t, tc.expectedObjName, resp.ReqInfo.ObjectName)
 		})
 	}
@@ -168,40 +164,33 @@ func TestRouterObjectEscaping(t *testing.T) {
 
 func TestPolicyChecker(t *testing.T) {
 	chiRouter := prepareRouter(t)
-	namespace := "custom-ns"
-	bktName, objName := "bucket", "object"
-	target := fmt.Sprintf("/%s/%s", bktName, objName)
+	ns1, bktName1, objName1 := "", "bucket", "object"
+	ns2, bktName2, objName2 := "custom-ns", "other-bucket", "object"
+
+	createBucket(chiRouter, ns1, bktName1)
+	createBucket(chiRouter, ns2, bktName1)
+	createBucket(chiRouter, ns2, bktName2)
 
 	ruleChain := &chain.Chain{
 		ID: chain.ID("id"),
 		Rules: []chain.Rule{{
 			Status:    chain.AccessDenied,
 			Actions:   chain.Actions{Names: []string{"*"}},
-			Resources: chain.Resources{Names: []string{fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName)}},
+			Resources: chain.Resources{Names: []string{fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName1)}},
 		}},
 	}
 
-	_, _, err := chiRouter.policyChecker.MorphRuleChainStorage().AddMorphRuleChain(chain.S3, engine.NamespaceTarget(namespace), ruleChain)
+	_, _, err := chiRouter.policyChecker.MorphRuleChainStorage().AddMorphRuleChain(chain.S3, engine.NamespaceTarget(ns2), ruleChain)
 	require.NoError(t, err)
 
 	// check we can access 'bucket' in default namespace
-	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
-	chiRouter.ServeHTTP(w, r)
-	resp := readResponse(t, w)
-	require.Equal(t, s3middleware.PutObjectOperation, resp.Method)
+	putObject(chiRouter, ns1, bktName1, objName1)
 
 	// check we can access 'other-bucket' in custom namespace
-	w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, "/other-bucket/object", nil)
-	r.Header.Set(FrostfsNamespaceHeader, namespace)
-	chiRouter.ServeHTTP(w, r)
-	resp = readResponse(t, w)
-	require.Equal(t, s3middleware.PutObjectOperation, resp.Method)
+	putObject(chiRouter, ns2, bktName2, objName2)
 
 	// check we cannot access 'bucket' in custom namespace
-	w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
-	r.Header.Set(FrostfsNamespaceHeader, namespace)
-	chiRouter.ServeHTTP(w, r)
-	assertAPIError(t, w, apiErrors.ErrAccessDenied)
+	putObjectErr(chiRouter, ns2, bktName1, objName2, apiErrors.ErrAccessDenied)
 }
 
 func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
@@ -248,20 +237,206 @@ func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
 
 func TestDefaultBehaviorPolicyChecker(t *testing.T) {
 	chiRouter := prepareRouter(t)
-	bktName, objName := "bucket", "object"
-	target := fmt.Sprintf("/%s/%s", bktName, objName)
+	ns, bktName := "", "bucket"
 
 	// check we can access bucket if rules not found
-	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
-	chiRouter.ServeHTTP(w, r)
-	resp := readResponse(t, w)
-	require.Equal(t, s3middleware.PutObjectOperation, resp.Method)
+	createBucket(chiRouter, ns, bktName)
 
 	// check we cannot access if rules not found when settings is enabled
 	chiRouter.middlewareSettings.denyByDefault = true
-	w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
-	chiRouter.ServeHTTP(w, r)
-	assertAPIError(t, w, apiErrors.ErrAccessDenied)
+	createBucketErr(chiRouter, ns, bktName, apiErrors.ErrAccessDenied)
+}
+
+func TestACLAPE(t *testing.T) {
+	t.Run("acl disabled, ape deny by default", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, objName := "", "bucket", "object"
+		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
+		createOldBucket(router, bktNameOld)
+		createNewBucket(router, bktNameNew)
+
+		router.middlewareSettings.aclEnabled = false
+		router.middlewareSettings.denyByDefault = true
+
+		// Allow because of using old bucket
+		putObject(router, ns, bktNameOld, objName)
+		// Deny because of deny by default
+		putObjectErr(router, ns, bktNameNew, objName, apiErrors.ErrAccessDenied)
+
+		// Deny because of deny by default
+		createBucketErr(router, ns, bktName, apiErrors.ErrAccessDenied)
+		listBucketsErr(router, ns, apiErrors.ErrAccessDenied)
+
+		// Allow operations and check
+		allowOperations(router, ns, []string{"s3:CreateBucket", "s3:ListBuckets"})
+		createBucket(router, ns, bktName)
+		listBuckets(router, ns)
+	})
+
+	t.Run("acl disabled, ape allow by default", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, objName := "", "bucket", "object"
+		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
+		createOldBucket(router, bktNameOld)
+		createNewBucket(router, bktNameNew)
+
+		router.middlewareSettings.aclEnabled = false
+		router.middlewareSettings.denyByDefault = false
+
+		// Allow because of using old bucket
+		putObject(router, ns, bktNameOld, objName)
+		// Allow because of allow by default
+		putObject(router, ns, bktNameNew, objName)
+
+		// Allow because of deny by default
+		createBucket(router, ns, bktName)
+		listBuckets(router, ns)
+
+		// Deny operations and check
+		denyOperations(router, ns, []string{"s3:CreateBucket", "s3:ListBuckets"})
+		createBucketErr(router, ns, bktName, apiErrors.ErrAccessDenied)
+		listBucketsErr(router, ns, apiErrors.ErrAccessDenied)
+	})
+
+	t.Run("acl enabled, ape deny by default", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, objName := "", "bucket", "object"
+		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
+		createOldBucket(router, bktNameOld)
+		createNewBucket(router, bktNameNew)
+
+		router.middlewareSettings.aclEnabled = true
+		router.middlewareSettings.denyByDefault = true
+
+		// Allow because of using old bucket
+		putObject(router, ns, bktNameOld, objName)
+		// Deny because of deny by default
+		putObjectErr(router, ns, bktNameNew, objName, apiErrors.ErrAccessDenied)
+
+		// Allow because of old behavior
+		createBucket(router, ns, bktName)
+		listBuckets(router, ns)
+	})
+
+	t.Run("acl enabled, ape allow by default", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, objName := "", "bucket", "object"
+		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
+		createOldBucket(router, bktNameOld)
+		createNewBucket(router, bktNameNew)
+
+		router.middlewareSettings.aclEnabled = true
+		router.middlewareSettings.denyByDefault = false
+
+		// Allow because of using old bucket
+		putObject(router, ns, bktNameOld, objName)
+		// Allow because of allow by default
+		putObject(router, ns, bktNameNew, objName)
+
+		// Allow because of old behavior
+		createBucket(router, ns, bktName)
+		listBuckets(router, ns)
+	})
+}
+
+func allowOperations(router *routerMock, ns string, operations []string) {
+	addPolicy(router, ns, "allow", engineiam.AllowEffect, operations)
+}
+
+func denyOperations(router *routerMock, ns string, operations []string) {
+	addPolicy(router, ns, "deny", engineiam.DenyEffect, operations)
+}
+
+func addPolicy(router *routerMock, ns string, id string, effect engineiam.Effect, operations []string) {
+	policy := engineiam.Policy{
+		Statement: []engineiam.Statement{{
+			Principal: map[engineiam.PrincipalType][]string{engineiam.Wildcard: {}},
+			Effect:    effect,
+			Action:    engineiam.Action(operations),
+			Resource:  engineiam.Resource{fmt.Sprintf(s3.ResourceFormatS3All)},
+		}},
+	}
+
+	ruleChain, err := engineiam.ConvertToS3Chain(policy, nil)
+	require.NoError(router.t, err)
+	ruleChain.ID = chain.ID(id)
+
+	_, _, err = router.policyChecker.MorphRuleChainStorage().AddMorphRuleChain(chain.S3, engine.NamespaceTarget(ns), ruleChain)
+	require.NoError(router.t, err)
+}
+
+func createOldBucket(router *routerMock, bktName string) {
+	createSpecificBucket(router, bktName, true)
+}
+
+func createNewBucket(router *routerMock, bktName string) {
+	createSpecificBucket(router, bktName, false)
+}
+
+func createSpecificBucket(router *routerMock, bktName string, old bool) {
+	aclEnabled := router.middlewareSettings.ACLEnabled()
+	router.middlewareSettings.aclEnabled = old
+	createBucket(router, "", bktName)
+	router.middlewareSettings.aclEnabled = aclEnabled
+}
+
+func createBucket(router *routerMock, namespace, bktName string) {
+	w := createBucketBase(router, namespace, bktName)
+	resp := readResponse(router.t, w)
+	require.Equal(router.t, s3middleware.CreateBucketOperation, resp.Method)
+}
+
+func createBucketErr(router *routerMock, namespace, bktName string, errCode apiErrors.ErrorCode) {
+	w := createBucketBase(router, namespace, bktName)
+	assertAPIError(router.t, w, errCode)
+}
+
+func createBucketBase(router *routerMock, namespace, bktName string) *httptest.ResponseRecorder {
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, "/"+bktName, nil)
+	r.Header.Set(FrostfsNamespaceHeader, namespace)
+	router.ServeHTTP(w, r)
+	return w
+}
+
+func listBuckets(router *routerMock, namespace string) {
+	w := listBucketsBase(router, namespace)
+	resp := readResponse(router.t, w)
+	require.Equal(router.t, s3middleware.ListBucketsOperation, resp.Method)
+}
+
+func listBucketsErr(router *routerMock, namespace string, errCode apiErrors.ErrorCode) {
+	w := listBucketsBase(router, namespace)
+	assertAPIError(router.t, w, errCode)
+}
+
+func listBucketsBase(router *routerMock, namespace string) *httptest.ResponseRecorder {
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil)
+	r.Header.Set(FrostfsNamespaceHeader, namespace)
+	router.ServeHTTP(w, r)
+	return w
+}
+
+func putObject(router *routerMock, namespace, bktName, objName string) handlerResult {
+	w := putObjectBase(router, namespace, bktName, objName)
+	resp := readResponse(router.t, w)
+	require.Equal(router.t, s3middleware.PutObjectOperation, resp.Method)
+	return resp
+}
+
+func putObjectErr(router *routerMock, namespace, bktName, objName string, errCode apiErrors.ErrorCode) {
+	w := putObjectBase(router, namespace, bktName, objName)
+	assertAPIError(router.t, w, errCode)
+}
+
+func putObjectBase(router *routerMock, namespace, bktName, objName string) *httptest.ResponseRecorder {
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, "/"+bktName+"/"+objName, nil)
+	r.Header.Set(FrostfsNamespaceHeader, namespace)
+	router.ServeHTTP(w, r)
+	return w
 }
 
 func TestOwnerIDRetrieving(t *testing.T) {