[#357] Add check of request and resource tags

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
2024-04-10 09:41:07 +03:00 · 2024-04-10 09:41:07 +03:00 · 3ff027587c
commit 3ff027587c
parent 9f29fcbd52
24 changed files with 506 additions and 155 deletions
--- a/api/router_test.go
+++ b/api/router_test.go
@ -1,6 +1,7 @@
 package api

 import (
+	"bytes"
 	"encoding/json"
 	"encoding/xml"
 	"fmt"
@ -66,6 +67,8 @@ func prepareRouter(t *testing.T) *routerMock {
 		PolicyChecker:      policyChecker,
 		Domains:            []string{"domain1", "domain2"},
 		FrostfsID:          &frostFSIDMock{},
+		XMLDecoder:         &xmlMock{},
+		Tagging:            &resourceTaggingMock{},
 	}
 	return &routerMock{
 		t:                  t,
@ -115,7 +118,7 @@ func TestRouterObjectWithSlashes(t *testing.T) {
 	ns, bktName, objName := "", "dkirillov", "/fix/object"

 	createBucket(chiRouter, ns, bktName)
-	resp := putObject(chiRouter, ns, bktName, objName)
+	resp := putObject(chiRouter, ns, bktName, objName, nil)
 	require.Equal(t, objName, resp.ReqInfo.ObjectName)
 }

@ -157,7 +160,7 @@ func TestRouterObjectEscaping(t *testing.T) {
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			resp := putObject(chiRouter, ns, bktName, tc.objName)
+			resp := putObject(chiRouter, ns, bktName, tc.objName, nil)
 			require.Equal(t, tc.expectedObjName, resp.ReqInfo.ObjectName)
 		})
 	}
@ -185,13 +188,13 @@ func TestPolicyChecker(t *testing.T) {
 	require.NoError(t, err)

 	// check we can access 'bucket' in default namespace
-	putObject(chiRouter, ns1, bktName1, objName1)
+	putObject(chiRouter, ns1, bktName1, objName1, nil)

 	// check we can access 'other-bucket' in custom namespace
-	putObject(chiRouter, ns2, bktName2, objName2)
+	putObject(chiRouter, ns2, bktName2, objName2, nil)

 	// check we cannot access 'bucket' in custom namespace
-	putObjectErr(chiRouter, ns2, bktName1, objName2, apiErrors.ErrAccessDenied)
+	putObjectErr(chiRouter, ns2, bktName1, objName2, nil, apiErrors.ErrAccessDenied)
 }

 func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
@ -215,6 +218,8 @@ func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
 	_, _, err = chiRouter.policyChecker.MorphRuleChainStorage().AddMorphRuleChain(chain.S3, engine.NamespaceTarget(""), ruleChain)
 	require.NoError(t, err)

+	createBucket(chiRouter, "", bktName)
+
 	chiRouter.middlewareSettings.denyByDefault = true
 	t.Run("can list buckets", func(t *testing.T) {
 		w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil)
@ -263,9 +268,9 @@ func TestACLAPE(t *testing.T) {
 		router.middlewareSettings.denyByDefault = true

 		// Allow because of using old bucket
-		putObject(router, ns, bktNameOld, objName)
+		putObject(router, ns, bktNameOld, objName, nil)
 		// Deny because of deny by default
-		putObjectErr(router, ns, bktNameNew, objName, apiErrors.ErrAccessDenied)
+		putObjectErr(router, ns, bktNameNew, objName, nil, apiErrors.ErrAccessDenied)

 		// Deny because of deny by default
 		createBucketErr(router, ns, bktName, apiErrors.ErrAccessDenied)
@ -289,9 +294,9 @@ func TestACLAPE(t *testing.T) {
 		router.middlewareSettings.denyByDefault = false

 		// Allow because of using old bucket
-		putObject(router, ns, bktNameOld, objName)
+		putObject(router, ns, bktNameOld, objName, nil)
 		// Allow because of allow by default
-		putObject(router, ns, bktNameNew, objName)
+		putObject(router, ns, bktNameNew, objName, nil)

 		// Allow because of deny by default
 		createBucket(router, ns, bktName)
@ -315,9 +320,9 @@ func TestACLAPE(t *testing.T) {
 		router.middlewareSettings.denyByDefault = true

 		// Allow because of using old bucket
-		putObject(router, ns, bktNameOld, objName)
+		putObject(router, ns, bktNameOld, objName, nil)
 		// Deny because of deny by default
-		putObjectErr(router, ns, bktNameNew, objName, apiErrors.ErrAccessDenied)
+		putObjectErr(router, ns, bktNameNew, objName, nil, apiErrors.ErrAccessDenied)

 		// Allow because of old behavior
 		createBucket(router, ns, bktName)
@ -336,9 +341,9 @@ func TestACLAPE(t *testing.T) {
 		router.middlewareSettings.denyByDefault = false

 		// Allow because of using old bucket
-		putObject(router, ns, bktNameOld, objName)
+		putObject(router, ns, bktNameOld, objName, nil)
 		// Allow because of allow by default
-		putObject(router, ns, bktNameNew, objName)
+		putObject(router, ns, bktNameNew, objName, nil)

 		// Allow because of old behavior
 		createBucket(router, ns, bktName)
@ -459,6 +464,118 @@ func TestRequestParametersCheck(t *testing.T) {
 	})
 }

+func TestRequestTagsCheck(t *testing.T) {
+	t.Run("put bucket tagging", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, tagKey, tagValue := "", "bucket", "tag", "value"
+		router.middlewareSettings.denyByDefault = true
+
+		allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+		createBucket(router, ns, bktName)
+
+		// Add policies and check
+		allowOperations(router, ns, []string{"s3:PutBucketTagging"}, engineiam.Conditions{
+			engineiam.CondStringEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatRequestTag, tagKey): []string{tagValue}},
+		})
+		denyOperations(router, ns, []string{"s3:PutBucketTagging"}, engineiam.Conditions{
+			engineiam.CondStringNotEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatRequestTag, tagKey): []string{tagValue}},
+		})
+
+		tagging, err := xml.Marshal(data.Tagging{TagSet: []data.Tag{{Key: tagKey, Value: tagValue}}})
+		require.NoError(t, err)
+		putBucketTagging(router, ns, bktName, tagging)
+
+		tagging, err = xml.Marshal(data.Tagging{TagSet: []data.Tag{{Key: "key", Value: tagValue}}})
+		require.NoError(t, err)
+		putBucketTaggingErr(router, ns, bktName, tagging, apiErrors.ErrAccessDenied)
+	})
+
+	t.Run("put object with tag", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, objName, tagKey, tagValue := "", "bucket", "object", "tag", "value"
+		router.middlewareSettings.denyByDefault = true
+
+		allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+		createBucket(router, ns, bktName)
+
+		// Add policies and check
+		allowOperations(router, ns, []string{"s3:PutObject"}, engineiam.Conditions{
+			engineiam.CondStringEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatRequestTag, tagKey): []string{tagValue}},
+		})
+		denyOperations(router, ns, []string{"s3:PutObject"}, engineiam.Conditions{
+			engineiam.CondStringNotEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatRequestTag, tagKey): []string{tagValue}},
+		})
+
+		putObject(router, ns, bktName, objName, &data.Tag{Key: tagKey, Value: tagValue})
+
+		putObjectErr(router, ns, bktName, objName, &data.Tag{Key: "key", Value: tagValue}, apiErrors.ErrAccessDenied)
+	})
+}
+
+func TestResourceTagsCheck(t *testing.T) {
+	t.Run("bucket tagging", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, tagKey, tagValue := "", "bucket", "tag", "value"
+		router.middlewareSettings.denyByDefault = true
+
+		allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+		createBucket(router, ns, bktName)
+
+		// Add policies and check
+		allowOperations(router, ns, []string{"s3:ListBucket"}, engineiam.Conditions{
+			engineiam.CondStringEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatResourceTag, tagKey): []string{tagValue}},
+		})
+		denyOperations(router, ns, []string{"s3:ListBucket"}, engineiam.Conditions{
+			engineiam.CondStringNotEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatResourceTag, tagKey): []string{tagValue}},
+		})
+
+		router.cfg.Tagging.(*resourceTaggingMock).bucketTags = map[string]string{tagKey: tagValue}
+		listObjectsV1(router, ns, bktName, "", "", "")
+
+		router.cfg.Tagging.(*resourceTaggingMock).bucketTags = map[string]string{}
+		listObjectsV1Err(router, ns, bktName, "", "", "", apiErrors.ErrAccessDenied)
+	})
+
+	t.Run("object tagging", func(t *testing.T) {
+		router := prepareRouter(t)
+
+		ns, bktName, objName, tagKey, tagValue := "", "bucket", "object", "tag", "value"
+		router.middlewareSettings.denyByDefault = true
+
+		allowOperations(router, ns, []string{"s3:CreateBucket", "s3:PutObject"}, nil)
+		createBucket(router, ns, bktName)
+		putObject(router, ns, bktName, objName, nil)
+
+		// Add policies and check
+		allowOperations(router, ns, []string{"s3:GetObject"}, engineiam.Conditions{
+			engineiam.CondStringEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatResourceTag, tagKey): []string{tagValue}},
+		})
+		denyOperations(router, ns, []string{"s3:GetObject"}, engineiam.Conditions{
+			engineiam.CondStringNotEquals: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatResourceTag, tagKey): []string{tagValue}},
+		})
+
+		router.cfg.Tagging.(*resourceTaggingMock).objectTags = map[string]string{tagKey: tagValue}
+		getObject(router, ns, bktName, objName)
+
+		router.cfg.Tagging.(*resourceTaggingMock).objectTags = map[string]string{}
+		getObjectErr(router, ns, bktName, objName, apiErrors.ErrAccessDenied)
+	})
+
+	t.Run("non-existent resources", func(t *testing.T) {
+		router := prepareRouter(t)
+		ns, bktName, objName := "", "bucket", "object"
+
+		listObjectsV1Err(router, ns, bktName, "", "", "", apiErrors.ErrNoSuchBucket)
+
+		router.cfg.Tagging.(*resourceTaggingMock).noSuchKey = true
+		createBucket(router, ns, bktName)
+		getObjectErr(router, ns, bktName, objName, apiErrors.ErrNoSuchKey)
+	})
+}
+
 func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
 	addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
 }
@ -538,20 +655,68 @@ func listBucketsBase(router *routerMock, namespace string) *httptest.ResponseRec
 	return w
 }

-func putObject(router *routerMock, namespace, bktName, objName string) handlerResult {
-	w := putObjectBase(router, namespace, bktName, objName)
+func putObject(router *routerMock, namespace, bktName, objName string, tag *data.Tag) handlerResult {
+	w := putObjectBase(router, namespace, bktName, objName, tag)
 	resp := readResponse(router.t, w)
 	require.Equal(router.t, s3middleware.PutObjectOperation, resp.Method)
 	return resp
 }

-func putObjectErr(router *routerMock, namespace, bktName, objName string, errCode apiErrors.ErrorCode) {
-	w := putObjectBase(router, namespace, bktName, objName)
+func putObjectErr(router *routerMock, namespace, bktName, objName string, tag *data.Tag, errCode apiErrors.ErrorCode) {
+	w := putObjectBase(router, namespace, bktName, objName, tag)
 	assertAPIError(router.t, w, errCode)
 }

-func putObjectBase(router *routerMock, namespace, bktName, objName string) *httptest.ResponseRecorder {
+func putObjectBase(router *routerMock, namespace, bktName, objName string, tag *data.Tag) *httptest.ResponseRecorder {
 	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, "/"+bktName+"/"+objName, nil)
+	if tag != nil {
+		queries := url.Values{
+			tag.Key: []string{tag.Value},
+		}
+		r.Header.Set(AmzTagging, queries.Encode())
+	}
+	r.Header.Set(FrostfsNamespaceHeader, namespace)
+	router.ServeHTTP(w, r)
+	return w
+}
+
+func putBucketTagging(router *routerMock, namespace, bktName string, tagging []byte) handlerResult {
+	w := putBucketTaggingBase(router, namespace, bktName, tagging)
+	resp := readResponse(router.t, w)
+	require.Equal(router.t, s3middleware.PutBucketTaggingOperation, resp.Method)
+	return resp
+}
+
+func putBucketTaggingErr(router *routerMock, namespace, bktName string, tagging []byte, errCode apiErrors.ErrorCode) {
+	w := putBucketTaggingBase(router, namespace, bktName, tagging)
+	assertAPIError(router.t, w, errCode)
+}
+
+func putBucketTaggingBase(router *routerMock, namespace, bktName string, tagging []byte) *httptest.ResponseRecorder {
+	queries := url.Values{}
+	queries.Add(s3middleware.TaggingQuery, "")
+
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, "/"+bktName, bytes.NewBuffer(tagging))
+	r.URL.RawQuery = queries.Encode()
+	r.Header.Set(FrostfsNamespaceHeader, namespace)
+	router.ServeHTTP(w, r)
+	return w
+}
+
+func getObject(router *routerMock, namespace, bktName, objName string) handlerResult {
+	w := getObjectBase(router, namespace, bktName, objName)
+	resp := readResponse(router.t, w)
+	require.Equal(router.t, s3middleware.GetObjectOperation, resp.Method)
+	return resp
+}
+
+func getObjectErr(router *routerMock, namespace, bktName, objName string, errCode apiErrors.ErrorCode) {
+	w := getObjectBase(router, namespace, bktName, objName)
+	assertAPIError(router.t, w, errCode)
+}
+
+func getObjectBase(router *routerMock, namespace, bktName, objName string) *httptest.ResponseRecorder {
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/"+bktName+"/"+objName, nil)
 	r.Header.Set(FrostfsNamespaceHeader, namespace)
 	router.ServeHTTP(w, r)
 	return w
@ -596,11 +761,11 @@ func TestOwnerIDRetrieving(t *testing.T) {

 	createBucket(chiRouter, ns, bktName)

-	resp := putObject(chiRouter, ns, bktName, objName)
+	resp := putObject(chiRouter, ns, bktName, objName, nil)
 	require.NotEqual(t, "anon", resp.ReqInfo.User)

 	chiRouter.cfg.Center.(*centerMock).anon = true
-	resp = putObject(chiRouter, ns, bktName, objName)
+	resp = putObject(chiRouter, ns, bktName, objName, nil)
 	require.Equal(t, "anon", resp.ReqInfo.User)
 }

@ -618,7 +783,7 @@ func TestBillingMetrics(t *testing.T) {
 	require.Equal(t, 1, dump.Requests[0].Requests)

 	chiRouter.cfg.Center.(*centerMock).anon = true
-	putObject(chiRouter, ns, bktName, objName)
+	putObject(chiRouter, ns, bktName, objName, nil)
 	dump = chiRouter.cfg.Metrics.UsersAPIStats().DumpMetrics()
 	require.Len(t, dump.Requests, 1)
 	require.Equal(t, "anon", dump.Requests[0].User)