[#257] Support flag to deny access if policy rules not found

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2023-12-05 15:49:13 +03:00 · 2023-12-05 15:49:13 +03:00 · 43abf58068
commit 43abf58068
parent ca15acf1d3
8 changed files with 64 additions and 11 deletions
--- a/api/router_test.go
+++ b/api/router_test.go
@ -24,8 +24,9 @@ import (
 )

 type routerMock struct {
-	router *chi.Mux
-	cfg    Config
+	router             *chi.Mux
+	cfg                Config
+	middlewareSettings *middlewareSettingsMock
 }

 func (m *routerMock) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@ -33,6 +34,8 @@ func (m *routerMock) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }

 func prepareRouter(t *testing.T) *routerMock {
+	middlewareSettings := &middlewareSettingsMock{}
+
 	cfg := Config{
 		Throttle: middleware.ThrottleOpts{
 			Limit:          10,
@ -42,12 +45,13 @@ func prepareRouter(t *testing.T) *routerMock {
 		Center:             &centerMock{},
 		Log:                zaptest.NewLogger(t),
 		Metrics:            &metrics.AppMetrics{},
-		MiddlewareSettings: &middlewareSettingsMock{},
+		MiddlewareSettings: middlewareSettings,
 		PolicyStorage:      inmemory.NewInMemoryLocalOverrides(),
 	}
 	return &routerMock{
-		router: NewRouter(cfg),
-		cfg:    cfg,
+		router:             NewRouter(cfg),
+		cfg:                cfg,
+		middlewareSettings: middlewareSettings,
 	}
 }

@ -183,6 +187,24 @@ func TestPolicyChecker(t *testing.T) {
 	assertAPIError(t, w, apiErrors.ErrAccessDenied)
 }

+func TestDefaultBehaviorPolicyChecker(t *testing.T) {
+	chiRouter := prepareRouter(t)
+	bktName, objName := "bucket", "object"
+	target := fmt.Sprintf("/%s/%s", bktName, objName)
+
+	// check we can access bucket if rules not found
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
+	chiRouter.ServeHTTP(w, r)
+	resp := readResponse(t, w)
+	require.Equal(t, s3middleware.PutObjectOperation, resp.Method)
+
+	// check we cannot access if rules not found when settings is enabled
+	chiRouter.middlewareSettings.denyByDefault = true
+	w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
+	chiRouter.ServeHTTP(w, r)
+	assertAPIError(t, w, apiErrors.ErrAccessDenied)
+}
+
 func readResponse(t *testing.T, w *httptest.ResponseRecorder) handlerResult {
 	var res handlerResult