From 526ddc1243a3e8e34dbea447fea13f50757f08fb Mon Sep 17 00:00:00 2001 From: Denis Kirillov Date: Mon, 7 Apr 2025 17:15:55 +0300 Subject: [PATCH] [#680] Drop GetContainer operation from policy converter Signed-off-by: Denis Kirillov --- pkg/policy-engine/v2/iam/converter_native.go | 190 ++++++++++--------- pkg/policy-engine/v2/iam/converter_test.go | 14 +- 2 files changed, 103 insertions(+), 101 deletions(-) diff --git a/pkg/policy-engine/v2/iam/converter_native.go b/pkg/policy-engine/v2/iam/converter_native.go index 085f1009e..3cbf8d6e3 100644 --- a/pkg/policy-engine/v2/iam/converter_native.go +++ b/pkg/policy-engine/v2/iam/converter_native.go @@ -1,7 +1,6 @@ package iam import ( - "errors" "fmt" "strings" @@ -13,62 +12,62 @@ import ( const PropertyKeyFilePath = "FilePath" type nativeOperationInfo struct { - operations []string - needTreeWrite bool + operations []string + treeOperations []string } var actionToNativeOpMap = map[string]nativeOperationInfo{ - s3common.S3ActionAbortMultipartUpload: {operations: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}, needTreeWrite: true}, - s3common.S3ActionCreateBucket: {operations: []string{native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL}, needTreeWrite: true}, - s3common.S3ActionDeleteBucket: {operations: []string{native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}, needTreeWrite: true}, - s3common.S3ActionDeleteBucketPolicy: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionDeleteObject: {operations: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}, needTreeWrite: true}, - s3common.S3ActionDeleteObjectTagging: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionDeleteObjectVersion: {operations: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}, needTreeWrite: true}, - s3common.S3ActionDeleteObjectVersionTagging: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionGetBucketACL: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetBucketCORS: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject}}, - s3common.S3ActionGetBucketLocation: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetBucketNotification: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject}}, // not supported - s3common.S3ActionGetBucketObjectLockConfiguration: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetBucketPolicy: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetBucketPolicyStatus: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetBucketTagging: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetBucketVersioning: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetLifecycleConfiguration: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject}}, - s3common.S3ActionGetObject: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, - s3common.S3ActionGetObjectACL: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetObjectAttributes: {operations: []string{native.MethodGetContainer, native.MethodHeadObject}}, - s3common.S3ActionGetObjectLegalHold: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetObjectRetention: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetObjectTagging: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetObjectVersion: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, - s3common.S3ActionGetObjectVersionACL: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionGetObjectVersionAttributes: {operations: []string{native.MethodGetContainer, native.MethodHeadObject}}, - s3common.S3ActionGetObjectVersionTagging: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionListAllMyBuckets: {operations: []string{native.MethodListContainers, native.MethodGetContainer}}, - s3common.S3ActionListBucket: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, - s3common.S3ActionListBucketMultipartUploads: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionListBucketVersions: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, - s3common.S3ActionListMultipartUploadParts: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionPutBucketACL: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionPutBucketCORS: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodPutObject}, needTreeWrite: true}, - s3common.S3ActionPutBucketNotification: {operations: []string{native.MethodGetContainer, native.MethodHeadObject, native.MethodDeleteObject, native.MethodGetObject, native.MethodPutObject}, needTreeWrite: true}, // not supported - s3common.S3ActionPutBucketObjectLockConfiguration: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionPutBucketPolicy: {operations: []string{native.MethodGetContainer}}, - s3common.S3ActionPutBucketTagging: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionPutBucketVersioning: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionPutLifecycleConfiguration: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodPutObject, native.MethodDeleteObject}, needTreeWrite: true}, - s3common.S3ActionPutObject: {operations: []string{native.MethodGetContainer, native.MethodPutObject, native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject}, needTreeWrite: true}, - s3common.S3ActionPutObjectACL: {operations: []string{native.MethodGetContainer}}, // not supported - s3common.S3ActionPutObjectLegalHold: {operations: []string{native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}, needTreeWrite: true}, - s3common.S3ActionPutObjectRetention: {operations: []string{native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}, needTreeWrite: true}, - s3common.S3ActionPutObjectTagging: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionPutObjectVersionACL: {operations: []string{native.MethodGetContainer}}, // not supported - s3common.S3ActionPutObjectVersionTagging: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionPatchObject: {operations: []string{native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodPatchObject, native.MethodPutObject, native.MethodRangeObject}, needTreeWrite: true}, - s3common.S3ActionPutBucketPublicAccessBlock: {operations: []string{native.MethodGetContainer}, needTreeWrite: true}, - s3common.S3ActionGetBucketPublicAccessBlock: {operations: []string{native.MethodGetContainer}}, + s3common.S3ActionAbortMultipartUpload: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionCreateBucket: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodPutContainer, native.MethodSetContainerEACL}}, + s3common.S3ActionDeleteBucket: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionDeleteBucketPolicy: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionDeleteObject: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}}, + s3common.S3ActionDeleteObjectTagging: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionDeleteObjectVersion: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}}, + s3common.S3ActionDeleteObjectVersionTagging: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionGetBucketACL: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetBucketCORS: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject}}, + s3common.S3ActionGetBucketLocation: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetBucketNotification: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject}}, // not supported + s3common.S3ActionGetBucketObjectLockConfiguration: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetBucketPolicy: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetBucketPolicyStatus: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetBucketTagging: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetBucketVersioning: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetLifecycleConfiguration: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject}}, + s3common.S3ActionGetObject: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, + s3common.S3ActionGetObjectACL: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetObjectAttributes: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodHeadObject}}, + s3common.S3ActionGetObjectLegalHold: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetObjectRetention: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetObjectTagging: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetObjectVersion: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, + s3common.S3ActionGetObjectVersionACL: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionGetObjectVersionAttributes: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodHeadObject}}, + s3common.S3ActionGetObjectVersionTagging: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionListAllMyBuckets: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodListContainers}}, + s3common.S3ActionListBucket: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, + s3common.S3ActionListBucketMultipartUploads: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionListBucketVersions: {treeOperations: []string{native.MethodGetObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}}, + s3common.S3ActionListMultipartUploadParts: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionPutBucketACL: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutBucketCORS: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutBucketNotification: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodHeadObject, native.MethodDeleteObject, native.MethodGetObject, native.MethodPutObject}}, // not supported + s3common.S3ActionPutBucketObjectLockConfiguration: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutBucketPolicy: {treeOperations: []string{native.MethodGetObject}}, + s3common.S3ActionPutBucketTagging: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutBucketVersioning: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutLifecycleConfiguration: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject, native.MethodPutObject, native.MethodDeleteObject}}, + s3common.S3ActionPutObject: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodPutObject, native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject}}, + s3common.S3ActionPutObjectACL: {}, // not supported + s3common.S3ActionPutObjectLegalHold: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutObjectRetention: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutObjectTagging: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPutObjectVersionACL: {}, // not supported + s3common.S3ActionPutObjectVersionTagging: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionPatchObject: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}, operations: []string{native.MethodGetObject, native.MethodHeadObject, native.MethodPatchObject, native.MethodPutObject, native.MethodRangeObject}}, + s3common.S3ActionPutBucketPublicAccessBlock: {treeOperations: []string{native.MethodGetObject, native.MethodPutObject}}, + s3common.S3ActionGetBucketPublicAccessBlock: {treeOperations: []string{native.MethodGetObject}}, } var containerNativeOperations = map[string]struct{}{ @@ -90,7 +89,7 @@ var objectNativeOperations = map[string]struct{}{ native.MethodHashObject: {}, } -var errConditionKeyNotApplicable = errors.New("condition key is not applicable") +var treeNativeOperations = []string{native.MethodGetObject, native.MethodPutObject} func ConvertToNativeChain(p s3common.Policy, resolver s3common.NativeResolver) (*chain.Chain, error) { if err := p.Validate(s3common.ResourceBasedPolicyType); err != nil { @@ -109,37 +108,37 @@ func ConvertToNativeChain(p s3common.Policy, resolver s3common.NativeResolver) ( } action, actionInverted := statement.GetAction() - nativeActions, treeWrite, err := formNativeActionNames(action) + nativeActions, nativeTreeActions, err := formNativeActionNames(action) if err != nil { return nil, err } - ruleAction := chain.Actions{Inverted: actionInverted, Names: nativeActions} - if len(ruleAction.Names) == 0 { - continue - } resource, resourceInverted := statement.GetResource() - groupedResources, treeRes, err := formNativeResourceNamesAndConditions(resource, resolver, getActionTypes(nativeActions)) + groupedResources, treeRes, err := formNativeResourceNamesAndConditions(resource, resolver, getActionTypes(nativeActions, nativeTreeActions)) if err != nil { return nil, err } - groupedConditions, err := convertToNativeChainCondition(statement.Conditions, resolver) - if err != nil { - if errors.Is(err, errConditionKeyNotApplicable) { - continue - } - return nil, err - } - splitConditions := s3common.SplitGroupedConditions(groupedConditions) - principals, principalCondFn, err := getNativePrincipalsAndConditionFunc(statement, resolver) if err != nil { return nil, err } - engineChain.Rules = append(engineChain.Rules, getTreeRule(treeRes, principals, principalCondFn, treeWrite)...) + if len(treeRes) != 0 { + engineChain.Rules = append(engineChain.Rules, getTreeRule(treeRes, principals, principalCondFn, nativeTreeActions)...) + } + if len(groupedResources) == 0 { + continue + } + + groupedConditions, err := convertToNativeChainCondition(statement.Conditions, resolver) + if err != nil { + return nil, err + } + splitConditions := s3common.SplitGroupedConditions(groupedConditions) + + ruleAction := chain.Actions{Inverted: actionInverted, Names: nativeActions} for _, groupedResource := range groupedResources { for _, principal := range principals { for _, conditions := range splitConditions { @@ -172,12 +171,7 @@ func ConvertToNativeChain(p s3common.Policy, resolver s3common.NativeResolver) ( return &engineChain, nil } -func getTreeRule(resources []string, principals []string, principalCondFn s3common.FormPrincipalConditionFunc, needWrite bool) []chain.Rule { - ops := []string{native.MethodGetObject} - if needWrite { - ops = append(ops, native.MethodPutObject) - } - +func getTreeRule(resources []string, principals []string, principalCondFn s3common.FormPrincipalConditionFunc, treeActions []string) []chain.Rule { treeCondition := chain.Condition{ Op: chain.CondStringNotEquals, Kind: chain.KindResource, @@ -197,7 +191,7 @@ func getTreeRule(resources []string, principals []string, principalCondFn s3comm if len(principalTreeConditions) == 0 { return []chain.Rule{{ Status: chain.Allow, - Actions: chain.Actions{Names: ops}, + Actions: chain.Actions{Names: treeActions}, Resources: chain.Resources{Names: resources}, Condition: []chain.Condition{treeCondition}, }} @@ -207,7 +201,7 @@ func getTreeRule(resources []string, principals []string, principalCondFn s3comm for i, condition := range principalTreeConditions { res[i] = chain.Rule{ Status: chain.Allow, - Actions: chain.Actions{Names: ops}, + Actions: chain.Actions{Names: treeActions}, Resources: chain.Resources{Names: resources}, Condition: []chain.Condition{treeCondition, condition}, } @@ -216,8 +210,8 @@ func getTreeRule(resources []string, principals []string, principalCondFn s3comm return res } -func getActionTypes(nativeActions []string) ActionTypes { - var res ActionTypes +func getActionTypes(nativeActions []string, treeActions []string) ActionTypes { + res := ActionTypes{Tree: len(treeActions) != 0} for _, action := range nativeActions { if res.Object && res.Container { break @@ -278,7 +272,8 @@ func convertToNativeChainCondition(c s3common.Conditions, resolver s3common.Nati for i := range gr.Conditions { switch { case gr.Conditions[i].Key == condKeyAWSMFAPresent: - return s3common.GroupedConditions{}, errConditionKeyNotApplicable + // MFA property exist only in S3 request (in AccessBox), so native protocol should not process such conditions. + continue case gr.Conditions[i].Key == s3common.CondKeyAWSPrincipalARN: gr.Conditions[i].Key = native.PropertyKeyActorPublicKey val, err := formPrincipalKey(gr.Conditions[i].Value, resolver) @@ -308,10 +303,11 @@ type GroupedResources struct { type ActionTypes struct { Object bool Container bool + Tree bool } func formNativeResourceNamesAndConditions(names []string, resolver s3common.NativeResolver, actionTypes ActionTypes) ([]GroupedResources, []string, error) { - if !actionTypes.Object && !actionTypes.Container { + if !actionTypes.Object && !actionTypes.Container && !actionTypes.Tree { return nil, nil, s3common.ErrActionsNotApplicable } @@ -356,7 +352,12 @@ func formNativeResourceNamesAndConditions(names []string, resolver s3common.Nati return nil, nil, err } - treeResMap[fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container)] = struct{}{} + if actionTypes.Tree { + treeResMap[fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container)] = struct{}{} + if !actionTypes.Object && !actionTypes.Container { + continue + } + } if obj == s3common.Wildcard && actionTypes.Object { // this corresponds to arn:aws:s3:::BUCKET/ or arn:aws:s3:::BUCKET/* combined[fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container)] = struct{}{} @@ -440,18 +441,18 @@ func formPrincipalKey(principal string, resolver s3common.NativeResolver) (strin return key, nil } -func formNativeActionNames(names []string) ([]string, bool, error) { +func formNativeActionNames(names []string) ([]string, []string, error) { uniqueActions := make(map[string]struct{}, len(names)) - var treeWrite bool + var treeActions []string for _, action := range names { if action == s3common.Wildcard { - return []string{s3common.Wildcard}, true, nil + return []string{s3common.Wildcard}, treeNativeOperations, nil } isIAM, err := s3common.ValidateAction(action) if err != nil { - return nil, false, err + return nil, nil, err } if isIAM { @@ -459,15 +460,16 @@ func formNativeActionNames(names []string) ([]string, bool, error) { } if action[len(s3common.S3ActionPrefix):] == s3common.Wildcard { - return []string{s3common.Wildcard}, true, nil + return []string{s3common.Wildcard}, treeNativeOperations, nil } nativeActions := actionToNativeOpMap[action] - if nativeActions.needTreeWrite { - treeWrite = true + if len(nativeActions.operations) == 0 && len(nativeActions.treeOperations) == 0 { + return nil, nil, s3common.ErrActionsNotApplicable } - if len(nativeActions.operations) == 0 { - return nil, false, s3common.ErrActionsNotApplicable + + if len(nativeActions.treeOperations) > len(treeActions) { + treeActions = nativeActions.treeOperations } for _, nativeAction := range nativeActions.operations { @@ -480,5 +482,5 @@ func formNativeActionNames(names []string) ([]string, bool, error) { res = append(res, key) } - return res, treeWrite, nil + return res, treeActions, nil } diff --git a/pkg/policy-engine/v2/iam/converter_test.go b/pkg/policy-engine/v2/iam/converter_test.go index 2bf671ea4..c7b717187 100644 --- a/pkg/policy-engine/v2/iam/converter_test.go +++ b/pkg/policy-engine/v2/iam/converter_test.go @@ -160,7 +160,7 @@ func TestConverters(t *testing.T) { }, { Status: chain.Allow, - Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodPutObject, + Actions: chain.Actions{Names: []string{native.MethodPutObject, native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject}}, Resources: chain.Resources{Names: []string{ fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]), @@ -257,7 +257,7 @@ func TestConverters(t *testing.T) { { Status: chain.Allow, Actions: chain.Actions{Names: []string{ - native.MethodGetContainer, native.MethodDeleteContainer, + native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodDeleteObject, native.MethodPutObject, native.MethodGetObject, native.MethodRangeObject, @@ -284,7 +284,7 @@ func TestConverters(t *testing.T) { { Status: chain.Allow, Actions: chain.Actions{Names: []string{ - native.MethodGetContainer, native.MethodDeleteContainer, + native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodDeleteObject, native.MethodPutObject, native.MethodGetObject, native.MethodRangeObject, @@ -421,8 +421,8 @@ func TestConverters(t *testing.T) { }, { Status: chain.Allow, - Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}}, - Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}}, + Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}}, + Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects}}, Condition: []chain.Condition{{ Op: chain.CondStringEquals, Kind: chain.KindRequest, @@ -1752,7 +1752,7 @@ func TestFromActions(t *testing.T) { }, { action: "s3:PutObject", - res: []string{native.MethodGetContainer, native.MethodPutObject, + res: []string{native.MethodPutObject, native.MethodGetObject, native.MethodHeadObject, native.MethodRangeObject}, }, { @@ -2095,7 +2095,7 @@ func TestMFACondition(t *testing.T) { require.ElementsMatch(t, expectedConditions, s3Chain.Rules[0].Condition) _, err = ConvertToNativeChain(p, newMockUserResolver(nil, nil, "")) - require.ErrorIs(t, err, s3common.ErrActionsNotApplicable) + require.NoError(t, err) } }