[#346] acl: Update APE and fix using

* Remove native policy when remove bucket policy * Allow policies that contain only s3 compatible statements (now deny rules cannot be converted to native rules) Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-04-01 12:51:05 +03:00 · 2024-04-01 12:51:05 +03:00 · 8669bf6b50
commit 8669bf6b50
parent 6b8095182e
11 changed files with 114 additions and 49 deletions
--- a/api/router_test.go
+++ b/api/router_test.go
@ -198,6 +198,7 @@ func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
 	bktName, objName := "bucket", "object"

 	policy := engineiam.Policy{
+		Version: "2012-10-17",
 		Statement: []engineiam.Statement{{
 			Principal: map[engineiam.PrincipalType][]string{engineiam.Wildcard: {}},
 			Effect:    engineiam.AllowEffect,
@ -269,7 +270,7 @@ func TestACLAPE(t *testing.T) {
 		listBucketsErr(router, ns, apiErrors.ErrAccessDenied)

 		// Allow operations and check
-		allowOperations(router, ns, []string{"s3:CreateBucket", "s3:ListBuckets"})
+		allowOperations(router, ns, []string{"s3:CreateBucket", "s3:ListAllMyBuckets"})
 		createBucket(router, ns, bktName)
 		listBuckets(router, ns)
 	})
@ -295,7 +296,7 @@ func TestACLAPE(t *testing.T) {
 		listBuckets(router, ns)

 		// Deny operations and check
-		denyOperations(router, ns, []string{"s3:CreateBucket", "s3:ListBuckets"})
+		denyOperations(router, ns, []string{"s3:CreateBucket", "s3:ListAllMyBuckets"})
 		createBucketErr(router, ns, bktName, apiErrors.ErrAccessDenied)
 		listBucketsErr(router, ns, apiErrors.ErrAccessDenied)
 	})
@ -353,6 +354,7 @@ func denyOperations(router *routerMock, ns string, operations []string) {

 func addPolicy(router *routerMock, ns string, id string, effect engineiam.Effect, operations []string) {
 	policy := engineiam.Policy{
+		Version: "2012-10-17",
 		Statement: []engineiam.Statement{{
 			Principal: map[engineiam.PrincipalType][]string{engineiam.Wildcard: {}},
 			Effect:    effect,