From ff86daefa5fe66d026512f91e39b681283de85ad Mon Sep 17 00:00:00 2001
From: Ryan Koo
Date: Thu, 5 Sep 2024 14:00:29 -0400
Subject: [PATCH] authn: fix proxy access check
Signed-off-by: Ryan Koo
---
 ais/proxy.go | 6 +-
 .../sdk/authn/test_authn_access.py | 110 +++++++++---------
 2 files changed, 55 insertions(+), 61 deletions(-)
diff --git a/ais/proxy.go b/ais/proxy.go
index cbb0957c548..0a0da091fe9 100644
--- a/ais/proxy.go
+++ b/ais/proxy.go
@@ -1244,7 +1244,7 @@ func (p *proxy) _bckpost(w http.ResponseWriter, r *http.Request, msg *apc.ActMsg
 }
 }
- bckArgs := bctx{p: p, w: w, r: r, bck: bck, perms: apc.AceObjLIST | apc.AceGET, msg: msg, query: query}
+ bckArgs := bctx{p: p, w: w, r: r, bck: bck, perms: apc.AccessNone /* access checked below */, msg: msg, query: query}
 bckArgs.createAIS = false
 if bck, err = bckArgs.initAndTry(); err != nil {
 return
@@ -1779,7 +1779,7 @@ func (p *proxy) httpobjpost(w http.ResponseWriter, r *http.Request, apireq *apiR
 }
 bck := apireq.bck
- bckArgs := bctx{p: p, w: w, r: r, msg: msg, perms: apc.AcePUT, bck: bck}
+ bckArgs := bctx{p: p, w: w, r: r, msg: msg, perms: apc.AccessNone /* access checked below */, bck: bck}
 bckArgs.createAIS = false
 bckArgs.dontHeadRemote = true
 if _, err := bckArgs.initAndTry(); err != nil {
@@ -2088,7 +2088,7 @@ func (p *proxy) httpobjpatch(w http.ResponseWriter, r *http.Request) {
 bckArgs.p = p
 bckArgs.w = w
 bckArgs.r = r
- bckArgs.perms = apc.AceObjHEAD
+ bckArgs.perms = apc.AceObjUpdate
 bckArgs.createAIS = false
 }
 bck, objName, err := p._parseReqTry(w, r, bckArgs)
diff --git a/python/tests/integration/sdk/authn/test_authn_access.py b/python/tests/integration/sdk/authn/test_authn_access.py
index 43846f978ed..c7754f3119a 100644
--- a/python/tests/integration/sdk/authn/test_authn_access.py
+++ b/python/tests/integration/sdk/authn/test_authn_access.py
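Review bot: With `perms: apc.AccessNone`, `initAndTry()` no longer enforces any baseline permission in `_bckpost` (line 1244) or `httpobjpost` (line 1779), so every action dispatched after it must run its own access check, otherwise an action that used to be guarded becomes reachable by any authenticated user. The `/* access checked below */` comment should name the helper or branch that performs that check so a reader can confirm each action path is covered, e.g. `perms: apc.AccessNone /* per-action access check: see <CHECKING-HELPER> below */` with the placeholder replaced by the actual call. Both function bodies continue outside the hunks, so the per-action checks cannot be verified from this diff; a test that exercises each action with a role lacking the matching attribute would pin the behaviour.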
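Review bot: The `bckArgs.perms = apc.AceObjUpdate` assignment at line 2088 sits inside a conditional block (closed by the ` }` two lines later), so when that block is skipped `perms` comes from a path the hunk does not show, and it should also require `apc.AceObjUpdate` or the HEAD-level check this commit replaces may survive there. A why-comment would keep the intent visible: `bckArgs.perms = apc.AceObjUpdate // patching object metadata requires update permission, not merely HEAD`. `httpobjpatch` continues outside the hunk.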
@@ -277,6 +277,58 @@ def test_access_show_cluster(self):
 # Verify Access
 self._assert_does_not_raise(lambda: self.ais_client.cluster().get_info())
+ @pytest.mark.authn
+ def test_access_obj_promote(self):
+ """Test object promote permission."""
+ self.role = self._create_role(
+ access_attrs=[AccessAttr.PROMOTE], bucket_name=self.bucket.name
+ )
+ self.user = self._create_user(roles=[self.role.name])
+
+ user_token = self.authn_client.login(username=self.user.id, password="12345")
+ self._create_ais_client(user_token)
+
+ local_file_path = Path("test_promote_file.txt").absolute()
+ local_file_content = "Test content for promotion"
+ with open(local_file_path, "w", encoding=UTF_ENCODING) as file:
+ file.write(local_file_content)
+
+ # Verify Access
+ obj_name = "promoted_test_file"
+ self.ais_client.bucket(self.bucket.name).object(obj_name).promote(
+ str(local_file_path)
+ )
+
+ local_file_path.unlink()
+
+ @pytest.mark.authn
+ def test_access_move_bucket(self):
+ """Test move bucket permission."""
+ self.role = self._create_role(access_attrs=[AccessAttr.MOVE_BUCKET])
+ self.user = self._create_user(roles=[self.role.name])
+
+ user_token = self.authn_client.login(username=self.user.id, password="12345")
+ self._create_ais_client(user_token)
+
+ # Verify Access
+ self.ais_client.bucket(self.bucket.name).rename(self.bucket.name + "-Renamed")
+
+ @pytest.mark.authn
+ def test_access_obj_update(self):
+ """Test object update permission."""
+ self.role = self._create_role(
+ access_attrs=[AccessAttr.OBJ_UPDATE], bucket_name=self.bucket.name
+ )
+ self.user = self._create_user(roles=[self.role.name])
+
+ user_token = self.authn_client.login(username=self.user.id, password="12345")
+ self._create_ais_client(user_token)
+
+ # Verify Access
+ self.ais_client.bucket(self.bucket.name).object(
+ self.object.name
+ ).set_custom_props(custom_metadata={"Test-Key": "Test-Value"})
+
 # Test Derived Roles (RO, RW, SU)
 @pytest.mark.authn
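Review bot: All three re-enabled tests assert only that a role holding the attribute is allowed through; none asserts that a role without `PROMOTE`, `MOVE_BUCKET` or `OBJ_UPDATE` is denied, so an over-permissive proxy check (the kind this commit fixes for object patch) would pass them unnoticed. Adding a denied-access counterpart to each, built with whatever assertion this file already uses for rejected calls, would pin the fix. In `test_access_obj_promote`, `local_file_path.unlink()` runs only on success, so a failing `promote` leaves `test_promote_file.txt` in the working directory; wrap the promote call and the unlink in `try: ... finally: local_file_path.unlink()` so the fixture is removed either way. Whether `test_access_move_bucket` needs to restore the bucket name depends on per-test setup that is outside the hunk.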
@@ -395,61 +447,3 @@ def test_access_obj_patch(self):
 @pytest.mark.skip(reason="Bucket set ACL not implemented in SDK")
 def test_access_bck_set_acl(self):
 """Test bucket set ACL permission."""
-
- # TODO: Fix on Go-side
- @pytest.mark.authn
- @pytest.mark.skip(reason="Not working on Go-side")
- def test_access_obj_promote(self):
- """Test object promote permission."""
- self.role = self._create_role(
- access_attrs=[AccessAttr.PROMOTE], bucket_name=self.bucket.name
- )
- self.user = self._create_user(roles=[self.role.name])
-
- user_token = self.authn_client.login(username=self.user.id, password="12345")
- self._create_ais_client(user_token)
-
- local_file_path = Path("test_promote_file.txt").absolute()
- local_file_content = "Test content for promotion"
- with open(local_file_path, "w", encoding=UTF_ENCODING) as file:
- file.write(local_file_content)
-
- # Verify Access
- obj_name = "promoted_test_file"
- self.ais_client.bucket(self.bucket.name).object(obj_name).promote(
- str(local_file_path)
- )
-
- local_file_path.unlink()
-
- # TODO: Fix on Go-side
- @pytest.mark.authn
- @pytest.mark.skip(reason="Not working on Go-side")
- def test_access_obj_update(self):
- """Test object update permission."""
- self.role = self._create_role(
- access_attrs=[AccessAttr.OBJ_UPDATE], bucket_name=self.bucket.name
- )
- self.user = self._create_user(roles=[self.role.name])
-
- user_token = self.authn_client.login(username=self.user.id, password="12345")
- self._create_ais_client(user_token)
-
- # Verify Access
- self.ais_client.bucket(self.bucket.name).object(
- self.object.name
- ).set_custom_props(custom_metadata={"Test-Key": "Test-Value"})
-
- # TODO: Fix on Go-side
- @pytest.mark.authn
- @pytest.mark.skip(reason="Not working on Go-side")
- def test_access_move_bucket(self):
- """Test move bucket permission."""
- self.role = self._create_role(access_attrs=[AccessAttr.MOVE_BUCKET])
- self.user = self._create_user(roles=[self.role.name])
-
- user_token =
self.authn_client.login(username=self.user.id, password="12345")
- self._create_ais_client(user_token)
-
- # Verify Access
- self.ais_client.bucket(self.bucket.name).rename(self.bucket.name + "-Renamed")