From bb77e306f43683d3049d7fc8f319d1e9b7249f0a Mon Sep 17 00:00:00 2001 From: Evgenii Baidakov Date: Thu, 14 Sep 2023 08:30:35 +0400 Subject: [PATCH] handler: Don't add eACL rules to System group closes #817 Signed-off-by: Evgenii Baidakov --- api/handler/acl.go | 16 ---------------- api/handler/acl_test.go | 12 +----------- 2 files changed, 1 insertion(+), 27 deletions(-) diff --git a/api/handler/acl.go b/api/handler/acl.go index a56f2698..9cbe1584 100644 --- a/api/handler/acl.go +++ b/api/handler/acl.go @@ -154,16 +154,6 @@ type ServiceRecord struct { GroupRecordsLength int } -func (s ServiceRecord) ToEACLRecord() *eacl.Record { - serviceRecord := eacl.NewRecord() - serviceRecord.SetAction(eacl.ActionAllow) - serviceRecord.SetOperation(eacl.OperationGet) - serviceRecord.AddFilter(eacl.HeaderFromService, eacl.MatchUnknown, serviceRecordResourceKey, s.Resource) - serviceRecord.AddFilter(eacl.HeaderFromService, eacl.MatchUnknown, serviceRecordGroupLengthKey, strconv.Itoa(s.GroupRecordsLength)) - eacl.AddFormedTarget(serviceRecord, eacl.RoleSystem) - return serviceRecord -} - func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) { reqInfo := api.GetReqInfo(r.Context()) @@ -867,12 +857,6 @@ func astToTable(ast *ast) (*eacl.Table, error) { return nil, fmt.Errorf("form records: %w", err) } - serviceRecord := ServiceRecord{ - Resource: ast.Resources[i].Name(), - GroupRecordsLength: len(records), - } - table.AddRecord(serviceRecord.ToEACLRecord()) - for _, rec := range records { table.AddRecord(rec) } diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go index 8357b8c9..ba9ccc2f 100644 --- a/api/handler/acl_test.go +++ b/api/handler/acl_test.go @@ -475,7 +475,6 @@ func TestOrder(t *testing.T) { }, }, } - bucketServiceRec := &ServiceRecord{Resource: expectedAst.Resources[0].Name(), GroupRecordsLength: 2} bucketUsersGetRec := eacl.NewRecord() bucketUsersGetRec.SetOperation(eacl.OperationGet) bucketUsersGetRec.SetAction(eacl.ActionAllow) 
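Review bot: `ServiceRecord` (the struct left as context just above the removed method) and the `serviceRecordResourceKey`/`serviceRecordGroupLengthKey` constants the removed body referenced now have no producer in this patch, so either they are dead or they are still needed to recognise service records in eACL tables written by older gateway versions, and the commit does not say which. If the type is kept for a legacy read path, a doc comment such as `// ServiceRecord describes the System-role marker record emitted by earlier versions; it is no longer written, only recognised when reading existing tables.` would stop the next reader from re-adding a producer. `strconv` was used only by the removed body as far as this hunk shows; check it is still referenced elsewhere in acl.go, otherwise the file will not compile. Note also that the removed record was an `ActionAllow`/`OperationGet` rule targeted at `eacl.RoleSystem`, so dropping it removes an explicit grant rather than a deny, which is consistent with the title but worth stating in the description.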
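Review bot: With the service record gone, the records of consecutive resources are appended back-to-back with nothing marking where one resource's group ends, which is exactly what `GroupRecordsLength` used to encode; the counterpart of astToTable that parses a table back into an ast is not in this hunk, so verify it does not still look for that marker to split groups, otherwise tables written by this version may be read back into a different ast than they came from. The `TestOrder` change from `Records()[1]` to `Records()[0]` shows the index shift on the write side but does not cover the read side. A short comment at the loop, `// records for each resource are appended in order; no marker record separates resources any more`, would record the new invariant. astToTable starts before this hunk.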
@@ -484,7 +483,6 @@ func TestOrder(t *testing.T) { bucketOtherGetRec.SetOperation(eacl.OperationGet) bucketOtherGetRec.SetAction(eacl.ActionDeny) bucketOtherGetRec.SetTargets(*targetOther) - objectServiceRec := &ServiceRecord{Resource: expectedAst.Resources[1].Name(), GroupRecordsLength: 2} objectUsersPutRec := eacl.NewRecord() objectUsersPutRec.SetOperation(eacl.OperationPut) objectUsersPutRec.SetAction(eacl.ActionAllow) @@ -497,10 +495,8 @@ func TestOrder(t *testing.T) { objectOtherPutRec.SetTargets(*targetOther) expectedEacl := eacl.NewTable() - expectedEacl.AddRecord(objectServiceRec.ToEACLRecord()) expectedEacl.AddRecord(objectOtherPutRec) expectedEacl.AddRecord(objectUsersPutRec) - expectedEacl.AddRecord(bucketServiceRec.ToEACLRecord()) expectedEacl.AddRecord(bucketOtherGetRec) expectedEacl.AddRecord(bucketUsersGetRec) @@ -544,7 +540,7 @@ func TestOrder(t *testing.T) { mergedEacl, err := astToTable(mergedAst) require.NoError(t, err) - require.Equal(t, *childRecord, mergedEacl.Records()[1]) + require.Equal(t, *childRecord, mergedEacl.Records()[0]) }) } 
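Review bot: None of the updated assertions check the property the commit title claims, that the produced table contains no rule targeting the System group; `require.Equal(t, *childRecord, mergedEacl.Records()[0])` pins only the first record's position. Expected-table comparisons elsewhere in this file cover the fixtures they build, but a direct check over the records of `mergedEacl` (and likewise of the `astToTable` results in the other tests) would catch a future regression that re-introduces a `RoleSystem` target. Assuming the SDK exposes `Record.Targets()` and `Target.Role()`, as the removed `eacl.AddFormedTarget(serviceRecord, eacl.RoleSystem)` suggests, the check can sit right after `require.NoError(t, err)`. The subtest closes at `})` inside this hunk, but TestOrder itself starts before it.
```go
require.NoError(t, err)
for _, rec := range mergedEacl.Records() {
	for _, tgt := range rec.Targets() {
		require.NotEqual(t, eacl.RoleSystem, tgt.Role(), "eACL must not contain rules for the System group")
	}
}
require.Equal(t, *childRecord, mergedEacl.Records()[0])
```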
@@ -650,23 +646,19 @@ func TestAstToTable(t *testing.T) { } expectedTable := eacl.NewTable() - serviceRec1 := &ServiceRecord{Resource: ast.Resources[0].Name(), GroupRecordsLength: 1} record1 := eacl.NewRecord() record1.SetAction(eacl.ActionAllow) record1.SetOperation(eacl.OperationPut) // Unknown role is used, because it is ignored when keys are set eacl.AddFormedTarget(record1, eacl.RoleUnknown, *(*ecdsa.PublicKey)(key.PublicKey())) - serviceRec2 := &ServiceRecord{Resource: ast.Resources[1].Name(), GroupRecordsLength: 1} record2 := eacl.NewRecord() record2.SetAction(eacl.ActionDeny) record2.SetOperation(eacl.OperationGet) eacl.AddFormedTarget(record2, eacl.RoleOthers) record2.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, "objectName") - expectedTable.AddRecord(serviceRec2.ToEACLRecord()) expectedTable.AddRecord(record2) - expectedTable.AddRecord(serviceRec1.ToEACLRecord()) expectedTable.AddRecord(record1) actualTable, err := astToTable(ast) @@ -894,8 +886,6 @@ func allowedTableForPrivateObject(t *testing.T, key *keys.PrivateKey, resInfo *r } expectedTable := eacl.NewTable() - serviceRec := &ServiceRecord{Resource: resInfo.Name(), GroupRecordsLength: len(readOps) * 2} - expectedTable.AddRecord(serviceRec.ToEACLRecord()) for i := len(readOps) - 1; i >= 0; i-- { op := readOps[i]