

Add result filter ALL_FAILED
molotkov-and committed Jan 19, 2024
1 parent a16f023 commit e6087d5
Showing 3 changed files with 22 additions and 1 deletion.
1 change: 1 addition & 0 deletions ydb/core/security/ticket_parser_impl.h
Expand Up @@ -409,6 +409,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
action->set_permission(permissionName);
requestForPermissions << " " << permissionName;
}
request->Request.set_result_filter(yandex::cloud::priv::accessservice::v2::BulkAuthorizeRequest::ALL_FAILED);
BLOG_TRACE("Ticket " << record.GetMaskedTicket() << " asking for AccessServiceBulkAuthorization(" << requestForPermissions << ")");
record.ResponsesLeft++;
Send(AccessServiceValidatorV2, request.Release());
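Review bot: The new `set_result_filter(... ALL_FAILED)` line carries no comment saying why the parser needs every denied permission rather than only the first, and the enclosing function starts and ends outside the hunk. A one-line comment above it would record the intent, e.g. `// Ask AccessService to report every denied permission, not only the first, so the token ends up with exactly the granted subset.` The unit-test change in the same commit, which expects two denied permissions to both be absent from the token, appears to be the motivating case, though that is inferred rather than stated anywhere on the page. The filter is also hard-coded for every bulk request; if a caller ever only needs a yes/no answer, this is the line to revisit.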
12 changes: 12 additions & 0 deletions ydb/core/security/ticket_parser_ut.cpp
Expand Up @@ -1441,6 +1441,18 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
UNIT_ASSERT(!result->Token->IsExist("something.write-bbbb4554@as"));

accessServiceMock.AllowedUserPermissions.insert("user1-something.connect");
runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
userToken,
{{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}},
{"something.read", "something.connect", "something.list", "something.update"})), 0);
result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
UNIT_ASSERT(result->Error.empty());
UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
UNIT_ASSERT(result->Token->IsExist("something.connect-bbbb4554@as"));
UNIT_ASSERT(!result->Token->IsExist("something.list-bbbb4554@as"));
UNIT_ASSERT(!result->Token->IsExist("something.update-bbbb4554@as"));

// Authorization ApiKey successful.
runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
"ApiKey ApiKey-value-valid",
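Review bot: The added test block has no heading comment, unlike the neighbouring cases (compare `// Authorization ApiKey successful.` just below it), so a reader cannot tell what the new case is meant to prove. Suggest prefixing it with `// Bulk authorization with several denied permissions: every denied permission must be reported, not only the first.` The assertions inspect only the resulting token, and the enclosing Y_UNIT_TEST body starts and ends outside the hunk, so whether `AllowedUserPermissions` is reset between cases cannot be confirmed from here; the inserted `user1-something.connect` entry persists for the later cases in this test unless something outside the hunk clears it.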
10 changes: 9 additions & 1 deletion ydb/library/testlib/service_mocks/access_service_mock.h
Expand Up @@ -229,6 +229,7 @@ class TTicketParserAccessServiceMockV2 : public yandex::cloud::priv::accessservi
TString token = request->has_iam_token() ? request->iam_token() : request->api_key();
if (request->has_actions()) {
const auto& actions = request->actions();
bool wasFoundFirstAccessDenied = false;
for (const auto& action : actions.items()) {
if (UnavailableUserPermissions.count(token + '-' + action.permission()) > 0) {
return grpc::Status(grpc::StatusCode::UNAVAILABLE, "Service Unavailable");
Expand All @@ -251,7 +252,14 @@ class TTicketParserAccessServiceMockV2 : public yandex::cloud::priv::accessservi
response->mutable_subject()->mutable_service_account()->set_id(token);
response->mutable_subject()->mutable_service_account()->set_folder_id(AllowedServicePermissions[token + '-' + action.permission()]);
} else {
SetAccessDenied(response->mutable_results(), action);
if (request->result_filter() == yandex::cloud::priv::accessservice::v2::BulkAuthorizeRequest::ALL_FAILED) {
SetAccessDenied(response->mutable_results(), action);
} else {
if (!wasFoundFirstAccessDenied) {
SetAccessDenied(response->mutable_results(), action);
wasFoundFirstAccessDenied = true;
}
}
}
} else {
SetAccessDenied(response->mutable_results(), action);
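Review bot: The result-filter logic is applied only in the denial branch guarded by `if (request->result_filter() == ...ALL_FAILED)`; the other denial branch a few lines below (`} else { SetAccessDenied(response->mutable_results(), action);`) still records every denial regardless of the filter and never sets `wasFoundFirstAccessDenied`, so a request without ALL_FAILED can still receive several denied results from the mock. Unless the collapsed outer condition between the two hunks makes that branch unreachable for multi-action requests, the same check belongs there too, most simply as a small local helper that consults the filter and the flag before calling `SetAccessDenied` and is used by both branches. As a style point, the nested `else { if (!wasFoundFirstAccessDenied) { ... } }` reads more simply as `} else if (!wasFoundFirstAccessDenied) {`. The enclosing method starts above the first hunk and ends past the second.
```cpp
// … unchanged: token / actions setup …
bool wasFoundFirstAccessDenied = false;
// Records a denial honouring the request's result filter: with ALL_FAILED every
// denied action is reported, otherwise only the first one.
auto denyAction = [&](const auto& action) {
    if (request->result_filter() == yandex::cloud::priv::accessservice::v2::BulkAuthorizeRequest::ALL_FAILED
        || !wasFoundFirstAccessDenied) {
        SetAccessDenied(response->mutable_results(), action);
        wasFoundFirstAccessDenied = true;
    }
};
// … unchanged: per-action loop; both denial branches call denyAction(action) …
```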
