From e6087d5fbe95b67c73f17293e1d32afcea5e4335 Mon Sep 17 00:00:00 2001
From: Andrei Molotkov
Date: Mon, 15 Jan 2024 10:50:57 +0000
Subject: [PATCH] Add result filter ALL_FAILED
---
 ydb/core/security/ticket_parser_impl.h | 1 +
 ydb/core/security/ticket_parser_ut.cpp | 12 ++++++++++++
 .../testlib/service_mocks/access_service_mock.h | 10 +++++++++-
 3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
index 8e219e7ccb2f..18aa1aa0dbf7 100644
--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -409,6 +409,7 @@ class TTicketParserImpl : public TActorBootstrapped {
 action->set_permission(permissionName);
 requestForPermissions << " " << permissionName;
 }
+ request->Request.set_result_filter(yandex::cloud::priv::accessservice::v2::BulkAuthorizeRequest::ALL_FAILED);
 BLOG_TRACE("Ticket " << record.GetMaskedTicket() << " asking for AccessServiceBulkAuthorization(" << requestForPermissions << ")");
 record.ResponsesLeft++;
 Send(AccessServiceValidatorV2, request.Release());
diff --git a/ydb/core/security/ticket_parser_ut.cpp b/ydb/core/security/ticket_parser_ut.cpp
index 1e4383d55a66..57e87fd9e1b6 100644
--- a/ydb/core/security/ticket_parser_ut.cpp
+++ b/ydb/core/security/ticket_parser_ut.cpp
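Review bot: The new `set_result_filter(...ALL_FAILED)` line carries no comment on why the parser must override the service's default, so a later reader cannot tell that the default reports only the first denied permission (which is how the mock in access_service_mock.h models it in this same patch). Suggest adding above it `// ALL_FAILED: ask the service to report every denied permission, not only the first one, so each requested permission gets its own result.` It is not visible here how the parser treats a requested permission that appears in neither the allowed nor the denied results; if such a permission were treated as granted, a backend that ignores result_filter would silently widen access, so it is worth confirming that an absent result is handled as a denial. The enclosing function starts and ends outside this hunk.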
@@ -1441,6 +1441,18 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
 UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
 UNIT_ASSERT(!result->Token->IsExist("something.write-bbbb4554@as"));
+ accessServiceMock.AllowedUserPermissions.insert("user1-something.connect");
+ runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
+ userToken,
+ {{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}},
+ {"something.read", "something.connect", "something.list", "something.update"})), 0);
+ result = runtime->GrabEdgeEvent(handle);
+ UNIT_ASSERT(result->Error.empty());
+ UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
+ UNIT_ASSERT(result->Token->IsExist("something.connect-bbbb4554@as"));
+ UNIT_ASSERT(!result->Token->IsExist("something.list-bbbb4554@as"));
+ UNIT_ASSERT(!result->Token->IsExist("something.update-bbbb4554@as"));
+ // Authorization ApiKey successful.
 runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
 "ApiKey ApiKey-value-valid",
diff --git a/ydb/library/testlib/service_mocks/access_service_mock.h b/ydb/library/testlib/service_mocks/access_service_mock.h
index 1aaf93f42631..5d6f421472ee 100644
--- a/ydb/library/testlib/service_mocks/access_service_mock.h
+++ b/ydb/library/testlib/service_mocks/access_service_mock.h
@@ -229,6 +229,7 @@ class TTicketParserAccessServiceMockV2 : public yandex::cloud::priv::accessservi
 TString token = request->has_iam_token() ? request->iam_token() : request->api_key();
 if (request->has_actions()) {
 const auto& actions = request->actions();
+ bool wasFoundFirstAccessDenied = false;
 for (const auto& action : actions.items()) {
 if (UnavailableUserPermissions.count(token + '-' + action.permission()) > 0) {
 return grpc::Status(grpc::StatusCode::UNAVAILABLE, "Service Unavailable");
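Review bot: The new test case does not pin the request-side change directly: its assertions on `something.list` and `something.update` cannot distinguish an explicit denial returned by the mock from a permission that is simply absent from the response, so whether this test would fail if the `set_result_filter` call in ticket_parser_impl.h were dropped depends on how the parser handles a missing result, which is not visible here. Consider having the mock record the `result_filter` it received (for example a last-seen member set in the handler) and asserting on it after `GrabEdgeEvent`, so the ALL_FAILED request is verified rather than inferred from the token contents. The test also leaves the mock's first-denial-only branch unexercised; a second request with a different filter, if the parser ever sends one, would cover it. The enclosing Y_UNIT_TEST body starts and ends outside this hunk.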
@@ -251,7 +252,14 @@ class TTicketParserAccessServiceMockV2 : public yandex::cloud::priv::accessservi
 response->mutable_subject()->mutable_service_account()->set_id(token);
 response->mutable_subject()->mutable_service_account()->set_folder_id(AllowedServicePermissions[token + '-' + action.permission()]);
 } else {
- SetAccessDenied(response->mutable_results(), action);
+ if (request->result_filter() == yandex::cloud::priv::accessservice::v2::BulkAuthorizeRequest::ALL_FAILED) {
+ SetAccessDenied(response->mutable_results(), action);
+ } else {
+ if (!wasFoundFirstAccessDenied) {
+ SetAccessDenied(response->mutable_results(), action);
+ wasFoundFirstAccessDenied = true;
+ }
+ }
 }
 } else {
 SetAccessDenied(response->mutable_results(), action);
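Review bot: The non-ALL_FAILED branch wraps a single `if` in a bare `else`, adding a nesting level that carries no logic; `} else if (!wasFoundFirstAccessDenied) {` with the corresponding closing brace removed reads as the two-way choice it is. The mock also treats every `result_filter` value other than ALL_FAILED as "report only the first denial"; if the proto defines further filter values, a comment such as `// any filter other than ALL_FAILED is modelled as: report only the first denied permission` on the `else` would make that simplification explicit for test authors. `wasFoundFirstAccessDenied` is declared in the previous hunk of this file, and the enclosing handler starts and ends outside this hunk.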