issue-944: fix empty permissions (#1111)

* issue-944: fix empty permissions * removed obsolete test
ydb-platform · May 3, 2024 · 51f3657 · 51f3657
1 parent 7f694e3
commit 51f3657
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 63 deletions.
diff --git a/cloud/filestore/libs/service/auth_scheme.cpp b/cloud/filestore/libs/service/auth_scheme.cpp
@@ -19,33 +19,35 @@ TPermissionList GetRequestPermissions(EFileStoreRequest requestType)
         case EFileStoreRequest::SubscribeSession:
         case EFileStoreRequest::GetSessionEvents:
         case EFileStoreRequest::GetSessionEventsStream:
+            return CreatePermissionList({EPermission::Update});
         case EFileStoreRequest::ResolvePath:
+        case EFileStoreRequest::ListNodes:
+        case EFileStoreRequest::GetNodeAttr:
+        case EFileStoreRequest::GetNodeXAttr:
+        case EFileStoreRequest::ListNodeXAttr:
+        case EFileStoreRequest::ReadData:
+        case EFileStoreRequest::TestLock:
+        case EFileStoreRequest::DescribeData:
+        case EFileStoreRequest::ReadBlob:
+            return CreatePermissionList({EPermission::Read});
         case EFileStoreRequest::CreateNode:
         case EFileStoreRequest::UnlinkNode:
         case EFileStoreRequest::RenameNode:
         case EFileStoreRequest::AccessNode:
         case EFileStoreRequest::ReadLink:
-        case EFileStoreRequest::ListNodes:
         case EFileStoreRequest::SetNodeAttr:
-        case EFileStoreRequest::GetNodeAttr:
         case EFileStoreRequest::SetNodeXAttr:
-        case EFileStoreRequest::GetNodeXAttr:
-        case EFileStoreRequest::ListNodeXAttr:
         case EFileStoreRequest::RemoveNodeXAttr:
         case EFileStoreRequest::CreateHandle:
         case EFileStoreRequest::DestroyHandle:
-        case EFileStoreRequest::ReadData:
         case EFileStoreRequest::WriteData:
         case EFileStoreRequest::AllocateData:
         case EFileStoreRequest::AcquireLock:
         case EFileStoreRequest::ReleaseLock:
-        case EFileStoreRequest::TestLock:
-        case EFileStoreRequest::DescribeData:
         case EFileStoreRequest::GenerateBlobIds:
-        case EFileStoreRequest::ReadBlob:
         case EFileStoreRequest::WriteBlob:
         case EFileStoreRequest::AddData:
-            return CreatePermissionList({});
+            return CreatePermissionList({EPermission::Write});
 
         case EFileStoreRequest::AddClusterNode:
         case EFileStoreRequest::AddClusterClients:

diff --git a/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp b/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp
@@ -171,60 +171,6 @@ Y_UNIT_TEST_SUITE(TKikimrAuthProviderTest)
         }
     }
 
-    Y_UNIT_TEST(DoNotCheckPermissionForRead)
-    {
-        int readHandlerCount = 0;
-        auto testService = std::make_shared<TFileStoreTest>();
-        testService->ReadDataHandler =
-            [&] (TCallContextPtr callContext,
-                std::shared_ptr<NProto::TReadDataRequest> request)
-            {
-                Y_UNUSED(callContext);
-                Y_UNUSED(request);
-                ++readHandlerCount;
-                return MakeFuture<NProto::TReadDataResponse>();
-            };
-
-        const TString authToken = "TEST_AUTH_TOKEN";
-
-        bool authorizeResult = false;
-        int authorizeHandlerCount = 0;
-        auto authorizerActor = std::make_unique<TTestAuthorizerActor>();
-        authorizerActor->AuthorizeHandler =
-            [&] (const TEvAuth::TEvAuthorizationRequest::TPtr& ev) {
-                ++authorizeHandlerCount;
-                UNIT_ASSERT_EQUAL(ev->Get()->Token, authToken);
-                UNIT_ASSERT(ev->Get()->Permissions.Empty());
-                return std::make_unique<bool>(authorizeResult);
-            };
-
-        auto actorSystem = MakeIntrusive<TTestActorSystem>();
-        actorSystem->RegisterTestAuthorizer(std::move(authorizerActor));
-
-        auto service = CreateAuthService(
-            testService,
-            CreateKikimrAuthProvider(actorSystem));
-
-        auto request = std::make_shared<NProto::TReadDataRequest>();
-        request->MutableHeaders()->MutableInternal()->
-            SetRequestSource(NProto::SOURCE_SECURE_CONTROL_CHANNEL);
-        request->MutableHeaders()->MutableInternal()->
-            SetAuthToken(authToken);
-
-        auto callContext = MakeIntrusive<TCallContext>();
-        callContext->RequestType = EFileStoreRequest::ReadData;
-        auto future = service->ReadData(
-            std::move(callContext),
-            std::move(request));
-
-        actorSystem->DispatchEvents(TDuration::Seconds(0));
-
-        const auto& response = future.GetValue(TDuration::Seconds(0));
-        UNIT_ASSERT(!HasError(response));
-        UNIT_ASSERT_EQUAL(readHandlerCount, 1);
-        UNIT_ASSERT_EQUAL(authorizeHandlerCount, 0);
-    }
-
     Y_UNIT_TEST(ShouldHandleRequestTimeout)
     {
         auto authorizerActor = std::make_unique<TTestAuthorizerActor>();