ARSN-390: Add scuba arn for policy

Relates to SCUBA-76 and SCUBA-77
scality · Jan 26, 2024 · bfc8dee · bfc8dee
1 parent 29f39ab
commit bfc8dee
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/lib/policyEvaluator/RequestContext.ts b/lib/policyEvaluator/RequestContext.ts
@@ -36,6 +36,9 @@ function _findAction(service: string, method: string) {
             return actionMapSTS[method];
         case 'metadata':
             return actionMapMetadata[method];
+        case 'scuba':
+            // currently only method is GetMetrics
+            return `scuba:${method}`;
         default:
             return undefined;
     }
@@ -105,6 +108,10 @@ function _buildArn(
             return `arn:scality:metadata::${requesterInfo!.accountid}:` +
             `${generalResource}/`;
         }
+        case 'scuba': {
+            return `arn:scality:scuba::${requesterInfo!.accountid}:` +
+            `${generalResource}/${specificResource || ''}`
+        }
         default:
             return undefined;
     }

diff --git a/lib/policyEvaluator/utils/checkArnMatch.ts b/lib/policyEvaluator/utils/checkArnMatch.ts
@@ -38,9 +38,10 @@ export default function checkArnMatch(
         const requestSegment = caseSensitive ? requestArnArr[j] :
             requestArnArr[j].toLowerCase();
         const policyArnArr = policyArn.split(':');
-        // We want to allow an empty account ID for utapi service ARNs to not
+        // We want to allow an empty account ID for utapi and scuba service ARNs to not
         // break compatibility.
-        if (j === 4 && policyArnArr[2] === 'utapi' && policyArnArr[4] === '') {
+        const allowedEmptyAccountId = ['utapi', 'scuba'];
+        if (j === 4 && allowedEmptyAccountId.includes(policyArnArr[2]) && policyArnArr[4] === '') {
             continue;
         } else if (!segmentRegEx.test(requestSegment)) {
             return false;