Add result filter ALL_FAILED

Author: molotkov-and

ydb/core/security/ticket_parser_impl.h

@@ -409,6 +409,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             action->set_permission(permissionName);
             requestForPermissions << " " << permissionName;
         }
+        request->Request.set_result_filter(yandex::cloud::priv::accessservice::v2::BulkAuthorizeRequest::ALL_FAILED);
         BLOG_TRACE("Ticket " << record.GetMaskedTicket() << " asking for AccessServiceBulkAuthorization(" << requestForPermissions << ")");
         record.ResponsesLeft++;
         Send(AccessServiceValidatorV2, request.Release());

ydb/core/security/ticket_parser_ut.cpp

@@ -1441,6 +1441,18 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
         UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
         UNIT_ASSERT(!result->Token->IsExist("something.write-bbbb4554@as"));
 
+        accessServiceMock.AllowedUserPermissions.insert("user1-something.connect");
+        runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
+                                           userToken,
+                                           {{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}},
+                                           {"something.read", "something.connect", "something.list", "something.update"})), 0);
+        result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
+        UNIT_ASSERT(result->Error.empty());
+        UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
+        UNIT_ASSERT(result->Token->IsExist("something.connect-bbbb4554@as"));
+        UNIT_ASSERT(!result->Token->IsExist("something.list-bbbb4554@as"));
+        UNIT_ASSERT(!result->Token->IsExist("something.update-bbbb4554@as"));
+
         // Authorization ApiKey successful.
         runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
                                            "ApiKey ApiKey-value-valid",

ydb/library/testlib/service_mocks/access_service_mock.h

@@ -229,6 +229,7 @@ class TTicketParserAccessServiceMockV2 : public yandex::cloud::priv::accessservi
             TString token = request->has_iam_token() ? request->iam_token() : request->api_key();
             if (request->has_actions()) {
                 const auto& actions = request->actions();
+                bool wasFoundFirstAccessDenied = false;
                 for (const auto& action : actions.items()) {
                     if (UnavailableUserPermissions.count(token + '-' + action.permission()) > 0) {
                         return grpc::Status(grpc::StatusCode::UNAVAILABLE, "Service Unavailable");
@@ -251,7 +252,14 @@ class TTicketParserAccessServiceMockV2 : public yandex::cloud::priv::accessservi
                             response->mutable_subject()->mutable_service_account()->set_id(token);
                             response->mutable_subject()->mutable_service_account()->set_folder_id(AllowedServicePermissions[token + '-' + action.permission()]);
                         } else {
-                            SetAccessDenied(response->mutable_results(), action);
+                            if (request->result_filter() == yandex::cloud::priv::accessservice::v2::BulkAuthorizeRequest::ALL_FAILED) {
+                                SetAccessDenied(response->mutable_results(), action);
+                            } else {
+                                if (!wasFoundFirstAccessDenied) {
+                                    SetAccessDenied(response->mutable_results(), action);
+                                    wasFoundFirstAccessDenied = true;
+                                }
+                            }
                         }
                     } else {
                         SetAccessDenied(response->mutable_results(), action);