package ape import ( "context" "errors" "fmt" objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container" frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" ) type checkerImpl struct { chainRouter policyengine.ChainRouter headerProvider HeaderProvider frostFSIDClient frostfsidcore.SubjectProvider nm netmap.Source cnrSource container.Source nodePK []byte } func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider, frostFSIDClient frostfsidcore.SubjectProvider, nm netmap.Source, cnrSource container.Source, nodePK []byte) Checker { return &checkerImpl{ chainRouter: chainRouter, headerProvider: headerProvider, frostFSIDClient: frostFSIDClient, nm: nm, cnrSource: cnrSource, nodePK: nodePK, } } type Prm struct { Namespace string Container cid.ID // Object ID is omitted for some methods. Object *oid.ID // If Header is set, then object attributes and properties will be parsed from // a request/response's header. Header *objectV2.Header // Method must be represented only as a constant represented in native schema. Method string // Role must be representedonly as a constant represented in native schema. Role string // An encoded sender's public key string. SenderKey string // An encoded container's owner user ID. ContainerOwner user.ID // If SoftAPECheck is set to true, then NoRuleFound is interpreted as allow. SoftAPECheck bool // If true, object headers will not retrieved from storage engine. WithoutHeaderRequest bool } var errMissingOID = errors.New("object ID is not set") // CheckAPE checks if a request or a response is permitted creating an ape request and passing // it to chain router. func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error { // APE check is ignored for some inter-node requests. if prm.Role == nativeschema.PropertyValueContainerRoleContainer { return nil } else if prm.Role == nativeschema.PropertyValueContainerRoleIR { switch prm.Method { case nativeschema.MethodGetObject, nativeschema.MethodHeadObject, nativeschema.MethodSearchObject, nativeschema.MethodRangeObject, nativeschema.MethodHashObject: return nil default: } } r, err := c.newAPERequest(ctx, prm) if err != nil { return fmt.Errorf("failed to create ape request: %w", err) } pub, err := keys.NewPublicKeyFromString(prm.SenderKey) if err != nil { return err } rt := policyengine.NewRequestTargetExtended(prm.Namespace, prm.Container.EncodeToString(), fmt.Sprintf("%s:%s", prm.Namespace, pub.Address()), nil) status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, rt, r) if err != nil { return err } if !ruleFound && prm.SoftAPECheck || status == apechain.Allow { return nil } return fmt.Errorf("method %s: %s", prm.Method, status) }