2022-06-09 16:08:11 +03:00
import base64
2021-09-10 15:44:40 +03:00
import json
2022-08-25 13:57:55 +03:00
import logging
2021-09-10 15:44:40 +03:00
import os
import uuid
2022-08-25 13:57:55 +03:00
from dataclasses import dataclass
from enum import Enum
from time import sleep
from typing import Any, Dict, List, Optional, Union
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
import allure
2021-09-10 15:44:40 +03:00
import base58
2022-08-25 13:57:55 +03:00
from cli import NeofsCli
2021-09-10 15:44:40 +03:00
from cli_helpers import _cmd_run
2022-08-01 13:15:02 +03:00
from data_formatters import get_wallet_public_key
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
logger = logging.getLogger('NeoLogger')
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
class EACLOperation(Enum):
PUT = 'put'
GET = 'get'
HEAD = 'head'
GET_RANGE = 'getrange'
GET_RANGE_HASH = 'getrangehash'
SEARCH = 'search'
DELETE = 'delete'
class EACLAccess(Enum):
ALLOW = 'allow'
DENY = 'deny'
class EACLRole(Enum):
OTHERS = 'others'
USER = 'user'
SYSTEM = 'system'
class EACLHeaderType(Enum):
REQUEST = 'req' # Filter request headers
OBJECT = 'obj' # Filter object headers
SERVICE = 'SERVICE' # Filter service headers. These are not processed by NeoFS nodes and exist for service use only
class EACLMatchType(Enum):
STRING_EQUAL = '=' # Return true if strings are equal
STRING_NOT_EQUAL = '!=' # Return true if strings are different
class EACLFilter:
header_type: EACLHeaderType = EACLHeaderType.REQUEST
match_type: EACLMatchType = EACLMatchType.STRING_EQUAL
key: Optional[str] = None
value: Optional[str] = None
def to_dict(self) -> Dict[str, Any]:
return {'headerType': self.header_type, 'matchType': self.match_type, 'key': self.key, 'value': self.value}
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
class EACLFilters:
filters: Optional[List[EACLFilter]] = None
2022-06-09 16:08:11 +03:00
2022-08-25 13:57:55 +03:00
def __str__(self):
return ','.join(
for filter in self.filters]
) if self.filters else []
2021-09-10 15:44:40 +03:00
2022-06-09 16:08:11 +03:00
2022-08-25 13:57:55 +03:00
class EACLPubKey:
keys: Optional[List[str]] = None
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
class EACLRule:
operation: Optional[EACLOperation] = None
access: Optional[EACLAccess] = None
role: Optional[Union[EACLRole, str]] = None
filters: Optional[EACLFilters] = None
def to_dict(self) -> Dict[str, Any]:
return {'Operation': self.operation, 'Access': self.access, 'Role': self.role,
'Filters': self.filters or []}
def __str__(self):
role = self.role.value if isinstance(self.role, EACLRole) else f'pubkey:{get_wallet_public_key(self.role, "")}'
return f'{self.access.value} {self.operation.value} {self.filters or ""} {role}'
@allure.title('Get extended ACL')
2022-08-01 13:15:02 +03:00
def get_eacl(wallet_path: str, cid: str) -> Optional[str]:
2022-08-25 13:57:55 +03:00
cli = NeofsCli(config=WALLET_CONFIG)
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
output = cli.container.get_eacl(wallet=wallet_path, rpc_endpoint=NEOFS_ENDPOINT, cid=cid)
2021-09-10 15:44:40 +03:00
except RuntimeError as exc:
logger.info("Extended ACL table is not set for this container")
logger.info(f"Got exception while getting eacl: {exc}")
return None
2022-08-25 13:57:55 +03:00
if 'extended ACL table is not set for this container' in output:
return None
return output
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
@allure.title('Set extended ACL')
2022-08-01 13:15:02 +03:00
def set_eacl(wallet_path: str, cid: str, eacl_table_path: str) -> None:
2022-08-25 13:57:55 +03:00
cli = NeofsCli(config=WALLET_CONFIG, timeout=60)
cli.container.set_eacl(wallet=wallet_path, rpc_endpoint=NEOFS_ENDPOINT, cid=cid, table=eacl_table_path,
2021-09-10 15:44:40 +03:00
def _encode_cid_for_eacl(cid: str) -> str:
cid_base58 = base58.b58decode(cid)
return base64.b64encode(cid_base58).decode("utf-8")
2022-06-09 16:08:11 +03:00
2022-08-25 13:57:55 +03:00
def create_eacl(cid: str, rules_list: List[EACLRule]) -> str:
2022-08-01 13:15:02 +03:00
table_file_path = f"{os.getcwd()}/{ASSETS_DIR}/eacl_table_{str(uuid.uuid4())}.json"
2022-08-25 13:57:55 +03:00
NeofsCli().acl.extended_create(cid=cid, out=table_file_path, rule=rules_list)
2022-02-17 12:52:48 +03:00
2022-08-01 13:15:02 +03:00
with open(table_file_path, 'r') as file:
table_data = file.read()
2022-08-03 15:20:29 +03:00
logger.info(f"Generated eACL:\n{table_data}")
2022-08-01 13:15:02 +03:00
return table_file_path
2022-02-17 12:52:48 +03:00
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
def form_bearertoken_file(wif: str, cid: str, eacl_rule_list: List[Union[EACLRule, EACLPubKey]]) -> str:
2021-09-10 15:44:40 +03:00
This function fetches eACL for given <cid> on behalf of <wif>,
2022-08-25 13:57:55 +03:00
then extends it with filters taken from <eacl_rules>, signs
2021-09-10 15:44:40 +03:00
with bearer token and writes to file
enc_cid = _encode_cid_for_eacl(cid)
file_path = f"{os.getcwd()}/{ASSETS_DIR}/{str(uuid.uuid4())}"
eacl = get_eacl(wif, cid)
json_eacl = dict()
if eacl:
2022-08-25 13:57:55 +03:00
eacl = eacl.replace('eACL: ', '').split('Signature')[0]
2021-09-10 15:44:40 +03:00
json_eacl = json.loads(eacl)
eacl_result = {
2022-06-09 16:08:11 +03:00
2021-09-10 15:44:40 +03:00
2022-06-09 16:08:11 +03:00
2021-09-10 15:44:40 +03:00
"value": enc_cid
2022-06-09 16:08:11 +03:00
"records": []
"nbf": "1",
"iat": "0"
2021-09-10 15:44:40 +03:00
2022-06-09 16:08:11 +03:00
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
assert eacl_rules, 'Got empty eacl_records list'
for rule in eacl_rule_list:
2021-09-10 15:44:40 +03:00
op_data = {
2022-08-25 13:57:55 +03:00
"operation": rule.operation.value.upper(),
"action": rule.access.value.upper(),
"filters": rule.filters or [],
2022-06-09 16:08:11 +03:00
"targets": []
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
if isinstance(rule.role, EACLRole):
2021-09-10 15:44:40 +03:00
op_data['targets'] = [
2022-06-09 16:08:11 +03:00
2022-08-25 13:57:55 +03:00
"role": rule.role.value.upper()
2022-06-09 16:08:11 +03:00
2022-08-25 13:57:55 +03:00
elif isinstance(rule.role, EACLPubKey):
2021-09-10 15:44:40 +03:00
op_data['targets'] = [
2022-06-09 16:08:11 +03:00
2022-08-25 13:57:55 +03:00
'keys': rule.role.keys
2022-06-09 16:08:11 +03:00
2021-09-10 15:44:40 +03:00
# Add records from current eACL
if "records" in json_eacl.keys():
for record in json_eacl["records"]:
with open(file_path, 'w', encoding='utf-8') as eacl_file:
json.dump(eacl_result, eacl_file, ensure_ascii=False, indent=4)
logger.info(f"Got these extended ACL records: {eacl_result}")
sign_bearer_token(wif, file_path)
return file_path
2022-08-01 13:15:02 +03:00
def eacl_rules(access: str, verbs: list, user: str) -> list[str]:
2022-07-18 13:19:05 +03:00
This function creates a list of eACL rules.
access (str): identifies if the following operation(s)
is allowed or denied
verbs (list): a list of operations to set rules for
user (str): a group of users (user/others) or a wallet of
a certain user for whom rules are set
(list): a list of eACL rules
if user not in ('others', 'user'):
2022-08-01 13:15:02 +03:00
pubkey = get_wallet_public_key(user, wallet_password="")
2022-07-22 10:04:26 +03:00
user = f"pubkey:{pubkey}"
2022-07-18 13:19:05 +03:00
rules = []
for verb in verbs:
2022-08-01 13:15:02 +03:00
rule = f"{access} {verb} {user}"
2022-07-18 13:19:05 +03:00
return rules
2022-08-01 13:15:02 +03:00
def sign_bearer_token(wallet_path: str, eacl_rules_file: str) -> None:
2021-09-10 15:44:40 +03:00
cmd = (
f'{NEOFS_CLI_EXEC} util sign bearer-token --from {eacl_rules_file} '
2022-07-18 13:19:05 +03:00
f'--to {eacl_rules_file} --wallet {wallet_path} --config {WALLET_CONFIG} --json'
2021-09-10 15:44:40 +03:00
2022-08-25 13:57:55 +03:00
@allure.title('Wait for eACL cache expired')
def wait_for_cache_expired():