frostfs-node/cmd/frostfs-cli/modules/control/add_rule.go

package control

import (
	"encoding/hex"
	"errors"

	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
	"github.com/spf13/cobra"
)

const (
	ruleFlag = "rule"
	pathFlag = "path"
)

var addRuleCmd = &cobra.Command{
	Use:   "add-rule",
	Short: "Add local override",
	Long:  "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
	Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *"
--rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*"
--rule "deny:QuotaLimitReached Object.Put ResourceCondition:Department=HR *"

control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json
`,
	Run: addRule,
}

func parseChain(cmd *cobra.Command) *apechain.Chain {
	chainID, _ := cmd.Flags().GetString(chainIDFlag)
	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)

	chainIDRaw := []byte(chainID)

	if hexEncoded {
		var err error
		chainIDRaw, err = hex.DecodeString(chainID)
		commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)
	}

	chain := new(apechain.Chain)
	chain.ID = apechain.ID(chainIDRaw)

	if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
		commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, rules))
	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", util.ParseAPEChainBinaryOrJSON(chain, encPath))
	} else {
		commonCmd.ExitOnErr(cmd, "parser error", errors.New("rule is not passed"))
	}

	cmd.Println("Parsed chain:")
	util.PrintHumanReadableAPEChain(cmd, chain)

	return chain
}

func addRule(cmd *cobra.Command, _ []string) {
	pk := key.Get(cmd)

	target := parseTarget(cmd)

	parsed := parseChain(cmd)

	req := &control.AddChainLocalOverrideRequest{
		Body: &control.AddChainLocalOverrideRequest_Body{
			Target: target,
			Chain:  parsed.Bytes(),
		},
	}

	signRequest(cmd, pk, req)

	cli := getClient(cmd, pk)

	var resp *control.AddChainLocalOverrideResponse
	var err error
	err = cli.ExecRaw(func(client *client.Client) error {
		resp, err = control.AddChainLocalOverride(client, req)
		return err
	})
	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)

	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
	cmd.Println("\nRule has been added.")
}

func initControlAddRuleCmd() {
	initControlFlags(addRuleCmd)

	ff := addRuleCmd.Flags()
	ff.StringArray(ruleFlag, []string{}, "Rule statement")
	ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")
	ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
	ff.String(targetNameFlag, "", targetNameDesc)
	ff.String(targetTypeFlag, "", targetTypeDesc)
	_ = addRuleCmd.MarkFlagRequired(targetTypeFlag)
	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")

	addRuleCmd.MarkFlagsMutuallyExclusive(pathFlag, ruleFlag)
}
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`package control`

			`import (`
[#885] cli: Support hex chain id in control API Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-12-21 12:55:09 +00:00			`"encoding/hex"`
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00			`"errors"`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00
			`"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"`
			`commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"`
[#811] ape: Update policy-engine module version and rebase Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-11-16 07:58:55 +00:00			`apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`"github.com/spf13/cobra"`
			`)`

			`const (`
			`ruleFlag = "rule"`
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00			`pathFlag = "path"`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`)`

			`var addRuleCmd = &cobra.Command{`
			`Use: "add-rule",`
			`Short: "Add local override",`
			`Long: "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",`
[#876] cli: Add support for `container` in local rules Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2024-01-25 17:25:23 +00:00			Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *"
			`--rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*"`
[#1124] cli: Improve APE rule parsing * Make APE rule parser to read condition's kind in unambiguous using lexemes `ResourceCondition`, `RequestCondition` instead confusing `Object.Request`, `Object.Resource`. * Fix unit-tests. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-05-14 09:23:26 +00:00			`--rule "deny:QuotaLimitReached Object.Put ResourceCondition:Department=HR *"`
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00
			`control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`,
			`Run: addRule,`
			`}`

[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00			`func parseChain(cmd cobra.Command) apechain.Chain {`
[#824] cli: Support passing chain ID in add-rule command Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-11-21 14:01:14 +00:00			`chainID, _ := cmd.Flags().GetString(chainIDFlag)`
[#885] cli: Support hex chain id in control API Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-12-21 12:55:09 +00:00			`hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)`

			`chainIDRaw := []byte(chainID)`

			`if hexEncoded {`
			`var err error`
			`chainIDRaw, err = hex.DecodeString(chainID)`
			`commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)`
			`}`
[#824] cli: Support passing chain ID in add-rule command Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-11-21 14:01:14 +00:00
[#811] ape: Update policy-engine module version and rebase Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-11-16 07:58:55 +00:00			`chain := new(apechain.Chain)`
[#885] cli: Support hex chain id in control API Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-12-21 12:55:09 +00:00			`chain.ID = apechain.ID(chainIDRaw)`
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00
			`if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {`
			`commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, rules))`
			`} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {`
			`commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", util.ParseAPEChainBinaryOrJSON(chain, encPath))`
			`} else {`
			`commonCmd.ExitOnErr(cmd, "parser error", errors.New("rule is not passed"))`
			`}`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00
[#876] cli: Add support for `container` in local rules Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2024-01-25 17:25:23 +00:00			`cmd.Println("Parsed chain:")`
			`util.PrintHumanReadableAPEChain(cmd, chain)`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00			`return chain`
			`}`

			`func addRule(cmd *cobra.Command, _ []string) {`
			`pk := key.Get(cmd)`

			`target := parseTarget(cmd)`

			`parsed := parseChain(cmd)`

[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`req := &control.AddChainLocalOverrideRequest{`
			`Body: &control.AddChainLocalOverrideRequest_Body{`
[#909] cli: Make add-rule and list-rules recieve namespace param Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-01-12 14:44:27 +00:00			`Target: target,`
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00			`Chain: parsed.Bytes(),`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`},`
			`}`

			`signRequest(cmd, pk, req)`

			`cli := getClient(cmd, pk)`

			`var resp *control.AddChainLocalOverrideResponse`
			`var err error`
			`err = cli.ExecRaw(func(client *client.Client) error {`
			`resp, err = control.AddChainLocalOverride(client, req)`
			`return err`
			`})`
			`commonCmd.ExitOnErr(cmd, "rpc error: %w", err)`

			`verifyResponse(cmd, resp.GetSignature(), resp.GetBody())`
[#876] cli: Add support for `container` in local rules Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2024-01-25 17:25:23 +00:00			`cmd.Println("\nRule has been added.")`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`}`

			`func initControlAddRuleCmd() {`
			`initControlFlags(addRuleCmd)`

			`ff := addRuleCmd.Flags()`
[#876] cli: Add support for `container` in local rules Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2024-01-25 17:25:23 +00:00			`ff.StringArray(ruleFlag, []string{}, "Rule statement")`
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00			`ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")`
[#824] cli: Support passing chain ID in add-rule command Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-11-21 14:01:14 +00:00			`ff.String(chainIDFlag, "", "Assign ID to the parsed chain")`
[#909] cli: Make add-rule and list-rules recieve namespace param Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-01-12 14:44:27 +00:00			`ff.String(targetNameFlag, "", targetNameDesc)`
			`ff.String(targetTypeFlag, "", targetTypeDesc)`
			`_ = addRuleCmd.MarkFlagRequired(targetTypeFlag)`
[#885] cli: Support hex chain id in control API Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-12-21 12:55:09 +00:00			`ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")`
[#989] cli: Read and parse chains from file * Introduce path flag to make add-rule command read and parse chain from file. File is binary/JSON-encoded chain. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2024-02-16 09:36:42 +00:00
			`addRuleCmd.MarkFlagsMutuallyExclusive(pathFlag, ruleFlag)`
[#770] cli: Add methods to work with APE rules via control svc * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-10-31 08:55:42 +00:00			`}`