[#1089] ape: Provide request actor as an additional target

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
2024-04-11 13:51:39 +03:00 · 2024-04-11 13:51:39 +03:00 · 50ec4febcc
parent 59d7a6940d
commit 50ec4febcc
6 changed files with 35 additions and 19 deletions
--- a/go.mod
+++ b/go.mod
@ -9,7 +9,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1
-	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240410114823-1f190e1668ec
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
 	github.com/cheggaaa/pb v1.0.29
--- a/go.sum
+++ b/go.sum
@ -12,8 +12,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b/go.mod h1:XcgrbZ88XfvhAMxmZCQJ0dv6FyRSq6Mg2J7nN8uuO0k=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240410114823-1f190e1668ec h1:OG8tBs5CN2HKp10sAWdtiFaX8qSGFyLGWfQmf4FQ6bE=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240410114823-1f190e1668ec/go.mod h1:H/AW85RtYxVTbcgwHW76DqXeKlsiCIOeNXHPqyDBrfQ=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a h1:wbndKvHbwDQiSMQWL75RxiTZCeUyCi7NUj1lsfdAGkc=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a/go.mod h1:H/AW85RtYxVTbcgwHW76DqXeKlsiCIOeNXHPqyDBrfQ=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=
--- a/pkg/services/container/ape.go
+++ b/pkg/services/container/ape.go
@ -157,9 +157,12 @@ func (ac *apeChecker) List(ctx context.Context, req *container.ListRequest) (*co
 		reqProps,
 	)

-	s, found, err := ac.router.IsAllowed(apechain.Ingress,
-		policyengine.NewRequestTargetWithNamespace(namespace),
-		request)
+	rt := policyengine.NewRequestTargetWithNamespace(namespace)
+	rt.User = &policyengine.Target{
+		Type: policyengine.User,
+		Name: fmt.Sprintf("%s:%s", namespace, pk.Address()),
+	}
+	s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request)
 	if err != nil {
 		return nil, err
 	}
@ -202,9 +205,12 @@ func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*cont
 		reqProps,
 	)

-	s, found, err := ac.router.IsAllowed(apechain.Ingress,
-		policyengine.NewRequestTargetWithNamespace(namespace),
-		request)
+	rt := policyengine.NewRequestTargetWithNamespace(namespace)
+	rt.User = &policyengine.Target{
+		Type: policyengine.User,
+		Name: fmt.Sprintf("%s:%s", namespace, pk.Address()),
+	}
+	s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request)
 	if err != nil {
 		return nil, err
 	}
@ -277,7 +283,7 @@ func (ac *apeChecker) validateContainerBoundedOperation(containerID *refs.Contai
 		return err
 	}

-	reqProps, err := ac.getRequestProps(mh, vh, cont, id)
+	reqProps, pk, err := ac.getRequestProps(mh, vh, cont, id)
 	if err != nil {
 		return err
 	}
@ -298,7 +304,7 @@ func (ac *apeChecker) validateContainerBoundedOperation(containerID *refs.Contai
 	)

 	s, found, err := ac.router.IsAllowed(apechain.Ingress,
-		policyengine.NewRequestTarget(namespace, id.EncodeToString()),
+		policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), nil),
 		request)
 	if err != nil {
 		return err
@ -350,19 +356,19 @@ func (ac *apeChecker) getContainerProps(c *containercore.Container) map[string]s

 func (ac *apeChecker) getRequestProps(mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader,
 	cont *containercore.Container, cnrID cid.ID,
-) (map[string]string, error) {
+) (map[string]string, *keys.PublicKey, error) {
 	actor, pk, err := ac.getActorAndPublicKey(mh, vh, cnrID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	role, err := ac.getRole(actor, pk, cont, cnrID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	return map[string]string{
 		nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(pk.Bytes()),
 		nativeschema.PropertyKeyActorRole:      role,
-	}, nil
+	}, pk, nil
 }

 func (ac *apeChecker) getRole(actor *user.ID, pk *keys.PublicKey, cont *containercore.Container, cnrID cid.ID) (string, error) {
--- a/pkg/services/object/ape/checker.go
+++ b/pkg/services/object/ape/checker.go
@ -12,6 +12,7 @@ import (
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )

 type checkerImpl struct {
@ -84,8 +85,13 @@ func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
 		return fmt.Errorf("failed to create ape request: %w", err)
 	}

-	status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress,
-		policyengine.NewRequestTarget(prm.Namespace, prm.Container.EncodeToString()), r)
+	pub, err := keys.NewPublicKeyFromString(prm.SenderKey)
+	if err != nil {
+		return err
+	}
+
+	rt := policyengine.NewRequestTargetExtended(prm.Namespace, prm.Container.EncodeToString(), fmt.Sprintf("%s:%s", prm.Namespace, pub.Address()), nil)
+	status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, rt, r)
 	if err != nil {
 		return err
 	}
--- a/pkg/services/object/ape/checker_test.go
+++ b/pkg/services/object/ape/checker_test.go
@ -16,6 +16,7 @@ import (
 	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/stretchr/testify/require"
 )

@ -147,7 +148,9 @@ var (

 	role = "Container"

-	senderKey = hex.EncodeToString([]byte{1, 0, 0, 1})
+	senderPrivateKey, _ = keys.NewPrivateKey()
+
+	senderKey = hex.EncodeToString(senderPrivateKey.PublicKey().Bytes())
 )

 func TestAPECheck(t *testing.T) {
--- a/pkg/services/tree/ape.go
+++ b/pkg/services/tree/ape.go
@ -51,7 +51,8 @@ func (s *Service) checkAPE(container *core.Container, cid cid.ID, operation acl.
 		reqProps,
 	)

-	status, found, err := s.router.IsAllowed(apechain.Ingress, engine.NewRequestTarget(namespace, cid.EncodeToString()), request)
+	rt := engine.NewRequestTargetExtended(namespace, cid.EncodeToString(), fmt.Sprintf("%s:%s", namespace, publicKey.Address()), nil)
+	status, found, err := s.router.IsAllowed(apechain.Ingress, rt, request)
 	if err != nil {
 		return apeErr(err)
 	}