From 5ec73fe8a0b6c3c2ab31b093a43c6fdfa7423773 Mon Sep 17 00:00:00 2001 From: Airat Arifullin Date: Mon, 30 Oct 2023 16:48:02 +0300 Subject: [PATCH] [#770] node: Introduce ape chain source * Provide methods to access rule chains with access policy engine (APE) chain source * Initialize apeChainSource within object service initialization * Share apeChainSource with control service * Implement dummy apeChainSource instance based on in-memory implementation Signed-off-by: Airat Arifullin --- cmd/frostfs-node/config.go | 5 +++++ cmd/frostfs-node/control.go | 1 + cmd/frostfs-node/object.go | 2 ++ cmd/frostfs-node/policy_engine.go | 28 +++++++++++++++++++++++++++ go.mod | 1 + go.sum | 2 ++ pkg/core/container/storage.go | 8 ++++++++ pkg/services/control/server/server.go | 10 ++++++++++ 8 files changed, 57 insertions(+) create mode 100644 cmd/frostfs-node/policy_engine.go
diff --git a/cmd/frostfs-node/config.go b/cmd/frostfs-node/config.go
index e3e56e5d..a41b73d9 100644
--- a/cmd/frostfs-node/config.go
+++ b/cmd/frostfs-node/config.go
@@ -510,6 +510,11 @@ type cfgObject struct { eaclSource container.EACLSource
+ // Access policy chain source is used by object service to
+ // check for operation permissions but this source is also shared with
+ // control service that dispatches local overrides.
+ apeChainSource container.AccessPolicyEngineChainSource
+
 pool cfgObjectRoutines cfgLocalStorage cfgLocalStorage
diff --git a/cmd/frostfs-node/control.go b/cmd/frostfs-node/control.go
index 98d893c3..30d64480 100644
--- a/cmd/frostfs-node/control.go
+++ b/cmd/frostfs-node/control.go
@@ -51,6 +51,7 @@ func initControlService(c *cfg) { controlSvc.WithTreeService(treeSynchronizer{ c.treeService, }),
+ controlSvc.WithAPEChainSource(c.cfgObject.apeChainSource),
 ) lis, err := net.Listen("tcp", endpoint)
diff --git a/cmd/frostfs-node/object.go b/cmd/frostfs-node/object.go
index 2f714b82..bbaec01e 100644
--- a/cmd/frostfs-node/object.go
+++ b/cmd/frostfs-node/object.go
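Review bot: The new comment on `apeChainSource` explains that the source is shared with the control service but not what that sharing requires of an implementation: the object service reads it while answering requests and the control service mutates it, presumably from its own listener goroutines, so every implementation has to be safe for concurrent use — and the in-memory one this patch adds in policy_engine.go is not. I'd make the requirement part of the field's contract rather than leave it implicit: `// Implementations must be safe for concurrent use: the object service reads it per request while the control service mutates it.` The `cfgObject` struct continues outside the hunk.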
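Review bot: `initControlService` reads `c.cfgObject.apeChainSource`, which this patch assigns inside `initObjectService` (object.go hunk), so if the two init functions run in the other order the control service is silently wired with a nil source; the call order is not visible here. Because the same handle is what the object service consults for permission checks (per the config.go comment), anything the control endpoint writes through it becomes effective authorization policy for this node, leaving the control service's own caller authentication as the only gate on policy mutation — worth recording at the call site: `// shares the object service's policy source: writes via control change access checks node-wide`. If the init order is not already pinned, a nil check before the options are assembled would fail fast instead of surfacing later as a nil dereference in a handler. `initControlService` continues outside the hunk.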
@@ -157,6 +157,8 @@ func initObjectService(c *cfg) { c.replicator = createReplicator(c, keyStorage, c.bgClientCache)
+ c.cfgObject.apeChainSource = NewAPESource()
+
 addPolicer(c, keyStorage, c.bgClientCache) traverseGen := util.NewTraverserGenerator(c.netMapSource, c.cfgObject.cnrSource, c)
diff --git a/cmd/frostfs-node/policy_engine.go b/cmd/frostfs-node/policy_engine.go
new file mode 100644
index 00000000..039124a6
--- /dev/null
+++ b/cmd/frostfs-node/policy_engine.go
@@ -0,0 +1,28 @@
+package main
+
+import (
+ "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+ cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+ policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+)
+
+type apeChainSourceImpl struct {
+ localChainStorage map[cid.ID]policyengine.CachedChainStorage
+}
+
+func NewAPESource() container.AccessPolicyEngineChainSource {
+ return &apeChainSourceImpl{
+ localChainStorage: make(map[cid.ID]policyengine.CachedChainStorage),
+ }
+}
+
+var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil)
+
+func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error) {
+ s, ok := c.localChainStorage[cid]
+ if ok {
+ return s, nil
+ }
+ c.localChainStorage[cid] = policyengine.NewInMemory()
+ return c.localChainStorage[cid], nil
+}
diff --git a/go.mod b/go.mod
index 37cb477b..4f6505e8 100644
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require ( git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d git.frostfs.info/TrueCloudLab/hrw v1.2.1
+ git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 github.com/cheggaaa/pb v1.0.29 github.com/chzyer/readline v1.5.1
diff --git a/go.sum b/go.sum
index 62fd85c8..05a870b8 100644
--- a/go.sum
+++ b/go.sum
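Review bot: `NewAPESource()` wires the in-memory dummy from policy_engine.go into the production object service with nothing at the assignment marking it as a placeholder, so overrides dispatched by the control service live only in process memory and are gone after a restart — the implementation is a plain map of `policyengine.NewInMemory()` storages with no persistence. A comment here keeps that from being forgotten once a real source is due: `// TODO: in-memory dummy source; local overrides are not persisted across restarts.` `initObjectService` continues outside the hunk.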
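Review bot: `GetChainSource` reads and writes `localChainStorage` with no synchronization, yet the same instance is handed to both the object service and the control service (config.go comment and control.go hunk in this patch), so concurrent calls are a data race and two concurrent misses will make the Go runtime abort the whole node with "concurrent map writes" — a crash reachable from ordinary request handling. The miss path also allocates a fresh `policyengine.NewInMemory()` for every container ID it has never seen and keeps it forever; if the object service calls this with the container ID taken from an incoming request, as the commit message suggests, memory grows with every distinct (possibly bogus) ID a client sends, so creating storage on read deserves a second look. I'd guard the map with a `sync.RWMutex` (needs `"sync"` in the import block) and return the local `s` instead of looking the key up twice; renaming the parameter from `cid`, which shadows the imported package inside the body, is a side benefit.
```go
type apeChainSourceImpl struct {
	mtx               sync.RWMutex
	localChainStorage map[cid.ID]policyengine.CachedChainStorage
}

// … unchanged: NewAPESource, interface assertion …

func (c *apeChainSourceImpl) GetChainSource(id cid.ID) (policyengine.CachedChainStorage, error) {
	c.mtx.RLock()
	s, ok := c.localChainStorage[id]
	c.mtx.RUnlock()
	if ok {
		return s, nil
	}

	c.mtx.Lock()
	defer c.mtx.Unlock()
	// Re-check: another caller may have created it between the two locks.
	if s, ok = c.localChainStorage[id]; ok {
		return s, nil
	}
	s = policyengine.NewInMemory()
	c.localChainStorage[id] = s
	return s, nil
}
```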
@@ -736,6 +736,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw= git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc= git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM= +git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432 h1:z0PqdiEIHXK2qC83e6pmxUZ5peP9CIL0Bh5mP/d+4Xc= +git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432/go.mod h1:qf3B9hSz6gCMfcfvqkhTu5ak+Gx2R+wo4Hc87LnKxPg= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc= git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=
diff --git a/pkg/core/container/storage.go b/pkg/core/container/storage.go
index 0766ced3..f48fc73a 100644
--- a/pkg/core/container/storage.go
+++ b/pkg/core/container/storage.go
@@ -6,6 +6,7 @@ import ( frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
+ policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
 ) // Container groups information about the FrostFS container stored in the FrostFS network.
@@ -70,3 +71,10 @@ type EACLSource interface { // eACL table is not in source. GetEACL(cid.ID) (*EACL, error) }
+
+// AccessPolicyEngineChainSource interface provides methods to access and manipulate
+// policy engine chain storage.
+type AccessPolicyEngineChainSource interface {
+ // TODO (aarifullin): Better to use simpler interface instead CachedChainStorage.
+ GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error)
+}
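Review bot: The doc comment on `AccessPolicyEngineChainSource` promises "access and manipulate" while its only method fetches a storage, and it omits the two things a caller actually needs to know: whether `GetChainSource` may return an error for a container that has no chains (the in-memory implementation in this patch never does — it returns an empty storage) and whether implementations must be safe for concurrent use, which they must, since config.go's comment says the object service reads the source while the control service mutates it. I'd state both on the method rather than leave them to the dummy: `// GetChainSource returns the chain storage for the given container. Implementations must be safe for concurrent use by the object and control services; if that is the intended contract, an unknown container yields an empty storage and a non-nil error means the storage itself failed.` The parameter `cid cid.ID` also shadows the package name in the signature and reads awkwardly; `id cid.ID` avoids it.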
diff --git a/pkg/services/control/server/server.go b/pkg/services/control/server/server.go
index a0ad44e2..ae024a82 100644
--- a/pkg/services/control/server/server.go
+++ b/pkg/services/control/server/server.go
@@ -59,6 +59,8 @@ type cfg struct { cnrSrc container.Source
+ apeChainSrc container.AccessPolicyEngineChainSource
+
 replicator *replicator.Replicator nodeState NodeState
@@ -151,3 +153,11 @@ func WithTreeService(s TreeService) Option { c.treeService = s } }
+
+// WithAPEChainSource returns the option to set access policy engine
+// chain source.
+func WithAPEChainSource(apeChainSrc container.AccessPolicyEngineChainSource) Option {
+ return func(c *cfg) {
+ c.apeChainSrc = apeChainSrc
+ }
+}
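Review bot: The doc comment on `WithAPEChainSource` says what the option sets but not what it means for the server: config.go's comment describes this source as the one the object service consults for permission checks, so a control handler that writes through `c.apeChainSrc` changes authorization for the whole node, and that is worth saying where the dependency enters the control service: `// The source is shared with the object service: chains written through it take effect for subsequent object-service access checks.` Nothing in either hunk uses `apeChainSrc` yet, so the server cannot tell an unset source from a nil one; the handlers added later should check for nil (or the option should reject it) rather than dereference the field.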