[#989] util: Introduce any and all statements for ape rule parsing

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Airat Arifullin 2024-02-16 13:13:54 +03:00
parent 455ace870f
commit a5713ebda9
2 changed files with 22 additions and 0 deletions


@ -30,6 +30,9 @@ Actions is a regular operations upon FrostFS containers/objects. Like `Object.Pu
In status section it is possible to use `allow`, `deny` or `deny:QuotaLimitReached` actions. In status section it is possible to use `allow`, `deny` or `deny:QuotaLimitReached` actions.
If a statement does not contain lexeme `any`, field `Any` is set to `false` by default. Otherwise, it is set
to `true`. Optionally, `all` can be used - it also sets `Any=false`.
It is prohibited to mix operation under FrostFS container and object in one rule. It is prohibited to mix operation under FrostFS container and object in one rule.
The same statement is equal for conditions and resources - one rule is for one type of items. The same statement is equal for conditions and resources - one rule is for one type of items.


@ -100,6 +100,8 @@ func ParseAPEChain(chain *apechain.Chain, rules []string) error {
// deny:QuotaLimitReached Object.Put * // deny:QuotaLimitReached Object.Put *
// allow Object.Put * // allow Object.Put *
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA * // allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
// allow Object.Get any Object.Resource:Department=HR Object.Request:Actor=ownerA *
// allow Object.Get all Object.Resource:Department=HR Object.Request:Actor=ownerA *
// //
//nolint:godot //nolint:godot
func ParseAPERule(r *apechain.Rule, rule string) error { func ParseAPERule(r *apechain.Rule, rule string) error {
@ -123,6 +125,12 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
var isObject *bool var isObject *bool
for i, lexeme := range lexemes[1:] { for i, lexeme := range lexemes[1:] {
anyExpr, anyErr := parseAnyAll(lexeme)
if anyErr == nil {
r.Any = anyExpr
continue
}
var name string var name string
var actionType bool var actionType bool
name, actionType, err = parseAction(lexeme) name, actionType, err = parseAction(lexeme)
@ -158,6 +166,17 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
return nil return nil
} }
func parseAnyAll(lexeme string) (bool, error) {
switch strings.ToLower(lexeme) {
case "any":
return true, nil
case "all":
return false, nil
default:
return false, fmt.Errorf("any/all is not parsed")
}
}
func parseStatus(lexeme string) (apechain.Status, error) { func parseStatus(lexeme string) (apechain.Status, error) {
action, expression, found := strings.Cut(lexeme, ":") action, expression, found := strings.Cut(lexeme, ":")
switch strings.ToLower(action) { switch strings.ToLower(action) {
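Review bot: The new `parseAnyAll` branch at the top of the loop in `parseRuleLexemes` accepts `any`/`all` at every position in `lexemes[1:]` and any number of times, so a rule containing both keywords parses without error and the last occurrence silently decides `r.Any`. For an access-policy rule that ambiguity is better rejected than resolved implicitly; a flag set on the first match would do it, e.g. `if anyAllSeen { return fmt.Errorf("any/all specified more than once") }` before assigning `r.Any`. Because the check runs before `parseAction` and `continue`s, any later lexeme spelled `any` or `all` in any letter case never reaches the remaining parsers; whether a resource or condition can legitimately be spelled that way is not visible here, since the rest of the loop body lies outside the hunk. A test covering a repeated and a conflicting keyword would pin the intended behaviour.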