TrueCloudLab/frostfs-node
21
1
Fork 27
Code Issues 104 Pull requests 4 Projects Releases 2 Activity Actions

[#989] util: Introduce any and all statements for ape rule parsing
All checks were successful
DCO action / DCO (pull_request) Successful in 2m13s
Details
Build / Build Components (1.20) (pull_request) Successful in 3m26s
Details
Vulncheck / Vulncheck (pull_request) Successful in 3m21s
Details
Build / Build Components (1.21) (pull_request) Successful in 4m6s
Details
Tests and linters / Staticcheck (pull_request) Successful in 4m35s
Details
Tests and linters / Lint (pull_request) Successful in 5m45s
Details
Tests and linters / Tests (1.20) (pull_request) Successful in 6m53s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 7m17s
Details
Tests and linters / Tests with -race (pull_request) Successful in 7m40s
Details

Browse source 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2024-02-16 13:13:54 +03:00
parent 8a4b219bc7
commit fa8b98fb64
2 changed files with 22 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
cmd/frostfs-cli/docs/policy.md
View file

@ -30,6 +30,9 @@ Actions is a regular operations upon FrostFS containers/objects. Like `Object.Pu
In status section it is possible to use `allow`, `deny` or `deny:QuotaLimitReached` actions. In status section it is possible to use `allow`, `deny` or `deny:QuotaLimitReached` actions.
If a statement does not contain lexeme `any`, field `Any` is set to `false` by default. Otherwise, it is set
to `true`. Optionally, `all` can be used - it also sets `Any=false`.
It is prohibited to mix operation under FrostFS container and object in one rule. It is prohibited to mix operation under FrostFS container and object in one rule.
The same statement is equal for conditions and resources - one rule is for one type of items. The same statement is equal for conditions and resources - one rule is for one type of items.

19
cmd/frostfs-cli/modules/util/ape.go
View file

@ -100,6 +100,8 @@ func ParseAPEChain(chain *apechain.Chain, rules []string) error {
// deny:QuotaLimitReached Object.Put * // deny:QuotaLimitReached Object.Put *
// allow Object.Put * // allow Object.Put *
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA * // allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
// allow Object.Get any Object.Resource:Department=HR Object.Request:Actor=ownerA *
// allow Object.Get all Object.Resource:Department=HR Object.Request:Actor=ownerA *
// //
//nolint:godot //nolint:godot
func ParseAPERule(r *apechain.Rule, rule string) error { func ParseAPERule(r *apechain.Rule, rule string) error {
@ -123,6 +125,12 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
var isObject *bool var isObject *bool
for i, lexeme := range lexemes[1:] { for i, lexeme := range lexemes[1:] {
anyExpr, anyErr := parseAnyAll(lexeme)
if anyErr == nil {
r.Any = anyExpr
continue
}
var name string var name string
var actionType bool var actionType bool
name, actionType, err = parseAction(lexeme) name, actionType, err = parseAction(lexeme)
@ -158,6 +166,17 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
return nil return nil
} }
func parseAnyAll(lexeme string) (bool, error) {
switch strings.ToLower(lexeme) {
case "any":
return true, nil
case "all":
return false, nil
default:
return false, fmt.Errorf("any/all is not parsed")
}
}
func parseStatus(lexeme string) (apechain.Status, error) { func parseStatus(lexeme string) (apechain.Status, error) {
action, expression, found := strings.Cut(lexeme, ":") action, expression, found := strings.Cut(lexeme, ":")
switch strings.ToLower(action) { switch strings.ToLower(action) {