e883fa35f1 [#1503] container: Fix APE-request target
* Request target shouldn't contain a container target, as container
  operations can't be checked with container-targeted rules.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-11-19 12:39:20 +03:00
2 changed files with 67 additions and 60 deletions


@ -327,9 +327,15 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
reqProps, reqProps,
) )
s, found, err := ac.router.IsAllowed(apechain.Ingress, rt := policyengine.NewRequestTargetWithNamespace(namespace)
policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups), userTarget := policyengine.UserTarget(fmt.Sprintf("%s:%s", namespace, pk.Address()))
request) rt.User = &userTarget
rt.Groups = make([]policyengine.Target, len(groups))
for i := range groups {
rt.Groups[i] = policyengine.GroupTarget(groups[i])
}
s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request)
if err != nil { if err != nil {
return err return err
} }
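Review bot: The request target built at the `rt :=` line omits the container target on purpose, but nothing in the code records that decision, so a later reader comparing this path with other APE checks may reintroduce it. Add above that line: `// Intentionally no container target: container operations are evaluated only against namespace-, user- and group-targeted chains (#1503).` Because container-targeted chains that were previously consulted for these operations no longer apply, the same sentence belongs in the release notes so operators can re-check deployed rule chains. If `id` is no longer used after this change beyond the request properties, that may be worth confirming, though its other uses are outside the hunk. validateContainerBoundedOperation begins before the hunk and continues after it.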


@ -102,7 +102,7 @@ func testAllowThenDenyGetContainerRuleDefined(t *testing.T) {
nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch] = &testNetmap
nm.netmaps[nm.currentEpoch-1] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap
addDefaultAllowGetPolicy(t, router, contID) addDefaultAllowGetPolicy(t, router)
req := &container.GetRequest{} req := &container.GetRequest{}
req.SetBody(&container.GetRequestBody{}) req.SetBody(&container.GetRequestBody{})
@ -117,7 +117,7 @@ func testAllowThenDenyGetContainerRuleDefined(t *testing.T) {
_, err = apeSrv.Get(context.Background(), req) _, err = apeSrv.Get(context.Background(), req)
require.NoError(t, err) require.NoError(t, err)
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -324,7 +324,7 @@ func testDenyGetContainerForOthers(t *testing.T) {
nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch] = &testNetmap
nm.netmaps[nm.currentEpoch-1] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap
_, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -424,7 +424,7 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch] = &testNetmap
nm.netmaps[nm.currentEpoch-1] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -522,7 +522,7 @@ func testDenyGetContainerByIP(t *testing.T) {
nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch] = &testNetmap
nm.netmaps[nm.currentEpoch-1] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -621,7 +621,7 @@ func testDenyGetContainerByGroupID(t *testing.T) {
nm.netmaps[nm.currentEpoch] = &testNetmap nm.netmaps[nm.currentEpoch] = &testNetmap
nm.netmaps[nm.currentEpoch-1] = &testNetmap nm.netmaps[nm.currentEpoch-1] = &testNetmap
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -1213,7 +1213,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
components.containerReader.c[contID] = &containercore.Container{Value: testContainer} components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
initTestNetmap(components.netmap) initTestNetmap(components.netmap)
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -1255,7 +1255,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
components.containerReader.c[contID] = &containercore.Container{Value: testContainer} components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
initTestNetmap(components.netmap) initTestNetmap(components.netmap)
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -1282,7 +1282,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
addDefaultAllowGetPolicy(t, components.engine, contID) addDefaultAllowGetPolicy(t, components.engine)
req := initTestGetContainerRequest(t, contID) req := initTestGetContainerRequest(t, contID)
@ -1325,7 +1325,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
addDefaultAllowGetPolicy(t, components.engine, contID) addDefaultAllowGetPolicy(t, components.engine)
req := initTestGetContainerRequest(t, contID) req := initTestGetContainerRequest(t, contID)
@ -1341,50 +1341,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
components.containerReader.c[contID] = &containercore.Container{Value: testContainer} components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
initTestNetmap(components.netmap) initTestNetmap(components.netmap)
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(testDomainName), &chain.Chain{
Rules: []chain.Rule{
{
Status: chain.AccessDenied,
Actions: chain.Actions{
Names: []string{
nativeschema.MethodGetContainer,
},
},
Resources: chain.Resources{
Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatRootContainer, contID.EncodeToString()),
},
},
Condition: []chain.Condition{
{
Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals,
},
},
},
},
})
require.NoError(t, err)
addDefaultAllowGetPolicy(t, components.engine, contID)
req := initTestGetContainerRequest(t, contID)
err = components.apeChecker.validateContainerBoundedOperation(ctxWithPeerInfo(), req.GetBody().GetContainerID(), req.GetMetaHeader(), req.GetVerificationHeader(), nativeschema.MethodGetContainer)
require.NoError(t, err)
})
t.Run("check testdomain-defined container in testdomain-defined container target rule", func(t *testing.T) {
t.Parallel()
components := newTestAPEServer()
contID, testContainer := initTestContainer(t, true)
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
initTestNetmap(components.netmap)
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.AccessDenied, Status: chain.AccessDenied,
@ -1411,7 +1368,51 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
addDefaultAllowGetPolicy(t, components.engine, contID) addDefaultAllowGetPolicy(t, components.engine)
req := initTestGetContainerRequest(t, contID)
err = components.apeChecker.validateContainerBoundedOperation(ctxWithPeerInfo(), req.GetBody().GetContainerID(), req.GetMetaHeader(), req.GetVerificationHeader(), nativeschema.MethodGetContainer)
aErr := apeErr(nativeschema.MethodGetContainer, chain.AccessDenied)
require.ErrorContains(t, err, aErr.Error())
})
t.Run("check testdomain-defined container in testdomain-defined container target rule", func(t *testing.T) {
t.Parallel()
components := newTestAPEServer()
contID, testContainer := initTestContainer(t, true)
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
initTestNetmap(components.netmap)
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{
{
Status: chain.AccessDenied,
Actions: chain.Actions{
Names: []string{
nativeschema.MethodGetContainer,
},
},
Resources: chain.Resources{
Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainer, testDomainName, contID.EncodeToString()),
},
},
Condition: []chain.Condition{
{
Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals,
},
},
},
},
})
require.NoError(t, err)
addDefaultAllowGetPolicy(t, components.engine)
req := initTestGetContainerRequest(t, contID) req := initTestGetContainerRequest(t, contID)
@ -1565,8 +1566,8 @@ func initListRequest(t *testing.T, actorPK *keys.PrivateKey, ownerPK *keys.Priva
return req return req
} }
func addDefaultAllowGetPolicy(t *testing.T, e engine.Engine, contID cid.ID) { func addDefaultAllowGetPolicy(t *testing.T, e engine.Engine) {
_, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{ _, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
Rules: []chain.Rule{ Rules: []chain.Rule{
{ {
Status: chain.Allow, Status: chain.Allow,