WIP: ape: Add container source to object policy checker #1045
3 changed files with 20 additions and 2 deletions
|
@ -444,6 +444,7 @@ func createAPEService(c *cfg, splitSvc *objectService.TransportSplitter) *object
|
||||||
objectAPE.NewChecker(
|
objectAPE.NewChecker(
|
||||||
c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.chainRouter,
|
c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.chainRouter,
|
||||||
objectAPE.NewStorageEngineHeaderProvider(c.cfgObject.cfgLocalStorage.localStorage),
|
objectAPE.NewStorageEngineHeaderProvider(c.cfgObject.cfgLocalStorage.localStorage),
|
||||||
|
c.cfgObject.cnrSource,
|
||||||
),
|
),
|
||||||
splitSvc,
|
splitSvc,
|
||||||
)
|
)
|
||||||
|
|
|
@ -5,23 +5,32 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
|
objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
|
||||||
|
containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
||||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type containers interface {
|
||||||
|
Get(cid.ID) (*containercore.Container, error)
|
||||||
|
}
|
||||||
|
|
||||||
type checkerImpl struct {
|
type checkerImpl struct {
|
||||||
chainRouter policyengine.ChainRouter
|
chainRouter policyengine.ChainRouter
|
||||||
|
|
||||||
headerProvider HeaderProvider
|
headerProvider HeaderProvider
|
||||||
|
|
||||||
|
reader containers
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider) Checker {
|
func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider, reader containers) Checker {
|
||||||
return &checkerImpl{
|
return &checkerImpl{
|
||||||
chainRouter: chainRouter,
|
chainRouter: chainRouter,
|
||||||
|
|
||||||
headerProvider: headerProvider,
|
headerProvider: headerProvider,
|
||||||
|
|
||||||
|
reader: reader,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
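Review bot: The new `containers` interface and the `reader` field carry no comment, and `NewChecker` does not say that `reader` is required, although the request-building hunk calls `c.reader.Get` unconditionally, so a nil value would panic on the first access check. I would add `// containers looks up a container by ID; the checker uses it to resolve the container owner for policy evaluation.` above the interface and state in the `NewChecker` doc comment that `reader` must be non-nil. The field name `reader` also says less than its type does; a name such as `cnrSource`, matching the call site in `createAPEService`, would read better.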
@ -145,11 +145,19 @@ func (c *checkerImpl) newAPERequest(ctx context.Context, prm Prm) (*request, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cont, err := c.reader.Get(prm.Container)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("get container: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
props := objectProperties(prm.Container, prm.Object, header)
|
||||||
|
props[nativeschema.PropertyKeyContainerOwnerID] = cont.Value.Owner().EncodeToString()
|
||||||
|
|
||||||
return &request{
|
return &request{
|
||||||
operation: prm.Method,
|
operation: prm.Method,
|
||||||
resource: &resource{
|
resource: &resource{
|
||||||
name: resourceName(prm.Container, prm.Object, prm.Namespace),
|
name: resourceName(prm.Container, prm.Object, prm.Namespace),
|
||||||
properties: objectProperties(prm.Container, prm.Object, header),
|
properties: props,
|
||||||
},
|
},
|
||||||
properties: map[string]string{
|
properties: map[string]string{
|
||||||
nativeschema.PropertyKeyActorPublicKey: prm.SenderKey,
|
nativeschema.PropertyKeyActorPublicKey: prm.SenderKey,
|
||||||
|
|
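Review bot: The container lookup error is formatted with `%s` in `fmt.Errorf("get container: %s", err)`, which drops the error chain, so a caller cannot use `errors.Is` or `errors.As` to tell a missing container from a transient source failure when it maps the denial to a status; `return nil, fmt.Errorf("get container: %w", err)` keeps the chain. Rejecting the request when the owner cannot be resolved is the right fail-closed behaviour for a policy check. The following `cont.Value.Owner()` assumes `Get` never returns a nil container together with a nil error, which the `containers` interface as declared does not guarantee, so a nil guard before the dereference would keep a misbehaving source from panicking the access-check path. `newAPERequest` starts and ends outside this hunk.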