cli: Improve APE rule parsing #1124
12 changed files with 195 additions and 153 deletions
|
@ -98,6 +98,16 @@ func parseChainName(cmd *cobra.Command) apechain.Name {
|
|||
return apeChainName
|
||||
}
|
||||
|
||||
// invokerAdapter adapats invoker.Invoker to ContractStorageInvoker interface.
|
||||
type invokerAdapter struct {
|
||||
*invoker.Invoker
|
||||
rpcActor invoker.RPCInvoke
|
||||
}
|
||||
|
||||
func (n *invokerAdapter) GetRPCInvoker() invoker.RPCInvoke {
|
||||
return n.rpcActor
|
||||
}
|
||||
|
||||
func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorageReader, *invoker.Invoker) {
|
||||
c, err := helper.GetN3Client(viper.GetViper())
|
||||
commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
|
||||
|
@ -111,7 +121,12 @@ func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorag
|
|||
ch, err = helper.NNSResolveHash(inv, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))
|
||||
commonCmd.ExitOnErr(cmd, "unable to resolve policy contract hash: %w", err)
|
||||
|
||||
return morph.NewContractStorageReader(inv, ch), inv
|
||||
invokerAdapter := &invokerAdapter{
|
||||
Invoker: inv,
|
||||
rpcActor: c,
|
||||
}
|
||||
|
||||
return morph.NewContractStorageReader(invokerAdapter, ch), inv
|
||||
}
|
||||
|
||||
func newPolicyContractInterface(cmd *cobra.Command) (*morph.ContractStorage, *helper.LocalActor) {
|
||||
|
|
|
@ -23,9 +23,10 @@ import (
|
|||
|
||||
// LocalActor is a kludge, do not use it outside of the morph commands.
|
||||
type LocalActor struct {
|
||||
neoActor *actor.Actor
|
||||
accounts []*wallet.Account
|
||||
Invoker *invoker.Invoker
|
||||
neoActor *actor.Actor
|
||||
accounts []*wallet.Account
|
||||
Invoker *invoker.Invoker
|
||||
rpcInvoker invoker.RPCInvoke
|
||||
}
|
||||
|
||||
// NewLocalActor create LocalActor with accounts form provided wallets.
|
||||
|
@ -68,9 +69,10 @@ func NewLocalActor(cmd *cobra.Command, c actor.RPCActor) (*LocalActor, error) {
|
|||
}
|
||||
}
|
||||
return &LocalActor{
|
||||
neoActor: act,
|
||||
accounts: accounts,
|
||||
Invoker: &act.Invoker,
|
||||
neoActor: act,
|
||||
accounts: accounts,
|
||||
Invoker: &act.Invoker,
|
||||
rpcInvoker: c,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -167,3 +169,7 @@ func (a *LocalActor) MakeUnsignedRun(_ []byte, _ []transaction.Attribute) (*tran
|
|||
func (a *LocalActor) MakeCall(_ util.Uint160, _ string, _ ...any) (*transaction.Transaction, error) {
|
||||
panic("unimplemented")
|
||||
}
|
||||
|
||||
func (a *LocalActor) GetRPCInvoker() invoker.RPCInvoke {
|
||||
return a.rpcInvoker
|
||||
}
|
||||
|
|
|
@ -24,7 +24,7 @@ var addRuleCmd = &cobra.Command{
|
|||
Long: "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
|
||||
Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *"
|
||||
--rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*"
|
||||
--rule "deny:QuotaLimitReached Object.Put Object.Resource:Department=HR *"
|
||||
--rule "deny:QuotaLimitReached Object.Put ResourceCondition:Department=HR *"
|
||||
|
||||
control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json
|
||||
`,
|
||||
|
|
|
@ -21,7 +21,7 @@ var (
|
|||
errUnknownAction = errors.New("action is not recognized")
|
||||
errUnknownBinaryOperator = errors.New("binary operator is not recognized")
|
||||
errUnknownCondObjectType = errors.New("condition object type is not recognized")
|
||||
errMixedTypesInRule = errors.New("found mixed type of actions and conditions in rule")
|
||||
errMixedTypesInRule = errors.New("found mixed type of actions in rule")
|
||||
errNoActionsInRule = errors.New("there are no actions in rule")
|
||||
errUnsupportedResourceFormat = errors.New("unsupported resource format")
|
||||
errFailedToParseAllAny = errors.New("any/all is not parsed")
|
||||
|
@ -38,10 +38,10 @@ func PrintHumanReadableAPEChain(cmd *cobra.Command, chain *apechain.Chain) {
|
|||
cmd.Println("\tConditions:")
|
||||
for _, c := range rule.Condition {
|
||||
var ot string
|
||||
switch c.Object {
|
||||
case apechain.ObjectResource:
|
||||
switch c.Kind {
|
||||
case apechain.KindResource:
|
||||
ot = "Resource"
|
||||
case apechain.ObjectRequest:
|
||||
case apechain.KindRequest:
|
||||
ot = "Request"
|
||||
default:
|
||||
panic("unknown object type")
|
||||
|
@ -100,9 +100,9 @@ func ParseAPEChain(chain *apechain.Chain, rules []string) error {
|
|||
// deny Object.Put *
|
||||
// deny:QuotaLimitReached Object.Put *
|
||||
// allow Object.Put *
|
||||
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
|
||||
// allow Object.Get any Object.Resource:Department=HR Object.Request:Actor=ownerA *
|
||||
// allow Object.Get all Object.Resource:Department=HR Object.Request:Actor=ownerA *
|
||||
// allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
|
||||
// allow Object.Get any ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
|
||||
// allow Object.Get all ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
|
||||
// allow Object.* *
|
||||
// allow Container.* *
|
||||
//
|
||||
|
@ -138,7 +138,9 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
|
|||
return err
|
||||
}
|
||||
|
||||
var isObject *bool
|
||||
var objectTargeted bool
|
||||
var containerTargeted bool
|
||||
|
||||
for i, lexeme := range lexemes[1:] {
|
||||
anyExpr, anyErr := parseAnyAll(lexeme)
|
||||
if anyErr == nil {
|
||||
|
@ -156,23 +158,30 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
|
|||
lexemes = lexemes[i+1:]
|
||||
break
|
||||
}
|
||||
actionType = condition.Object == apechain.ObjectResource || condition.Object == apechain.ObjectRequest
|
||||
r.Condition = append(r.Condition, *condition)
|
||||
} else {
|
||||
if actionType {
|
||||
objectTargeted = true
|
||||
} else {
|
||||
containerTargeted = true
|
||||
}
|
||||
if objectTargeted && containerTargeted {
|
||||
// Actually, APE chain allows to define rules for several resources, for example, if
|
||||
// chain target is namespace, but the parser primitevly compiles verbs,
|
||||
// conditions and resources in one rule. So, for the parser, one rule relates only to
|
||||
// one resource type - object or container.
|
||||
return errMixedTypesInRule
|
||||
}
|
||||
|
||||
r.Actions.Names = append(r.Actions.Names, names...)
|
||||
}
|
||||
if isObject == nil {
|
||||
isObject = &actionType
|
||||
} else if actionType != *isObject {
|
||||
return errMixedTypesInRule
|
||||
}
|
||||
}
|
||||
r.Actions.Names = unique(r.Actions.Names)
|
||||
if len(r.Actions.Names) == 0 {
|
||||
return fmt.Errorf("%w:%w", err, errNoActionsInRule)
|
||||
}
|
||||
for _, lexeme := range lexemes {
|
||||
resource, errRes := parseResource(lexeme, *isObject)
|
||||
resource, errRes := parseResource(lexeme, objectTargeted)
|
||||
if errRes != nil {
|
||||
return fmt.Errorf("%w:%w", err, errRes)
|
||||
}
|
||||
|
@ -308,32 +317,27 @@ func parseResource(lexeme string, isObj bool) (string, error) {
|
|||
}
|
||||
|
||||
const (
|
||||
ObjectResource = "object.resource"
|
||||
ObjectRequest = "object.request"
|
||||
|
||||
ContainerResource = "container.resource"
|
||||
ContainerRequest = "container.request"
|
||||
ResourceCondition = "resourcecondition"
|
||||
RequestCondition = "requestcondition"
|
||||
)
|
||||
|
||||
var typeToCondObject = map[string]apechain.ObjectType{
|
||||
ObjectResource: apechain.ObjectResource,
|
||||
ObjectRequest: apechain.ObjectRequest,
|
||||
ContainerResource: apechain.ContainerResource,
|
||||
ContainerRequest: apechain.ContainerRequest,
|
||||
var typeToCondKindType = map[string]apechain.ConditionKindType{
|
||||
ResourceCondition: apechain.KindResource,
|
||||
RequestCondition: apechain.KindRequest,
|
||||
}
|
||||
|
||||
func parseCondition(lexeme string) (*apechain.Condition, error) {
|
||||
typ, expression, found := strings.Cut(lexeme, ":")
|
||||
typ = strings.ToLower(typ)
|
||||
|
||||
objType, ok := typeToCondObject[typ]
|
||||
condKindType, ok := typeToCondKindType[typ]
|
||||
if ok {
|
||||
if !found {
|
||||
return nil, fmt.Errorf("%w: %s", errInvalidConditionFormat, lexeme)
|
||||
}
|
||||
|
||||
var cond apechain.Condition
|
||||
cond.Object = objType
|
||||
cond.Kind = condKindType
|
||||
|
||||
lhs, rhs, binExpFound := strings.Cut(expression, "!=")
|
||||
if !binExpFound {
|
||||
|
|
|
@ -109,46 +109,46 @@ func TestParseAPERule(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "Valid allow rule with conditions",
|
||||
rule: "allow Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
|
||||
rule: "allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
|
||||
expectRule: policyengine.Rule{
|
||||
Status: policyengine.Allow,
|
||||
Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
|
||||
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
|
||||
Condition: []policyengine.Condition{
|
||||
{
|
||||
Op: policyengine.CondStringEquals,
|
||||
Object: policyengine.ObjectResource,
|
||||
Key: "Department",
|
||||
Value: "HR",
|
||||
Op: policyengine.CondStringEquals,
|
||||
Kind: policyengine.KindResource,
|
||||
Key: "Department",
|
||||
Value: "HR",
|
||||
},
|
||||
{
|
||||
Op: policyengine.CondStringNotEquals,
|
||||
Object: policyengine.ObjectRequest,
|
||||
Key: "Actor",
|
||||
Value: "ownerA",
|
||||
Op: policyengine.CondStringNotEquals,
|
||||
Kind: policyengine.KindRequest,
|
||||
Key: "Actor",
|
||||
Value: "ownerA",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Valid rule for object with conditions with action detail",
|
||||
rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
|
||||
rule: "deny:QuotaLimitReached Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
|
||||
expectRule: policyengine.Rule{
|
||||
Status: policyengine.QuotaLimitReached,
|
||||
Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
|
||||
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
|
||||
Condition: []policyengine.Condition{
|
||||
{
|
||||
Op: policyengine.CondStringEquals,
|
||||
Object: policyengine.ObjectResource,
|
||||
Key: "Department",
|
||||
Value: "HR",
|
||||
Op: policyengine.CondStringEquals,
|
||||
Kind: policyengine.KindResource,
|
||||
Key: "Department",
|
||||
Value: "HR",
|
||||
},
|
||||
{
|
||||
Op: policyengine.CondStringNotEquals,
|
||||
Object: policyengine.ObjectRequest,
|
||||
Key: "Actor",
|
||||
Value: "ownerA",
|
||||
Op: policyengine.CondStringNotEquals,
|
||||
Kind: policyengine.KindRequest,
|
||||
Key: "Actor",
|
||||
Value: "ownerA",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -170,12 +170,12 @@ func TestParseAPERule(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "Invalid rule with unknown condition binary operator",
|
||||
rule: "deny Object.Put Object.Resource:Department<HR *",
|
||||
rule: "deny Object.Put ResourceCondition:Department<HR *",
|
||||
expectErr: errUnknownBinaryOperator,
|
||||
},
|
||||
{
|
||||
name: "Invalid rule with unknown condition object type",
|
||||
rule: "deny Object.Put Object.ResourZe:Department=HR *",
|
||||
rule: "deny Object.Put ResourSeCondiDion:Department=HR *",
|
||||
expectErr: errUnknownCondObjectType,
|
||||
},
|
||||
{
|
||||
|
@ -185,7 +185,7 @@ func TestParseAPERule(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "Invalid rule with no actions",
|
||||
rule: "allow Container.Resource:A=B *",
|
||||
rule: "allow ResourceCondition:A=B *",
|
||||
expectErr: errNoActionsInRule,
|
||||
},
|
||||
{
|
||||
|
@ -271,7 +271,7 @@ func TestParseAPERule(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "Valid rule for container with conditions with action detail",
|
||||
rule: "allow Container.Get Container.Resource:A=B Container.Put Container.Request:C!=D " +
|
||||
rule: "allow Container.Get ResourceCondition:A=B Container.Put RequestCondition:C!=D " +
|
||||
"* /cnt_id",
|
||||
expectRule: policyengine.Rule{
|
||||
Status: policyengine.Allow,
|
||||
|
@ -282,16 +282,16 @@ func TestParseAPERule(t *testing.T) {
|
|||
}},
|
||||
Condition: []policyengine.Condition{
|
||||
{
|
||||
Op: policyengine.CondStringEquals,
|
||||
Object: policyengine.ContainerResource,
|
||||
Key: "A",
|
||||
Value: "B",
|
||||
Op: policyengine.CondStringEquals,
|
||||
Kind: policyengine.KindResource,
|
||||
Key: "A",
|
||||
Value: "B",
|
||||
},
|
||||
{
|
||||
Op: policyengine.CondStringNotEquals,
|
||||
Object: policyengine.ContainerRequest,
|
||||
Key: "C",
|
||||
Value: "D",
|
||||
Op: policyengine.CondStringNotEquals,
|
||||
Kind: policyengine.KindRequest,
|
||||
Key: "C",
|
||||
Value: "D",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
4
go.mod
4
go.mod
|
@ -5,11 +5,11 @@ go 1.21
|
|||
require (
|
||||
code.gitea.io/sdk/gitea v0.17.1
|
||||
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240427200446-67c6f305b21f
|
||||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.0
|
||||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240409111539-e7a05a49ff45
|
||||
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12
|
||||
git.frostfs.info/TrueCloudLab/hrw v1.2.1
|
||||
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a
|
||||
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d
|
||||
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
||||
git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
|
||||
github.com/cheggaaa/pb v1.0.29
|
||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -80,7 +80,7 @@ func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.
|
|||
}
|
||||
for _, target := range targets {
|
||||
var roleCondition apechain.Condition
|
||||
roleCondition.Object = apechain.ObjectRequest
|
||||
roleCondition.Kind = apechain.KindRequest
|
||||
roleCondition.Key = nativeschema.PropertyKeyActorRole
|
||||
roleCondition.Value = target.Role().String()
|
||||
roleCondition.Op = apechain.CondStringEquals
|
||||
|
@ -88,7 +88,7 @@ func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.
|
|||
|
||||
for _, binKey := range target.BinaryKeys() {
|
||||
var pubKeyCondition apechain.Condition
|
||||
pubKeyCondition.Object = apechain.ObjectRequest
|
||||
pubKeyCondition.Kind = apechain.KindRequest
|
||||
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
|
||||
pubKeyCondition.Value = hex.EncodeToString(binKey)
|
||||
pubKeyCondition.Op = apechain.CondStringEquals
|
||||
|
@ -112,7 +112,7 @@ func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act ape
|
|||
Resources: res,
|
||||
}
|
||||
var roleCondition apechain.Condition
|
||||
roleCondition.Object = apechain.ObjectRequest
|
||||
roleCondition.Kind = apechain.KindRequest
|
||||
roleCondition.Key = nativeschema.PropertyKeyActorRole
|
||||
roleCondition.Value = target.Role().String()
|
||||
roleCondition.Op = apechain.CondStringEquals
|
||||
|
@ -132,7 +132,7 @@ func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act ape
|
|||
Resources: res,
|
||||
}
|
||||
var pubKeyCondition apechain.Condition
|
||||
pubKeyCondition.Object = apechain.ObjectRequest
|
||||
pubKeyCondition.Kind = apechain.KindRequest
|
||||
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
|
||||
pubKeyCondition.Value = hex.EncodeToString(binKey)
|
||||
pubKeyCondition.Op = apechain.CondStringEquals
|
||||
|
@ -155,10 +155,10 @@ func appendFilters(source []apechain.Condition, filters []eacl.Filter) ([]apecha
|
|||
var cond apechain.Condition
|
||||
var isObject bool
|
||||
if filter.From() == eacl.HeaderFromObject {
|
||||
cond.Object = apechain.ObjectResource
|
||||
cond.Kind = apechain.KindResource
|
||||
isObject = true
|
||||
} else if filter.From() == eacl.HeaderFromRequest {
|
||||
cond.Object = apechain.ObjectRequest
|
||||
cond.Kind = apechain.KindRequest
|
||||
} else {
|
||||
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())}
|
||||
}
|
||||
|
|
|
@ -6,12 +6,14 @@ import (
|
|||
"github.com/nspcc-dev/neo-go/pkg/core/transaction"
|
||||
"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
|
||||
"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
|
||||
"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
|
||||
"github.com/nspcc-dev/neo-go/pkg/util"
|
||||
"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
|
||||
)
|
||||
|
||||
type actorProvider interface {
|
||||
GetActor() *actor.Actor
|
||||
GetRPCActor() actor.RPCActor
|
||||
}
|
||||
|
||||
// Client switches an established connection with neo-go if it is broken.
|
||||
|
@ -132,3 +134,11 @@ func (a *SwitchRPCGuardedActor) TerminateSession(sessionID uuid.UUID) error {
|
|||
func (a *SwitchRPCGuardedActor) TraverseIterator(sessionID uuid.UUID, iterator *result.Iterator, num int) ([]stackitem.Item, error) {
|
||||
return a.actorProvider.GetActor().TraverseIterator(sessionID, iterator, num)
|
||||
}
|
||||
|
||||
func (a *SwitchRPCGuardedActor) GetRPCActor() actor.RPCActor {
|
||||
return a.actorProvider.GetRPCActor()
|
||||
}
|
||||
|
||||
func (a *SwitchRPCGuardedActor) GetRPCInvoker() invoker.RPCInvoke {
|
||||
return a.actorProvider.GetRPCActor()
|
||||
}
|
||||
|
|
|
@ -579,3 +579,10 @@ func (c *Client) GetActor() *actor.Actor {
|
|||
|
||||
return c.rpcActor
|
||||
}
|
||||
|
||||
func (c *Client) GetRPCActor() actor.RPCActor {
|
||||
c.switchLock.RLock()
|
||||
defer c.switchLock.RUnlock()
|
||||
|
||||
return c.client
|
||||
}
|
||||
|
|
|
@ -228,10 +228,10 @@ func testDenyGetContainerForOthers(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -328,10 +328,10 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr1"),
|
||||
Value: "value100",
|
||||
Op: chain.CondStringNotEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr1"),
|
||||
Value: "value100",
|
||||
Op: chain.CondStringNotEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -426,10 +426,10 @@ func testDenyGetContainerByGroupID(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: commonschema.PropertyKeyFrostFSIDGroupID,
|
||||
Value: "19888",
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: commonschema.PropertyKeyFrostFSIDGroupID,
|
||||
Value: "19888",
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -500,10 +500,10 @@ func testDenySetContainerEACLForIR(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleIR,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleIR,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -578,10 +578,10 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleIR,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleIR,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -657,10 +657,10 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -712,10 +712,10 @@ func testDenyPutContainerReadNamespaceFromFrostfsID(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -796,10 +796,10 @@ func testDenyPutContainerInvalidNamespace(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -879,10 +879,10 @@ func testDenyListContainersForPK(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorPublicKey,
|
||||
Value: hex.EncodeToString(pk.PublicKey().Bytes()),
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorPublicKey,
|
||||
Value: hex.EncodeToString(pk.PublicKey().Bytes()),
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -993,10 +993,10 @@ func testDenyListContainersValidationNamespaceError(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorPublicKey,
|
||||
Value: actorPK.PublicKey().String(),
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorPublicKey,
|
||||
Value: actorPK.PublicKey().String(),
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -1195,10 +1195,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -1237,10 +1237,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -1280,10 +1280,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -1323,10 +1323,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -1366,10 +1366,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -1410,10 +1410,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
|||
},
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorRole,
|
||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||
Op: chain.CondStringEquals,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
|
@ -312,10 +312,10 @@ func TestAPECheck(t *testing.T) {
|
|||
Any: true,
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringLike,
|
||||
Object: chain.ObjectResource,
|
||||
Key: "attr1",
|
||||
Value: "attribute*",
|
||||
Op: chain.CondStringLike,
|
||||
Kind: chain.KindResource,
|
||||
Key: "attr1",
|
||||
Value: "attribute*",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -351,10 +351,10 @@ func TestAPECheck(t *testing.T) {
|
|||
Any: true,
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringLike,
|
||||
Object: chain.ObjectRequest,
|
||||
Key: nativeschema.PropertyKeyActorPublicKey,
|
||||
Value: senderKey,
|
||||
Op: chain.CondStringLike,
|
||||
Kind: chain.KindRequest,
|
||||
Key: nativeschema.PropertyKeyActorPublicKey,
|
||||
Value: senderKey,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -381,10 +381,10 @@ func TestAPECheck(t *testing.T) {
|
|||
Any: true,
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringEquals,
|
||||
Object: chain.ObjectResource,
|
||||
Key: nativeschema.PropertyKeyObjectPayloadLength,
|
||||
Value: "1000",
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindResource,
|
||||
Key: nativeschema.PropertyKeyObjectPayloadLength,
|
||||
Value: "1000",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -503,10 +503,10 @@ func TestPutECChunk(t *testing.T) {
|
|||
Any: true,
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringEquals,
|
||||
Object: chain.ObjectResource,
|
||||
Key: "attr1",
|
||||
Value: "value",
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindResource,
|
||||
Key: "attr1",
|
||||
Value: "value",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
Loading…
Reference in a new issue