Airat Arifullin
952d13cd2b
All checks were successful
Vulncheck / Vulncheck (pull_request) Successful in 1m25s
DCO action / DCO (pull_request) Successful in 1m59s
Build / Build Components (1.21) (pull_request) Successful in 2m27s
Build / Build Components (1.22) (pull_request) Successful in 4m25s
Pre-commit hooks / Pre-commit (pull_request) Successful in 4m57s
Tests and linters / Staticcheck (pull_request) Successful in 5m38s
Tests and linters / gopls check (pull_request) Successful in 5m57s
Tests and linters / Lint (pull_request) Successful in 6m26s
Tests and linters / Tests (1.22) (pull_request) Successful in 9m5s
Tests and linters / Tests (1.21) (pull_request) Successful in 9m11s
Tests and linters / Tests with -race (pull_request) Successful in 9m4s
* Make APE rule parser to read condition's kind in unambiguous using lexemes `ResourceCondition`, `RequestCondition` instead confusing `Object.Request`, `Object.Resource`. * Fix unit-tests. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
106 lines
3.2 KiB
Go
106 lines
3.2 KiB
Go
package control
|
|
|
|
import (
|
|
"encoding/hex"
|
|
"errors"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
|
|
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
const (
|
|
ruleFlag = "rule"
|
|
pathFlag = "path"
|
|
)
|
|
|
|
var addRuleCmd = &cobra.Command{
|
|
Use: "add-rule",
|
|
Short: "Add local override",
|
|
Long: "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
|
|
Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *"
|
|
--rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*"
|
|
--rule "deny:QuotaLimitReached Object.Put ResourceCondition:Department=HR *"
|
|
|
|
control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json
|
|
`,
|
|
Run: addRule,
|
|
}
|
|
|
|
func parseChain(cmd *cobra.Command) *apechain.Chain {
|
|
chainID, _ := cmd.Flags().GetString(chainIDFlag)
|
|
hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
|
|
|
|
chainIDRaw := []byte(chainID)
|
|
|
|
if hexEncoded {
|
|
var err error
|
|
chainIDRaw, err = hex.DecodeString(chainID)
|
|
commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)
|
|
}
|
|
|
|
chain := new(apechain.Chain)
|
|
chain.ID = apechain.ID(chainIDRaw)
|
|
|
|
if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
|
|
commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, rules))
|
|
} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
|
|
commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", util.ParseAPEChainBinaryOrJSON(chain, encPath))
|
|
} else {
|
|
commonCmd.ExitOnErr(cmd, "parser error", errors.New("rule is not passed"))
|
|
}
|
|
|
|
cmd.Println("Parsed chain:")
|
|
util.PrintHumanReadableAPEChain(cmd, chain)
|
|
|
|
return chain
|
|
}
|
|
|
|
func addRule(cmd *cobra.Command, _ []string) {
|
|
pk := key.Get(cmd)
|
|
|
|
target := parseTarget(cmd)
|
|
|
|
parsed := parseChain(cmd)
|
|
|
|
req := &control.AddChainLocalOverrideRequest{
|
|
Body: &control.AddChainLocalOverrideRequest_Body{
|
|
Target: target,
|
|
Chain: parsed.Bytes(),
|
|
},
|
|
}
|
|
|
|
signRequest(cmd, pk, req)
|
|
|
|
cli := getClient(cmd, pk)
|
|
|
|
var resp *control.AddChainLocalOverrideResponse
|
|
var err error
|
|
err = cli.ExecRaw(func(client *client.Client) error {
|
|
resp, err = control.AddChainLocalOverride(client, req)
|
|
return err
|
|
})
|
|
commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
|
|
|
|
verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
|
|
cmd.Println("\nRule has been added.")
|
|
}
|
|
|
|
func initControlAddRuleCmd() {
|
|
initControlFlags(addRuleCmd)
|
|
|
|
ff := addRuleCmd.Flags()
|
|
ff.StringArray(ruleFlag, []string{}, "Rule statement")
|
|
ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")
|
|
ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
|
|
ff.String(targetNameFlag, "", targetNameDesc)
|
|
ff.String(targetTypeFlag, "", targetTypeDesc)
|
|
_ = addRuleCmd.MarkFlagRequired(targetTypeFlag)
|
|
ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
|
|
|
|
addRuleCmd.MarkFlagsMutuallyExclusive(pathFlag, ruleFlag)
|
|
}
|