Anton Nikiforov
32f4e72e6a
All checks were successful
DCO action / DCO (pull_request) Successful in 2m49s
Vulncheck / Vulncheck (pull_request) Successful in 3m31s
Build / Build Components (1.20) (pull_request) Successful in 4m15s
Build / Build Components (1.21) (pull_request) Successful in 4m13s
Tests and linters / Staticcheck (pull_request) Successful in 6m0s
Tests and linters / Lint (pull_request) Successful in 6m50s
Tests and linters / Tests (1.20) (pull_request) Successful in 11m42s
Tests and linters / Tests with -race (pull_request) Successful in 11m43s
Tests and linters / Tests (1.21) (pull_request) Successful in 11m53s
Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
214 lines
6 KiB
Go
214 lines
6 KiB
Go
package util
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"strconv"
|
|
"strings"
|
|
|
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
|
"github.com/flynn-archive/go-shlex"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
var (
|
|
errInvalidStatementFormat = errors.New("invalid statement format")
|
|
errInvalidConditionFormat = errors.New("invalid condition format")
|
|
errUnknownAction = errors.New("action is not recognized")
|
|
errUnknownOperation = errors.New("operation is not recognized")
|
|
errUnknownActionDetail = errors.New("action detail is not recognized")
|
|
errUnknownBinaryOperator = errors.New("binary operator is not recognized")
|
|
errUnknownCondObjectType = errors.New("condition object type is not recognized")
|
|
)
|
|
|
|
// PrintHumanReadableAPEChain print APE chain rules.
|
|
func PrintHumanReadableAPEChain(cmd *cobra.Command, chain *apechain.Chain) {
|
|
cmd.Println("ChainID: " + string(chain.ID))
|
|
cmd.Println("Rules:")
|
|
for _, rule := range chain.Rules {
|
|
cmd.Println("\tStatus: " + rule.Status.String())
|
|
cmd.Println("\tAny: " + strconv.FormatBool(rule.Any))
|
|
cmd.Println("\tConditions:")
|
|
for _, c := range rule.Condition {
|
|
var ot string
|
|
switch c.Object {
|
|
case apechain.ObjectResource:
|
|
ot = "Resource"
|
|
case apechain.ObjectRequest:
|
|
ot = "Request"
|
|
default:
|
|
panic("unknown object type")
|
|
}
|
|
cmd.Println(fmt.Sprintf("\t\t%s %s %s %s", ot, c.Key, c.Op, c.Value))
|
|
}
|
|
cmd.Println("\tActions:\tInverted:" + strconv.FormatBool(rule.Actions.Inverted))
|
|
for _, name := range rule.Actions.Names {
|
|
cmd.Println("\t\t" + name)
|
|
}
|
|
cmd.Println("\tResources:\tInverted:" + strconv.FormatBool(rule.Resources.Inverted))
|
|
for _, name := range rule.Resources.Names {
|
|
cmd.Println("\t\t" + name)
|
|
}
|
|
}
|
|
}
|
|
|
|
// ParseAPEChain parses APE chain rules.
|
|
func ParseAPEChain(chain *apechain.Chain, rules []string) error {
|
|
if len(rules) == 0 {
|
|
return errors.New("no APE rules provided")
|
|
}
|
|
|
|
for _, rule := range rules {
|
|
r := new(apechain.Rule)
|
|
if err := ParseAPERule(r, rule); err != nil {
|
|
return err
|
|
}
|
|
chain.Rules = append(chain.Rules, *r)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ParseAPERule parses access-policy-engine statement from the following form:
|
|
// <action>[:action_detail] <operation> [<condition1> ...] <resource>
|
|
//
|
|
// Examples:
|
|
// deny Object.Put *
|
|
// deny:QuotaLimitReached Object.Put *
|
|
// allow Object.Put *
|
|
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
|
|
//
|
|
//nolint:godot
|
|
func ParseAPERule(r *apechain.Rule, rule string) error {
|
|
lexemes, err := shlex.Split(rule)
|
|
if err != nil {
|
|
return fmt.Errorf("can't parse rule '%s': %v", rule, err)
|
|
}
|
|
return parseRuleLexemes(r, lexemes)
|
|
}
|
|
|
|
func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
|
|
if len(lexemes) < 2 {
|
|
return errInvalidStatementFormat
|
|
}
|
|
|
|
var err error
|
|
r.Status, err = parseStatus(lexemes[0])
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
r.Actions, err = parseAction(lexemes[1])
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
r.Condition, err = parseConditions(lexemes[2 : len(lexemes)-1])
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
r.Resources, err = parseResource(lexemes[len(lexemes)-1])
|
|
return err
|
|
}
|
|
|
|
func parseStatus(lexeme string) (apechain.Status, error) {
|
|
action, expression, found := strings.Cut(lexeme, ":")
|
|
switch action = strings.ToLower(action); action {
|
|
case "deny":
|
|
if !found {
|
|
return apechain.AccessDenied, nil
|
|
} else if strings.EqualFold(expression, "QuotaLimitReached") {
|
|
return apechain.QuotaLimitReached, nil
|
|
} else {
|
|
return 0, fmt.Errorf("%w: %s", errUnknownActionDetail, expression)
|
|
}
|
|
case "allow":
|
|
if found {
|
|
return 0, errUnknownActionDetail
|
|
}
|
|
return apechain.Allow, nil
|
|
default:
|
|
return 0, errUnknownAction
|
|
}
|
|
}
|
|
|
|
func parseAction(lexeme string) (apechain.Actions, error) {
|
|
switch strings.ToLower(lexeme) {
|
|
case "object.put":
|
|
return apechain.Actions{Names: []string{nativeschema.MethodPutObject}}, nil
|
|
case "object.get":
|
|
return apechain.Actions{Names: []string{nativeschema.MethodGetObject}}, nil
|
|
case "object.head":
|
|
return apechain.Actions{Names: []string{nativeschema.MethodHeadObject}}, nil
|
|
case "object.delete":
|
|
return apechain.Actions{Names: []string{nativeschema.MethodDeleteObject}}, nil
|
|
case "object.search":
|
|
return apechain.Actions{Names: []string{nativeschema.MethodSearchObject}}, nil
|
|
case "object.range":
|
|
return apechain.Actions{Names: []string{nativeschema.MethodRangeObject}}, nil
|
|
case "object.hash":
|
|
return apechain.Actions{Names: []string{nativeschema.MethodHashObject}}, nil
|
|
default:
|
|
}
|
|
return apechain.Actions{}, fmt.Errorf("%w: %s", errUnknownOperation, lexeme)
|
|
}
|
|
|
|
func parseResource(lexeme string) (apechain.Resources, error) {
|
|
if lexeme == "*" {
|
|
return apechain.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, nil
|
|
}
|
|
return apechain.Resources{Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, lexeme)}}, nil
|
|
}
|
|
|
|
const (
|
|
ObjectResource = "object.resource"
|
|
ObjectRequest = "object.request"
|
|
)
|
|
|
|
var typeToCondObject = map[string]apechain.ObjectType{
|
|
ObjectResource: apechain.ObjectResource,
|
|
ObjectRequest: apechain.ObjectRequest,
|
|
}
|
|
|
|
func parseConditions(lexemes []string) ([]apechain.Condition, error) {
|
|
conds := make([]apechain.Condition, 0)
|
|
|
|
for _, lexeme := range lexemes {
|
|
typ, expression, found := strings.Cut(lexeme, ":")
|
|
typ = strings.ToLower(typ)
|
|
|
|
objType, ok := typeToCondObject[typ]
|
|
if ok {
|
|
if !found {
|
|
return nil, fmt.Errorf("%w: %s", errInvalidConditionFormat, lexeme)
|
|
}
|
|
|
|
var lhs, rhs string
|
|
var binExpFound bool
|
|
|
|
var cond apechain.Condition
|
|
cond.Object = objType
|
|
|
|
lhs, rhs, binExpFound = strings.Cut(expression, "!=")
|
|
if !binExpFound {
|
|
lhs, rhs, binExpFound = strings.Cut(expression, "=")
|
|
if !binExpFound {
|
|
return nil, fmt.Errorf("%w: %s", errUnknownBinaryOperator, expression)
|
|
}
|
|
cond.Op = apechain.CondStringEquals
|
|
} else {
|
|
cond.Op = apechain.CondStringNotEquals
|
|
}
|
|
|
|
cond.Key, cond.Value = lhs, rhs
|
|
|
|
conds = append(conds, cond)
|
|
} else {
|
|
return nil, fmt.Errorf("%w: %s", errUnknownCondObjectType, typ)
|
|
}
|
|
}
|
|
|
|
return conds, nil
|
|
}
|