Airat Arifullin
8e11ef46b8
* Introduce Request type converted from RequestInfo type to implement policy-engine's Request interface * Implement basic ape checker to check if a request is permitted to be performed * Make put handlers use APE checker instead EACL Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
105 lines
2.2 KiB
Go
105 lines
2.2 KiB
Go
package acl
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
|
aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
|
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
|
)
|
|
|
|
type Request struct {
|
|
operation string
|
|
resource *resource
|
|
properties map[string]string
|
|
}
|
|
|
|
var _ policyengine.Request = (*Request)(nil)
|
|
|
|
type resource struct {
|
|
name string
|
|
properties map[string]string
|
|
}
|
|
|
|
var _ policyengine.Resource = (*resource)(nil)
|
|
|
|
func (r *resource) Name() string {
|
|
return r.name
|
|
}
|
|
|
|
func (r *resource) Property(key string) string {
|
|
return r.properties[key]
|
|
}
|
|
|
|
// TODO (aarifullin): these stringified verbs, properties and namespaces
|
|
// should be non-implementation-specific.
|
|
func getResource(reqInfo v2.RequestInfo) *resource {
|
|
cid := reqInfo.ContainerID()
|
|
oid := "*"
|
|
if reqOID := reqInfo.ObjectID(); reqOID != nil {
|
|
oid = reqOID.EncodeToString()
|
|
}
|
|
name := fmt.Sprintf("native:::object/%s/%s",
|
|
cid,
|
|
oid)
|
|
|
|
return &resource{
|
|
name: name,
|
|
properties: make(map[string]string),
|
|
}
|
|
}
|
|
|
|
func getProperties(_ v2.RequestInfo) map[string]string {
|
|
return map[string]string{
|
|
"Actor": "",
|
|
}
|
|
}
|
|
|
|
// TODO (aarifullin): these stringified verbs, properties and namespaces
|
|
// should be non-implementation-specific.
|
|
func getOperation(reqInfo v2.RequestInfo) string {
|
|
var verb string
|
|
switch op := reqInfo.Operation(); op {
|
|
case aclSDK.OpObjectGet:
|
|
verb = "GetObject"
|
|
case aclSDK.OpObjectHead:
|
|
verb = "HeadObject"
|
|
case aclSDK.OpObjectPut:
|
|
verb = "PutObject"
|
|
case aclSDK.OpObjectDelete:
|
|
verb = "DeleteObject"
|
|
case aclSDK.OpObjectSearch:
|
|
verb = "SearchObject"
|
|
case aclSDK.OpObjectRange:
|
|
verb = "RangeObject"
|
|
case aclSDK.OpObjectHash:
|
|
verb = "HashObject"
|
|
}
|
|
|
|
return "native:" + verb
|
|
}
|
|
|
|
func NewRequest() *Request {
|
|
return &Request{
|
|
resource: new(resource),
|
|
properties: map[string]string{},
|
|
}
|
|
}
|
|
|
|
func (r *Request) FromRequestInfo(ri v2.RequestInfo) {
|
|
r.operation = getOperation(ri)
|
|
r.resource = getResource(ri)
|
|
r.properties = getProperties(ri)
|
|
}
|
|
|
|
func (r *Request) Operation() string {
|
|
return r.operation
|
|
}
|
|
|
|
func (r *Request) Property(key string) string {
|
|
return r.properties[key]
|
|
}
|
|
|
|
func (r *Request) Resource() policyengine.Resource {
|
|
return r.resource
|
|
}
|