Alexander Chuprov
b078fe5ba1
All checks were successful
DCO action / DCO (pull_request) Successful in 6m11s
Build / Build Components (1.22) (pull_request) Successful in 7m50s
Build / Build Components (1.21) (pull_request) Successful in 8m3s
Tests and linters / Lint (pull_request) Successful in 9m45s
Tests and linters / gopls check (pull_request) Successful in 12m40s
Vulncheck / Vulncheck (pull_request) Successful in 12m35s
Tests and linters / Staticcheck (pull_request) Successful in 15m34s
Pre-commit hooks / Pre-commit (pull_request) Successful in 19m38s
Tests and linters / Tests with -race (pull_request) Successful in 21m40s
Tests and linters / Tests (1.22) (pull_request) Successful in 3m21s
Tests and linters / Tests (1.21) (pull_request) Successful in 3m36s
Signed-off-by: Alexander Chuprov <a.chuprov@yadro.com>
253 lines
8.1 KiB
Go
253 lines
8.1 KiB
Go
package control
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/server/ape"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/server/ctrlmessage"
|
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
func apeTarget(chainTarget *control.ChainTarget) (engine.Target, error) {
|
|
switch chainTarget.GetType() {
|
|
case control.ChainTarget_CONTAINER:
|
|
return engine.ContainerTarget(chainTarget.GetName()), nil
|
|
case control.ChainTarget_NAMESPACE:
|
|
return engine.NamespaceTarget(chainTarget.GetName()), nil
|
|
case control.ChainTarget_USER:
|
|
return engine.UserTarget(chainTarget.GetName()), nil
|
|
case control.ChainTarget_GROUP:
|
|
return engine.GroupTarget(chainTarget.GetName()), nil
|
|
default:
|
|
}
|
|
return engine.Target{}, status.Error(codes.InvalidArgument,
|
|
fmt.Errorf("target type is not supported: %s", chainTarget.GetType().String()).Error())
|
|
}
|
|
|
|
func controlTarget(chainTarget *engine.Target) (control.ChainTarget, error) {
|
|
switch chainTarget.Type {
|
|
case engine.Container:
|
|
return control.ChainTarget{
|
|
Name: chainTarget.Name,
|
|
Type: control.ChainTarget_CONTAINER,
|
|
}, nil
|
|
case engine.Namespace:
|
|
// If namespace is empty, we take it for root namespace.
|
|
nm := chainTarget.Name
|
|
if nm == "root" {
|
|
nm = ""
|
|
}
|
|
return control.ChainTarget{
|
|
Name: nm,
|
|
Type: control.ChainTarget_NAMESPACE,
|
|
}, nil
|
|
case engine.User:
|
|
return control.ChainTarget{
|
|
Name: chainTarget.Name,
|
|
Type: control.ChainTarget_USER,
|
|
}, nil
|
|
case engine.Group:
|
|
return control.ChainTarget{
|
|
Name: chainTarget.Name,
|
|
Type: control.ChainTarget_GROUP,
|
|
}, nil
|
|
default:
|
|
}
|
|
return control.ChainTarget{}, status.Error(codes.InvalidArgument,
|
|
fmt.Errorf("target type is not supported: %c", chainTarget.Type).Error())
|
|
}
|
|
|
|
func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainLocalOverrideRequest) (*control.AddChainLocalOverrideResponse, error) {
|
|
if err := s.isValidRequest(req); err != nil {
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
}
|
|
|
|
var chain apechain.Chain
|
|
if err := chain.DecodeBytes(req.GetBody().GetChain()); err != nil {
|
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
|
}
|
|
for _, rule := range chain.Rules {
|
|
for _, name := range rule.Resources.Names {
|
|
if err := ape.ValidateResourceName(name); err != nil {
|
|
return nil, status.Error(codes.InvalidArgument, fmt.Errorf("invalid resource: %w", err).Error())
|
|
}
|
|
}
|
|
}
|
|
|
|
s.apeChainCounter.Add(1)
|
|
// TODO (aarifullin): the such chain id is not well-designed yet.
|
|
if len(chain.ID) == 0 {
|
|
chain.ID = apechain.ID(fmt.Sprintf("%s:%d", apechain.Ingress, s.apeChainCounter.Load()))
|
|
}
|
|
|
|
target, err := apeTarget(req.GetBody().GetTarget())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if _, err = s.localOverrideStorage.LocalStorage().AddOverride(apechain.Ingress, target, &chain); err != nil {
|
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
|
}
|
|
|
|
resp := &control.AddChainLocalOverrideResponse{
|
|
Body: &control.AddChainLocalOverrideResponse_Body{
|
|
ChainId: []byte(chain.ID),
|
|
},
|
|
}
|
|
err = ctrlmessage.Sign(s.key, resp)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (s *Server) GetChainLocalOverride(_ context.Context, req *control.GetChainLocalOverrideRequest) (*control.GetChainLocalOverrideResponse, error) {
|
|
if err := s.isValidRequest(req); err != nil {
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
}
|
|
|
|
target, err := apeTarget(req.GetBody().GetTarget())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
chain, err := s.localOverrideStorage.LocalStorage().GetOverride(apechain.Ingress, target, apechain.ID(req.GetBody().GetChainId()))
|
|
if err != nil {
|
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
|
}
|
|
|
|
resp := &control.GetChainLocalOverrideResponse{
|
|
Body: &control.GetChainLocalOverrideResponse_Body{
|
|
Chain: chain.Bytes(),
|
|
},
|
|
}
|
|
err = ctrlmessage.Sign(s.key, resp)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (s *Server) ListChainLocalOverrides(_ context.Context, req *control.ListChainLocalOverridesRequest) (*control.ListChainLocalOverridesResponse, error) {
|
|
if err := s.isValidRequest(req); err != nil {
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
}
|
|
|
|
target, err := apeTarget(req.GetBody().GetTarget())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
chains, err := s.localOverrideStorage.LocalStorage().ListOverrides(apechain.Ingress, target)
|
|
if err != nil {
|
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
|
}
|
|
serializedChains := make([][]byte, 0, len(chains))
|
|
for _, chain := range chains {
|
|
serializedChains = append(serializedChains, chain.Bytes())
|
|
}
|
|
|
|
resp := &control.ListChainLocalOverridesResponse{
|
|
Body: &control.ListChainLocalOverridesResponse_Body{
|
|
Chains: serializedChains,
|
|
},
|
|
}
|
|
err = ctrlmessage.Sign(s.key, resp)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.RemoveChainLocalOverrideRequest) (*control.RemoveChainLocalOverrideResponse, error) {
|
|
if err := s.isValidRequest(req); err != nil {
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
}
|
|
|
|
target, err := apeTarget(req.GetBody().GetTarget())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err = s.localOverrideStorage.LocalStorage().RemoveOverride(apechain.Ingress, target, apechain.ID(req.GetBody().GetChainId())); err != nil {
|
|
if code := getCodeByLocalStorageErr(err); code != codes.NotFound {
|
|
return nil, status.Error(code, err.Error())
|
|
}
|
|
}
|
|
resp := &control.RemoveChainLocalOverrideResponse{
|
|
Body: &control.RemoveChainLocalOverrideResponse_Body{},
|
|
}
|
|
err = ctrlmessage.Sign(s.key, resp)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (s *Server) RemoveChainLocalOverridesByTarget(_ context.Context, req *control.RemoveChainLocalOverridesByTargetRequest) (*control.RemoveChainLocalOverridesByTargetResponse, error) {
|
|
if err := s.isValidRequest(req); err != nil {
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
}
|
|
|
|
target, err := apeTarget(req.GetBody().GetTarget())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err = s.localOverrideStorage.LocalStorage().RemoveOverridesByTarget(apechain.Ingress, target); err != nil {
|
|
if code := getCodeByLocalStorageErr(err); code != codes.NotFound {
|
|
return nil, status.Error(code, err.Error())
|
|
}
|
|
}
|
|
resp := &control.RemoveChainLocalOverridesByTargetResponse{
|
|
Body: &control.RemoveChainLocalOverridesByTargetResponse_Body{},
|
|
}
|
|
err = ctrlmessage.Sign(s.key, resp)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func (s *Server) ListTargetsLocalOverrides(_ context.Context, req *control.ListTargetsLocalOverridesRequest) (*control.ListTargetsLocalOverridesResponse, error) {
|
|
if err := s.isValidRequest(req); err != nil {
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
}
|
|
|
|
apeChainName := apechain.Name(req.GetBody().GetChainName())
|
|
apeTargets, err := s.localOverrideStorage.LocalStorage().ListOverrideDefinedTargets(apeChainName)
|
|
if err != nil {
|
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
|
}
|
|
targets := make([]*control.ChainTarget, 0, len(apeTargets))
|
|
for i := range apeTargets {
|
|
target, err := controlTarget(&apeTargets[i])
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
targets = append(targets, &target)
|
|
}
|
|
|
|
resp := &control.ListTargetsLocalOverridesResponse{
|
|
Body: &control.ListTargetsLocalOverridesResponse_Body{
|
|
Targets: targets,
|
|
},
|
|
}
|
|
err = ctrlmessage.Sign(s.key, resp)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
return resp, nil
|
|
}
|
|
|
|
func getCodeByLocalStorageErr(err error) codes.Code {
|
|
if errors.Is(err, engine.ErrChainNotFound) || errors.Is(err, engine.ErrChainNameNotFound) {
|
|
return codes.NotFound
|
|
}
|
|
return codes.Internal
|
|
}
|