Denis Kirillov
1f5f2bd3d5
Some checks failed
/ DCO (pull_request) Successful in 1m35s
/ Builds (1.20) (pull_request) Successful in 2m9s
/ Builds (1.21) (pull_request) Successful in 2m3s
/ Vulncheck (pull_request) Failing after 3m30s
/ Lint (pull_request) Successful in 6m1s
/ Tests (1.20) (pull_request) Successful in 3m13s
/ Tests (1.21) (pull_request) Successful in 2m52s
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
450 lines
10 KiB
Go
450 lines
10 KiB
Go
package layer
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"time"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
|
|
v2container "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
|
|
objectv2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
|
|
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
|
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
|
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
|
)
|
|
|
|
type FeatureSettingsMock struct {
|
|
clientCut bool
|
|
md5Enabled bool
|
|
}
|
|
|
|
func (k *FeatureSettingsMock) BufferMaxSizeForPut() uint64 {
|
|
return 0
|
|
}
|
|
|
|
func (k *FeatureSettingsMock) ClientCut() bool {
|
|
return k.clientCut
|
|
}
|
|
|
|
func (k *FeatureSettingsMock) SetClientCut(clientCut bool) {
|
|
k.clientCut = clientCut
|
|
}
|
|
|
|
func (k *FeatureSettingsMock) MD5Enabled() bool {
|
|
return k.md5Enabled
|
|
}
|
|
|
|
func (k *FeatureSettingsMock) SetMD5Enabled(md5Enabled bool) {
|
|
k.md5Enabled = md5Enabled
|
|
}
|
|
|
|
func (k *FeatureSettingsMock) FormContainerZone(ns string) (zone string, isDefault bool) {
|
|
if ns == "" {
|
|
return v2container.SysAttributeZoneDefault, true
|
|
}
|
|
|
|
return ns + ".ns", false
|
|
}
|
|
|
|
type TestFrostFS struct {
|
|
FrostFS
|
|
|
|
objects map[string]*object.Object
|
|
objectErrors map[string]error
|
|
objectPutErrors map[string]error
|
|
containers map[string]*container.Container
|
|
eaclTables map[string]*eacl.Table
|
|
currentEpoch uint64
|
|
key *keys.PrivateKey
|
|
}
|
|
|
|
func NewTestFrostFS(key *keys.PrivateKey) *TestFrostFS {
|
|
return &TestFrostFS{
|
|
objects: make(map[string]*object.Object),
|
|
objectErrors: make(map[string]error),
|
|
objectPutErrors: make(map[string]error),
|
|
containers: make(map[string]*container.Container),
|
|
eaclTables: make(map[string]*eacl.Table),
|
|
key: key,
|
|
}
|
|
}
|
|
|
|
func (t *TestFrostFS) CurrentEpoch() uint64 {
|
|
return t.currentEpoch
|
|
}
|
|
|
|
func (t *TestFrostFS) SetObjectError(addr oid.Address, err error) {
|
|
if err == nil {
|
|
delete(t.objectErrors, addr.EncodeToString())
|
|
} else {
|
|
t.objectErrors[addr.EncodeToString()] = err
|
|
}
|
|
}
|
|
|
|
func (t *TestFrostFS) SetObjectPutError(fileName string, err error) {
|
|
if err == nil {
|
|
delete(t.objectPutErrors, fileName)
|
|
} else {
|
|
t.objectPutErrors[fileName] = err
|
|
}
|
|
}
|
|
|
|
func (t *TestFrostFS) Objects() []*object.Object {
|
|
res := make([]*object.Object, 0, len(t.objects))
|
|
|
|
for _, obj := range t.objects {
|
|
res = append(res, obj)
|
|
}
|
|
|
|
return res
|
|
}
|
|
|
|
func (t *TestFrostFS) ObjectExists(objID oid.ID) bool {
|
|
for _, obj := range t.objects {
|
|
if id, _ := obj.ID(); id.Equals(objID) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (t *TestFrostFS) AddObject(key string, obj *object.Object) {
|
|
t.objects[key] = obj
|
|
}
|
|
|
|
func (t *TestFrostFS) ContainerID(name string) (cid.ID, error) {
|
|
for id, cnr := range t.containers {
|
|
if container.Name(*cnr) == name {
|
|
var cnrID cid.ID
|
|
return cnrID, cnrID.DecodeString(id)
|
|
}
|
|
}
|
|
return cid.ID{}, fmt.Errorf("not found")
|
|
}
|
|
|
|
func (t *TestFrostFS) SetContainer(cnrID cid.ID, cnr *container.Container) {
|
|
t.containers[cnrID.EncodeToString()] = cnr
|
|
}
|
|
|
|
func (t *TestFrostFS) CreateContainer(_ context.Context, prm PrmContainerCreate) (*ContainerCreateResult, error) {
|
|
var cnr container.Container
|
|
cnr.Init()
|
|
cnr.SetOwner(prm.Creator)
|
|
cnr.SetPlacementPolicy(prm.Policy)
|
|
cnr.SetBasicACL(prm.BasicACL)
|
|
|
|
creationTime := prm.CreationTime
|
|
if creationTime.IsZero() {
|
|
creationTime = time.Now()
|
|
}
|
|
container.SetCreationTime(&cnr, creationTime)
|
|
|
|
if prm.Name != "" {
|
|
var d container.Domain
|
|
d.SetName(prm.Name)
|
|
d.SetZone(prm.Zone)
|
|
|
|
container.WriteDomain(&cnr, d)
|
|
container.SetName(&cnr, prm.Name)
|
|
}
|
|
|
|
for i := range prm.AdditionalAttributes {
|
|
cnr.SetAttribute(prm.AdditionalAttributes[i][0], prm.AdditionalAttributes[i][1])
|
|
}
|
|
|
|
b := make([]byte, 32)
|
|
if _, err := io.ReadFull(rand.Reader, b); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var id cid.ID
|
|
id.SetSHA256(sha256.Sum256(b))
|
|
t.containers[id.EncodeToString()] = &cnr
|
|
|
|
return &ContainerCreateResult{ContainerID: id}, nil
|
|
}
|
|
|
|
func (t *TestFrostFS) DeleteContainer(_ context.Context, cnrID cid.ID, _ *session.Container) error {
|
|
delete(t.containers, cnrID.EncodeToString())
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *TestFrostFS) Container(_ context.Context, prm PrmContainer) (*container.Container, error) {
|
|
for k, v := range t.containers {
|
|
if k == prm.ContainerID.EncodeToString() {
|
|
return v, nil
|
|
}
|
|
}
|
|
|
|
return nil, fmt.Errorf("container not found %s", prm.ContainerID)
|
|
}
|
|
|
|
func (t *TestFrostFS) UserContainers(context.Context, PrmUserContainers) ([]cid.ID, error) {
|
|
var res []cid.ID
|
|
for k := range t.containers {
|
|
var idCnr cid.ID
|
|
if err := idCnr.DecodeString(k); err != nil {
|
|
return nil, err
|
|
}
|
|
res = append(res, idCnr)
|
|
}
|
|
|
|
return res, nil
|
|
}
|
|
|
|
func (t *TestFrostFS) ReadObject(ctx context.Context, prm PrmObjectRead) (*ObjectPart, error) {
|
|
var addr oid.Address
|
|
addr.SetContainer(prm.Container)
|
|
addr.SetObject(prm.Object)
|
|
|
|
sAddr := addr.EncodeToString()
|
|
|
|
if err := t.objectErrors[sAddr]; err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if obj, ok := t.objects[sAddr]; ok {
|
|
owner := getBearerOwner(ctx)
|
|
if !t.checkAccess(prm.Container, owner, eacl.OperationGet, obj) {
|
|
return nil, ErrAccessDenied
|
|
}
|
|
|
|
payload := obj.Payload()
|
|
|
|
if prm.PayloadRange[0]+prm.PayloadRange[1] > 0 {
|
|
off := prm.PayloadRange[0]
|
|
payload = payload[off : off+prm.PayloadRange[1]]
|
|
}
|
|
|
|
return &ObjectPart{
|
|
Head: obj,
|
|
Payload: io.NopCloser(bytes.NewReader(payload)),
|
|
}, nil
|
|
}
|
|
|
|
return nil, fmt.Errorf("%w: %s", &apistatus.ObjectNotFound{}, addr)
|
|
}
|
|
|
|
func (t *TestFrostFS) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.ID, error) {
|
|
b := make([]byte, 32)
|
|
if _, err := io.ReadFull(rand.Reader, b); err != nil {
|
|
return oid.ID{}, err
|
|
}
|
|
var id oid.ID
|
|
id.SetSHA256(sha256.Sum256(b))
|
|
|
|
attrs := make([]object.Attribute, 0)
|
|
|
|
if err := t.objectPutErrors[prm.Filepath]; err != nil {
|
|
return oid.ID{}, err
|
|
}
|
|
|
|
if prm.Filepath != "" {
|
|
a := object.NewAttribute()
|
|
a.SetKey(object.AttributeFilePath)
|
|
a.SetValue(prm.Filepath)
|
|
attrs = append(attrs, *a)
|
|
}
|
|
|
|
if prm.ClientCut {
|
|
a := object.NewAttribute()
|
|
a.SetKey("s3-client-cut")
|
|
a.SetValue("true")
|
|
attrs = append(attrs, *a)
|
|
}
|
|
|
|
for i := range prm.Attributes {
|
|
a := object.NewAttribute()
|
|
a.SetKey(prm.Attributes[i][0])
|
|
a.SetValue(prm.Attributes[i][1])
|
|
attrs = append(attrs, *a)
|
|
}
|
|
|
|
var owner user.ID
|
|
user.IDFromKey(&owner, t.key.PrivateKey.PublicKey)
|
|
|
|
obj := object.New()
|
|
obj.SetContainerID(prm.Container)
|
|
obj.SetID(id)
|
|
obj.SetPayloadSize(prm.PayloadSize)
|
|
obj.SetAttributes(attrs...)
|
|
obj.SetCreationEpoch(t.currentEpoch)
|
|
obj.SetOwnerID(owner)
|
|
t.currentEpoch++
|
|
|
|
if len(prm.Locks) > 0 {
|
|
lock := new(object.Lock)
|
|
lock.WriteMembers(prm.Locks)
|
|
objectv2.WriteLock(obj.ToV2(), (objectv2.Lock)(*lock))
|
|
}
|
|
|
|
if prm.Payload != nil {
|
|
all, err := io.ReadAll(prm.Payload)
|
|
if err != nil {
|
|
return oid.ID{}, err
|
|
}
|
|
obj.SetPayload(all)
|
|
obj.SetPayloadSize(uint64(len(all)))
|
|
var hash checksum.Checksum
|
|
checksum.Calculate(&hash, checksum.SHA256, all)
|
|
obj.SetPayloadChecksum(hash)
|
|
}
|
|
|
|
cnrID, _ := obj.ContainerID()
|
|
objID, _ := obj.ID()
|
|
|
|
addr := newAddress(cnrID, objID)
|
|
t.objects[addr.EncodeToString()] = obj
|
|
return objID, nil
|
|
}
|
|
|
|
func (t *TestFrostFS) DeleteObject(ctx context.Context, prm PrmObjectDelete) error {
|
|
var addr oid.Address
|
|
addr.SetContainer(prm.Container)
|
|
addr.SetObject(prm.Object)
|
|
|
|
if err := t.objectErrors[addr.EncodeToString()]; err != nil {
|
|
return err
|
|
}
|
|
|
|
if obj, ok := t.objects[addr.EncodeToString()]; ok {
|
|
owner := getBearerOwner(ctx)
|
|
if !t.checkAccess(prm.Container, owner, eacl.OperationDelete, obj) {
|
|
return ErrAccessDenied
|
|
}
|
|
|
|
delete(t.objects, addr.EncodeToString())
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *TestFrostFS) TimeToEpoch(_ context.Context, now, futureTime time.Time) (uint64, uint64, error) {
|
|
return t.currentEpoch, t.currentEpoch + uint64(futureTime.Sub(now).Seconds()), nil
|
|
}
|
|
|
|
func (t *TestFrostFS) AllObjects(cnrID cid.ID) []oid.ID {
|
|
result := make([]oid.ID, 0, len(t.objects))
|
|
|
|
for _, val := range t.objects {
|
|
objCnrID, _ := val.ContainerID()
|
|
objObjID, _ := val.ID()
|
|
if cnrID.Equals(objCnrID) {
|
|
result = append(result, objObjID)
|
|
}
|
|
}
|
|
|
|
return result
|
|
}
|
|
|
|
func (t *TestFrostFS) SetContainerEACL(_ context.Context, table eacl.Table, _ *session.Container) error {
|
|
cnrID, ok := table.CID()
|
|
if !ok {
|
|
return errors.New("invalid cid")
|
|
}
|
|
|
|
if _, ok = t.containers[cnrID.EncodeToString()]; !ok {
|
|
return errors.New("not found")
|
|
}
|
|
|
|
t.eaclTables[cnrID.EncodeToString()] = &table
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *TestFrostFS) ContainerEACL(_ context.Context, prm PrmContainerEACL) (*eacl.Table, error) {
|
|
table, ok := t.eaclTables[prm.ContainerID.EncodeToString()]
|
|
if !ok {
|
|
return nil, errors.New("not found")
|
|
}
|
|
|
|
return table, nil
|
|
}
|
|
|
|
func (t *TestFrostFS) checkAccess(cnrID cid.ID, owner user.ID, op eacl.Operation, obj *object.Object) bool {
|
|
cnr, ok := t.containers[cnrID.EncodeToString()]
|
|
if !ok {
|
|
return false
|
|
}
|
|
|
|
if !cnr.BasicACL().Extendable() {
|
|
return cnr.Owner().Equals(owner)
|
|
}
|
|
|
|
table, ok := t.eaclTables[cnrID.EncodeToString()]
|
|
if !ok {
|
|
return true
|
|
}
|
|
|
|
for _, rec := range table.Records() {
|
|
if rec.Operation() != op {
|
|
continue
|
|
}
|
|
|
|
if !matchTarget(rec, owner) {
|
|
continue
|
|
}
|
|
|
|
if matchFilter(rec.Filters(), obj) {
|
|
return rec.Action() == eacl.ActionAllow
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
func matchTarget(rec eacl.Record, owner user.ID) bool {
|
|
for _, trgt := range rec.Targets() {
|
|
if trgt.Role() == eacl.RoleOthers {
|
|
return true
|
|
}
|
|
var targetOwner user.ID
|
|
for _, pk := range eacl.TargetECDSAKeys(&trgt) {
|
|
user.IDFromKey(&targetOwner, *pk)
|
|
if targetOwner.Equals(owner) {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func matchFilter(filters []eacl.Filter, obj *object.Object) bool {
|
|
objID, _ := obj.ID()
|
|
for _, f := range filters {
|
|
fv2 := f.ToV2()
|
|
if fv2.GetMatchType() != acl.MatchTypeStringEqual ||
|
|
fv2.GetHeaderType() != acl.HeaderTypeObject ||
|
|
fv2.GetKey() != acl.FilterObjectID ||
|
|
fv2.GetValue() != objID.EncodeToString() {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
func getBearerOwner(ctx context.Context) user.ID {
|
|
if bd, err := middleware.GetBoxData(ctx); err == nil && bd.Gate.BearerToken != nil {
|
|
return bearer.ResolveIssuer(*bd.Gate.BearerToken)
|
|
}
|
|
|
|
return user.ID{}
|
|
}
|