apemanager/chain.go

@@ -0,0 +1,52 @@
+package apemanager
+
+import (
+	"errors"
+	"fmt"
+
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+)
+
+var (
+	ErrInvalidChainRepresentation = errors.New("invalid chain representation")
+)
+
+// ChainID is Chain's identifier.
+type ChainID []byte
+
+// Chain is an SDK representation for v2's Chain.
+//
+// Note that Chain (as well as v2's Chain) and all related entities
+// are NOT operated by Access-Policy-Engine (APE). The client is responsible
+// to convert these types to policy-engine entities.
+type Chain struct {
+	// Raw is the encoded chain kind.
+	// It assumes that Raw's bytes are the result of encoding provided by
+	// policy-engine package.
+	Raw []byte
+}
+
+// ToV2 converts Chain to v2.
+func (c *Chain) ToV2() *apemanager_v2.Chain {
+	v2ct := new(apemanager_v2.Chain)
+
+	if c.Raw != nil {
+		v2Raw := new(apemanager_v2.ChainRaw)
+		v2Raw.SetRaw(c.Raw)
+		v2ct.SetKind(v2Raw)
+	}
+
+	return v2ct
+}
+
+// ReadFromV2 fills Chain from v2.
+func (c *Chain) ReadFromV2(v2ct *apemanager_v2.Chain) error {
+	switch v := v2ct.GetKind().(type) {
+	default:
+		return fmt.Errorf("unsupported chain kind: %T", v)
+	case *apemanager_v2.ChainRaw:
+		raw := v.GetRaw()
+		c.Raw = raw
+	}
+	return nil
+}

apemanager/chain_target.go

@@ -0,0 +1,53 @@
+package apemanager
+
+import (
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+)
+
+// TargetType is an SDK representation for v2's TargetType.
+type TargetType apemanager_v2.TargetType
+
+const (
+	TargetTypeUndefined TargetType = iota
+	TargetTypeNamespace
+	TargetTypeContainer
+	TargetTypeUser
+	TargetTypeGroup
+)
+
+// ToV2 converts TargetType to v2.
+func (targetType TargetType) ToV2() apemanager_v2.TargetType {
+	return apemanager_v2.TargetType(targetType)
+}
+
+// FromV2 reads TargetType to v2.
+func (targetType *TargetType) FromV2(v2targetType apemanager_v2.TargetType) {
+	*targetType = TargetType(v2targetType)
+}
+
+// ChainTarget is an SDK representation for v2's ChainTarget.
+//
+// Note that ChainTarget (as well as v2's ChainTarget) and all related entities
+// are NOT operated by Access-Policy-Engine (APE). The client is responsible
+// to convert these types to policy-engine entities.
+type ChainTarget struct {
+	TargetType TargetType
+
+	Name string
+}
+
+// ToV2 converts ChainTarget to v2.
+func (ct *ChainTarget) ToV2() *apemanager_v2.ChainTarget {
+	v2ct := new(apemanager_v2.ChainTarget)
+
+	v2ct.SetTargetType(ct.TargetType.ToV2())
+	v2ct.SetName(ct.Name)
+
+	return v2ct
+}
+
+// FromV2 reads ChainTarget frpm v2.
+func (ct *ChainTarget) FromV2(v2ct *apemanager_v2.ChainTarget) {
+	ct.TargetType.FromV2(v2ct.GetTargetType())
+	ct.Name = v2ct.GetName()
+}

apemanager/chain_target_test.go

@@ -0,0 +1,65 @@
+package apemanager_test
+
+import (
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/apemanager"
+	"github.com/stretchr/testify/require"
+
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+)
+
+var (
+	m = map[apemanager.TargetType]apemanager_v2.TargetType{
+		apemanager.TargetTypeUndefined: apemanager_v2.TargetTypeUndefined,
+		apemanager.TargetTypeNamespace: apemanager_v2.TargetTypeNamespace,
+		apemanager.TargetTypeContainer: apemanager_v2.TargetTypeContainer,
+		apemanager.TargetTypeUser:      apemanager_v2.TargetTypeUser,
+		apemanager.TargetTypeGroup:     apemanager_v2.TargetTypeGroup,
+	}
+)
+
+func TestTargetType(t *testing.T) {
+	for typesdk, typev2 := range m {
+		t.Run("from sdk to v2 "+typev2.String(), func(t *testing.T) {
+			v2 := typesdk.ToV2()
+			require.Equal(t, v2, typev2)
+		})
+
+		t.Run("from v2 to sdk "+typev2.String(), func(t *testing.T) {
+			var typ apemanager.TargetType
+			typ.FromV2(typev2)
+			require.Equal(t, typesdk, typ)
+		})
+	}
+}
+
+func TestChainTarget(t *testing.T) {
+	var (
+		typ  = apemanager.TargetTypeNamespace
+		name = "namespaceXXYYZZ"
+	)
+
+	t.Run("from sdk to v2", func(t *testing.T) {
+		ct := apemanager.ChainTarget{
+			TargetType: typ,
+			Name:       name,
+		}
+
+		v2 := ct.ToV2()
+		require.Equal(t, m[typ], v2.GetTargetType())
+		require.Equal(t, name, v2.GetName())
+	})
+
+	t.Run("from v2 to sdk", func(t *testing.T) {
+		v2 := &apemanager_v2.ChainTarget{}
+		v2.SetTargetType(m[typ])
+		v2.SetName(name)
+
+		var ct apemanager.ChainTarget
+		ct.FromV2(v2)
+
+		require.Equal(t, typ, ct.TargetType)
+		require.Equal(t, name, ct.Name)
+	})
+}

apemanager/chain_test.go

@@ -0,0 +1,43 @@
+package apemanager_test
+
+import (
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/apemanager"
+	"github.com/stretchr/testify/require"
+
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+)
+
+const (
+	encoded = `{"ID":"","Rules":[{"Status":"Allow","Actions":{"Inverted":false,"Names":["GetObject"]},"Resources":{"Inverted":false,"Names":["native:object/*"]},"Any":false,"Condition":[{"Op":"StringEquals","Object":"Resource","Key":"Department","Value":"HR"}]}],"MatchType":"DenyPriority"}`
+)
+
+func TestChainData(t *testing.T) {
+	t.Run("raw chain", func(t *testing.T) {
+		var c apemanager.Chain
+
+		b := []byte(encoded)
+		c.Raw = b
+
+		v2, ok := c.ToV2().GetKind().(*apemanager_v2.ChainRaw)
+		require.True(t, ok)
+		require.Equal(t, b, v2.Raw)
+	})
+}
+
+func TestChainMessageV2(t *testing.T) {
+	b := []byte(encoded)
+
+	v2Raw := &apemanager_v2.ChainRaw{}
+	v2Raw.SetRaw(b)
+
+	v2 := &apemanager_v2.Chain{}
+	v2.SetKind(v2Raw)
+
+	var c apemanager.Chain
+	c.ReadFromV2(v2)
+
+	require.NotNil(t, c.Raw)
+	require.Equal(t, b, c.Raw)
+}

client/apemanager_add_chain.go

@@ -0,0 +1,79 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+	rpcapi "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	session_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/signature"
+	apemanager_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/apemanager"
+	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
+)
+
+// PrmAPEManagerAddChain groups parameters of APEManagerAddChain operation.
+type PrmAPEManagerAddChain struct {
+	XHeaders []string
+
+	ChainTarget apemanager_sdk.ChainTarget
+
+	Chain apemanager_sdk.Chain
+}
+
+func (prm *PrmAPEManagerAddChain) buildRequest(c *Client) (*apemanager_v2.AddChainRequest, error) {
+	if len(prm.XHeaders)%2 != 0 {
+		return nil, errorInvalidXHeaders
+	}
+
+	req := new(apemanager_v2.AddChainRequest)
+	reqBody := new(apemanager_v2.AddChainRequestBody)
+
+	reqBody.SetTarget(prm.ChainTarget.ToV2())
+	reqBody.SetChain(prm.Chain.ToV2())
+
+	req.SetBody(reqBody)
+
+	var meta session_v2.RequestMetaHeader
+	writeXHeadersToMeta(prm.XHeaders, &meta)
+
+	c.prepareRequest(req, &meta)
+
+	return req, nil
+}
+
+type ResAPEManagerAddChain struct {
+	statusRes
+
+	// ChainID of set Chain. If Chain does not contain chainID before request, then
+	// ChainID is generated.
+	ChainID apemanager_sdk.ChainID
+}
+
+// APEManagerAddChain sets Chain for ChainTarget.
+func (c *Client) APEManagerAddChain(ctx context.Context, prm PrmAPEManagerAddChain) (*ResAPEManagerAddChain, error) {
+	req, err := prm.buildRequest(c)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := signature.SignServiceMessage(&c.prm.Key, req); err != nil {
+		return nil, fmt.Errorf("sign request: %w", err)
+	}
+
+	resp, err := rpcapi.AddChain(&c.c, req, client.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	var res ResAPEManagerAddChain
+	res.st, err = c.processResponse(resp)
+	if err != nil || !apistatus.IsSuccessful(res.st) {
+		return &res, err
+	}
+
+	res.ChainID = resp.GetBody().GetChainID()
+
+	return &res, nil
+}

client/apemanager_list_chains.go

@@ -0,0 +1,80 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+	rpcapi "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	session_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/signature"
+	apemanager_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/apemanager"
+	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
+)
+
+// PrmAPEManagerListChains groups parameters of APEManagerListChains operation.
+type PrmAPEManagerListChains struct {
+	XHeaders []string
+
+	ChainTarget apemanager_sdk.ChainTarget
+}
+
+func (prm *PrmAPEManagerListChains) buildRequest(c *Client) (*apemanager_v2.ListChainsRequest, error) {
+	if len(prm.XHeaders)%2 != 0 {
+		return nil, errorInvalidXHeaders
+	}
+
+	req := new(apemanager_v2.ListChainsRequest)
+	reqBody := new(apemanager_v2.ListChainsRequestBody)
+
+	reqBody.SetTarget(prm.ChainTarget.ToV2())
+
+	req.SetBody(reqBody)
+
+	var meta session_v2.RequestMetaHeader
+	writeXHeadersToMeta(prm.XHeaders, &meta)
+
+	c.prepareRequest(req, &meta)
+
+	return req, nil
+}
+
+type ResAPEManagerListChains struct {
+	statusRes
+
+	Chains []apemanager_sdk.Chain
+}
+
+// APEManagerListChains lists Chains for ChainTarget.
+func (c *Client) APEManagerListChains(ctx context.Context, prm PrmAPEManagerListChains) (*ResAPEManagerListChains, error) {
+	req, err := prm.buildRequest(c)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := signature.SignServiceMessage(&c.prm.Key, req); err != nil {
+		return nil, fmt.Errorf("sign request: %w", err)
+	}
+
+	resp, err := rpcapi.ListChains(&c.c, req, client.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	var res ResAPEManagerListChains
+	res.st, err = c.processResponse(resp)
+	if err != nil || !apistatus.IsSuccessful(res.st) {
+		return nil, err
+	}
+
+	for _, ch := range resp.GetBody().GetChains() {
+		var chSDK apemanager_sdk.Chain
+		if err := chSDK.ReadFromV2(ch); err != nil {
+			return nil, err
+		}
+		res.Chains = append(res.Chains, chSDK)
+	}
+
+	return &res, nil
+}

client/apemanager_remove_chain.go

@@ -0,0 +1,73 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+	rpcapi "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	session_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/signature"
+	apemanager_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/apemanager"
+	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
+)
+
+// PrmAPEManagerRemoveChain groups parameters of APEManagerRemoveChain operation.
+type PrmAPEManagerRemoveChain struct {
+	XHeaders []string
+
+	ChainTarget apemanager_sdk.ChainTarget
+
+	ChainID apemanager_sdk.ChainID
+}
+
+func (prm *PrmAPEManagerRemoveChain) buildRequest(c *Client) (*apemanager_v2.RemoveChainRequest, error) {
+	if len(prm.XHeaders)%2 != 0 {
+		return nil, errorInvalidXHeaders
+	}
+
+	req := new(apemanager_v2.RemoveChainRequest)
+	reqBody := new(apemanager_v2.RemoveChainRequestBody)
+
+	reqBody.SetTarget(prm.ChainTarget.ToV2())
+	reqBody.SetChainID(prm.ChainID)
+
+	req.SetBody(reqBody)
+
+	var meta session_v2.RequestMetaHeader
+	writeXHeadersToMeta(prm.XHeaders, &meta)
+
+	c.prepareRequest(req, &meta)
+
+	return req, nil
+}
+
+type ResAPEManagerRemoveChain struct {
+	statusRes
+}
+
+// APEManagerRemoveChain removes Chain with ChainID defined for ChainTarget.
+func (c *Client) APEManagerRemoveChain(ctx context.Context, prm PrmAPEManagerRemoveChain) (*ResAPEManagerRemoveChain, error) {
+	req, err := prm.buildRequest(c)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := signature.SignServiceMessage(&c.prm.Key, req); err != nil {
+		return nil, fmt.Errorf("sign request: %w", err)
+	}
+
+	resp, err := rpcapi.RemoveChain(&c.c, req, client.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	var res ResAPEManagerRemoveChain
+	res.st, err = c.processResponse(resp)
+	if err != nil || !apistatus.IsSuccessful(res.st) {
+		return &res, err
+	}
+
+	return &res, nil
+}

client/errors.go

@@ -61,6 +61,12 @@ func IsErrSessionNotFound(err error) bool {
 	return wrapsErrType[*apistatus.SessionTokenNotFound](err)
 }
 
+// IsErrAPEManagerAccessDenied checks if err corresponds to FrostFS status return
+// corresponding to apemanager access deny. Supports wrapped errors.
+func IsErrAPEManagerAccessDenied(err error) bool {
+	return wrapsErrType[*apistatus.APEManagerAccessDenied](err)
+}
+
 // returns error describing missing field with the given name.
 func newErrMissingResponseField(name string) error {
 	return fmt.Errorf("missing %s field in the response", name)

client/status/apemanager.go

@@ -0,0 +1,53 @@
+package apistatus
+
+import (
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/status"
+)
+
+// APEManagerAccessDenied describes status of the failure because of the access control violation.
+// Instances provide Status and StatusV2 interfaces.
+type APEManagerAccessDenied struct {
+	v2 status.Status
+}
+
+const defaultAPEManagerAccessDeniedMsg = "apemanager access denied"
+
+func (x *APEManagerAccessDenied) Error() string {
+	msg := x.v2.Message()
+	if msg == "" {
+		msg = defaultAPEManagerAccessDeniedMsg
+	}
+
+	return errMessageStatusV2(
+		globalizeCodeV2(apemanager.StatusAPEManagerAccessDenied, apemanager.GlobalizeFail),
+		msg,
+	)
+}
+
+func (x *APEManagerAccessDenied) fromStatusV2(st *status.Status) {
+	x.v2 = *st
+}
+
+// ToStatusV2 converts APEManagerAccessDenied to v2's Status.
+// If the value was returned by FromStatusV2, returns the source message.
+// Otherwise, returns message with
+//   - code: APE_MANAGER_ACCESS_DENIED;
+//   - string message: "apemanager access denied";
+//   - details: empty.
+func (x APEManagerAccessDenied) ToStatusV2() *status.Status {
+	x.v2.SetCode(globalizeCodeV2(apemanager.StatusAPEManagerAccessDenied, apemanager.GlobalizeFail))
+	x.v2.SetMessage(defaultAPEManagerAccessDeniedMsg)
+	return &x.v2
+}
+
+// WriteReason writes human-readable access rejection reason.
+func (x *APEManagerAccessDenied) WriteReason(reason string) {
+	apemanager.WriteAccessDeniedDesc(&x.v2, reason)
+}
+
+// Reason returns human-readable access rejection reason returned by the server.
+// Returns empty value is reason is not presented.
+func (x APEManagerAccessDenied) Reason() string {
+	return apemanager.ReadAccessDeniedDesc(x.v2)
+}

client/status/v2.go

@@ -3,6 +3,7 @@ package apistatus
 import (
 	"fmt"
 
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
 	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
 	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
@@ -92,6 +93,12 @@ func FromStatusV2(st *status.Status) Status {
 		case session.StatusTokenExpired:
 			decoder = new(SessionTokenExpired)
 		}
+	case apemanager.LocalizeFailStatus(&code):
+		//nolint:exhaustive
+		switch code {
+		case apemanager.StatusAPEManagerAccessDenied:
+			decoder = new(APEManagerAccessDenied)
+		}
 	}
 
 	if decoder == nil {

client/status/v2_test.go

@@ -125,6 +125,12 @@ func TestToStatusV2(t *testing.T) {
 			}),
 			codeV2: 4097,
 		},
+		{
+			status: (statusConstructor)(func() apistatus.Status {
+				return new(apistatus.APEManagerAccessDenied)
+			}),
+			codeV2: 5120,
+		},
 		{
 			status: (statusConstructor)(func() apistatus.Status {
 				return new(apistatus.NodeUnderMaintenance)
@@ -278,6 +284,12 @@ func TestFromStatusV2(t *testing.T) {
 			}),
 			codeV2: 4097,
 		},
+		{
+			status: (statusConstructor)(func() apistatus.Status {
+				return new(apistatus.APEManagerAccessDenied)
+			}),
+			codeV2: 5120,
+		},
 		{
 			status: (statusConstructor)(func() apistatus.Status {
 				return new(apistatus.NodeUnderMaintenance)

go.mod

@@ -3,7 +3,7 @@ module git.frostfs.info/TrueCloudLab/frostfs-sdk-go
 go 1.20
 
 require (
-	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240427200446-67c6f305b21f
+	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240506114654-b171364079c3
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
 	git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1