[#7] engine: Revise CachedChainStorage interface

* Nuke out CachedChainStorage interface * Introduce LocalOverrideStorage interface to manage local overrides * Introduce MorphRuleChainStorage interface to manage chains in the policy contract * Extend Engine interface Signed-off-by: Airat Arifullin <aarifullin@yadro.com>
2023-11-07 21:29:51 +03:00 · 2023-11-07 21:29:51 +03:00 · 17453d3cda
commit 17453d3cda
parent a08f600d97
9 changed files with 633 additions and 150 deletions
--- a/pkg/engine/inmemory/inmemory_test.go
+++ b/pkg/engine/inmemory/inmemory_test.go
@ -0,0 +1,206 @@
+package inmemory
+
+import (
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	resourcetest "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
+	"github.com/stretchr/testify/require"
+)
+
+func TestInmemory(t *testing.T) {
+	const (
+		object     = "native::object::abc/xyz"
+		container  = "native::object::abc/*"
+		namespace  = "Tenant1"
+		namespace2 = "Tenant2"
+		actor1     = "owner1"
+		actor2     = "owner2"
+	)
+
+	s := NewInMemoryLocalOverrides()
+
+	// Object which was put via S3.
+	res := resourcetest.NewResource(object, map[string]string{"FromS3": "true"})
+	// Request initiating from the trusted subnet and actor.
+	reqGood := resourcetest.NewRequest("native::object::put", res, map[string]string{
+		"SourceIP": "10.1.1.12",
+		"Actor":    actor1,
+	})
+
+	status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqGood)
+	require.Equal(t, chain.NoRuleFound, status)
+	require.False(t, ok)
+
+	s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(namespace), &chain.Chain{
+		Rules: []chain.Rule{
+			{ // Restrict to remove ANY object from the namespace.
+				Status:    chain.AccessDenied,
+				Actions:   chain.Actions{Names: []string{"native::object::delete"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+			},
+			{ // Allow to put object only from the trusted subnet AND trusted actor, deny otherwise.
+				Status:    chain.AccessDenied,
+				Actions:   chain.Actions{Names: []string{"native::object::put"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+				Any:       true,
+				Condition: []chain.Condition{
+					{
+						Op:     chain.CondStringNotLike,
+						Object: chain.ObjectRequest,
+						Key:    "SourceIP",
+						Value:  "10.1.1.*",
+					},
+					{
+						Op:     chain.CondStringNotEquals,
+						Object: chain.ObjectRequest,
+						Key:    "Actor",
+						Value:  actor1,
+					},
+				},
+			},
+		},
+	})
+
+	s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(namespace2), &chain.Chain{
+		Rules: []chain.Rule{
+			{ // Deny all expect "native::object::get" for all objects expect "native::object::abc/xyz".
+				Status:    chain.AccessDenied,
+				Actions:   chain.Actions{Inverted: true, Names: []string{"native::object::get"}},
+				Resources: chain.Resources{Inverted: true, Names: []string{object}},
+			},
+		},
+	})
+
+	s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
+		Rules: []chain.Rule{
+			{ // Allow to actor2 to get objects from the specific container only if they have `Department=HR` attribute.
+				Status:    chain.Allow,
+				Actions:   chain.Actions{Names: []string{"native::object::get"}},
+				Resources: chain.Resources{Names: []string{"native::object::abc/*"}},
+				Condition: []chain.Condition{
+					{
+						Op:     chain.CondStringEquals,
+						Object: chain.ObjectResource,
+						Key:    "Department",
+						Value:  "HR",
+					},
+					{
+						Op:     chain.CondStringEquals,
+						Object: chain.ObjectRequest,
+						Key:    "Actor",
+						Value:  actor2,
+					},
+				},
+			},
+		},
+	})
+
+	t.Run("bad subnet, namespace deny", func(t *testing.T) {
+		// Request initiating from the untrusted subnet.
+		reqBadIP := resourcetest.NewRequest("native::object::put", res, map[string]string{
+			"SourceIP": "10.122.1.20",
+			"Actor":    actor1,
+		})
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadIP)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+	})
+	t.Run("bad actor, namespace deny", func(t *testing.T) {
+		// Request initiating from the untrusted actor.
+		reqBadActor := resourcetest.NewRequest("native::object::put", res, map[string]string{
+			"SourceIP": "10.1.1.13",
+			"Actor":    actor2,
+		})
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadActor)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+	})
+	t.Run("bad object, container deny", func(t *testing.T) {
+		objGood := resourcetest.NewResource("native::object::abc/id1", map[string]string{"Department": "HR"})
+		objBadAttr := resourcetest.NewResource("native::object::abc/id2", map[string]string{"Department": "Support"})
+
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objGood, map[string]string{
+			"SourceIP": "10.1.1.14",
+			"Actor":    actor2,
+		}))
+		require.Equal(t, chain.Allow, status)
+		require.True(t, ok)
+
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
+			"SourceIP": "10.1.1.14",
+			"Actor":    actor2,
+		}))
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+	})
+	t.Run("bad operation, namespace deny", func(t *testing.T) {
+		// Request with the forbidden operation.
+		reqBadOperation := resourcetest.NewRequest("native::object::delete", res, map[string]string{
+			"SourceIP": "10.1.1.12",
+			"Actor":    actor1,
+		})
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadOperation)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+	})
+	t.Run("inverted rules", func(t *testing.T) {
+		req := resourcetest.NewRequest("native::object::put", resourcetest.NewResource(object, nil), nil)
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+
+		req = resourcetest.NewRequest("native::object::put", resourcetest.NewResource("native::object::cba/def", nil), nil)
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+
+		req = resourcetest.NewRequest("native::object::get", resourcetest.NewResource("native::object::cba/def", nil), nil)
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+	})
+	t.Run("good", func(t *testing.T) {
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+
+		t.Run("quota on a different container", func(t *testing.T) {
+			s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
+				Rules: []chain.Rule{{
+					Status:    chain.QuotaLimitReached,
+					Actions:   chain.Actions{Names: []string{"native::object::put"}},
+					Resources: chain.Resources{Names: []string{"native::object::cba/*"}},
+				}},
+			})
+
+			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+			require.Equal(t, chain.NoRuleFound, status)
+			require.False(t, ok)
+		})
+
+		var quotaRuleChainID chain.ID
+		t.Run("quota on the request container", func(t *testing.T) {
+			quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
+				Rules: []chain.Rule{{
+					Status:    chain.QuotaLimitReached,
+					Actions:   chain.Actions{Names: []string{"native::object::put"}},
+					Resources: chain.Resources{Names: []string{"native::object::abc/*"}},
+				}},
+			})
+
+			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+			require.Equal(t, chain.QuotaLimitReached, status)
+			require.True(t, ok)
+		})
+		t.Run("removed quota on the request container", func(t *testing.T) {
+			err := s.LocalStorage().RemoveOverride(chain.Ingress, container, quotaRuleChainID)
+			require.NoError(t, err)
+
+			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
+			require.Equal(t, chain.NoRuleFound, status)
+			require.False(t, ok)
+		})
+	})
+}