TrueCloudLab/policy-engine
21
0
Fork 13
generated from TrueCloudLab/basic
Code Issues 3 Pull requests 1 Projects Releases Packages Wiki Activity Actions

[#52] morph: Extend MorphRuleChainStorage interface with ListTargetsIterator
All checks were successful
DCO action / DCO (pull_request) Successful in 1m3s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 55s
Details
Tests and linters / Tests with -race (pull_request) Successful in 1m25s
Details
Tests and linters / Staticcheck (pull_request) Successful in 1m26s
Details
Tests and linters / Lint (pull_request) Successful in 2m42s
Details
Tests and linters / Tests (1.20) (pull_request) Successful in 1m29s
Details

Browse source 
* Update frostfs-contract package version in go.mod.
* Extend MorphRuleChainStorage interface with ListTargetsIterator and
  introduce its implementation.
* Check targets in inmemory implementation unit-tests.

Signed-off-by: Airat Arifullin <aarifullin@yadro.com>
This commit is contained in:
aarifullin 2024-02-22 12:09:22 +03:00
parent 839f22e1a3
commit c13ed8447a
6 changed files with 259 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

66
pkg/engine/inmemory/inmemory_test.go
View file

@ -1,11 +1,13 @@
package inmemory
import (
"bytes"
"testing"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
resourcetest "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
"github.com/stretchr/testify/require"
)
@ -63,6 +65,10 @@ func TestInmemory(t *testing.T) {
},
})
_, it, err := s.MorphRuleChainStorage().ListTargetsIterator(engine.Namespace)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(namespace))
s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(namespace2), &chain.Chain{
Rules: []chain.Rule{
{ // Deny all expect "native::object::get" for all objects expect "native::object::abc/xyz".
@ -73,6 +79,10 @@ func TestInmemory(t *testing.T) {
},
})
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Namespace)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(namespace, namespace2))
s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
Rules: []chain.Rule{
{ // Allow to actor2 to get objects from the specific container only if they have `Department=HR` attribute.
@ -97,6 +107,14 @@ func TestInmemory(t *testing.T) {
},
})
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Namespace)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(namespace, namespace2))
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Container)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(container))
t.Run("bad subnet, namespace deny", func(t *testing.T) {
// Request initiating from the untrusted subnet.
reqBadIP := resourcetest.NewRequest("native::object::put", res, map[string]string{
@ -175,6 +193,14 @@ func TestInmemory(t *testing.T) {
}},
})
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Namespace)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(namespace, namespace2))
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Container)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(container))
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
@ -190,6 +216,14 @@ func TestInmemory(t *testing.T) {
}},
})
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Namespace)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(namespace, namespace2))
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Container)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(container))
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
require.Equal(t, chain.QuotaLimitReached, status)
require.True(t, ok)
@ -198,9 +232,41 @@ func TestInmemory(t *testing.T) {
err := s.LocalStorage().RemoveOverride(chain.Ingress, engine.ContainerTarget(container), quotaRuleChainID)
require.NoError(t, err)
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Namespace)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(namespace, namespace2))
_, it, err = s.MorphRuleChainStorage().ListTargetsIterator(engine.Container)
require.NoError(t, err)
itemStacksEqual(t, it.Values, toStackItems(container))
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
})
})
}
func itemStacksEqual(t *testing.T, got []stackitem.Item, expected []stackitem.Item) {
next:
for _, exp := range expected {
expBytes, err := exp.TryBytes()
require.NoError(t, err)
for _, v := range got {
vBytes, err := v.TryBytes()
require.NoError(t, err)
if bytes.Equal(vBytes, expBytes) {
continue next
}
}
t.Fatalf("not found %s", exp)
}
}
func toStackItems(names ...string) []stackitem.Item {
var items []stackitem.Item
for _, name := range names {
items = append(items, stackitem.NewByteArray([]byte(name)))
}
return items
}