TrueCloudLab
/
policy-engine
generated from TrueCloudLab/basic
19
0
Fork 9
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

[#60] chain: Support numeric conditions #60

Merged
dkirillov merged 1 commits from mbiryukova/policy-engine:feature/numeric_conditions into master 2024-04-08 14:32:14 +00:00
Conversation 0 Commits 1 Files Changed 5
mbiryukova commented 2024-04-02 08:04:08 +00:00
Collaborator

Signed-off-by: Marina Biryukova m.biryukova@yadro.com

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
mbiryukova self-assigned this 2024-04-02 08:04:08 +00:00
mbiryukova added 1 commit 2024-04-02 08:04:14 +00:00
DCO action / DCO (pull_request) Failing after 56s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 1m18s Details
Tests and linters / Staticcheck (pull_request) Failing after 1m22s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 1m52s Details
Tests and linters / Tests with -race (pull_request) Successful in 2m16s Details
Tests and linters / Lint (pull_request) Successful in 2m37s Details
80571b9c1f [#xx] chain: Support numeric conditions 
Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
mbiryukova force-pushed feature/numeric_conditions from 80571b9c1f to cc3259379f 2024-04-02 08:04:47 +00:00 Compare
mbiryukova changed title from [#xx] chain: Support numeric conditions to [#60] chain: Support numeric conditions 2024-04-02 08:05:04 +00:00
mbiryukova force-pushed feature/numeric_conditions from cc3259379f to e5b7e1f763 2024-04-02 08:13:54 +00:00 Compare
mbiryukova requested review from storage-core-committers 2024-04-02 08:20:25 +00:00
mbiryukova requested review from storage-core-developers 2024-04-02 08:20:25 +00:00
mbiryukova requested review from storage-services-committers 2024-04-02 08:20:26 +00:00
mbiryukova requested review from storage-services-developers 2024-04-02 08:20:26 +00:00
dstepanov-yadro reviewed 2024-04-02 10:38:17 +00:00
iam/converter_test.go Outdated
@ -385,6 +385,12 @@ func TestConvertToChainCondition(t *testing.T) {
CondArnLike: {condKeyAWSPrincipalARN: {principal}},
CondArnNotEquals: {"key18": {"val18"}},
CondArnNotLike: {"key19": {"val19"}},
CondNumericEquals: {"key20": {"20"}},
dstepanov-yadro commented 2024-04-02 10:38:17 +00:00
Collaborator

negative, zero, hex, binary values tests should be added.
also values with spaces, with '+' sign.

negative, zero, hex, binary values tests should be added. also values with spaces, with '+' sign.
dkirillov commented 2024-04-02 12:55:55 +00:00
Collaborator

AWS supports only integer and decimals. So here (in converter_test.go) I wouldn't add hex/binary values.
If this is required we can support such values in native condition types and add tests there.

AWS supports only integer and decimals. So here (in `converter_test.go`) I wouldn't add hex/binary values. If this is required we can support such values in native condition types and add tests there.
dstepanov-yadro commented 2024-04-03 12:50:42 +00:00
Collaborator

Tests should not be only positive. I was expecting to see a negative binary and hex test. Also we need to support decimals)

Tests should not be only positive. I was expecting to see a negative binary and hex test. Also we need to support decimals)
dkirillov reviewed 2024-04-02 12:57:28 +00:00
pkg/chain/chain.go Outdated
@ -191,2 +195,3 @@
func (r *Rule) Match(req resource.Request) (status Status, matched bool) {
func (c *Condition) matchNumeric(val string) (bool, error) {
valInt, err := strconv.ParseInt(val, 10, 64)
dkirillov commented 2024-04-02 12:57:28 +00:00
Collaborator

Probably we should try parse float if parsing integer failed because spec says Numeric condition operators let you construct Condition elements that restrict access based on comparing a key to an integer or decimal value.

Probably we should try parse float if parsing integer failed because [spec](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Numeric) says `Numeric condition operators let you construct Condition elements that restrict access based on comparing a key to an integer or decimal value.`
mbiryukova commented 2024-04-02 15:15:50 +00:00
Poster
Collaborator

Can we parse only float in this case?

Can we parse only float in this case?
dkirillov commented 2024-04-03 06:22:37 +00:00
Collaborator

No. In general we cannot do this because equals for float can have some error:

	tmp := 0.1
	tmp2 := 0.2

	fmt.Println(tmp+tmp2 == 0.3) // false

Or we have to write custom equal function and not use ==

No. In general we cannot do this because equals for float can have some error: ```golang tmp := 0.1 tmp2 := 0.2 fmt.Println(tmp+tmp2 == 0.3) // false ``` Or we have to write custom equal function and not use `==`
fyrchik commented 2024-04-05 06:42:01 +00:00
Owner

What is the length of a decimal?
neo-go has a fixed decimal package https://github.com/nspcc-dev/neo-go/blob/master/pkg/encoding/fixedn/decimal.go (and we already depend on neo-go)

What is the length of a decimal? neo-go has a fixed decimal package https://github.com/nspcc-dev/neo-go/blob/master/pkg/encoding/fixedn/decimal.go (and we already depend on neo-go)
fyrchik commented 2024-04-05 06:43:13 +00:00
Owner

Do we have any compatibility tests here? The description at the link you have provided is vague.

Do we have any compatibility tests here? The description at the link you have provided is vague.
dkirillov commented 2024-04-08 08:43:49 +00:00
Collaborator

I couldn't find more precise description of this conditions. So we decided to use 1e-8 precision. We can use decimal from neo-go I think

I couldn't find more precise description of this conditions. So we decided to use `1e-8` precision. We can use decimal from neo-go I think
mbiryukova force-pushed feature/numeric_conditions from e5b7e1f763 to 18aa3a3442 2024-04-04 14:41:44 +00:00 Compare
mbiryukova force-pushed feature/numeric_conditions from 18aa3a3442 to d06de615ad 2024-04-04 14:42:45 +00:00 Compare
aarifullin reviewed 2024-04-05 09:37:46 +00:00
pkg/chain/chain.go Outdated
@ -192,0 +215,4 @@
case CondNumericLessThan:
return valFloat < condVal
case CondNumericLessThanEquals:
return valFloat <= condVal
aarifullin commented 2024-04-05 09:37:46 +00:00
Collaborator

I suppose the correct way is to compare them like this

valFloat < condVal || equalFloat(valFloat, condVal)
I suppose the correct way is to compare them like this ```go valFloat < condVal || equalFloat(valFloat, condVal) ```
👍 1
aarifullin marked this conversation as resolved
alexvanin approved these changes 2024-04-08 06:45:46 +00:00
alexvanin left a comment
Owner

LGTM, but see comment

LGTM, but see [comment](https://git.frostfs.info/TrueCloudLab/policy-engine/pulls/60/files#issuecomment-36725)
mbiryukova force-pushed feature/numeric_conditions from d06de615ad to 8af1392faf 2024-04-08 06:58:43 +00:00 Compare
aarifullin approved these changes 2024-04-08 07:01:26 +00:00
dstepanov-yadro reviewed 2024-04-08 08:50:14 +00:00
iam/converter.go Outdated
@ -276,2 +294,4 @@
}
func numericConvertFunction(val string) (string, error) {
if _, err := strconv.ParseFloat(val, 64); err == nil {
dstepanov-yadro commented 2024-04-08 08:50:12 +00:00
Collaborator

+Inf, inf, NaN, nan are valid float strings, see https://pkg.go.dev/strconv#example-ParseFloat
Does IAM supports it?

`+Inf`, `inf`, `NaN`, `nan` are valid float strings, see https://pkg.go.dev/strconv#example-ParseFloat Does IAM supports it?
dkirillov commented 2024-04-08 09:58:19 +00:00
Collaborator

No. But now we use Fixed8 and it doesn't support it.

Probably we should include this +Inf, inf, NaN, nan in test cases

No. But now we use [Fixed8](https://github.com/nspcc-dev/neo-go/blob/master/pkg/encoding/fixedn/fixed8.go) and it doesn't support it. Probably we should include this `+Inf, inf, NaN, nan` in test cases
mbiryukova force-pushed feature/numeric_conditions from 8af1392faf to df6b80cd2a 2024-04-08 09:04:19 +00:00 Compare
dkirillov approved these changes 2024-04-08 09:56:26 +00:00
mbiryukova force-pushed feature/numeric_conditions from df6b80cd2a to 4bdc8d679a 2024-04-08 11:29:30 +00:00 Compare
mbiryukova force-pushed feature/numeric_conditions from 4bdc8d679a to 84c6be01de 2024-04-08 11:32:53 +00:00 Compare
dkirillov approved these changes 2024-04-08 11:50:44 +00:00
dstepanov-yadro approved these changes 2024-04-08 14:30:42 +00:00
alexvanin approved these changes 2024-04-08 14:32:02 +00:00
dkirillov merged commit 84c6be01de into master 2024-04-08 14:32:14 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
aarifullin
dkirillov
dstepanov-yadro
alexvanin
TrueCloudLab/storage-services-developers
Labels
Clear labels
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff   
blocked

The issue or PR is blocked by something   
bug

Something is not working   
config

Configuration format update or breaking change   
discussion

Talking about something in order to reach a decision or to exchange ideas   
documentation

Documentation related   
duplicate

This issue or pull request already exists   
enhancement

New feature   
go

Language features adoption   
help wanted

Extra attention is needed   
internal
   
invalid

Something is wrong   
kludge

This is a kludge and we know it   
observability

Related to metrics, tracing and logs   
perfomance

Perfomance related   
question

More information is needed   
refactoring

Refactoring   
wontfix

This won't be fixed
No Label
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
mbiryukova
6 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/policy-engine#60
There is no content yet.
Delete Branch "mbiryukova/policy-engine:feature/numeric_conditions"

Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?