[#1189] cli: Make util subcommand convert eACL to APE chains

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2024-06-18 18:29:56 +03:00
parent 5b100699d7
commit 09d9d47aef
2 changed files with 72 additions and 21 deletions

View file

@ -6,9 +6,17 @@ import (
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
apeutil "git.frostfs.info/TrueCloudLab/frostfs-node/internal/ape"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"github.com/spf13/cobra"
)
const (
fromFlagStr = "from"
toFlagStr = "to"
apeFlagStr = "ape"
)
var convertEACLCmd = &cobra.Command{
Use: "eacl",
Short: "Convert representation of extended ACL table",
@ -18,24 +26,35 @@ var convertEACLCmd = &cobra.Command{
func initConvertEACLCmd() {
flags := convertEACLCmd.Flags()
flags.String("from", "", "File with JSON or binary encoded extended ACL table")
_ = convertEACLCmd.MarkFlagFilename("from")
_ = convertEACLCmd.MarkFlagRequired("from")
flags.String(fromFlagStr, "", "File with JSON or binary encoded extended ACL table")
_ = convertEACLCmd.MarkFlagFilename(fromFlagStr)
_ = convertEACLCmd.MarkFlagRequired(fromFlagStr)
flags.String("to", "", "File to dump extended ACL table (default: binary encoded)")
flags.String(toFlagStr, "", "File to dump extended ACL table (default: binary encoded)")
flags.Bool(commonflags.JSON, false, "Dump extended ACL table in JSON encoding")
flags.Bool(apeFlagStr, false, "Dump converted eACL table to APE chain format")
convertEACLCmd.MarkFlagsMutuallyExclusive(apeFlagStr, commonflags.JSON)
}
func convertEACLTable(cmd *cobra.Command, _ []string) {
pathFrom := cmd.Flag("from").Value.String()
to := cmd.Flag("to").Value.String()
pathFrom := cmd.Flag(fromFlagStr).Value.String()
to := cmd.Flag(toFlagStr).Value.String()
jsonFlag, _ := cmd.Flags().GetBool(commonflags.JSON)
apeFlag, _ := cmd.Flags().GetBool(apeFlagStr)
table := common.ReadEACL(cmd, pathFrom)
var data []byte
var err error
if jsonFlag || len(to) == 0 {
if apeFlag {
var ch *chain.Chain
ch, err = apeutil.ConvertEACLToAPE(table)
commonCmd.ExitOnErr(cmd, "convert eACL table to APE chain error: %w", err)
data = ch.Bytes()
} else if jsonFlag || len(to) == 0 {
data, err = table.MarshalJSON()
commonCmd.ExitOnErr(cmd, "can't JSON encode extended ACL table: %w", err)
} else {

View file

@ -69,6 +69,50 @@ func ConvertEACLToAPE(eaclTable *eacl.Table) (*apechain.Chain, error) {
return res, nil
}
func apeRoleConds(role eacl.Role) (res []apechain.Condition) {
switch role {
case eacl.RoleSystem:
res = append(res,
apechain.Condition{
Op: apechain.CondStringEquals,
Kind: apechain.KindRequest,
Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleContainer,
},
)
res = append(res,
apechain.Condition{
Op: apechain.CondStringEquals,
Kind: apechain.KindRequest,
Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleIR,
},
)
case eacl.RoleOthers:
res = append(res,
apechain.Condition{
Op: apechain.CondStringEquals,
Kind: apechain.KindRequest,
Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers,
},
)
case eacl.RoleUser:
res = append(res,
apechain.Condition{
Op: apechain.CondStringEquals,
Kind: apechain.KindRequest,
Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOwner,
},
)
case eacl.RoleUnknown:
// such condition has no effect
default:
}
return
}
func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.Actions, res apechain.Resources, targets []eacl.Target) []apechain.Rule {
// see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101
// role OR public key must be equal
@ -79,13 +123,7 @@ func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.
Any: true,
}
for _, target := range targets {
var roleCondition apechain.Condition
roleCondition.Kind = apechain.KindRequest
roleCondition.Key = nativeschema.PropertyKeyActorRole
roleCondition.Value = target.Role().String()
roleCondition.Op = apechain.CondStringEquals
rule.Condition = append(rule.Condition, roleCondition)
rule.Condition = append(rule.Condition, apeRoleConds(target.Role())...)
for _, binKey := range target.BinaryKeys() {
var pubKeyCondition apechain.Condition
pubKeyCondition.Kind = apechain.KindRequest
@ -111,13 +149,7 @@ func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act ape
Actions: act,
Resources: res,
}
var roleCondition apechain.Condition
roleCondition.Kind = apechain.KindRequest
roleCondition.Key = nativeschema.PropertyKeyActorRole
roleCondition.Value = target.Role().String()
roleCondition.Op = apechain.CondStringEquals
rule.Condition = append(rule.Condition, roleCondition)
rule.Condition = append(rule.Condition, apeRoleConds(target.Role())...)
rule.Condition, err = appendFilters(rule.Condition, filters)
if err != nil {
return nil, err