forked from TrueCloudLab/frostfs-node
[#1503] container: Fix APE-request target
* Request target shouldn't contain container target as container operations can't be checked with container-targeted rules. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
46fef276b4
commit
e883fa35f1
2 changed files with 67 additions and 60 deletions
|
|
@ -327,9 +327,15 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
|
||||||
reqProps,
|
reqProps,
|
||||||
)
|
)
|
||||||
|
|
||||||
s, found, err := ac.router.IsAllowed(apechain.Ingress,
|
rt := policyengine.NewRequestTargetWithNamespace(namespace)
|
||||||
policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups),
|
userTarget := policyengine.UserTarget(fmt.Sprintf("%s:%s", namespace, pk.Address()))
|
||||||
request)
|
rt.User = &userTarget
|
||||||
|
rt.Groups = make([]policyengine.Target, len(groups))
|
||||||
|
for i := range groups {
|
||||||
|
rt.Groups[i] = policyengine.GroupTarget(groups[i])
|
||||||
|
}
|
||||||
|
|
||||||
|
s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -102,7 +102,7 @@ func testAllowThenDenyGetContainerRuleDefined(t *testing.T) {
|
||||||
nm.netmaps[nm.currentEpoch] = &testNetmap
|
nm.netmaps[nm.currentEpoch] = &testNetmap
|
||||||
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
||||||
|
|
||||||
addDefaultAllowGetPolicy(t, router, contID)
|
addDefaultAllowGetPolicy(t, router)
|
||||||
|
|
||||||
req := &container.GetRequest{}
|
req := &container.GetRequest{}
|
||||||
req.SetBody(&container.GetRequestBody{})
|
req.SetBody(&container.GetRequestBody{})
|
||||||
|
|
@ -117,7 +117,7 @@ func testAllowThenDenyGetContainerRuleDefined(t *testing.T) {
|
||||||
_, err = apeSrv.Get(context.Background(), req)
|
_, err = apeSrv.Get(context.Background(), req)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -324,7 +324,7 @@ func testDenyGetContainerForOthers(t *testing.T) {
|
||||||
nm.netmaps[nm.currentEpoch] = &testNetmap
|
nm.netmaps[nm.currentEpoch] = &testNetmap
|
||||||
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
||||||
|
|
||||||
_, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -424,7 +424,7 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
|
||||||
nm.netmaps[nm.currentEpoch] = &testNetmap
|
nm.netmaps[nm.currentEpoch] = &testNetmap
|
||||||
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
||||||
|
|
||||||
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -522,7 +522,7 @@ func testDenyGetContainerByIP(t *testing.T) {
|
||||||
nm.netmaps[nm.currentEpoch] = &testNetmap
|
nm.netmaps[nm.currentEpoch] = &testNetmap
|
||||||
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
||||||
|
|
||||||
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -621,7 +621,7 @@ func testDenyGetContainerByGroupID(t *testing.T) {
|
||||||
nm.netmaps[nm.currentEpoch] = &testNetmap
|
nm.netmaps[nm.currentEpoch] = &testNetmap
|
||||||
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
||||||
|
|
||||||
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -1213,7 +1213,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
||||||
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
||||||
initTestNetmap(components.netmap)
|
initTestNetmap(components.netmap)
|
||||||
|
|
||||||
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -1255,7 +1255,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
||||||
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
||||||
initTestNetmap(components.netmap)
|
initTestNetmap(components.netmap)
|
||||||
|
|
||||||
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -1282,7 +1282,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
addDefaultAllowGetPolicy(t, components.engine, contID)
|
addDefaultAllowGetPolicy(t, components.engine)
|
||||||
|
|
||||||
req := initTestGetContainerRequest(t, contID)
|
req := initTestGetContainerRequest(t, contID)
|
||||||
|
|
||||||
|
|
@ -1325,7 +1325,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
addDefaultAllowGetPolicy(t, components.engine, contID)
|
addDefaultAllowGetPolicy(t, components.engine)
|
||||||
|
|
||||||
req := initTestGetContainerRequest(t, contID)
|
req := initTestGetContainerRequest(t, contID)
|
||||||
|
|
||||||
|
|
@ -1341,50 +1341,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
||||||
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
||||||
initTestNetmap(components.netmap)
|
initTestNetmap(components.netmap)
|
||||||
|
|
||||||
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(testDomainName), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
|
||||||
{
|
|
||||||
Status: chain.AccessDenied,
|
|
||||||
Actions: chain.Actions{
|
|
||||||
Names: []string{
|
|
||||||
nativeschema.MethodGetContainer,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Resources: chain.Resources{
|
|
||||||
Names: []string{
|
|
||||||
fmt.Sprintf(nativeschema.ResourceFormatRootContainer, contID.EncodeToString()),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Condition: []chain.Condition{
|
|
||||||
{
|
|
||||||
Kind: chain.KindRequest,
|
|
||||||
Key: nativeschema.PropertyKeyActorRole,
|
|
||||||
Value: nativeschema.PropertyValueContainerRoleOthers,
|
|
||||||
Op: chain.CondStringEquals,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
})
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
addDefaultAllowGetPolicy(t, components.engine, contID)
|
|
||||||
|
|
||||||
req := initTestGetContainerRequest(t, contID)
|
|
||||||
|
|
||||||
err = components.apeChecker.validateContainerBoundedOperation(ctxWithPeerInfo(), req.GetBody().GetContainerID(), req.GetMetaHeader(), req.GetVerificationHeader(), nativeschema.MethodGetContainer)
|
|
||||||
require.NoError(t, err)
|
|
||||||
})
|
|
||||||
|
|
||||||
t.Run("check testdomain-defined container in testdomain-defined container target rule", func(t *testing.T) {
|
|
||||||
t.Parallel()
|
|
||||||
|
|
||||||
components := newTestAPEServer()
|
|
||||||
contID, testContainer := initTestContainer(t, true)
|
|
||||||
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
|
||||||
initTestNetmap(components.netmap)
|
|
||||||
|
|
||||||
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.AccessDenied,
|
Status: chain.AccessDenied,
|
||||||
|
|
@ -1411,7 +1368,51 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
addDefaultAllowGetPolicy(t, components.engine, contID)
|
addDefaultAllowGetPolicy(t, components.engine)
|
||||||
|
|
||||||
|
req := initTestGetContainerRequest(t, contID)
|
||||||
|
|
||||||
|
err = components.apeChecker.validateContainerBoundedOperation(ctxWithPeerInfo(), req.GetBody().GetContainerID(), req.GetMetaHeader(), req.GetVerificationHeader(), nativeschema.MethodGetContainer)
|
||||||
|
aErr := apeErr(nativeschema.MethodGetContainer, chain.AccessDenied)
|
||||||
|
require.ErrorContains(t, err, aErr.Error())
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("check testdomain-defined container in testdomain-defined container target rule", func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
components := newTestAPEServer()
|
||||||
|
contID, testContainer := initTestContainer(t, true)
|
||||||
|
components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
|
||||||
|
initTestNetmap(components.netmap)
|
||||||
|
|
||||||
|
_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
|
Rules: []chain.Rule{
|
||||||
|
{
|
||||||
|
Status: chain.AccessDenied,
|
||||||
|
Actions: chain.Actions{
|
||||||
|
Names: []string{
|
||||||
|
nativeschema.MethodGetContainer,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Resources: chain.Resources{
|
||||||
|
Names: []string{
|
||||||
|
fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainer, testDomainName, contID.EncodeToString()),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Condition: []chain.Condition{
|
||||||
|
{
|
||||||
|
Kind: chain.KindRequest,
|
||||||
|
Key: nativeschema.PropertyKeyActorRole,
|
||||||
|
Value: nativeschema.PropertyValueContainerRoleOthers,
|
||||||
|
Op: chain.CondStringEquals,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
addDefaultAllowGetPolicy(t, components.engine)
|
||||||
|
|
||||||
req := initTestGetContainerRequest(t, contID)
|
req := initTestGetContainerRequest(t, contID)
|
||||||
|
|
||||||
|
|
@ -1565,8 +1566,8 @@ func initListRequest(t *testing.T, actorPK *keys.PrivateKey, ownerPK *keys.Priva
|
||||||
return req
|
return req
|
||||||
}
|
}
|
||||||
|
|
||||||
func addDefaultAllowGetPolicy(t *testing.T, e engine.Engine, contID cid.ID) {
|
func addDefaultAllowGetPolicy(t *testing.T, e engine.Engine) {
|
||||||
_, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
_, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
|
||||||
Rules: []chain.Rule{
|
Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.Allow,
|
Status: chain.Allow,
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue