package engine
import (
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
)
// ChainRouter decides whether an operation is permitted by the rule chains
// that apply to a request target.
type ChainRouter interface {
	// IsAllowed returns status for the operation after all checks.
	// The second return value signifies whether a matching rule was found.
	//
	// name selects which chain set is consulted, reqTarget carries the
	// namespace and/or container the request is performed on, and r is the
	// request being authorized. NOTE(review): the interface does not define
	// what status holds when found is false; callers should treat "no rule
	// matched" explicitly rather than rely on the returned status alone.
	IsAllowed(name chain.Name, reqTarget RequestTarget, r resource.Request) (status chain.Status, found bool, err error)
}
// LocalOverrideStorage is the interface to manage local overrides defined
// for a node. Local overrides have a higher priority than chains got from morph storage.
type LocalOverrideStorage interface {
	// AddOverride stores chain c for the given chain name and target and
	// returns the ID under which it can later be fetched or removed.
	AddOverride(name chain.Name, target Target, c *chain.Chain) (chain.ID, error)

	// GetOverride returns the override chain identified by chainID for the
	// given chain name and target.
	GetOverride(name chain.Name, target Target, chainID chain.ID) (*chain.Chain, error)

	// RemoveOverride deletes the override chain identified by chainID for the
	// given chain name and target.
	RemoveOverride(name chain.Name, target Target, chainID chain.ID) error

	// ListOverrides returns every override chain stored for the given chain
	// name and target.
	ListOverrides(name chain.Name, target Target) ([]*chain.Chain, error)

	// DropAllOverrides removes all override chains stored under the given
	// chain name, for every target.
	DropAllOverrides(name chain.Name) error
}
// TargetType identifies what kind of entity a Target refers to.
type TargetType rune

const (
	// Namespace marks a Target whose Name is a namespace.
	Namespace TargetType = 'n'
	// Container marks a Target whose Name is a container.
	Container TargetType = 'c'
)
// Target names a single namespace or container that rule chains are
// attached to. The name is stored as given; no validation happens here.
type Target struct {
	// Type tells whether Name refers to a namespace or a container.
	Type TargetType
	// Name is the identifier of the namespace or container.
	Name string
}
// RequestTarget combines several targets on which the request is performed.
// Either field may be nil when the request does not concern that kind of
// target; use the NewRequestTarget* constructors to build one.
type RequestTarget struct {
	// Namespace is the namespace target, or nil if the request has none.
	Namespace *Target
	// Container is the container target, or nil if the request has none.
	Container *Target
}
// NewRequestTargetWithNamespace builds a RequestTarget that carries only a
// namespace target; the Container field is left nil.
func NewRequestTargetWithNamespace(namespace string) RequestTarget {
	var rt RequestTarget
	ns := NamespaceTarget(namespace)
	rt.Namespace = &ns
	return rt
}
// NewRequestTargetWithContainer builds a RequestTarget that carries only a
// container target; the Namespace field is left nil.
func NewRequestTargetWithContainer(container string) RequestTarget {
	var rt RequestTarget
	cnr := ContainerTarget(container)
	rt.Container = &cnr
	return rt
}
// NewRequestTarget builds a RequestTarget with both a namespace and a
// container target. Both fields are always set, even when the given
// names are empty strings.
func NewRequestTarget(namespace, container string) RequestTarget {
	var rt RequestTarget
	ns := NamespaceTarget(namespace)
	cnr := ContainerTarget(container)
	rt.Namespace = &ns
	rt.Container = &cnr
	return rt
}
// Targets returns the non-nil targets of the request as values, the
// container target first and the namespace target second. A RequestTarget
// with neither field set yields a nil slice. Presumably callers consult
// the targets in this order (container before namespace); confirm against
// the router implementation before relying on it.
func (rt *RequestTarget) Targets() []Target {
	var out []Target
	for _, t := range []*Target{rt.Container, rt.Namespace} {
		if t == nil {
			continue
		}
		out = append(out, *t)
	}
	return out
}
// NamespaceTarget returns a Target of type Namespace with the given name.
// The name is passed through unchanged.
func NamespaceTarget(namespace string) Target {
	t := Target{Type: Namespace}
	t.Name = namespace
	return t
}
// ContainerTarget returns a Target of type Container with the given name.
// The name is passed through unchanged.
func ContainerTarget(container string) Target {
	t := Target{Type: Container}
	t.Name = container
	return t
}
// MorphRuleChainStorage is the interface to manage chains from the chain storage.
// Basically, this implies that the storage manages rules stored in policy contract.
type MorphRuleChainStorage interface {
	// AddMorphRuleChain stores chain c for the given chain name and target.
	AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) error

	// RemoveMorphRuleChain deletes the chain identified by chainID for the
	// given chain name and target.
	RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) error

	// ListMorphRuleChains returns every chain stored for the given chain
	// name and target.
	ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
}
// Engine is the interface that provides methods to check request permissions checking
// chain rules from morph client - this implies using the policy contract.
type Engine interface {
	// ChainRouter supplies IsAllowed, the actual permission check.
	ChainRouter

	// MorphRuleChainStorage returns the storage holding the chains the
	// engine evaluates.
	MorphRuleChainStorage() MorphRuleChainStorage
}
// LocalOverrideEngine is extended Engine that also provides methods to manage a local
// chain rule storage. Local overrides must have the highest priority during request checking.
type LocalOverrideEngine interface {
	Engine

	// LocalStorage returns the node-local override storage, whose chains
	// take precedence over those from MorphRuleChainStorage.
	LocalStorage() LocalOverrideStorage
}