frostfs-node/cmd/frostfs-cli/modules/container/set_eacl.go

package container

import (
	"bytes"
	"errors"
	"time"

	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
	"github.com/spf13/cobra"
)

var flagVarsSetEACL struct {
	noPreCheck bool

	srcPath string
}

var setExtendedACLCmd = &cobra.Command{
	Use:   "set-eacl",
	Short: "Set new extended ACL table for container",
	Long: `Set new extended ACL table for container.
Container ID in EACL table will be substituted with ID from the CLI.`,
	Run: func(cmd *cobra.Command, args []string) {
		id := parseContainerID(cmd)
		eaclTable := common.ReadEACL(cmd, flagVarsSetEACL.srcPath)

		tok := getSession(cmd)

		eaclTable.SetCID(id)

		pk := key.GetOrGenerate(cmd)
		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)

		if !flagVarsSetEACL.noPreCheck {
			cmd.Println("Checking the ability to modify access rights in the container...")

			extendable, err := internalclient.IsACLExtendable(cmd.Context(), cli, id)
			commonCmd.ExitOnErr(cmd, "Extensibility check failure: %w", err)

			if !extendable {
				commonCmd.ExitOnErr(cmd, "", errors.New("container ACL is immutable"))
			}

			cmd.Println("ACL extension is enabled in the container, continue processing.")
		}

		setEACLPrm := internalclient.SetEACLPrm{
			Client: cli,
			ClientParams: client.PrmContainerSetEACL{
				Table:   eaclTable,
				Session: tok,
			},
		}

		_, err := internalclient.SetEACL(cmd.Context(), setEACLPrm)
		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)

		if containerAwait {
			exp, err := eaclTable.Marshal()
			commonCmd.ExitOnErr(cmd, "broken EACL table: %w", err)

			cmd.Println("awaiting...")

			getEACLPrm := internalclient.EACLPrm{
				Client: cli,
				ClientParams: client.PrmContainerEACL{
					ContainerID: &id,
				},
			}

			for i := 0; i < awaitTimeout; i++ {
				time.Sleep(1 * time.Second)

				res, err := internalclient.EACL(cmd.Context(), getEACLPrm)
				if err == nil {
					// compare binary values because EACL could have been set already
					table := res.EACL()
					got, err := table.Marshal()
					if err != nil {
						continue
					}

					if bytes.Equal(exp, got) {
						cmd.Println("EACL has been persisted on sidechain")
						return
					}
				}
			}

			commonCmd.ExitOnErr(cmd, "", errSetEACLTimeout)
		}
	},
}

func initContainerSetEACLCmd() {
	commonflags.Init(setExtendedACLCmd)

	flags := setExtendedACLCmd.Flags()
	flags.StringVar(&containerID, commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
	flags.StringVar(&flagVarsSetEACL.srcPath, "table", "", "path to file with JSON or binary encoded EACL table")
	flags.BoolVar(&containerAwait, "await", false, "block execution until EACL is persisted")
	flags.BoolVar(&flagVarsSetEACL.noPreCheck, "no-precheck", false, "do not pre-check the extensibility of the container ACL")
}
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`package container`

			`import (`
			`"bytes"`
[#1652] cli/container: Pre-check ACL extensibility in `set-eacl` Container ACL in NeoFS can be extended only for container in which the corresponding option is enabled. In previous implementation command `set-eacl` could hang up on modifying eACL of the non-existent or non-extendable container. To improve UX, there is a need to pre-check the availability of `SETEACL` operation. Add boolean `precheck` flag to `set-eacl` cmd which reads the container before the actual transaction formation. If flag is set, command fails on non-extendable container ACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:22:05 +00:00			`"errors"`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`"time"`

Rename package name Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2023-03-07 13:38:26 +00:00			`internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"`
			`commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"`
[#625] cli: Fix SDK EACLPrm usage for PrmContainerEACL Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-08-18 14:44:17 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`"github.com/spf13/cobra"`
			`)`

[#1652] cli/container: Pre-check ACL extensibility in `set-eacl` Container ACL in NeoFS can be extended only for container in which the corresponding option is enabled. In previous implementation command `set-eacl` could hang up on modifying eACL of the non-existent or non-extendable container. To improve UX, there is a need to pre-check the availability of `SETEACL` operation. Add boolean `precheck` flag to `set-eacl` cmd which reads the container before the actual transaction formation. If flag is set, command fails on non-extendable container ACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:22:05 +00:00			`var flagVarsSetEACL struct {`
[#1652] cli/container: Invert pre-check flag of `set-eacl` command Flag `--pre-check` of `set-eacl` command found to be in demand in most cases. based on this, it makes sense to add its action to the default behavior. Pre-check container extensibility by default. Rename flag to `--no-precheck` and invert its action. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-09-02 07:57:23 +00:00			`noPreCheck bool`
[#1652] cli/container: Move `eaclPathFrom` flag var into the struct Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:23:48 +00:00
			`srcPath string`
[#1652] cli/container: Pre-check ACL extensibility in `set-eacl` Container ACL in NeoFS can be extended only for container in which the corresponding option is enabled. In previous implementation command `set-eacl` could hang up on modifying eACL of the non-existent or non-extendable container. To improve UX, there is a need to pre-check the availability of `SETEACL` operation. Add boolean `precheck` flag to `set-eacl` cmd which reads the container before the actual transaction formation. If flag is set, command fails on non-extendable container ACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:22:05 +00:00			`}`

[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`var setExtendedACLCmd = &cobra.Command{`
			`Use: "set-eacl",`
			`Short: "Set new extended ACL table for container",`
			Long: `Set new extended ACL table for container.
			Container ID in EACL table will be substituted with ID from the CLI.`,
			`Run: func(cmd *cobra.Command, args []string) {`
			`id := parseContainerID(cmd)`
[#1652] cli/container: Move `eaclPathFrom` flag var into the struct Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:23:48 +00:00			`eaclTable := common.ReadEACL(cmd, flagVarsSetEACL.srcPath)`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00
[#1933] cli: Support binary sessions There is a need to support NeoFS-binary sessions along with JSON ones in NeoFS CLI. Provide generic `common.ReadBinaryOrJSON` functions which tries to decode NeoFS-binary structure and falls back to JSON format. Use this function in all places with token reading. Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com> 2022-10-20 09:40:33 +00:00			`tok := getSession(cmd)`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00
			`eaclTable.SetCID(id)`

			`pk := key.GetOrGenerate(cmd)`
			`cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)`

[#1652] cli/container: Invert pre-check flag of `set-eacl` command Flag `--pre-check` of `set-eacl` command found to be in demand in most cases. based on this, it makes sense to add its action to the default behavior. Pre-check container extensibility by default. Rename flag to `--no-precheck` and invert its action. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-09-02 07:57:23 +00:00			`if !flagVarsSetEACL.noPreCheck {`
[#1652] cli/container: Pre-check ACL extensibility in `set-eacl` Container ACL in NeoFS can be extended only for container in which the corresponding option is enabled. In previous implementation command `set-eacl` could hang up on modifying eACL of the non-existent or non-extendable container. To improve UX, there is a need to pre-check the availability of `SETEACL` operation. Add boolean `precheck` flag to `set-eacl` cmd which reads the container before the actual transaction formation. If flag is set, command fails on non-extendable container ACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:22:05 +00:00			`cmd.Println("Checking the ability to modify access rights in the container...")`

[#406] cli: Pass context to internal client Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-05-24 13:51:57 +00:00			`extendable, err := internalclient.IsACLExtendable(cmd.Context(), cli, id)`
[#1889] Move netmap.go and exit.go from `cli` to `cmd/internal/common` Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2023-01-16 09:20:16 +00:00			`commonCmd.ExitOnErr(cmd, "Extensibility check failure: %w", err)`
[#1652] cli/container: Pre-check ACL extensibility in `set-eacl` Container ACL in NeoFS can be extended only for container in which the corresponding option is enabled. In previous implementation command `set-eacl` could hang up on modifying eACL of the non-existent or non-extendable container. To improve UX, there is a need to pre-check the availability of `SETEACL` operation. Add boolean `precheck` flag to `set-eacl` cmd which reads the container before the actual transaction formation. If flag is set, command fails on non-extendable container ACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:22:05 +00:00
			`if !extendable {`
[#1889] Move netmap.go and exit.go from `cli` to `cmd/internal/common` Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2023-01-16 09:20:16 +00:00			`commonCmd.ExitOnErr(cmd, "", errors.New("container ACL is immutable"))`
[#1652] cli/container: Pre-check ACL extensibility in `set-eacl` Container ACL in NeoFS can be extended only for container in which the corresponding option is enabled. In previous implementation command `set-eacl` could hang up on modifying eACL of the non-existent or non-extendable container. To improve UX, there is a need to pre-check the availability of `SETEACL` operation. Add boolean `precheck` flag to `set-eacl` cmd which reads the container before the actual transaction formation. If flag is set, command fails on non-extendable container ACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:22:05 +00:00			`}`

			`cmd.Println("ACL extension is enabled in the container, continue processing.")`
			`}`

[#630] cli: Fix SDK SetEACLPrm usage for PrmContainerSetEACL Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-08-21 16:11:43 +00:00			`setEACLPrm := internalclient.SetEACLPrm{`
			`Client: cli,`
			`ClientParams: client.PrmContainerSetEACL{`
			`Table: eaclTable,`
			`Session: tok,`
			`},`
[#xxx] Upgrade NeoFS SDK Go with changed container sessions After recent changes in NeoFS SDK Go library session tokens aren't embedded into `container.Container` and `eacl.Table` structures. Group value, session token and signature in a structure for container and eACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-06-22 10:55:31 +00:00			`}`

[#406] cli: Pass context to internal client Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-05-24 13:51:57 +00:00			`_, err := internalclient.SetEACL(cmd.Context(), setEACLPrm)`
[#1889] Move netmap.go and exit.go from `cli` to `cmd/internal/common` Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2023-01-16 09:20:16 +00:00			`commonCmd.ExitOnErr(cmd, "rpc error: %w", err)`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00
			`if containerAwait {`
			`exp, err := eaclTable.Marshal()`
[#1889] Move netmap.go and exit.go from `cli` to `cmd/internal/common` Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2023-01-16 09:20:16 +00:00			`commonCmd.ExitOnErr(cmd, "broken EACL table: %w", err)`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00
			`cmd.Println("awaiting...")`

[#625] cli: Fix SDK EACLPrm usage for PrmContainerEACL Signed-off-by: Airat Arifullin <a.arifullin@yadro.com> 2023-08-18 14:44:17 +00:00			`getEACLPrm := internalclient.EACLPrm{`
			`Client: cli,`
			`ClientParams: client.PrmContainerEACL{`
			`ContainerID: &id,`
			`},`
			`}`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00
			`for i := 0; i < awaitTimeout; i++ {`
			`time.Sleep(1 * time.Second)`

[#406] cli: Pass context to internal client Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-05-24 13:51:57 +00:00			`res, err := internalclient.EACL(cmd.Context(), getEACLPrm)`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`if err == nil {`
			`// compare binary values because EACL could have been set already`
[#1687] go.mod: Update neofs-sdk-go Signed-off-by: Pavel Karpy <carpawell@nspcc.ru> 2022-08-22 11:04:00 +00:00			`table := res.EACL()`
			`got, err := table.Marshal()`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`if err != nil {`
			`continue`
			`}`

			`if bytes.Equal(exp, got) {`
			`cmd.Println("EACL has been persisted on sidechain")`
			`return`
			`}`
			`}`
			`}`

[#1889] Move netmap.go and exit.go from `cli` to `cmd/internal/common` Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2023-01-16 09:20:16 +00:00			`commonCmd.ExitOnErr(cmd, "", errSetEACLTimeout)`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`}`
			`},`
			`}`

			`func initContainerSetEACLCmd() {`
			`commonflags.Init(setExtendedACLCmd)`

			`flags := setExtendedACLCmd.Flags()`
[#1338] neofs-cli: Add support to store/restore/delete binary objects Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com> 2022-10-18 11:43:04 +00:00			`flags.StringVar(&containerID, commonflags.CIDFlag, "", commonflags.CIDFlagUsage)`
[#1652] cli/container: Move `eaclPathFrom` flag var into the struct Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-08-17 10:23:48 +00:00			`flags.StringVar(&flagVarsSetEACL.srcPath, "table", "", "path to file with JSON or binary encoded EACL table")`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`flags.BoolVar(&containerAwait, "await", false, "block execution until EACL is persisted")`
[#1652] cli/container: Invert pre-check flag of `set-eacl` command Flag `--pre-check` of `set-eacl` command found to be in demand in most cases. based on this, it makes sense to add its action to the default behavior. Pre-check container extensibility by default. Rename flag to `--no-precheck` and invert its action. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-09-02 07:57:23 +00:00			`flags.BoolVar(&flagVarsSetEACL.noPreCheck, "no-precheck", false, "do not pre-check the extensibility of the container ACL")`
[#1380] neofs-cli: move `container` command to a separate package Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-06-02 12:24:31 +00:00			`}`