Compare commits
54 commits
Author | SHA1 | Date | |
---|---|---|---|
|
839f22e1a3 | ||
|
cf1f091e26 | ||
|
9e66ce59c6 | ||
c960b1b088 | |||
|
8354a074c4 | ||
4a989d6bb7 | |||
0edc002441 | |||
1cdb3e5a4a | |||
af388779a3 | |||
8cc5173d73 | |||
2af381ae81 | |||
8d21ab2d99 | |||
0a28f0a992 | |||
dd0f582fc3 | |||
5f13d91c0d | |||
88c2a476b0 | |||
58386edf58 | |||
06cbfe8691 | |||
c80c99b13e | |||
ed93bb5cc5 | |||
06e9c91014 | |||
b82544b0fe | |||
641a1429ef | |||
02e50307df | |||
3128352693 | |||
ec39d8371a | |||
|
e57d213595 | ||
|
62ea96b82c | ||
1d07331f5d | |||
3b107e9413 | |||
8c673ee4f4 | |||
1375e8f7fd | |||
|
156018bcba | ||
|
df15b38c63 | ||
|
2d4a9fc6dc | ||
|
4d8242584a | ||
a0a35bf4bf | |||
5fa9d91903 | |||
5db67021e1 | |||
|
17453d3cda | ||
|
a08f600d97 | ||
|
9472a7123e | ||
38985e4ec8 | |||
b7645489d0 | |||
63ecf63a08 | |||
8d291039d8 | |||
5eee1a7334 | |||
8dc9d9fa58 | |||
7f6ee39cb8 | |||
|
76372aac04 | ||
|
35f24627f0 | ||
31a308ea61 | |||
88cf807951 | |||
5ebb2e694c |
44 changed files with 6836 additions and 5 deletions
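--- a/.forgejo/workflows/dco.yml
+++ b/.forgejo/workflows/dco.yml
@@ -0,0 +1,21 @@
+name: DCO action
+on: [pull_request]
+
+jobs:
+dco:
+name: DCO
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+with:
+fetch-depth: 0
+
+- name: Setup Go
+uses: actions/setup-go@v3
+with:
+go-version: '1.21'
+
+- name: Run commit format checker
+uses: https://git.frostfs.info/TrueCloudLab/dco-go@v3
+with:
+from: 'origin/${{ github.event.pull_request.base.ref }}'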
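Review bot: Every action in this workflow is referenced by a mutable tag (`actions/checkout@v3`, `actions/setup-go@v3`, `https://git.frostfs.info/TrueCloudLab/dco-go@v3`), so the code that runs in CI can change without any change to this repository; the same applies to the checkout and setup-go steps in .forgejo/workflows/tests.yml. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v3`, keeps runs reproducible and makes toolchain upgrades reviewable in the diff. `fetch-depth: 0` is what lets the checker see the whole PR range, which is worth a one-line comment above it so nobody "optimises" it away.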
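--- a/.forgejo/workflows/tests.yml
+++ b/.forgejo/workflows/tests.yml
@@ -0,0 +1,73 @@
+name: Tests and linters
+on: [pull_request]
+
+jobs:
+lint:
+name: Lint
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+
+- name: Set up Go
+uses: actions/setup-go@v3
+with:
+go-version: '1.21'
+cache: true
+
+- name: Install linters
+run: make lint-install
+
+- name: Run linters
+run: make lint
+
+tests:
+name: Tests
+runs-on: ubuntu-latest
+strategy:
+matrix:
+go_versions: [ '1.20', '1.21' ]
+fail-fast: false
+steps:
+- uses: actions/checkout@v3
+
+- name: Set up Go
+uses: actions/setup-go@v3
+with:
+go-version: '${{ matrix.go_versions }}'
+cache: true
+
+- name: Run tests
+run: make test
+
+tests-race:
+name: Tests with -race
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+
+- name: Set up Go
+uses: actions/setup-go@v3
+with:
+go-version: '1.21'
+cache: true
+
+- name: Run tests
+run: go test ./... -count=1 -race
+
+staticcheck:
+name: Staticcheck
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+
+- name: Set up Go
+uses: actions/setup-go@v3
+with:
+go-version: '1.21'
+cache: true
+
+- name: Install staticcheck
+run: make staticcheck-install
+
+- name: Run staticcheck
+run: make staticcheck-run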
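Review bot: The tests-race job runs `go test ./... -count=1 -race` by hand while the tests job goes through `make test`, so the two invocations will drift as the Makefile target gains flags or excludes; a `test-race` target in the Makefile (or a `TEST_FLAGS` variable honoured by `test`) keeps one definition. The staticcheck job depends on `make staticcheck-install`, which in this same change installs `staticcheck@latest`, so that job is not reproducible between runs and a new staticcheck release can break CI with no change to the repository; pinning the version in the Makefile fixes it for CI as well.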
2
.gitattributes
vendored
2
.gitattributes
vendored
|
@ -1,2 +1,4 @@
|
|||
/**/*.pb.go -diff -merge
|
||||
/**/*.pb.go linguist-generated=true
|
||||
/**/*_easyjson.go -diff -merge
|
||||
/**/*_easyjson.go linguist-generated=true
|
|
@ -47,7 +47,7 @@ linters:
|
|||
- durationcheck
|
||||
- exhaustive
|
||||
- exportloopref
|
||||
- gofmt
|
||||
- gofumpt
|
||||
- goimports
|
||||
- misspell
|
||||
- whitespace
|
||||
|
|
|
@ -26,14 +26,17 @@ repos:
|
|||
exclude: ".key$"
|
||||
|
||||
- repo: https://github.com/shellcheck-py/shellcheck-py
|
||||
rev: v0.9.0.2
|
||||
rev: v0.9.0.6
|
||||
hooks:
|
||||
- id: shellcheck
|
||||
|
||||
- repo: https://github.com/golangci/golangci-lint
|
||||
rev: v1.51.2
|
||||
- repo: local
|
||||
hooks:
|
||||
- id: golangci-lint
|
||||
- id: make-lint
|
||||
name: Run Make Lint
|
||||
entry: make lint
|
||||
language: system
|
||||
pass_filenames: false
|
||||
|
||||
- repo: local
|
||||
hooks:
|
||||
|
@ -43,3 +46,9 @@ repos:
|
|||
pass_filenames: false
|
||||
types: [go]
|
||||
language: system
|
||||
|
||||
- repo: https://github.com/TekWizely/pre-commit-golang
|
||||
rev: v1.0.0-rc.1
|
||||
hooks:
|
||||
- id: go-staticcheck-repo-mod
|
||||
- id: go-mod-tidy
|
||||
|
|
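--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,76 @@
+#!/usr/bin/make -f
+
+TRUECLOUDLAB_LINT_VERSION ?= 0.0.2
+TMP_DIR := .cache
+OUTPUT_LINT_DIR ?= $(shell pwd)/bin
+LINT_VERSION ?= 1.55.1
+LINT_DIR = $(OUTPUT_LINT_DIR)/golangci-lint-$(LINT_VERSION)-v$(TRUECLOUDLAB_LINT_VERSION)
+EASYJSON_VERSION ?= $(shell go list -f '{{.Version}}' -m github.com/mailru/easyjson)
+EASYJSON_DIR ?= $(shell pwd)/bin/easyjson-$(EASYJSON_VERSION)
+
+# Run all code formatters
+fmts: fmt imports
+
+# Reformat code
+fmt:
+@echo "⇒ Processing gofmt check"
+@gofumpt -s -w .
+
+# Reformat imports
+imports:
+@echo "⇒ Processing goimports check"
+@goimports -w .
+
+# Run Unit Test with go test
+test:
+@echo "⇒ Running go test"
+@go test ./... -count=1
+
+# Activate pre-commit hooks
+pre-commit:
+pre-commit install -t pre-commit -t commit-msg
+
+# Deactivate pre-commit hooks
+unpre-commit:
+pre-commit uninstall -t pre-commit -t commit-msg
+
+pre-commit-run:
+@pre-commit run -a --hook-stage manual
+
+# Install linters
+lint-install:
+@mkdir -p $(TMP_DIR)
+@rm -rf $(TMP_DIR)/linters
+@git -c advice.detachedHead=false clone --branch v$(TRUECLOUDLAB_LINT_VERSION) https://git.frostfs.info/TrueCloudLab/linters.git $(TMP_DIR)/linters
+@make -C $(TMP_DIR)/linters lib CGO_ENABLED=1 OUT_DIR=$(OUTPUT_LINT_DIR)
+@rm -rf $(TMP_DIR)/linters
+@rmdir $(TMP_DIR) 2>/dev/null || true
+@CGO_ENABLED=1 GOBIN=$(LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$(LINT_VERSION)
+
+# Run linters
+lint:
+@if [ ! -d "$(LINT_DIR)" ]; then \
+echo "Run make lint-install"; \
+exit 1; \
+fi
+@$(LINT_DIR)/golangci-lint run
+
+# Install staticcheck
+staticcheck-install:
+@go install honnef.co/go/tools/cmd/staticcheck@latest
+
+# Run staticcheck
+staticcheck-run:
+@staticcheck ./...
+
+easyjson-install:
+@rm -rf $(EASYJSON_DIR)
+@mkdir -p $(EASYJSON_DIR)
+@GOBIN=$(EASYJSON_DIR) go install github.com/mailru/easyjson/...@$(EASYJSON_VERSION)
+
+generate:
+@if [ ! -d "$(EASYJSON_DIR)" ]; then \
+make easyjson-install; \
+fi
+find ./ -name "_easyjson.go" -exec rm -rf {} \;
+$(EASYJSON_DIR)/easyjson ./pkg/chain/chain.go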
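Review bot: The cleanup in the `generate` target, `find ./ -name "_easyjson.go" -exec rm -rf {} \;`, matches only a file literally named `_easyjson.go`, so the files easyjson emits next to pkg/chain/chain.go are presumably never removed before it is re-run; the `.gitattributes` entry in this same change uses `*_easyjson.go`, which suggests the intended line is `find ./ -name "*_easyjson.go" -exec rm -f {} \;`. `staticcheck-install` pulls `staticcheck@latest`, unlike `lint-install` which pins `golangci-lint@v$(LINT_VERSION)`; a `STATICCHECK_VERSION ?= <pinned-version>` variable used in the `go install` line would make the lint toolchain reproducible and its upgrades explicit. The `lint-install` clone is by mutable tag `v$(TRUECLOUDLAB_LINT_VERSION)` and the checkout is then built with CGO and loaded by the linter, so recording and checking out the expected commit would give that step an assurance comparable to what the module checksum database gives the pinned `go install` steps.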
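--- a/docs/resource.md
+++ b/docs/resource.md
@@ -0,0 +1,20 @@
+# Resource
+
+From the point of the access policy engine, a resource is an object to which a request is being performed.
+This can be an object in a container within a namespace, or all objects in a container,
+or all containers within the root namespace etc.
+
+A resource can be viewed from two sides:
+- As part of a [request](../pkg/resource/resource.go). In this case a resource has a name and properties.
+- As part of rule [chain](../pkg/chain/chain.go): a resource has just a name.
+
+## Resource name
+
+A resource name must have a such format that can be processed by a chain router that matches a request
+either with local overrides or with rules within policy contract to get if this request is allowed to be performed.
+The main idea of this format is for the chain router to match by full name (`native:object//cnrID/objID`) or
+wildcard (`native:object//cnrID/*`).
+
+Check out formats that are defined in the schema: [native formats](../schema/native/consts.go), [s3 formats](../schema/s3/consts.go).
+You should validate a resource name using [util](../schema/native/util/validation.go) before instantiating a request or
+before putting it to either to local override storage or the policy contract storage.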
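--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,28 @@
+module git.frostfs.info/TrueCloudLab/policy-engine
+
+go 1.20
+
+require (
+git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958
+github.com/google/uuid v1.3.0
+github.com/mailru/easyjson v0.7.7
+github.com/nspcc-dev/neo-go v0.103.0
+github.com/stretchr/testify v1.8.4
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
+)
+
+require (
+github.com/davecgh/go-spew v1.1.1 // indirect
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
+github.com/hashicorp/golang-lru v0.6.0 // indirect
+github.com/josharian/intern v1.0.0 // indirect
+github.com/mr-tron/base58 v1.2.0 // indirect
+github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 // indirect
+github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 // indirect
+github.com/nspcc-dev/rfc6979 v0.2.0 // indirect
+github.com/pmezard/go-difflib v1.0.0 // indirect
+golang.org/x/crypto v0.14.0 // indirect
+golang.org/x/sync v0.3.0 // indirect
+golang.org/x/text v0.13.0 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+)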
49
go.sum
Normal file
49
go.sum
Normal file
|
@ -0,0 +1,49 @@
|
|||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958 h1:X9yPizADIhD3K/gdKVCthlAnf9aQ3UJJGnZgIwwixRQ=
|
||||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958/go.mod h1:rQWdsG18NaiFvkJpMguJev913KD/yleHaniRBkUyt0o=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
|
||||
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
|
||||
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
|
||||
github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
|
||||
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
|
||||
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
|
||||
github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
|
||||
github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
|
||||
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
|
||||
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
|
||||
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
|
||||
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
|
||||
github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
|
||||
github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
|
||||
github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 h1:n4ZaFCKt1pQJd7PXoMJabZWK9ejjbLOVrkl/lOUmshg=
|
||||
github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22/go.mod h1:79bEUDEviBHJMFV6Iq6in57FEOCMcRhfQnfaf0ETA5U=
|
||||
github.com/nspcc-dev/neo-go v0.103.0 h1:UVyWPhzZdfYFG35ORP3FRDLh8J/raRQ6m8SptDdlgfM=
|
||||
github.com/nspcc-dev/neo-go v0.103.0/go.mod h1:x+wmcYqpZYJwLp1l/pHZrqNp3RSWlkMymWGDij3/OPo=
|
||||
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 h1:09CpI5uwsxb1EeFPIKQRwwWlfCmDD/Dwwh01lPiQScM=
|
||||
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5/go.mod h1:J/Mk6+nKeKSW4wygkZQFLQ6SkLOSGX5Ga0RuuuktEag=
|
||||
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
||||
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
|
||||
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
|
||||
github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 h1:xQdMZ1WLrgkkvOZ/LDQxjVxMLdby7osSh4ZEVa5sIjs=
|
||||
github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo=
|
||||
github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74/go.mod h1:RmMWU37GKR2s6pgrIEB4ixgpVCt/cf7dnJv3fuH1J1c=
|
||||
go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
|
||||
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
|
||||
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
|
||||
golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
|
||||
golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
|
||||
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
|
||||
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
|
||||
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
|
||||
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
|
||||
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
319
iam/converter.go
Normal file
319
iam/converter.go
Normal file
|
@ -0,0 +1,319 @@
|
|||
package iam
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
"unicode/utf8"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
)
|
||||
|
||||
const condKeyAWSPrincipalARN = "aws:PrincipalArn"
|
||||
|
||||
const (
|
||||
// String condition operators.
|
||||
CondStringEquals string = "StringEquals"
|
||||
CondStringNotEquals string = "StringNotEquals"
|
||||
CondStringEqualsIgnoreCase string = "StringEqualsIgnoreCase"
|
||||
CondStringNotEqualsIgnoreCase string = "StringNotEqualsIgnoreCase"
|
||||
CondStringLike string = "StringLike"
|
||||
CondStringNotLike string = "StringNotLike"
|
||||
|
||||
// Numeric condition operators.
|
||||
CondNumericEquals string = "NumericEquals"
|
||||
CondNumericNotEquals string = "NumericNotEquals"
|
||||
CondNumericLessThan string = "NumericLessThan"
|
||||
CondNumericLessThanEquals string = "NumericLessThanEquals"
|
||||
CondNumericGreaterThan string = "NumericGreaterThan"
|
||||
CondNumericGreaterThanEquals string = "NumericGreaterThanEquals"
|
||||
|
||||
// Date condition operators.
|
||||
CondDateEquals string = "DateEquals"
|
||||
CondDateNotEquals string = "DateNotEquals"
|
||||
CondDateLessThan string = "DateLessThan"
|
||||
CondDateLessThanEquals string = "DateLessThanEquals"
|
||||
CondDateGreaterThan string = "DateGreaterThan"
|
||||
CondDateGreaterThanEquals string = "DateGreaterThanEquals"
|
||||
|
||||
// Bolean condition operators.
|
||||
CondBool string = "Bool"
|
||||
|
||||
// IP address condition operators.
|
||||
CondIPAddress string = "IpAddress"
|
||||
CondNotIPAddress string = "NotIpAddress"
|
||||
|
||||
// ARN condition operators.
|
||||
CondArnEquals string = "ArnEquals"
|
||||
CondArnLike string = "ArnLike"
|
||||
CondArnNotEquals string = "ArnNotEquals"
|
||||
CondArnNotLike string = "ArnNotLike"
|
||||
|
||||
// Custom condition operators.
|
||||
CondSliceContains string = "SliceContains"
|
||||
)
|
||||
|
||||
const (
|
||||
arnIAMPrefix = "arn:aws:iam::"
|
||||
s3ResourcePrefix = "arn:aws:s3:::"
|
||||
s3ActionPrefix = "s3:"
|
||||
iamActionPrefix = "iam:"
|
||||
)
|
||||
|
||||
var (
|
||||
// ErrInvalidPrincipalFormat occurs when principal has unknown/unsupported format.
|
||||
ErrInvalidPrincipalFormat = errors.New("invalid principal format")
|
||||
|
||||
// ErrInvalidResourceFormat occurs when resource has unknown/unsupported format.
|
||||
ErrInvalidResourceFormat = errors.New("invalid resource format")
|
||||
|
||||
// ErrInvalidActionFormat occurs when action has unknown/unsupported format.
|
||||
ErrInvalidActionFormat = errors.New("invalid action format")
|
||||
|
||||
// ErrActionsNotApplicable occurs when failed to convert any actions.
|
||||
ErrActionsNotApplicable = errors.New("actions not applicable")
|
||||
)
|
||||
|
||||
type formPrincipalConditionFunc func(string) chain.Condition
|
||||
|
||||
type transformConditionFunc func(gr GroupedConditions) (GroupedConditions, error)
|
||||
|
||||
func convertToChainConditions(c Conditions, transformer transformConditionFunc) ([]GroupedConditions, error) {
|
||||
conditions, err := convertToChainCondition(c)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for i := range conditions {
|
||||
if conditions[i], err = transformer(conditions[i]); err != nil {
|
||||
return nil, fmt.Errorf("transform condition: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
return conditions, nil
|
||||
}
|
||||
|
||||
type GroupedConditions struct {
|
||||
Conditions []chain.Condition
|
||||
Any bool
|
||||
}
|
||||
|
||||
func convertToChainCondition(c Conditions) ([]GroupedConditions, error) {
|
||||
var grouped []GroupedConditions
|
||||
|
||||
for op, KVs := range c {
|
||||
condType, convertValue, err := getConditionTypeAndConverter(op)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for key, values := range KVs {
|
||||
group := GroupedConditions{
|
||||
Conditions: make([]chain.Condition, len(values)),
|
||||
Any: len(values) > 1,
|
||||
}
|
||||
|
||||
for i, val := range values {
|
||||
converted, err := convertValue(val)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
group.Conditions[i] = chain.Condition{
|
||||
Op: condType,
|
||||
Object: chain.ObjectRequest,
|
||||
Key: key,
|
||||
Value: converted,
|
||||
}
|
||||
}
|
||||
grouped = append(grouped, group)
|
||||
}
|
||||
}
|
||||
|
||||
return grouped, nil
|
||||
}
|
||||
|
||||
func getConditionTypeAndConverter(op string) (chain.ConditionType, convertFunction, error) {
|
||||
switch {
|
||||
case strings.HasPrefix(op, "String"):
|
||||
switch op {
|
||||
case CondStringEquals:
|
||||
return chain.CondStringEquals, noConvertFunction, nil
|
||||
case CondStringNotEquals:
|
||||
return chain.CondStringNotEquals, noConvertFunction, nil
|
||||
case CondStringEqualsIgnoreCase:
|
||||
return chain.CondStringEqualsIgnoreCase, noConvertFunction, nil
|
||||
case CondStringNotEqualsIgnoreCase:
|
||||
return chain.CondStringNotEqualsIgnoreCase, noConvertFunction, nil
|
||||
case CondStringLike:
|
||||
return chain.CondStringLike, noConvertFunction, nil
|
||||
case CondStringNotLike:
|
||||
return chain.CondStringNotLike, noConvertFunction, nil
|
||||
default:
|
||||
return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
|
||||
}
|
||||
case strings.HasPrefix(op, "Arn"):
|
||||
switch op {
|
||||
case CondArnEquals:
|
||||
return chain.CondStringEquals, noConvertFunction, nil
|
||||
case CondArnNotEquals:
|
||||
return chain.CondStringNotEquals, noConvertFunction, nil
|
||||
case CondArnLike:
|
||||
return chain.CondStringLike, noConvertFunction, nil
|
||||
case CondArnNotLike:
|
||||
return chain.CondStringNotLike, noConvertFunction, nil
|
||||
default:
|
||||
return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
|
||||
}
|
||||
case strings.HasPrefix(op, "Numeric"):
|
||||
// TODO
|
||||
return 0, nil, fmt.Errorf("currently nummeric conditions unsupported: '%s'", op)
|
||||
case strings.HasPrefix(op, "Date"):
|
||||
switch op {
|
||||
case CondDateEquals:
|
||||
return chain.CondStringEquals, dateConvertFunction, nil
|
||||
case CondDateNotEquals:
|
||||
return chain.CondStringNotEquals, dateConvertFunction, nil
|
||||
case CondDateLessThan:
|
||||
return chain.CondStringLessThan, dateConvertFunction, nil
|
||||
case CondDateLessThanEquals:
|
||||
return chain.CondStringLessThanEquals, dateConvertFunction, nil
|
||||
case CondDateGreaterThan:
|
||||
return chain.CondStringGreaterThan, dateConvertFunction, nil
|
||||
case CondDateGreaterThanEquals:
|
||||
return chain.CondStringGreaterThanEquals, dateConvertFunction, nil
|
||||
default:
|
||||
return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
|
||||
}
|
||||
case op == CondBool:
|
||||
return chain.CondStringEqualsIgnoreCase, noConvertFunction, nil
|
||||
case op == CondIPAddress:
|
||||
// todo consider using converters
|
||||
// "203.0.113.0/24" -> "203.0.113.*",
|
||||
// "2001:DB8:1234:5678::/64" -> "2001:DB8:1234:5678:*"
|
||||
// or having specific condition type for IP
|
||||
return chain.CondStringLike, noConvertFunction, nil
|
||||
case op == CondNotIPAddress:
|
||||
return chain.CondStringNotLike, noConvertFunction, nil
|
||||
case op == CondSliceContains:
|
||||
return chain.CondSliceContains, noConvertFunction, nil
|
||||
default:
|
||||
return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
|
||||
}
|
||||
}
|
||||
|
||||
type convertFunction func(string) (string, error)
|
||||
|
||||
func noConvertFunction(val string) (string, error) {
|
||||
return val, nil
|
||||
}
|
||||
|
||||
func dateConvertFunction(val string) (string, error) {
|
||||
if _, err := strconv.ParseInt(val, 10, 64); err == nil {
|
||||
return val, nil
|
||||
}
|
||||
|
||||
parsed, err := time.Parse(time.RFC3339, val)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return strconv.FormatInt(parsed.UTC().Unix(), 10), nil
|
||||
}
|
||||
|
||||
func parsePrincipalAsIAMUser(principal string) (account string, user string, err error) {
|
||||
if !strings.HasPrefix(principal, arnIAMPrefix) {
|
||||
return "", "", ErrInvalidPrincipalFormat
|
||||
}
|
||||
|
||||
// iam arn format arn:aws:iam::<account>:user/<user-name-with-path>
|
||||
iamResource := strings.TrimPrefix(principal, arnIAMPrefix)
|
||||
sepIndex := strings.Index(iamResource, ":user/")
|
||||
if sepIndex < 0 {
|
||||
return "", "", ErrInvalidPrincipalFormat
|
||||
}
|
||||
|
||||
account = iamResource[:sepIndex]
|
||||
user = iamResource[sepIndex+6:]
|
||||
if len(user) == 0 {
|
||||
return "", "", ErrInvalidPrincipalFormat
|
||||
}
|
||||
|
||||
userNameIndex := strings.LastIndexByte(user, '/')
|
||||
if userNameIndex > -1 {
|
||||
user = user[userNameIndex+1:]
|
||||
if len(user) == 0 {
|
||||
return "", "", ErrInvalidPrincipalFormat
|
||||
}
|
||||
}
|
||||
|
||||
return account, user, nil
|
||||
}
|
||||
|
||||
func validateResource(resource string) error {
|
||||
if resource == Wildcard {
|
||||
return nil
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(resource, s3ResourcePrefix) && !strings.HasPrefix(resource, arnIAMPrefix) {
|
||||
return ErrInvalidResourceFormat
|
||||
}
|
||||
|
||||
index := strings.IndexByte(resource, Wildcard[0])
|
||||
if index != -1 && index != utf8.RuneCountInString(resource)-1 {
|
||||
return ErrInvalidResourceFormat
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func validateAction(action string) error {
|
||||
if action == Wildcard {
|
||||
return nil
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(action, s3ActionPrefix) && !strings.HasPrefix(action, iamActionPrefix) {
|
||||
return ErrInvalidActionFormat
|
||||
}
|
||||
|
||||
index := strings.IndexByte(action, Wildcard[0])
|
||||
if index != -1 && index != utf8.RuneCountInString(action)-1 {
|
||||
return ErrInvalidActionFormat
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func splitGroupedConditions(groupedConditions []GroupedConditions) [][]chain.Condition {
|
||||
var orConditions []chain.Condition
|
||||
commonConditions := make([]chain.Condition, 0, len(groupedConditions))
|
||||
for _, grouped := range groupedConditions {
|
||||
if grouped.Any {
|
||||
orConditions = append(orConditions, grouped.Conditions...)
|
||||
} else {
|
||||
commonConditions = append(commonConditions, grouped.Conditions...)
|
||||
}
|
||||
}
|
||||
|
||||
if len(orConditions) == 0 {
|
||||
return [][]chain.Condition{commonConditions}
|
||||
}
|
||||
|
||||
res := make([][]chain.Condition, len(orConditions))
|
||||
for i, condition := range orConditions {
|
||||
res[i] = append([]chain.Condition{condition}, commonConditions...)
|
||||
}
|
||||
|
||||
return res
|
||||
}
|
||||
|
||||
func formStatus(statement Statement) chain.Status {
|
||||
status := chain.AccessDenied
|
||||
if statement.Effect == AllowEffect {
|
||||
status = chain.Allow
|
||||
}
|
||||
|
||||
return status
|
||||
}
|
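Review bot: In getConditionTypeAndConverter the IpAddress and NotIpAddress operators are mapped to chain.CondStringLike/CondStringNotLike with noConvertFunction, so unless the request property itself carries the CIDR string a value such as "203.0.113.0/24" is a pattern no concrete address matches: a Deny guarded by IpAddress never fires and a NotIpAddress condition is satisfied by every caller, which quietly widens the policy instead of rejecting it. Until an IP converter or a dedicated condition type exists, failing the way the Numeric branch already does is the safer default, `return 0, nil, fmt.Errorf("currently ip address conditions unsupported: '%s'", op)`, and the existing todo comment should say why. Separately, validateResource and validateAction compare a byte index from strings.IndexByte with a rune count from utf8.RuneCountInString, so for a non-ASCII name a wildcard in the middle can pass and one at the end can be rejected; `if index != -1 && index != len(resource)-1 {` (and `len(action)-1`) compares like with like. splitGroupedConditions also flattens every Any group into a single OR list, so two multi-valued keys under one operator produce rules for a1|a2|b1|b2 rather than (a1|a2)&(b1|b2), which is broader than IAM semantics suggest; worth confirming against how chain.Rule conditions are evaluated, which lives outside this file.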
355
iam/converter_native.go
Normal file
355
iam/converter_native.go
Normal file
|
@ -0,0 +1,355 @@
|
|||
package iam
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||
)
|
||||
|
||||
const PropertyKeyFilePath = "FilePath"
|
||||
|
||||
var supportedActionToNativeOpMap = map[string][]string{
|
||||
supportedS3NativeActionDeleteObject: {native.MethodDeleteObject, native.MethodHeadObject},
|
||||
supportedS3NativeActionHeadObject: {native.MethodHeadObject},
|
||||
supportedS3NativeActionGetObject: {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
|
||||
supportedS3NativeActionPutObject: {native.MethodPutObject},
|
||||
supportedS3NativeActionListBucket: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
|
||||
|
||||
supportedS3NativeActionCreateBucket: {native.MethodPutContainer},
|
||||
supportedS3NativeActionDeleteBucket: {native.MethodDeleteContainer},
|
||||
supportedS3NativeActionListAllMyBucket: {native.MethodListContainers},
|
||||
supportedS3NativeActionPutBucketACL: {native.MethodSetContainerEACL},
|
||||
supportedS3NativeActionGetBucketACL: {native.MethodGetContainerEACL},
|
||||
}
|
||||
|
||||
var containerNativeOperations = map[string]struct{}{
|
||||
native.MethodPutContainer: {},
|
||||
native.MethodDeleteContainer: {},
|
||||
native.MethodGetContainer: {},
|
||||
native.MethodListContainers: {},
|
||||
native.MethodSetContainerEACL: {},
|
||||
native.MethodGetContainerEACL: {},
|
||||
}
|
||||
|
||||
var objectNativeOperations = map[string]struct{}{
|
||||
native.MethodGetObject: {},
|
||||
native.MethodPutObject: {},
|
||||
native.MethodHeadObject: {},
|
||||
native.MethodDeleteObject: {},
|
||||
native.MethodSearchObject: {},
|
||||
native.MethodRangeObject: {},
|
||||
native.MethodHashObject: {},
|
||||
}
|
||||
|
||||
const (
|
||||
supportedS3NativeActionDeleteObject = "s3:DeleteObject"
|
||||
supportedS3NativeActionGetObject = "s3:GetObject"
|
||||
supportedS3NativeActionHeadObject = "s3:HeadObject"
|
||||
supportedS3NativeActionPutObject = "s3:PutObject"
|
||||
supportedS3NativeActionListBucket = "s3:ListBucket"
|
||||
|
||||
supportedS3NativeActionCreateBucket = "s3:CreateBucket"
|
||||
supportedS3NativeActionDeleteBucket = "s3:DeleteBucket"
|
||||
supportedS3NativeActionListAllMyBucket = "s3:ListAllMyBuckets"
|
||||
supportedS3NativeActionPutBucketACL = "s3:PutBucketAcl"
|
||||
supportedS3NativeActionGetBucketACL = "s3:GetBucketAcl"
|
||||
)
|
||||
|
||||
type NativeResolver interface {
|
||||
GetUserKey(account, name string) (string, error)
|
||||
GetBucketInfo(bucket string) (*BucketInfo, error)
|
||||
}
|
||||
|
||||
type BucketInfo struct {
|
||||
Namespace string
|
||||
Container string
|
||||
}
|
||||
|
||||
func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, error) {
|
||||
if err := p.Validate(ResourceBasedPolicyType); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var engineChain chain.Chain
|
||||
|
||||
for _, statement := range p.Statement {
|
||||
status := formStatus(statement)
|
||||
|
||||
action, actionInverted := statement.action()
|
||||
nativeActions, err := formNativeActionNames(action)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ruleAction := chain.Actions{Inverted: actionInverted, Names: nativeActions}
|
||||
if len(ruleAction.Names) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
resource, resourceInverted := statement.resource()
|
||||
groupedResources, err := formNativeResourceNamesAndConditions(resource, resolver, getActionTypes(nativeActions))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
groupedConditions, err := convertToNativeChainCondition(statement.Conditions, resolver)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
splitConditions := splitGroupedConditions(groupedConditions)
|
||||
|
||||
principals, principalCondFn, err := getNativePrincipalsAndConditionFunc(statement, resolver)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, groupedResource := range groupedResources {
|
||||
for _, principal := range principals {
|
||||
for _, conditions := range splitConditions {
|
||||
var principalCondition []chain.Condition
|
||||
if principal != Wildcard {
|
||||
principalCondition = []chain.Condition{principalCondFn(principal)}
|
||||
}
|
||||
|
||||
ruleConditions := append(principalCondition, groupedResource.Conditions...)
|
||||
|
||||
r := chain.Rule{
|
||||
Status: status,
|
||||
Actions: ruleAction,
|
||||
Resources: chain.Resources{
|
||||
Inverted: resourceInverted,
|
||||
Names: groupedResource.Names,
|
||||
},
|
||||
Condition: append(ruleConditions, conditions...),
|
||||
}
|
||||
engineChain.Rules = append(engineChain.Rules, r)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if len(engineChain.Rules) == 0 {
|
||||
return nil, ErrActionsNotApplicable
|
||||
}
|
||||
|
||||
return &engineChain, nil
|
||||
}
|
||||
|
||||
func getActionTypes(nativeActions []string) ActionTypes {
|
||||
var res ActionTypes
|
||||
for _, action := range nativeActions {
|
||||
if res.Object && res.Container {
|
||||
break
|
||||
}
|
||||
|
||||
_, isObj := objectNativeOperations[action]
|
||||
_, isCnr := containerNativeOperations[action]
|
||||
|
||||
res.Object = isObj || action == Wildcard
|
||||
res.Container = isCnr || action == Wildcard
|
||||
}
|
||||
|
||||
return res
|
||||
}
|
||||
|
||||
func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeResolver) ([]string, formPrincipalConditionFunc, error) {
|
||||
var principals []string
|
||||
var op chain.ConditionType
|
||||
statementPrincipal, inverted := statement.principal()
|
||||
if _, ok := statementPrincipal[Wildcard]; ok { // this can be true only if 'inverted' false
|
||||
principals = []string{Wildcard}
|
||||
op = chain.CondStringLike
|
||||
} else {
|
||||
for principalType, principal := range statementPrincipal {
|
||||
if principalType != AWSPrincipalType {
|
||||
return nil, nil, fmt.Errorf("unsupported principal type '%s'", principalType)
|
||||
}
|
||||
parsedPrincipal, err := formNativePrincipal(principal, resolver)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("parse principal: %w", err)
|
||||
}
|
||||
principals = append(principals, parsedPrincipal...)
|
||||
}
|
||||
|
||||
op = chain.CondStringEquals
|
||||
if inverted {
|
||||
op = chain.CondStringNotEquals
|
||||
}
|
||||
}
|
||||
|
||||
return principals, func(principal string) chain.Condition {
|
||||
return chain.Condition{
|
||||
Op: op,
|
||||
Object: chain.ObjectRequest,
|
||||
Key: native.PropertyKeyActorPublicKey,
|
||||
Value: principal,
|
||||
}
|
||||
}, nil
|
||||
}
|
||||
|
||||
func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
|
||||
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
|
||||
for i := range gr.Conditions {
|
||||
if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
|
||||
gr.Conditions[i].Key = native.PropertyKeyActorPublicKey
|
||||
val, err := formPrincipalKey(gr.Conditions[i].Value, resolver)
|
||||
if err != nil {
|
||||
return GroupedConditions{}, err
|
||||
}
|
||||
gr.Conditions[i].Value = val
|
||||
}
|
||||
}
|
||||
|
||||
return gr, nil
|
||||
})
|
||||
}
|
||||
|
||||
type GroupedResources struct {
|
||||
Names []string
|
||||
Conditions []chain.Condition
|
||||
}
|
||||
|
||||
type ActionTypes struct {
|
||||
Object bool
|
||||
Container bool
|
||||
}
|
||||
|
||||
func formNativeResourceNamesAndConditions(names []string, resolver NativeResolver, actionTypes ActionTypes) ([]GroupedResources, error) {
|
||||
if !actionTypes.Object && !actionTypes.Container {
|
||||
return nil, ErrActionsNotApplicable
|
||||
}
|
||||
|
||||
res := make([]GroupedResources, 0, len(names))
|
||||
|
||||
var combined []string
|
||||
|
||||
for _, resource := range names {
|
||||
if err := validateResource(resource); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if resource == Wildcard {
|
||||
res = res[:0]
|
||||
return append(res, formWildcardNativeResource(actionTypes)), nil
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(resource, s3ResourcePrefix) {
|
||||
continue
|
||||
}
|
||||
|
||||
var bkt, obj string
|
||||
s3Resource := strings.TrimPrefix(resource, s3ResourcePrefix)
|
||||
if s3Resource == Wildcard {
|
||||
res = res[:0]
|
||||
return append(res, formWildcardNativeResource(actionTypes)), nil
|
||||
}
|
||||
|
||||
if sepIndex := strings.Index(s3Resource, "/"); sepIndex < 0 {
|
||||
bkt = s3Resource
|
||||
} else {
|
||||
bkt = s3Resource[:sepIndex]
|
||||
obj = s3Resource[sepIndex+1:]
|
||||
if len(obj) == 0 {
|
||||
obj = Wildcard
|
||||
}
|
||||
}
|
||||
|
||||
bktInfo, err := resolver.GetBucketInfo(bkt)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if obj == Wildcard && actionTypes.Object { // this corresponds to arn:aws:s3:::BUCKET/ or arn:aws:s3:::BUCKET/*
|
||||
combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container))
|
||||
continue
|
||||
}
|
||||
if obj == "" && actionTypes.Container { // this corresponds to arn:aws:s3:::BUCKET
|
||||
combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainer, bktInfo.Namespace, bktInfo.Container))
|
||||
continue
|
||||
}
|
||||
|
||||
res = append(res, GroupedResources{
|
||||
Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container)},
|
||||
Conditions: []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringLike,
|
||||
Object: chain.ObjectResource,
|
||||
Key: PropertyKeyFilePath,
|
||||
Value: obj,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
if len(combined) != 0 {
|
||||
res = append(res, GroupedResources{Names: combined})
|
||||
}
|
||||
|
||||
return res, nil
|
||||
}
|
||||
|
||||
func formWildcardNativeResource(actionTypes ActionTypes) GroupedResources {
|
||||
groupedNames := make([]string, 0, 2)
|
||||
if actionTypes.Object {
|
||||
groupedNames = append(groupedNames, native.ResourceFormatAllObjects)
|
||||
}
|
||||
if actionTypes.Container {
|
||||
groupedNames = append(groupedNames, native.ResourceFormatAllContainers)
|
||||
}
|
||||
|
||||
return GroupedResources{Names: groupedNames}
|
||||
}
|
||||
|
||||
func formNativePrincipal(principal []string, resolver NativeResolver) ([]string, error) {
|
||||
res := make([]string, len(principal))
|
||||
|
||||
var err error
|
||||
for i := range principal {
|
||||
if res[i], err = formPrincipalKey(principal[i], resolver); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
return res, nil
|
||||
}
|
||||
|
||||
func formPrincipalKey(principal string, resolver NativeResolver) (string, error) {
|
||||
account, user, err := parsePrincipalAsIAMUser(principal)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
key, err := resolver.GetUserKey(account, user)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("get user key: %w", err)
|
||||
}
|
||||
|
||||
return key, nil
|
||||
}
|
||||
|
||||
func formNativeActionNames(names []string) ([]string, error) {
|
||||
res := make([]string, 0, len(names))
|
||||
|
||||
for _, action := range names {
|
||||
if err := validateAction(action); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if action == Wildcard {
|
||||
return []string{Wildcard}, nil
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(action, s3ActionPrefix) {
|
||||
continue
|
||||
}
|
||||
|
||||
if strings.TrimPrefix(action, s3ActionPrefix) == Wildcard {
|
||||
return []string{Wildcard}, nil
|
||||
}
|
||||
|
||||
res = append(res, supportedActionToNativeOpMap[action]...)
|
||||
}
|
||||
|
||||
return res, nil
|
||||
}
|
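--- a/iam/converter_s3.go
+++ b/iam/converter_s3.go
@@ -0,0 +1,255 @@
+package iam
+
+import (
+"fmt"
+
+"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
+)
+
+var specialActionToS3OpMap = map[string][]string{
+specialS3ActionsListAllMyBuckets: {"s3:ListBuckets"},
+specialS3ActionsListBucket: {"s3:HeadBucket", "s3:GetBucketLocation", "s3:ListObjectsV1", "s3:ListObjectsV2"},
+specialS3ActionsListBucketVersions: {"s3:ListBucketObjectVersions"},
+specialS3ActionsListBucketMultipartUploads: {"s3:ListMultipartUploads"},
+specialS3ActionsGetBucketObjectLockConfiguration: {"s3:GetBucketObjectLockConfig"},
+specialS3ActionsGetEncryptionConfiguration: {"s3:GetBucketEncryption"},
+specialS3ActionsGetLifecycleConfiguration: {"s3:GetBucketLifecycle"},
+specialS3ActionsGetBucketACL: {"s3:GetBucketACL"},
+specialS3ActionsGetBucketCORS: {"s3:GetBucketCors"},
+specialS3ActionsPutBucketTagging: {"s3:PutBucketTagging", "s3:DeleteBucketTagging"},
+specialS3ActionsPutBucketObjectLockConfiguration: {"s3:PutBucketObjectLockConfig"},
+specialS3ActionsPutEncryptionConfiguration: {"s3:PutBucketEncryption", "s3:DeleteBucketEncryption"},
+specialS3ActionsPutLifecycleConfiguration: {"s3:PutBucketLifecycle", "s3:DeleteBucketLifecycle"},
+specialS3ActionsPutBucketACL: {"s3:PutBucketACL"},
+specialS3ActionsPutBucketCORS: {"s3:PutBucketCors", "s3:DeleteBucketCors"},
+specialS3ActionsDeleteBucketCORS: {"s3:DeleteBucketCors"},
+
+specialS3ActionsListMultipartUploadParts: {"s3:ListParts"},
+specialS3ActionsGetObjectACL: {"s3:GetObjectACL"},
+specialS3ActionsGetObject: {"s3:GetObject", "s3:HeadObject"},
+specialS3ActionsGetObjectVersion: {"s3:GetObject", "s3:HeadObject"},
+specialS3ActionsGetObjectVersionACL: {"s3:GetObjectACL"},
+specialS3ActionsGetObjectVersionAttributes: {"s3:GetObjectAttributes"},
+specialS3ActionsGetObjectVersionTagging: {"s3:GetObjectTagging"},
+specialS3ActionsPutObjectACL: {"s3:PutObjectACL"},
+specialS3ActionsPutObjectVersionACL: {"s3:PutObjectACL"},
+specialS3ActionsPutObjectVersionTagging: {"s3:PutObjectTagging"},
+specialS3ActionsPutObject: {
+"s3:PutObject", "s3:PostObject", "s3:CopyObject",
+"s3:UploadPart", "s3:UploadPartCopy", "s3:CreateMultipartUpload", "s3:CompleteMultipartUpload",
+},
+specialS3ActionsDeleteObjectVersionTagging: {"s3:DeleteObjectTagging"},
+specialS3ActionsDeleteObject: {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
+specialS3ActionsDeleteObjectVersion: {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
+}
+
+const (
+specialS3ActionsListAllMyBuckets = "s3:ListAllMyBuckets"
+specialS3ActionsListBucket = "s3:ListBucket"
+specialS3ActionsListBucketVersions = "s3:ListBucketVersions"
+specialS3ActionsListBucketMultipartUploads = "s3:ListBucketMultipartUploads"
+specialS3ActionsGetBucketObjectLockConfiguration = "s3:GetBucketObjectLockConfiguration"
+specialS3ActionsGetEncryptionConfiguration = "s3:GetEncryptionConfiguration"
+specialS3ActionsGetLifecycleConfiguration = "s3:GetLifecycleConfiguration"
+specialS3ActionsGetBucketACL = "s3:GetBucketAcl"
+specialS3ActionsGetBucketCORS = "s3:GetBucketCORS"
+specialS3ActionsPutBucketTagging = "s3:PutBucketTagging"
+specialS3ActionsPutBucketObjectLockConfiguration = "s3:PutBucketObjectLockConfiguration"
+specialS3ActionsPutEncryptionConfiguration = "s3:PutEncryptionConfiguration"
+specialS3ActionsPutLifecycleConfiguration = "s3:PutLifecycleConfiguration"
+specialS3ActionsPutBucketACL = "s3:PutBucketAcl"
+specialS3ActionsPutBucketCORS = "s3:PutBucketCORS"
+specialS3ActionsDeleteBucketCORS = "s3:DeleteBucketCORS"
+specialS3ActionsListMultipartUploadParts = "s3:ListMultipartUploadParts"
+specialS3ActionsGetObjectACL = "s3:GetObjectAcl"
+specialS3ActionsGetObject = "s3:GetObject"
+specialS3ActionsGetObjectVersion = "s3:GetObjectVersion"
+specialS3ActionsGetObjectVersionACL = "s3:GetObjectVersionAcl"
+specialS3ActionsGetObjectVersionAttributes = "s3:GetObjectVersionAttributes"
+specialS3ActionsGetObjectVersionTagging = "s3:GetObjectVersionTagging"
+specialS3ActionsPutObjectACL = "s3:PutObjectAcl"
+specialS3ActionsPutObjectVersionACL = "s3:PutObjectVersionAcl"
+specialS3ActionsPutObjectVersionTagging = "s3:PutObjectVersionTagging"
+specialS3ActionsPutObject = "s3:PutObject"
+specialS3ActionsDeleteObjectVersionTagging = "s3:DeleteObjectVersionTagging"
+specialS3ActionsDeleteObject = "s3:DeleteObject"
+specialS3ActionsDeleteObjectVersion = "s3:DeleteObjectVersion"
+)
+
+type S3Resolver interface {
+GetUserAddress(account, user string) (string, error)
+}
+
+func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
+if err := p.Validate(ResourceBasedPolicyType); err != nil {
+return nil, err
+}
+
+var engineChain chain.Chain
+
+for _, statement := range p.Statement {
+status := formStatus(statement)
+
+actions, actionInverted := statement.action()
+s3Actions, err := formS3ActionNames(actions)
+if err != nil {
+return nil, err
+}
+ruleAction := chain.Actions{Inverted: actionInverted, Names: s3Actions}
+if len(ruleAction.Names) == 0 {
+continue
+}
+
+resources, resourceInverted := statement.resource()
+if err := validateS3ResourceNames(resources); err != nil {
+return nil, err
+}
+ruleResource := chain.Resources{Inverted: resourceInverted, Names: resources}
+
+groupedConditions, err := convertToS3ChainCondition(statement.Conditions, resolver)
+if err != nil {
+return nil, err
+}
+splitConditions := splitGroupedConditions(groupedConditions)
+
+principals, principalCondFn, err := getS3PrincipalsAndConditionFunc(statement, resolver)
+if err != nil {
+return nil, err
+}
+
+for _, principal := range principals {
+for _, conditions := range splitConditions {
+var principalCondition []chain.Condition
+if principal != Wildcard {
+principalCondition = []chain.Condition{principalCondFn(principal)}
+}
+
+r := chain.Rule{
+Status: status,
+Actions: ruleAction,
+Resources: ruleResource,
+Condition: append(principalCondition, conditions...),
+}
+engineChain.Rules = append(engineChain.Rules, r)
+}
+}
+}
+
+if len(engineChain.Rules) == 0 {
+return nil, ErrActionsNotApplicable
+}
+
+return &engineChain, nil
+}
+
+func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) ([]string, formPrincipalConditionFunc, error) {
+var principals []string
+var op chain.ConditionType
+statementPrincipal, inverted := statement.principal()
+if _, ok := statementPrincipal[Wildcard]; ok { // this can be true only if 'inverted' false
+principals = []string{Wildcard}
+op = chain.CondStringLike
+} else {
+for principalType, principal := range statementPrincipal {
+if principalType != AWSPrincipalType {
+return nil, nil, fmt.Errorf("unsupported principal type '%s'", principalType)
+}
+parsedPrincipal, err := formS3Principal(principal, resolver)
+if err != nil {
+return nil, nil, fmt.Errorf("parse principal: %w", err)
+}
+principals = append(principals, parsedPrincipal...)
+}
+
+op = chain.CondStringEquals
+if inverted {
+op = chain.CondStringNotEquals
+}
+}
+
+return principals, func(principal string) chain.Condition {
+return chain.Condition{
+Op: op,
+Object: chain.ObjectRequest,
+Key: s3.PropertyKeyOwner,
+Value: principal,
+}
+}, nil
+}
+
+func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
+return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
+for i := range gr.Conditions {
+if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
+gr.Conditions[i].Key = s3.PropertyKeyOwner
+val, err := formPrincipalOwner(gr.Conditions[i].Value, resolver)
+if err != nil {
+return GroupedConditions{}, err
+}
+gr.Conditions[i].Value = val
+}
+}
+
+return gr, nil
+})
+}
+
+func formS3Principal(principal []string, resolver S3Resolver) ([]string, error) {
+res := make([]string, len(principal))
+
+var err error
+for i := range principal {
+if res[i], err = formPrincipalOwner(principal[i], resolver); err != nil {
+return nil, err
+}
+}
+
+return res, nil
+}
+
+func formPrincipalOwner(principal string, resolver S3Resolver) (string, error) {
+account, user, err := parsePrincipalAsIAMUser(principal)
+if err != nil {
+return "", err
+}
+
+address, err := resolver.GetUserAddress(account, user)
+if err != nil {
+return "", fmt.Errorf("get user address: %w", err)
+}
+
+return address, nil
+}
+
+func validateS3ResourceNames(names []string) error {
+for i := range names {
+if err := validateResource(names[i]); err != nil {
+return err
+}
+}
+
+return nil
+}
+
+func formS3ActionNames(names []string) ([]string, error) {
+res := make([]string, 0, len(names))
+
+for _, action := range names {
+if err := validateAction(action); err != nil {
+return nil, err
+}
+
+if action == Wildcard {
+return []string{Wildcard}, nil
+}
+
+if actions, ok := specialActionToS3OpMap[action]; ok {
+res = append(res, actions...)
+} else {
+res = append(res, action)
+}
+}
+
+return res, nil
+}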
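Review bot: The per-principal fan-out in ConvertToS3Chain (`for _, principal := range principals`, one rule per principal) is wrong for NotPrincipal: getS3PrincipalsAndConditionFunc maps an inverted principal list to `chain.CondStringNotEquals`, so `NotPrincipal: [A, B]` with effect Deny becomes two rules, "owner != A" and "owner != B", and A is denied by the second rule although an exclusion list is meant to exempt both A and B. Assuming the engine evaluates rules independently, inverted principals have to be folded into one rule whose NotEquals conditions are ANDed, while non-inverted principals keep the one-rule-per-principal fan-out (OR); `statement.principal()` already returns the `inverted` flag the loop needs. The same loop shape is visible in the native converter above this section (the loop following getNativePrincipalsAndConditionFunc, whose enclosing function starts before this view) and needs the same fix. Separately, the Put* entries of specialActionToS3OpMap deliberately carry the matching Delete* operation, and a comment such as `// Put* bucket-configuration actions also authorize the matching Delete*, as in AWS` would stop a reader from taking that for a copy-paste error.
```go
_, inverted := statement.principal()
principals, principalCondFn, err := getS3PrincipalsAndConditionFunc(statement, resolver)
// … unchanged: error check …

// NotPrincipal is an exclusion set: every "owner != X" condition must live in ONE
// rule, otherwise principal A is matched (and denied) by the rule generated for B.
var principalGroups [][]chain.Condition
if inverted {
	conds := make([]chain.Condition, 0, len(principals))
	for _, principal := range principals {
		conds = append(conds, principalCondFn(principal))
	}
	principalGroups = [][]chain.Condition{conds}
} else {
	for _, principal := range principals {
		if principal == Wildcard {
			principalGroups = append(principalGroups, nil)
			continue
		}
		principalGroups = append(principalGroups, []chain.Condition{principalCondFn(principal)})
	}
}

for _, principalCondition := range principalGroups {
	for _, conditions := range splitConditions {
		// full-slice expression forces append to copy, so rules never share a backing array
		base := principalCondition[:len(principalCondition):len(principalCondition)]
		r := chain.Rule{
			// … unchanged: Status, Actions, Resources …
			Condition: append(base, conditions...),
		}
		engineChain.Rules = append(engineChain.Rules, r)
	}
}
```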
1425
iam/converter_test.go
Normal file
1425
iam/converter_test.go
Normal file
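--- a/iam/policy.go
+++ b/iam/policy.go
@@ -0,0 +1,318 @@
+package iam
+
+import (
+"encoding/json"
+"errors"
+"fmt"
+)
+
+type (
+// Policy grammar https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html
+Policy struct {
+Version string `json:"Version,omitempty"`
+ID string `json:"Id,omitempty"`
+Statement Statements `json:"Statement"`
+}
+
+Statements []Statement
+
+Statement struct {
+ID string `json:"Id,omitempty"`
+SID string `json:"Sid,omitempty"`
+Principal Principal `json:"Principal,omitempty"`
+NotPrincipal Principal `json:"NotPrincipal,omitempty"`
+Effect Effect `json:"Effect"`
+Action Action `json:"Action,omitempty"`
+NotAction Action `json:"NotAction,omitempty"`
+Resource Resource `json:"Resource,omitempty"`
+NotResource Resource `json:"NotResource,omitempty"`
+Conditions Conditions `json:"Condition,omitempty"`
+}
+
+Principal map[PrincipalType][]string
+
+Effect string
+
+Action []string
+
+Resource []string
+
+Conditions map[string]Condition
+
+Condition map[string][]string
+
+PolicyType int
+
+PrincipalType string
+)
+
+const (
+GeneralPolicyType PolicyType = iota
+IdentityBasedPolicyType
+ResourceBasedPolicyType
+)
+
+const Wildcard = "*"
+
+const (
+AllowEffect Effect = "Allow"
+DenyEffect Effect = "Deny"
+)
+
+func (e Effect) IsValid() bool {
+return e == AllowEffect || e == DenyEffect
+}
+
+const (
+AWSPrincipalType PrincipalType = "AWS"
+FederatedPrincipalType PrincipalType = "Federated"
+ServicePrincipalType PrincipalType = "Service"
+CanonicalUserPrincipalType PrincipalType = "CanonicalUser"
+)
+
+func (p PrincipalType) IsValid() bool {
+return p == AWSPrincipalType || p == FederatedPrincipalType ||
+p == ServicePrincipalType || p == CanonicalUserPrincipalType
+}
+
+func (s *Statements) UnmarshalJSON(data []byte) error {
+var list []Statement
+if err := json.Unmarshal(data, &list); err == nil {
+*s = list
+return nil
+}
+
+var elem Statement
+if err := json.Unmarshal(data, &elem); err != nil {
+return err
+}
+
+*s = []Statement{elem}
+
+return nil
+}
+
+func (p *Principal) UnmarshalJSON(data []byte) error {
+*p = make(Principal)
+
+var str string
+
+if err := json.Unmarshal(data, &str); err == nil {
+if str != Wildcard {
+return errors.New("invalid IAM string principal")
+}
+(*p)[Wildcard] = nil
+return nil
+}
+
+m := make(map[PrincipalType]any)
+if err := json.Unmarshal(data, &m); err != nil {
+return err
+}
+
+for key, val := range m {
+element, ok := val.(string)
+if ok {
+(*p)[key] = []string{element}
+continue
+}
+
+list, ok := val.([]any)
+if !ok {
+return errors.New("invalid principal format")
+}
+
+resList := make([]string, len(list))
+for i := range list {
+val, ok := list[i].(string)
+if !ok {
+return errors.New("invalid principal format")
+}
+resList[i] = val
+}
+
+(*p)[key] = resList
+}
+
+return nil
+}
+
+func (a *Action) UnmarshalJSON(data []byte) error {
+var list []string
+if err := json.Unmarshal(data, &list); err == nil {
+*a = list
+return nil
+}
+
+var elem string
+if err := json.Unmarshal(data, &elem); err != nil {
+return err
+}
+
+*a = []string{elem}
+
+return nil
+}
+
+func (r *Resource) UnmarshalJSON(data []byte) error {
+var list []string
+if err := json.Unmarshal(data, &list); err == nil {
+*r = list
+return nil
+}
+
+var elem string
+if err := json.Unmarshal(data, &elem); err != nil {
+return err
+}
+
+*r = []string{elem}
+
+return nil
+}
+
+func (c *Condition) UnmarshalJSON(data []byte) error {
+*c = make(Condition)
+
+m := make(map[string]any)
+if err := json.Unmarshal(data, &m); err != nil {
+return err
+}
+
+for key, val := range m {
+element, ok := val.(string)
+if ok {
+(*c)[key] = []string{element}
+continue
+}
+
+list, ok := val.([]any)
+if !ok {
+return errors.New("invalid principal format")
+}
+
+resList := make([]string, len(list))
+for i := range list {
+val, ok := list[i].(string)
+if !ok {
+return errors.New("invalid principal format")
+}
+resList[i] = val
+}
+
+(*c)[key] = resList
+}
+
+return nil
+}
+
+func (p Policy) Validate(typ PolicyType) error {
+if err := p.validate(); err != nil {
+return err
+}
+
+switch typ {
+case IdentityBasedPolicyType:
+return p.validateIdentityBased()
+case ResourceBasedPolicyType:
+return p.validateResourceBased()
+default:
+return nil
+}
+}
+
+func (p Policy) validate() error {
+if len(p.Statement) == 0 {
+return errors.New("'Statement' is missing")
+}
+
+for _, statement := range p.Statement {
+if !statement.Effect.IsValid() {
+return fmt.Errorf("unknown effect: '%s'", statement.Effect)
+}
+if len(statement.Action) != 0 && len(statement.NotAction) != 0 {
+return errors.New("'Actions' and 'NotAction' are mutually exclusive")
+}
+if statement.Resource != nil && statement.NotResource != nil {
+return errors.New("'Resources' and 'NotResource' are mutually exclusive")
+}
+if len(statement.Resource) == 0 && len(statement.NotResource) == 0 {
+return errors.New("one of 'Resources'/'NotResource' must be provided")
+}
+if len(statement.Principal) != 0 && len(statement.NotPrincipal) != 0 {
+return errors.New("'Principal' and 'NotPrincipal' are mutually exclusive")
+}
+if len(statement.NotPrincipal) != 0 && statement.Effect != DenyEffect {
+return errors.New("using 'NotPrincipal' with effect 'Allow' is not supported")
+}
+
+principal, _ := statement.principal()
+if err := principal.validate(); err != nil {
+return err
+}
+}
+
+return nil
+}
+
+func (p Policy) validateIdentityBased() error {
+if len(p.ID) != 0 {
+return errors.New("'Id' is not allowed for identity-based policy")
+}
+
+for _, statement := range p.Statement {
+if len(statement.Principal) != 0 || len(statement.NotPrincipal) != 0 {
+return errors.New("'Principal' and 'NotPrincipal' are not allowed for identity-based policy")
+}
+}
+
+return nil
+}
+
+func (p Policy) validateResourceBased() error {
+for _, statement := range p.Statement {
+if len(statement.Principal) == 0 && len(statement.NotPrincipal) == 0 {
+return errors.New("'Principal' or 'NotPrincipal' must be provided for resource-based policy")
+}
+}
+
+return nil
+}
+
+func (s Statement) principal() (Principal, bool) {
+if len(s.NotPrincipal) != 0 {
+return s.NotPrincipal, true
+}
+
+return s.Principal, false
+}
+
+func (s Statement) action() (Action, bool) {
+if len(s.NotAction) != 0 {
+return s.NotAction, true
+}
+
+return s.Action, false
+}
+
+func (s Statement) resource() (Resource, bool) {
+if len(s.NotResource) != 0 {
+return s.NotResource, true
+}
+
+return s.Resource, false
+}
+
+func (p Principal) validate() error {
+if _, ok := p[Wildcard]; ok && len(p) == 1 {
+return nil
+}
+
+for key := range p {
+if !key.IsValid() {
+return fmt.Errorf("unknown principal type: '%s'", key)
+}
+}
+
+return nil
+}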
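Review bot: Condition.UnmarshalJSON reports both of its shape failures as `errors.New("invalid principal format")`, copied from Principal.UnmarshalJSON, so a malformed Condition block is diagnosed as a principal problem; both returns in that method should read `return errors.New("invalid condition format")`. In Policy.validate the Resource/NotResource exclusivity check is the only one written with nil comparisons (`statement.Resource != nil && statement.NotResource != nil`), so for an explicitly empty list (`[]` decodes to an empty, non-nil slice) it behaves differently from the Action/NotAction check two lines above and from the len-based check right after it; `if len(statement.Resource) != 0 && len(statement.NotResource) != 0 {` makes the four exclusivity checks consistent. The messages on those lines also name the fields 'Actions' and 'Resources' while the JSON keys are Action and Resource, which makes a rejected policy harder to map back to the offending statement.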
503
iam/policy_test.go
Normal file
503
iam/policy_test.go
Normal file
|
@ -0,0 +1,503 @@
|
|||
package iam
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestUnmarshalIAMPolicy(t *testing.T) {
|
||||
t.Run("simple fields", func(t *testing.T) {
|
||||
policy := `{
|
||||
"Version": "2012-10-17",
|
||||
"Id": "PutObjPolicy",
|
||||
"Statement": {
|
||||
"Sid": "DenyObjectsThatAreNotSSEKMS",
|
||||
"Principal": "*",
|
||||
"Effect": "Deny",
|
||||
"Action": "s3:PutObject",
|
||||
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
|
||||
"Condition": {
|
||||
"Null": {
|
||||
"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"
|
||||
}
|
||||
}
|
||||
}
|
||||
}`
|
||||
|
||||
expected := Policy{
|
||||
Version: "2012-10-17",
|
||||
ID: "PutObjPolicy",
|
||||
Statement: []Statement{{
|
||||
SID: "DenyObjectsThatAreNotSSEKMS",
|
||||
Principal: map[PrincipalType][]string{
|
||||
"*": nil,
|
||||
},
|
||||
Effect: DenyEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
||||
Conditions: map[string]Condition{
|
||||
"Null": {
|
||||
"s3:x-amz-server-side-encryption-aws-kms-key-id": {"true"},
|
||||
},
|
||||
},
|
||||
}},
|
||||
}
|
||||
|
||||
var p Policy
|
||||
err := json.Unmarshal([]byte(policy), &p)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, expected, p)
|
||||
})
|
||||
|
||||
t.Run("complex fields", func(t *testing.T) {
|
||||
policy := `{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [{
|
||||
"Principal":{
|
||||
"AWS":[
|
||||
"arn:aws:iam::111122223333:user/JohnDoe"
|
||||
]
|
||||
},
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:PutObject"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
|
||||
],
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"s3:RequestObjectTag/Department": ["Finance"]
|
||||
}
|
||||
}
|
||||
}]
|
||||
}`
|
||||
|
||||
expected := Policy{
|
||||
Version: "2012-10-17",
|
||||
Statement: []Statement{{
|
||||
Principal: map[PrincipalType][]string{
|
||||
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
|
||||
},
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
||||
Conditions: map[string]Condition{
|
||||
"StringEquals": {
|
||||
"s3:RequestObjectTag/Department": {"Finance"},
|
||||
},
|
||||
},
|
||||
}},
|
||||
}
|
||||
|
||||
var p Policy
|
||||
err := json.Unmarshal([]byte(policy), &p)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, expected, p)
|
||||
|
||||
raw, err := json.Marshal(expected)
|
||||
require.NoError(t, err)
|
||||
require.JSONEq(t, policy, string(raw))
|
||||
})
|
||||
|
||||
t.Run("check principal AWS", func(t *testing.T) {
|
||||
policy := `{
|
||||
"Statement": [{
|
||||
"Principal":{
|
||||
"AWS":"arn:aws:iam::111122223333:user/JohnDoe"
|
||||
}
|
||||
}]
|
||||
}`
|
||||
|
||||
expected := Policy{
|
||||
Statement: []Statement{{
|
||||
Principal: map[PrincipalType][]string{
|
||||
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
|
||||
},
|
||||
}},
|
||||
}
|
||||
|
||||
var p Policy
|
||||
err := json.Unmarshal([]byte(policy), &p)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, expected, p)
|
||||
})
|
||||
|
||||
t.Run("native example", func(t *testing.T) {
|
||||
policy := `
|
||||
{
|
||||
"Version": "xyz",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"native:*",
|
||||
"s3:PutObject",
|
||||
"s3:GetObject"
|
||||
],
|
||||
"Resource": ["*"],
|
||||
"Principal": {"FrostFS": ["did:frostfs:039e3ee771a223361fe7862f532e9511b57baaae3c3e2622682e99d0e660f7671"]},
|
||||
"Condition": {"StringEquals": {"native::object::attribute": "iamuser-admin"}}
|
||||
}
|
||||
]
|
||||
}`
|
||||
|
||||
var p Policy
|
||||
err := json.Unmarshal([]byte(policy), &p)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("condition array", func(t *testing.T) {
|
||||
policy := `
|
||||
{
|
||||
"Statement": [{
|
||||
"Condition": {"StringLike": {"ec2:InstanceType": ["t1.*", "t2.*", "m3.*"]}}
|
||||
}]
|
||||
}`
|
||||
|
||||
expected := Policy{
|
||||
Statement: []Statement{{
|
||||
Conditions: map[string]Condition{
|
||||
"StringLike": {"ec2:InstanceType": {"t1.*", "t2.*", "m3.*"}},
|
||||
},
|
||||
}},
|
||||
}
|
||||
|
||||
var p Policy
|
||||
err := json.Unmarshal([]byte(policy), &p)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, expected, p)
|
||||
})
|
||||
|
||||
t.Run("'Not*' fields", func(t *testing.T) {
|
||||
policy := `
|
||||
{
|
||||
"Id": "PutObjPolicy",
|
||||
"Statement": [{
|
||||
"NotPrincipal": {"AWS":["arn:aws:iam::111122223333:user/Alice"]},
|
||||
"Effect": "Deny",
|
||||
"NotAction": "s3:PutObject",
|
||||
"NotResource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
|
||||
}]
|
||||
}`
|
||||
|
||||
expected := Policy{
|
||||
ID: "PutObjPolicy",
|
||||
Statement: []Statement{{
|
||||
NotPrincipal: map[PrincipalType][]string{
|
||||
AWSPrincipalType: {"arn:aws:iam::111122223333:user/Alice"},
|
||||
},
|
||||
Effect: DenyEffect,
|
||||
NotAction: []string{"s3:PutObject"},
|
||||
NotResource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
||||
}},
|
||||
}
|
||||
|
||||
var p Policy
|
||||
err := json.Unmarshal([]byte(policy), &p)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, expected, p)
|
||||
})
|
||||
}
|
||||
|
||||
func TestValidatePolicies(t *testing.T) {
|
||||
for _, tc := range []struct {
|
||||
name string
|
||||
policy Policy
|
||||
typ PolicyType
|
||||
isValid bool
|
||||
}{
|
||||
{
|
||||
name: "valid permission boundaries",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:*", "cloudwatch:*", "ec2:*"},
|
||||
Resource: []string{Wildcard},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: true,
|
||||
},
|
||||
{
|
||||
name: "general invalid effect",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: "dummy",
|
||||
Action: []string{"s3:*", "cloudwatch:*", "ec2:*"},
|
||||
Resource: []string{Wildcard},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "general invalid principal block",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:*", "cloudwatch:*", "ec2:*"},
|
||||
Resource: []string{Wildcard},
|
||||
Principal: map[PrincipalType][]string{Wildcard: nil},
|
||||
NotPrincipal: map[PrincipalType][]string{Wildcard: nil},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "general invalid not principal",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:*", "cloudwatch:*", "ec2:*"},
|
||||
Resource: []string{Wildcard},
|
||||
NotPrincipal: map[PrincipalType][]string{AWSPrincipalType: {"arn:aws:iam::111122223333:user/Alice"}},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "general invalid principal type",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:*", "cloudwatch:*", "ec2:*"},
|
||||
Resource: []string{Wildcard},
|
||||
NotPrincipal: map[PrincipalType][]string{"dummy": {"arn:aws:iam::111122223333:user/Alice"}},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "general invalid action block",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:*", "cloudwatch:*", "ec2:*"},
|
||||
NotAction: []string{"iam:*"},
|
||||
Resource: []string{Wildcard},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "general invalid resource block",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Resource: []string{Wildcard},
|
||||
NotResource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "invalid resource block",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Resource: []string{},
|
||||
NotResource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "missing resource block",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
}},
|
||||
},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "missing statement block",
|
||||
policy: Policy{},
|
||||
typ: GeneralPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "identity based valid",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{Wildcard},
|
||||
}},
|
||||
},
|
||||
typ: IdentityBasedPolicyType,
|
||||
isValid: true,
|
||||
},
|
||||
{
|
||||
name: "identity based invalid because of id presence",
|
||||
policy: Policy{
|
||||
ID: "some-id",
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{Wildcard},
|
||||
}},
|
||||
},
|
||||
typ: IdentityBasedPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "identity based invalid because of principal presence",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{Wildcard},
|
||||
Principal: map[PrincipalType][]string{AWSPrincipalType: {"arn:aws:iam::111122223333:user/Alice"}},
|
||||
}},
|
||||
},
|
||||
typ: IdentityBasedPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "identity based invalid because of not principal presence",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{Wildcard},
|
||||
NotPrincipal: map[PrincipalType][]string{AWSPrincipalType: {"arn:aws:iam::111122223333:user/Alice"}},
|
||||
}},
|
||||
},
|
||||
typ: IdentityBasedPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
{
|
||||
name: "resource based valid principal",
|
||||
policy: Policy{
|
||||
Statement: []Statement{{
|
||||
Effect: DenyEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{Wildcard},
|
||||
Principal: map[PrincipalType][]string{AWSPrincipalType: {"arn:aws:iam::111122223333:user/Alice"}},
|
||||
}},
|
||||
},
|
||||
typ: ResourceBasedPolicyType,
|
||||
isValid: true,
|
||||
},
|
||||
{
|
||||
name: "resource based valid not principal",
|
||||
policy: Policy{
|
||||
ID: "some-id",
|
||||
Statement: []Statement{{
|
||||
Effect: DenyEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{Wildcard},
|
||||
NotPrincipal: map[PrincipalType][]string{AWSPrincipalType: {"arn:aws:iam::111122223333:user/Alice"}},
|
||||
}},
|
||||
},
|
||||
typ: ResourceBasedPolicyType,
|
||||
isValid: true,
|
||||
},
|
||||
{
|
||||
name: "resource based invalid missing principal",
|
||||
policy: Policy{
|
||||
ID: "some-id",
|
||||
Statement: []Statement{{
|
||||
Effect: AllowEffect,
|
||||
Action: []string{"s3:PutObject"},
|
||||
Resource: []string{Wildcard},
|
||||
}},
|
||||
},
|
||||
typ: ResourceBasedPolicyType,
|
||||
isValid: false,
|
||||
},
|
||||
} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
err := tc.policy.Validate(tc.typ)
|
||||
if tc.isValid {
|
||||
require.NoError(t, err)
|
||||
} else {
|
||||
require.Error(t, err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestProcessDenyFirst(t *testing.T) {
|
||||
identityBasedPolicyStr := `
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": [ "arn:aws:iam::root:user/user-name" ]
|
||||
},
|
||||
"Action": ["s3:PutObject" ],
|
||||
"Resource": "arn:aws:s3:::*"
|
||||
}
|
||||
]
|
||||
}
|
||||
`
|
||||
|
||||
resourceBasedPolicyStr := `
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Deny",
|
||||
"Principal": "*",
|
||||
"Action": "s3:*",
|
||||
"Resource": [ "arn:aws:s3:::test-bucket/*" ]
|
||||
}
|
||||
]
|
||||
}
|
||||
`
|
||||
|
||||
var identityPolicy Policy
|
||||
err := json.Unmarshal([]byte(identityBasedPolicyStr), &identityPolicy)
|
||||
require.NoError(t, err)
|
||||
|
||||
var resourcePolicy Policy
|
||||
err = json.Unmarshal([]byte(resourceBasedPolicyStr), &resourcePolicy)
|
||||
require.NoError(t, err)
|
||||
|
||||
mockResolver := newMockUserResolver([]string{"root/user-name"}, []string{"test-bucket"}, "")
|
||||
|
||||
identityNativePolicy, err := ConvertToNativeChain(identityPolicy, mockResolver)
|
||||
require.NoError(t, err)
|
||||
identityNativePolicy.MatchType = chain.MatchTypeFirstMatch
|
||||
|
||||
resourceNativePolicy, err := ConvertToNativeChain(resourcePolicy, mockResolver)
|
||||
require.NoError(t, err)
|
||||
|
||||
s := inmemory.NewInMemory()
|
||||
|
||||
target := engine.NamespaceTarget("ns")
|
||||
|
||||
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, identityNativePolicy)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, resourceNativePolicy)
|
||||
require.NoError(t, err)
|
||||
|
||||
resource := testutil.NewResource(fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers["test-bucket"]), nil)
|
||||
request := testutil.NewRequest("PutObject", resource, map[string]string{native.PropertyKeyActorPublicKey: mockResolver.users["root/user-name"]})
|
||||
|
||||
status, found, err := s.IsAllowed(chain.Ingress, engine.NewRequestTarget("ns", ""), request)
|
||||
require.NoError(t, err)
|
||||
require.True(t, found)
|
||||
require.Equal(t, chain.AccessDenied, status)
|
||||
}
|
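--- a/pkg/chain/chain.go
+++ b/pkg/chain/chain.go
@@ -0,0 +1,273 @@
+package chain
+
+import (
+"fmt"
+"strings"
+
+"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+"git.frostfs.info/TrueCloudLab/policy-engine/util"
+"golang.org/x/exp/slices"
+)
+
+// ID is the ID of rule chain.
+type ID []byte
+
+// MatchType is the match type for chain rules.
+type MatchType uint8
+
+const (
+// MatchTypeDenyPriority rejects the request if any `Deny` is specified.
+MatchTypeDenyPriority MatchType = 0
+// MatchTypeFirstMatch returns the first rule action matched to the request.
+MatchTypeFirstMatch MatchType = 1
+)
+
+//easyjson:json
+type Chain struct {
+ID ID
+
+Rules []Rule
+
+MatchType MatchType
+}
+
+func (c *Chain) Bytes() []byte {
+data, err := c.MarshalBinary()
+if err != nil {
+panic(err)
+}
+return data
+}
+
+func (c *Chain) DecodeBytes(b []byte) error {
+return c.UnmarshalBinary(b)
+}
+
+type Rule struct {
+Status Status
+// Actions the operation is applied to.
+Actions Actions
+// List of the resources the operation is applied to.
+Resources Resources
+// True iff individual conditions must be combined with the logical OR.
+// By default AND is used, so _each_ condition must pass.
+Any bool
+Condition []Condition
+}
+
+type Actions struct {
+Inverted bool
+Names []string
+}
+
+type Resources struct {
+Inverted bool
+Names []string
+}
+
+type Condition struct {
+Op ConditionType
+Object ObjectType
+Key string
+Value string
+}
+
+type ObjectType byte
+
+const (
+ObjectResource ObjectType = iota
+ObjectRequest
+ContainerResource
+ContainerRequest
+)
+
+type ConditionType byte
+
+// TODO @fyrchik: reduce the number of conditions.
+// Everything from here should be expressable, but we do not need them all.
+// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
+const (
+// String condition operators.
+CondStringEquals ConditionType = iota
+CondStringNotEquals
+CondStringEqualsIgnoreCase
+CondStringNotEqualsIgnoreCase
+CondStringLike
+CondStringNotLike
+CondStringLessThan
+CondStringLessThanEquals
+CondStringGreaterThan
+CondStringGreaterThanEquals
+
+// Numeric condition operators.
+CondNumericEquals
+CondNumericNotEquals
+CondNumericLessThan
+CondNumericLessThanEquals
+CondNumericGreaterThan
+CondNumericGreaterThanEquals
+
+CondSliceContains
+)
+
+var condToStr = []struct {
+ct ConditionType
+str string
+}{
+{CondStringEquals, "StringEquals"},
+{CondStringNotEquals, "StringNotEquals"},
+{CondStringEqualsIgnoreCase, "StringEqualsIgnoreCase"},
+{CondStringNotEqualsIgnoreCase, "StringNotEqualsIgnoreCase"},
+{CondStringLike, "StringLike"},
+{CondStringNotLike, "StringNotLike"},
+{CondStringLessThan, "StringLessThan"},
+{CondStringLessThanEquals, "StringLessThanEquals"},
+{CondStringGreaterThan, "StringGreaterThan"},
+{CondStringGreaterThanEquals, "StringGreaterThanEquals"},
+{CondNumericEquals, "NumericEquals"},
+{CondNumericNotEquals, "NumericNotEquals"},
+{CondNumericLessThan, "NumericLessThan"},
+{CondNumericLessThanEquals, "NumericLessThanEquals"},
+{CondNumericGreaterThan, "NumericGreaterThan"},
+{CondNumericGreaterThanEquals, "NumericGreaterThanEquals"},
+{CondSliceContains, "SliceContains"},
+}
+
+func (c ConditionType) String() string {
+for _, v := range condToStr {
+if v.ct == c {
+return v.str
+}
+}
+return "unknown condition type"
+}
+
+const condSliceContainsDelimiter = "\x00"
+
+// FormCondSliceContainsValue builds value for ObjectResource or ObjectRequest property
+// that can be matched by CondSliceContains condition.
+func FormCondSliceContainsValue(values []string) string {
+return strings.Join(values, condSliceContainsDelimiter)
+}
+
+func (c *Condition) Match(req resource.Request) bool {
+var val string
+switch c.Object {
+case ObjectResource:
+val = req.Resource().Property(c.Key)
+case ObjectRequest:
+val = req.Property(c.Key)
+default:
+panic(fmt.Sprintf("unknown condition type: %d", c.Object))
+}
+
+switch c.Op {
+default:
+panic(fmt.Sprintf("unimplemented: %d", c.Op))
+case CondStringEquals:
+return val == c.Value
+case CondStringNotEquals:
+return val != c.Value
+case CondStringEqualsIgnoreCase:
+return strings.EqualFold(val, c.Value)
+case CondStringNotEqualsIgnoreCase:
+return !strings.EqualFold(val, c.Value)
+case CondStringLike:
+return util.GlobMatch(val, c.Value)
+case CondStringNotLike:
+return !util.GlobMatch(val, c.Value)
+case CondStringLessThan:
+return val < c.Value
+case CondStringLessThanEquals:
+return val <= c.Value
+case CondStringGreaterThan:
+return val > c.Value
+case CondStringGreaterThanEquals:
+return val >= c.Value
+case CondSliceContains:
+return slices.Contains(strings.Split(val, condSliceContainsDelimiter), c.Value)
+}
+}
+
+func (r *Rule) Match(req resource.Request) (status Status, matched bool) {
+found := len(r.Resources.Names) == 0
+for i := range r.Resources.Names {
+if util.GlobMatch(req.Resource().Name(), r.Resources.Names[i]) != r.Resources.Inverted {
+found = true
+break
+}
+}
+if !found {
+return NoRuleFound, false
+}
+for i := range r.Actions.Names {
+if util.GlobMatch(req.Operation(), r.Actions.Names[i]) != r.Actions.Inverted {
+return r.matchCondition(req)
+}
+}
+return NoRuleFound, false
+}
+
+func (r *Rule) matchCondition(obj resource.Request) (status Status, matched bool) {
+if r.Any {
+return r.matchAny(obj)
+}
+return r.matchAll(obj)
+}
+
+func (r *Rule) matchAny(obj resource.Request) (status Status, matched bool) {
+for i := range r.Condition {
+if r.Condition[i].Match(obj) {
+return r.Status, true
+}
+}
+return NoRuleFound, false
+}
+
+func (r *Rule) matchAll(obj resource.Request) (status Status, matched bool) {
+for i := range r.Condition {
+if !r.Condition[i].Match(obj) {
+return NoRuleFound, false
+}
+}
+return r.Status, true
+}
+
+func (c *Chain) Match(req resource.Request) (status Status, matched bool) {
+switch c.MatchType {
+case MatchTypeDenyPriority:
+return c.denyPriority(req)
+case MatchTypeFirstMatch:
+return c.firstMatch(req)
+default:
+panic(fmt.Sprintf("unknown MatchType %d", c.MatchType))
+}
+}
+
+func (c *Chain) firstMatch(req resource.Request) (status Status, matched bool) {
+for i := range c.Rules {
+status, matched := c.Rules[i].Match(req)
+if matched {
+return status, true
+}
+}
+return NoRuleFound, false
+}
+
+func (c *Chain) denyPriority(req resource.Request) (status Status, matched bool) {
+var allowFound bool
+for i := range c.Rules {
+status, matched := c.Rules[i].Match(req)
+if !matched {
+continue
+}
+if status != Allow {
+return status, true
+}
+allowFound = true
+}
+if allowFound {
+return Allow, true
+}
+return NoRuleFound, false
+}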
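Review bot: `Rule.Match` treats an inverted name list as "not every entry matches" rather than "no entry matches": with `Inverted` set and two names, a resource that matches the first but not the second makes `util.GlobMatch(...) != r.Resources.Inverted` true on the second iteration, so the rule fires for a resource the NotResource list was meant to exclude (an Allow rule then over-grants, a Deny rule over-denies). The same inversion applies to the `r.Actions.Names` loop. The fix is to decide once whether any entry matches and compare that single result with `Inverted`, keeping the existing empty-list behaviour (empty Resources matches every resource, empty Actions matches nothing). Separately, `Condition.Match` panics for `ContainerResource`/`ContainerRequest` and for every `CondNumeric*` operator, and `Chain.Match` panics for an unknown `MatchType`; since these values are read straight from `UnmarshalBinary`, a malformed stored chain becomes a panic at request-evaluation time rather than a decode error.
```go
// globMatchAny reports whether name matches at least one of the globs.
func globMatchAny(name string, globs []string) bool {
	for i := range globs {
		if util.GlobMatch(name, globs[i]) {
			return true
		}
	}
	return false
}

func (r *Rule) Match(req resource.Request) (status Status, matched bool) {
	// An inverted list matches only when none of its entries match;
	// an empty resource list matches every resource, as before.
	if len(r.Resources.Names) != 0 &&
		globMatchAny(req.Resource().Name(), r.Resources.Names) == r.Resources.Inverted {
		return NoRuleFound, false
	}
	// An empty action list matches nothing, as before.
	if len(r.Actions.Names) == 0 ||
		globMatchAny(req.Operation(), r.Actions.Names) == r.Actions.Inverted {
		return NoRuleFound, false
	}
	return r.matchCondition(req)
}
```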
BIN
pkg/chain/chain_easyjson.go
generated
Normal file
BIN
pkg/chain/chain_easyjson.go
generated
Normal file
Binary file not shown.
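--- a/pkg/chain/chain_names.go
+++ b/pkg/chain/chain_names.go
@@ -0,0 +1,13 @@
+package chain
+
+// Name represents the place in the request lifecycle where policy is applied.
+type Name string
+
+const (
+// Ingress represents chains applied when crossing user/storage network boundary.
+// It is not applied when talking between nodes.
+Ingress Name = "ingress"
+
+// S3 represents chains applied when crossing user/s3 network boundary.
+S3 Name = "s3"
+)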
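--- a/pkg/chain/chain_test.go
+++ b/pkg/chain/chain_test.go
@@ -0,0 +1,151 @@
+package chain
+
+import (
+"testing"
+
+"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
+"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
+"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+"github.com/stretchr/testify/require"
+)
+
+func TestChainIDSerialization(t *testing.T) {
+chainIDBytes := []byte{93, 236, 80, 138, 168, 3, 144, 92, 173, 141, 16, 42, 249, 90, 97, 109, 211, 169, 54, 163}
+
+chain1 := &Chain{ID: ID(chainIDBytes)}
+data := chain1.Bytes()
+
+var chain2 Chain
+err := chain2.DecodeBytes(data)
+require.NoError(t, err)
+
+require.Equal(t, chain1.ID, chain2.ID)
+}
+
+func TestEncodeDecode(t *testing.T) {
+expected := Chain{
+MatchType: MatchTypeFirstMatch,
+Rules: []Rule{
+{
+Status: Allow,
+Actions: Actions{Names: []string{
+"native::PutObject",
+}},
+Resources: Resources{Names: []string{"*"}},
+Condition: []Condition{
+{
+Op: CondStringEquals,
+Key: "Name",
+Value: "NNS",
+},
+},
+},
+},
+}
+data := expected.Bytes()
+
+var actual Chain
+require.NoError(t, actual.DecodeBytes(data))
+require.Equal(t, expected, actual)
+}
+
+func TestReturnFirstMatch(t *testing.T) {
+ch := Chain{
+Rules: []Rule{
+{
+Status: Allow,
+Actions: Actions{Names: []string{
+native.MethodPutObject,
+}},
+Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
+Condition: []Condition{},
+},
+{
+Status: AccessDenied,
+Actions: Actions{Names: []string{
+native.MethodPutObject,
+}},
+Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
+Condition: []Condition{},
+},
+},
+}
+
+resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
+request := testutil.NewRequest(native.MethodPutObject, resource, nil)
+
+t.Run("default match", func(t *testing.T) {
+st, found := ch.Match(request)
+require.True(t, found)
+require.Equal(t, AccessDenied, st)
+})
+
+t.Run("return first match", func(t *testing.T) {
+ch.MatchType = MatchTypeFirstMatch
+st, found := ch.Match(request)
+require.True(t, found)
+require.Equal(t, Allow, st)
+})
+}
+
+func TestCondSliceContainsMatch(t *testing.T) {
+propKey := common.PropertyKeyFrostFSIDGroupID
+groupID := "1"
+
+ch := Chain{Rules: []Rule{{
+Status: Allow,
+Actions: Actions{Names: []string{native.MethodPutObject}},
+Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
+Condition: []Condition{{
+Op: CondSliceContains,
+Object: ObjectRequest,
+Key: propKey,
+Value: groupID,
+}},
+}}}
+
+for _, tc := range []struct {
+name string
+value string
+status Status
+}{
+{
+name: "simple value",
+value: groupID,
+status: Allow,
+},
+{
+name: "simple value by func",
+value: FormCondSliceContainsValue([]string{groupID}),
+status: Allow,
+},
+{
+name: "multiple values by func",
+value: FormCondSliceContainsValue([]string{groupID, "2", "3"}),
+status: Allow,
+},
+{
+name: "simple mismatched",
+value: "3",
+status: NoRuleFound,
+},
+{
+name: "multiple mismatched",
+value: FormCondSliceContainsValue([]string{"11", "12"}),
+status: NoRuleFound,
+},
+{
+name: "comma correct handling mismatched",
+value: "1,11",
+status: NoRuleFound,
+},
+} {
+t.Run(tc.name, func(t *testing.T) {
+resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
+request := testutil.NewRequest(native.MethodPutObject, resource, map[string]string{propKey: tc.value})
+
+st, _ := ch.Match(request)
+require.Equal(t, tc.status.String(), st.String())
+})
+}
+}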
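Review bot: The "default match" subtest in `TestReturnFirstMatch` relies on `ch.MatchType` still being the zero value while the following subtest mutates the shared `ch`, so the two cases are only correct in their current order; set it explicitly with `ch.MatchType = MatchTypeDenyPriority` at the top of the first subtest so each case stands alone. None of the new tests exercises `Actions.Inverted` or `Resources.Inverted`, so the NotAction/NotResource path of `Rule.Match` has no coverage in this package; a constructed case such as `Resources{Inverted: true, Names: []string{"a", "b"}}` with a request whose resource name matches `"a"` would pin the intended exclusion semantics.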
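--- a/pkg/chain/error.go
+++ b/pkg/chain/error.go
@@ -0,0 +1,35 @@
+package chain
+
+import "fmt"
+
+// Status is the status for policy application.
+type Status byte
+
+const (
+Allow Status = iota
+NoRuleFound
+AccessDenied
+QuotaLimitReached
+last
+)
+
+// Valid returns true if the status is valid.
+func (s Status) Valid() bool {
+return s < last
+}
+
+// String implements the fmt.Stringer interface.
+func (s Status) String() string {
+switch s {
+case Allow:
+return "Allowed"
+case NoRuleFound:
+return "NoRuleFound"
+case AccessDenied:
+return "Access denied"
+case QuotaLimitReached:
+return "Quota limit reached"
+default:
+return fmt.Sprintf("Denied with status: %d", s)
+}
+}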
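Review bot: The exported constants `Allow`, `NoRuleFound`, `AccessDenied` and `QuotaLimitReached` have no doc comments, and the unexported `last` sentinel that `Valid` compares against is undocumented, so a status appended after it would silently be reported invalid. Add `// last is a sentinel; declare new statuses above it so that Valid stays correct.` on the line before `last`, plus a one-line comment per status. `String` also mixes styles ("Allowed", "NoRuleFound", "Access denied"); if these strings reach logs or API responses, one form should be chosen.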
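--- a/pkg/chain/marshal_binary.go
+++ b/pkg/chain/marshal_binary.go
@@ -0,0 +1,257 @@
+package chain
+
+import (
+"encoding"
+"fmt"
+
+"git.frostfs.info/TrueCloudLab/policy-engine/pkg/marshal"
+)
+
+const (
+ChainMarshalVersion uint8 = 0 // increase if breaking change
+)
+
+var (
+_ encoding.BinaryMarshaler = (*Chain)(nil)
+_ encoding.BinaryUnmarshaler = (*Chain)(nil)
+)
+
+func (c *Chain) MarshalBinary() ([]byte, error) {
+s := marshal.UInt8Size // Marshaller version
+s += marshal.UInt8Size // Chain version
+s += marshal.SliceSize(c.ID, func(byte) int { return marshal.ByteSize })
+s += marshal.SliceSize(c.Rules, ruleSize)
+s += marshal.UInt8Size // MatchType
+
+buf := make([]byte, s)
+var offset int
+var err error
+offset, err = marshal.UInt8Marshal(buf, offset, marshal.Version)
+if err != nil {
+return nil, err
+}
+offset, err = marshal.UInt8Marshal(buf, offset, ChainMarshalVersion)
+if err != nil {
+return nil, err
+}
+offset, err = marshal.SliceMarshal(buf, offset, c.ID, marshal.ByteMarshal)
+if err != nil {
+return nil, err
+}
+offset, err = marshal.SliceMarshal(buf, offset, c.Rules, marshalRule)
+if err != nil {
+return nil, err
+}
+offset, err = marshal.UInt8Marshal(buf, offset, uint8(c.MatchType))
+if err != nil {
+return nil, err
+}
+
+if err := marshal.VerifyMarshal(buf, offset); err != nil {
+return nil, err
+}
+return buf, nil
+}
+
+func (c *Chain) UnmarshalBinary(data []byte) error {
+var offset int
+
+marshallerVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
+if err != nil {
+return err
+}
+if marshallerVersion != marshal.Version {
+return fmt.Errorf("unsupported marshaller version %d", marshallerVersion)
+}
+
+chainVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
+if err != nil {
+return err
+}
+if chainVersion != ChainMarshalVersion {
+return fmt.Errorf("unsupported chain version %d", chainVersion)
+}
+
+idBytes, offset, err := marshal.SliceUnmarshal(data, offset, marshal.ByteUnmarshal)
+if err != nil {
+return err
+}
+c.ID = ID(idBytes)
+
+c.Rules, offset, err = marshal.SliceUnmarshal(data, offset, unmarshalRule)
+if err != nil {
+return err
+}
+
+matchTypeV, offset, err := marshal.UInt8Unmarshal(data, offset)
+if err != nil {
+return err
+}
+c.MatchType = MatchType(matchTypeV)
+
+return marshal.VerifyUnmarshal(data, offset)
+}
+
+func ruleSize(r Rule) int {
+s := marshal.ByteSize // Status
+s += actionsSize(r.Actions)
+s += resourcesSize(r.Resources)
+s += marshal.BoolSize // Any
+s += marshal.SliceSize(r.Condition, conditionSize)
+return s
+}
+
+func marshalRule(buf []byte, offset int, r Rule) (int, error) {
+offset, err := marshal.ByteMarshal(buf, offset, byte(r.Status))
+if err != nil {
+return 0, err
+}
+offset, err = marshalActions(buf, offset, r.Actions)
+if err != nil {
+return 0, err
+}
+offset, err = marshalResources(buf, offset, r.Resources)
+if err != nil {
+return 0, err
+}
+offset, err = marshal.BoolMarshal(buf, offset, r.Any)
+if err != nil {
+return 0, err
+}
+return marshal.SliceMarshal(buf, offset, r.Condition, marshalCondition)
+}
+
+func unmarshalRule(buf []byte, offset int) (Rule, int, error) {
+var r Rule
+statusV, offset, err := marshal.ByteUnmarshal(buf, offset)
+if err != nil {
+return Rule{}, 0, err
+}
+r.Status = Status(statusV)
+
+r.Actions, offset, err = unmarshalActions(buf, offset)
+if err != nil {
+return Rule{}, 0, err
+}
+
+r.Resources, offset, err = unmarshalResources(buf, offset)
+if err != nil {
+return Rule{}, 0, err
+}
+
+r.Any, offset, err = marshal.BoolUnmarshal(buf, offset)
+if err != nil {
+return Rule{}, 0, err
+}
+
+r.Condition, offset, err = marshal.SliceUnmarshal(buf, offset, unmarshalCondition)
+if err != nil {
+return Rule{}, 0, err
+}
+
+return r, offset, nil
+}
+
+func actionsSize(a Actions) int {
+return marshal.BoolSize + // Inverted
+marshal.SliceSize(a.Names, marshal.StringSize)
+}
+
+func marshalActions(buf []byte, offset int, a Actions) (int, error) {
+offset, err := marshal.BoolMarshal(buf, offset, a.Inverted)
+if err != nil {
+return 0, err
+}
+return marshal.SliceMarshal(buf, offset, a.Names, marshal.StringMarshal)
+}
+
+func unmarshalActions(buf []byte, offset int) (Actions, int, error) {
+var a Actions
+var err error
+a.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
+if err != nil {
+return Actions{}, 0, err
+}
+a.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
+if err != nil {
+return Actions{}, 0, err
+}
+return a, offset, nil
+}
+
+func resourcesSize(r Resources) int {
+return marshal.BoolSize + // Inverted
+marshal.SliceSize(r.Names, marshal.StringSize)
+}
+
+func marshalResources(buf []byte, offset int, r Resources) (int, error) {
+offset, err := marshal.BoolMarshal(buf, offset, r.Inverted)
+if err != nil {
+return 0, err
+}
+return marshal.SliceMarshal(buf, offset, r.Names, marshal.StringMarshal)
+}
+
+func unmarshalResources(buf []byte, offset int) (Resources, int, error) {
+var r Resources
+var err error
+r.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
+if err != nil {
+return Resources{}, 0, err
+}
+r.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
+if err != nil {
+return Resources{}, 0, err
+}
+return r, offset, nil
+}
+
+func conditionSize(c Condition) int {
+return marshal.ByteSize + // Op
+marshal.ByteSize + // Object
+marshal.StringSize(c.Key) +
+marshal.StringSize(c.Value)
+}
+
+func marshalCondition(buf []byte, offset int, c Condition) (int, error) {
+offset, err := marshal.ByteMarshal(buf, offset, byte(c.Op))
+if err != nil {
+return 0, err
+}
+offset, err = marshal.ByteMarshal(buf, offset, byte(c.Object))
+if err != nil {
+return 0, err
+}
+offset, err = marshal.StringMarshal(buf, offset, c.Key)
+if err != nil {
+return 0, err
+}
+return marshal.StringMarshal(buf, offset, c.Value)
+}
+
+func unmarshalCondition(buf []byte, offset int) (Condition, int, error) {
+var c Condition
+opV, offset, err := marshal.ByteUnmarshal(buf, offset)
+if err != nil {
+return Condition{}, 0, err
+}
+c.Op = ConditionType(opV)
+
+obV, offset, err := marshal.ByteUnmarshal(buf, offset)
+if err != nil {
+return Condition{}, 0, err
+}
+c.Object = ObjectType(obV)
+
+c.Key, offset, err = marshal.StringUnmarshal(buf, offset)
+if err != nil {
+return Condition{}, 0, err
+}
+
+c.Value, offset, err = marshal.StringUnmarshal(buf, offset)
+if err != nil {
+return Condition{}, 0, err
+}
+
+return c, offset, nil
+}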
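Review bot: `UnmarshalBinary`, `unmarshalRule` and `unmarshalCondition` convert the decoded bytes to `MatchType`, `Status`, `ConditionType` and `ObjectType` without any range check, so every byte value passes `VerifyUnmarshal` (and `FuzzUnmarshal`) yet later drives `Chain.Match` or `Condition.Match` into their panicking `default` arms. Rejecting out-of-range values at decode time turns a corrupted or hostile chain blob into an error from `UnmarshalBinary` instead of a crash during request evaluation; `Status.Valid()` already exists for one of the four. The checks below go directly after the corresponding `marshal.*Unmarshal` calls; `Condition.Match` still has unimplemented arms for the numeric operators and the container object types, which this does not change.
```go
// … unchanged: UnmarshalBinary up to the MatchType read …
	if matchTypeV > uint8(MatchTypeFirstMatch) {
		return fmt.Errorf("unsupported match type %d", matchTypeV)
	}
	c.MatchType = MatchType(matchTypeV)

// … unchanged: unmarshalRule up to the Status read …
	r.Status = Status(statusV)
	if !r.Status.Valid() {
		return Rule{}, 0, fmt.Errorf("invalid rule status %d", statusV)
	}

// … unchanged: unmarshalCondition up to the Op read …
	if opV > byte(CondSliceContains) {
		return Condition{}, 0, fmt.Errorf("unknown condition type %d", opV)
	}
	c.Op = ConditionType(opV)
// … unchanged: Object read …
	if obV > byte(ContainerRequest) {
		return Condition{}, 0, fmt.Errorf("unknown object type %d", obV)
	}
	c.Object = ObjectType(obV)
```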
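--- a/pkg/chain/marshal_binary_test.go
+++ b/pkg/chain/marshal_binary_test.go
@@ -0,0 +1,272 @@
+package chain
+
+import (
+	"fmt"
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestChainMarshalling(t *testing.T) {
+	t.Parallel()
+	for _, id := range generateTestIDs() {
+		for _, rules := range generateTestRules() {
+			for _, matchType := range generateTestMatchTypes() {
+				performMarshalTest(t, id, rules, matchType)
+			}
+		}
+	}
+}
+
+func TestInvalidChainData(t *testing.T) {
+	var ch Chain
+	require.Error(t, ch.UnmarshalBinary(nil))
+	require.Error(t, ch.UnmarshalBinary([]byte{}))
+	require.Error(t, ch.UnmarshalBinary([]byte{1, 2, 3}))
+	require.Error(t, ch.UnmarshalBinary([]byte("\x00\x00:aws:iam::namespace:group/so\x82\x82\x82\x82\x82\x82u\x82")))
+}
+
+func FuzzUnmarshal(f *testing.F) {
+	for _, id := range generateTestIDs() {
+		for _, rules := range generateTestRules() {
+			for _, matchType := range generateTestMatchTypes() {
+
+				chain := Chain{
+					ID: id,
+					Rules: rules,
+					MatchType: matchType,
+				}
+				data, err := chain.MarshalBinary()
+				require.NoError(f, err)
+				f.Add(data)
+			}
+		}
+	}
+
+	f.Fuzz(func(t *testing.T, data []byte) {
+		var ch Chain
+		require.NotPanics(t, func() {
+			_ = ch.UnmarshalBinary(data)
+		})
+	})
+}
+
+func performMarshalTest(t *testing.T, id ID, r []Rule, mt MatchType) {
+	chain := Chain{
+		ID: id,
+		Rules: r,
+		MatchType: mt,
+	}
+	data, err := chain.MarshalBinary()
+	require.NoError(t, err)
+
+	var unmarshalledChain Chain
+	require.NoError(t, unmarshalledChain.UnmarshalBinary(data))
+
+	require.Equal(t, chain, unmarshalledChain)
+}
+
+func generateTestIDs() []ID {
+	return []ID{
+		ID(""),
+		ID(uuid.New().String()),
+		ID("*::/"),
+		ID("avada kedavra"),
+		ID("arn:aws:iam::namespace:group/some_group"),
+		ID("$Object:homomorphicHash"),
+		ID("native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
+	}
+}
+
+func generateTestRules() [][]Rule {
+	result := [][]Rule{
+		nil,
+		{},
+		{},
+	}
+
+	for _, st := range generateTestStatuses() {
+		for _, act := range generateTestActions() {
+			for _, res := range generateTestResources() {
+				for _, cond := range generateTestConditions() {
+					result[2] = append(result[2], Rule{
+						Status: st,
+						Actions: act,
+						Resources: res,
+						Condition: cond,
+						Any: true,
+					})
+					result[2] = append(result[2], Rule{
+						Status: st,
+						Actions: act,
+						Resources: res,
+						Condition: cond,
+					})
+				}
+			}
+		}
+	}
+
+	return result
+}
+
+func generateTestStatuses() []Status {
+	return []Status{
+		Allow,
+		NoRuleFound,
+		AccessDenied,
+		QuotaLimitReached,
+	}
+}
+
+func generateTestActions() []Actions {
+	return []Actions{
+		{
+			Inverted: true,
+			Names: nil,
+		},
+		{
+			Names: nil,
+		},
+		{
+			Inverted: true,
+			Names: []string{},
+		},
+		{
+			Names: []string{},
+		},
+		{
+			Inverted: true,
+			Names: []string{native.MethodPutObject},
+		},
+		{
+			Names: []string{native.MethodPutObject},
+		},
+		{
+			Inverted: true,
+			Names: []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
+		},
+		{
+			Names: []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
+		},
+	}
+}
+
+func generateTestResources() []Resources {
+	return []Resources{
+		{
+			Inverted: true,
+			Names: nil,
+		},
+		{
+			Names: nil,
+		},
+		{
+			Inverted: true,
+			Names: []string{},
+		},
+		{
+			Names: []string{},
+		},
+		{
+			Inverted: true,
+			Names: []string{native.ResourceFormatAllObjects},
+		},
+		{
+			Names: []string{native.ResourceFormatAllObjects},
+		},
+		{
+			Inverted: true,
+			Names: []string{
+				native.ResourceFormatAllObjects,
+				fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
+			},
+		},
+		{
+			Names: []string{
+				native.ResourceFormatAllObjects,
+				fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
+			},
+		},
+	}
+}
+
+func generateTestConditions() [][]Condition {
+	result := [][]Condition{
+		nil,
+		{},
+		{},
+	}
+
+	for _, ct := range generateTestConditionTypes() {
+		for _, ot := range generateObjectTypes() {
+			result[2] = append(result[2], Condition{
+				Op: ct,
+				Object: ot,
+				Key: "",
+				Value: "",
+			})
+
+			result[2] = append(result[2], Condition{
+				Op: ct,
+				Object: ot,
+				Key: "key",
+				Value: "",
+			})
+
+			result[2] = append(result[2], Condition{
+				Op: ct,
+				Object: ot,
+				Key: "",
+				Value: "value",
+			})
+
+			result[2] = append(result[2], Condition{
+				Op: ct,
+				Object: ot,
+				Key: "key",
+				Value: "value",
+			})
+		}
+	}
+
+	return result
+}
+
+func generateTestConditionTypes() []ConditionType {
+	return []ConditionType{
+		CondStringEquals,
+		CondStringNotEquals,
+		CondStringEqualsIgnoreCase,
+		CondStringNotEqualsIgnoreCase,
+		CondStringLike,
+		CondStringNotLike,
+		CondStringLessThan,
+		CondStringLessThanEquals,
+		CondStringGreaterThan,
+		CondStringGreaterThanEquals,
+		CondNumericEquals,
+		CondNumericNotEquals,
+		CondNumericLessThan,
+		CondNumericLessThanEquals,
+		CondNumericGreaterThan,
+		CondNumericGreaterThanEquals,
+		CondSliceContains,
+	}
+}
+
+func generateObjectTypes() []ObjectType {
+	return []ObjectType{
+		ObjectResource,
+		ObjectRequest,
+	}
+}
+
+func generateTestMatchTypes() []MatchType {
+	return []MatchType{
+		MatchTypeDenyPriority,
+		MatchTypeFirstMatch,
+	}
+}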
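Review bot: FuzzUnmarshal only checks that UnmarshalBinary does not panic, so a decoder that silently accepts truncated input or trailing junk would still pass the fuzz run; when a decode succeeds the test could additionally re-encode the result and require the bytes to match, which pins a canonical encoding and makes such acceptance visible. This assumes MarshalBinary is meant to be canonical (the encoder lives in marshal_binary.go, outside this section); if it is not, compare a second decode of the re-encoded bytes against the first decoded Chain instead. performMarshalTest also relies on require.Equal distinguishing nil from empty slices, so a comment such as `// performMarshalTest round-trips the chain and requires an exact match, including the nil-vs-empty distinction of Rules and Condition.` would make that intent explicit for whoever touches the decoder next.
```go
	f.Fuzz(func(t *testing.T, data []byte) {
		var ch Chain
		require.NotPanics(t, func() {
			if err := ch.UnmarshalBinary(data); err != nil {
				return
			}
			// A successful decode must re-encode to the same bytes (canonical form).
			out, err := ch.MarshalBinary()
			require.NoError(t, err)
			require.Equal(t, data, out)
		})
	})
```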
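--- a/pkg/chain/marshal_json.go
+++ b/pkg/chain/marshal_json.go
@@ -0,0 +1,145 @@
+package chain
+
+import (
+	"fmt"
+	"strconv"
+
+	jlexer "github.com/mailru/easyjson/jlexer"
+	jwriter "github.com/mailru/easyjson/jwriter"
+)
+
+// Run `make generate`` if types added or changed
+
+var matchTypeToJSONValue = []struct {
+	mt MatchType
+	str string
+}{
+	{MatchTypeDenyPriority, "DenyPriority"},
+	{MatchTypeFirstMatch, "FirstMatch"},
+}
+
+var statusToJSONValue = []struct {
+	s Status
+	str string
+}{
+	{Allow, "Allow"},
+	{NoRuleFound, "NoRuleFound"},
+	{AccessDenied, "AccessDenied"},
+	{QuotaLimitReached, "QuotaLimitReached"},
+}
+
+var objectTypeToJSONValue = []struct {
+	t ObjectType
+	str string
+}{
+	{ObjectRequest, "Request"},
+	{ObjectResource, "Resource"},
+}
+
+func (mt MatchType) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range matchTypeToJSONValue {
+		if p.mt == mt {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(mt), 10))
+}
+
+func (mt *MatchType) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range matchTypeToJSONValue {
+		if p.str == str {
+			*mt = p.mt
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse match type: %w", err))
+		return
+	}
+	*mt = MatchType(v)
+}
+
+func (st Status) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range statusToJSONValue {
+		if p.s == st {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(st), 10))
+}
+
+func (st *Status) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range statusToJSONValue {
+		if p.str == str {
+			*st = p.s
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse status: %w", err))
+		return
+	}
+	*st = Status(v)
+}
+
+func (ot ObjectType) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range objectTypeToJSONValue {
+		if p.t == ot {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(ot), 10))
+}
+
+func (ot *ObjectType) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range objectTypeToJSONValue {
+		if p.str == str {
+			*ot = p.t
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse object type: %w", err))
+		return
+	}
+	*ot = ObjectType(v)
+}
+
+func (ct ConditionType) MarshalEasyJSON(w *jwriter.Writer) {
+	for _, p := range condToStr {
+		if p.ct == ct {
+			w.String(p.str)
+			return
+		}
+	}
+	w.String(strconv.FormatUint(uint64(ct), 10))
+}
+
+func (ct *ConditionType) UnmarshalEasyJSON(l *jlexer.Lexer) {
+	str := l.String()
+	for _, p := range condToStr {
+		if p.str == str {
+			*ct = p.ct
+			return
+		}
+	}
+
+	v, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		l.AddError(fmt.Errorf("failed to parse condition type: %w", err))
+		return
+	}
+	*ct = ConditionType(v)
+}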
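Review bot: The four UnmarshalEasyJSON methods accept any decimal string that fits in a uint8 as a valid enum value, so an unknown status such as `"100"` is decoded and kept rather than rejected; the tests depend on this, but nothing in the file says it is intentional, and a later reader may take it for a bug or "fix" it into a rejection that breaks stored policies. Each exported method should carry a doc comment, e.g. `// UnmarshalEasyJSON decodes a Status from its symbolic name, or from its decimal string form for values that have no name; unknown values are preserved rather than rejected.` with the matching sentence on MarshalEasyJSON. The eight methods differ only in the lookup table and the error text, so a single generic helper over the value/string pairs would remove the duplication, and the `// Run make generate` comment carries a stray trailing backtick.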
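--- a/pkg/chain/marshal_json_test.go
+++ b/pkg/chain/marshal_json_test.go
@@ -0,0 +1,121 @@
+package chain
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/stretchr/testify/require"
+)
+
+func TestID(t *testing.T) {
+	key, err := keys.NewPrivateKeyFromWIF("L5eVx6HcHaFpQpvjQ3fy29uKDZ8rQ34bfMVx4XfZMm52EqafpNMg") // s3-gw key
+	require.NoError(t, err)
+
+	chain1 := &Chain{ID: ID(key.PublicKey().GetScriptHash().BytesBE())}
+	data := chain1.Bytes()
+
+	var chain2 Chain
+	require.NoError(t, chain2.DecodeBytes(data))
+
+	require.Equal(t, chain1.ID, chain2.ID)
+
+	data, err = chain1.MarshalJSON()
+	require.NoError(t, err)
+
+	require.NoError(t, chain2.UnmarshalJSON(data))
+
+	require.Equal(t, chain1.ID, chain2.ID)
+}
+
+func TestMatchTypeJson(t *testing.T) {
+	for _, mt := range []MatchType{MatchTypeDenyPriority, MatchTypeFirstMatch, MatchType(100)} {
+		var chain Chain
+		chain.MatchType = mt
+
+		data, err := chain.MarshalJSON()
+		require.NoError(t, err)
+		if mt == MatchTypeDenyPriority {
+			require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"DenyPriority\"}"), data)
+		} else if mt == MatchTypeFirstMatch {
+			require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"FirstMatch\"}"), data)
+		} else {
+			require.Equal(t, []byte(fmt.Sprintf("{\"ID\":null,\"Rules\":null,\"MatchType\":\"%d\"}", mt)), data)
+		}
+
+		var parsed Chain
+		require.NoError(t, parsed.UnmarshalJSON(data))
+		require.Equal(t, chain, parsed)
+
+		require.Error(t, parsed.UnmarshalJSON([]byte("{\"ID\":\"\",\"Rules\":null,\"MatchType\":\"NotValid\"}")))
+	}
+}
+
+func TestJsonEnums(t *testing.T) {
+	chain := Chain{
+		ID: []byte("2cca5ae7-cee8-428d-b45f-567fb1d03f01"), // will be encoded to base64
+		MatchType: MatchTypeFirstMatch,
+		Rules: []Rule{
+			{
+				Status: AccessDenied,
+				Actions: Actions{
+					Names: []string{native.MethodDeleteObject, native.MethodGetContainer},
+				},
+				Resources: Resources{
+					Names: []string{native.ResourceFormatAllObjects},
+				},
+				Condition: []Condition{
+					{
+						Op: CondStringEquals,
+						Object: ObjectRequest,
+						Key: native.PropertyKeyActorRole,
+						Value: native.PropertyValueContainerRoleOthers,
+					},
+				},
+			},
+			{
+				Status: QuotaLimitReached,
+				Actions: Actions{
+					Inverted: true,
+					Names: []string{native.MethodPutObject},
+				},
+				Resources: Resources{
+					Names: []string{fmt.Sprintf(native.ResourceFormatRootContainerObjects, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J")},
+				},
+				Any: true,
+				Condition: []Condition{
+					{
+						Op: CondStringNotLike,
+						Object: ObjectResource,
+						Key: native.PropertyKeyObjectType,
+						Value: "regular",
+					},
+				},
+			},
+			{
+				Status: Status(100),
+				Condition: []Condition{
+					{
+						Op: ConditionType(255),
+						Object: ObjectType(128),
+					},
+				},
+			},
+		},
+	}
+
+	data, err := chain.MarshalJSON()
+	require.NoError(t, err)
+
+	var parsed Chain
+	require.NoError(t, parsed.UnmarshalJSON(data))
+	require.Equal(t, chain, parsed)
+
+	expected, err := os.ReadFile("./testdata/test_status_json.json")
+	require.NoError(t, err)
+
+	require.NoError(t, parsed.UnmarshalJSON(expected))
+	require.Equal(t, chain, parsed)
+}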
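Review bot: TestID embeds a hard-coded WIF-encoded private key in source (the line marked `// s3-gw key`); the test only needs a script hash of the right shape, so a freshly generated key serves the same purpose without committing key material that secret scanners will flag and that a reader may mistake for a production key. Replace the first line of the test with `key, err := keys.NewPrivateKey()` and keep the following `require.NoError(t, err)`. TestMatchTypeJson could be a table over (MatchType, expected JSON) instead of the if/else chain, which is a style point only.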
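--- a/pkg/chain/testdata/test_status_json.json
+++ b/pkg/chain/testdata/test_status_json.json
@@ -0,0 +1,75 @@
+{
+  "ID": "MmNjYTVhZTctY2VlOC00MjhkLWI0NWYtNTY3ZmIxZDAzZjAx",
+  "Rules": [
+    {
+      "Status": "AccessDenied",
+      "Actions": {
+        "Inverted": false,
+        "Names": [
+          "DeleteObject",
+          "GetContainer"
+        ]
+      },
+      "Resources": {
+        "Inverted": false,
+        "Names": [
+          "native:object/*"
+        ]
+      },
+      "Any": false,
+      "Condition": [
+        {
+          "Op": "StringEquals",
+          "Object": "Request",
+          "Key": "$Actor:role",
+          "Value": "others"
+        }
+      ]
+    },
+    {
+      "Status": "QuotaLimitReached",
+      "Actions": {
+        "Inverted": true,
+        "Names": [
+          "PutObject"
+        ]
+      },
+      "Resources": {
+        "Inverted": false,
+        "Names": [
+          "native:object//9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J/*"
+        ]
+      },
+      "Any": true,
+      "Condition": [
+        {
+          "Op": "StringNotLike",
+          "Object": "Resource",
+          "Key": "$Object:objectType",
+          "Value": "regular"
+        }
+      ]
+    },
+    {
+      "Status": "100",
+      "Actions": {
+        "Inverted": false,
+        "Names": null
+      },
+      "Resources": {
+        "Inverted": false,
+        "Names": null
+      },
+      "Any": false,
+      "Condition": [
+        {
+          "Op": "255",
+          "Object": "128",
+          "Key": "",
+          "Value": ""
+        }
+      ]
+    }
+  ],
+  "MatchType": "FirstMatch"
+}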
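--- a/pkg/engine/chain_router.go
+++ b/pkg/engine/chain_router.go
@@ -0,0 +1,116 @@
+package engine
+
+import (
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+)
+
+type defaultChainRouter struct {
+	morph MorphRuleChainStorageReader
+
+	local LocalOverrideStorage
+}
+
+func NewDefaultChainRouter(morph MorphRuleChainStorageReader) ChainRouter {
+	return &defaultChainRouter{
+		morph: morph,
+	}
+}
+
+func NewDefaultChainRouterWithLocalOverrides(morph MorphRuleChainStorageReader, local LocalOverrideStorage) ChainRouter {
+	return &defaultChainRouter{
+		morph: morph,
+		local: local,
+	}
+}
+
+func (dr *defaultChainRouter) IsAllowed(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	status, ruleFound, err = dr.checkLocal(name, rt, r)
+	if err != nil {
+		return chain.NoRuleFound, false, err
+	} else if ruleFound {
+		// The local overrides have the highest priority and thus
+		// morph rules are not considered if a local one is found.
+		return
+	}
+
+	status, ruleFound, err = dr.checkMorph(name, rt, r)
+	return
+}
+
+func (dr *defaultChainRouter) checkLocal(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	if dr.local == nil {
+		return
+	}
+	var ruleFounds []bool
+	for _, target := range rt.Targets() {
+		status, ruleFound, err = dr.matchLocalOverrides(name, target, r)
+		if err != nil || ruleFound && status != chain.Allow {
+			return
+		}
+		ruleFounds = append(ruleFounds, ruleFound)
+	}
+
+	status = chain.NoRuleFound
+	for _, ruleFound = range ruleFounds {
+		if ruleFound {
+			status = chain.Allow
+			break
+		}
+	}
+	return
+}
+
+func (dr *defaultChainRouter) checkMorph(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	var ruleFounds []bool
+	for _, target := range rt.Targets() {
+		status, ruleFound, err = dr.matchMorphRuleChains(name, target, r)
+		if err != nil || ruleFound && status != chain.Allow {
+			return
+		}
+		ruleFounds = append(ruleFounds, ruleFound)
+	}
+
+	status = chain.NoRuleFound
+	for _, ruleFound = range ruleFounds {
+		if ruleFound {
+			status = chain.Allow
+			break
+		}
+	}
+	return
+}
+
+func (dr *defaultChainRouter) matchLocalOverrides(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	localOverrides, err := dr.local.ListOverrides(name, target)
+	if err != nil {
+		return
+	}
+	status, ruleFound = dr.getStatusFromChains(localOverrides, r)
+	return
+}
+
+func (dr *defaultChainRouter) matchMorphRuleChains(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	namespaceChains, err := dr.morph.ListMorphRuleChains(name, target)
+	if err != nil {
+		return chain.NoRuleFound, false, err
+	}
+	status, ruleFound = dr.getStatusFromChains(namespaceChains, r)
+	return
+}
+
+func (dr *defaultChainRouter) getStatusFromChains(chains []*chain.Chain, r resource.Request) (chain.Status, bool) {
+	var allow bool
+	for _, c := range chains {
+		if status, found := c.Match(r); found {
+			if status != chain.Allow {
+				return status, true
+			}
+			allow = true
+		}
+	}
+	if allow {
+		return chain.Allow, true
+	}
+	return chain.NoRuleFound, false
+}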
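Review bot: matchLocalOverrides returns the zero value of chain.Status alongside the error when ListOverrides fails, whereas matchMorphRuleChains explicitly returns chain.NoRuleFound on the same path; if the zero value of Status is Allow (the constant's value is not visible here) the error path hands an Allow status up to checkLocal. IsAllowed normalizes it today, but an authorization helper should fail closed on its own: `return chain.NoRuleFound, false, err`. checkLocal and checkMorph are identical apart from the matcher they call and could share one helper taking a `func(chain.Name, Target, resource.Request) (chain.Status, bool, error)`. The precedence rule that a local Allow is final deserves a doc comment on IsAllowed, e.g. `// IsAllowed consults local overrides first; any rule found there, including Allow, is final and morph chains are not consulted.`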
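--- a/pkg/engine/errors.go
+++ b/pkg/engine/errors.go
@@ -0,0 +1,10 @@
+package engine
+
+import "errors"
+
+var (
+	ErrUnknownTarget = errors.New("unknown target type")
+	ErrChainNotFound = errors.New("chain not found")
+	ErrChainNameNotFound = errors.New("chain name not found")
+	ErrResourceNotFound = errors.New("resource not found")
+)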
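--- a/pkg/engine/inmemory/inmemory.go
+++ b/pkg/engine/inmemory/inmemory.go
@@ -0,0 +1,48 @@
+package inmemory
+
+import (
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+)
+
+type inmemory struct {
+	router engine.ChainRouter
+
+	morph engine.MorphRuleChainStorage
+
+	local engine.LocalOverrideStorage
+}
+
+// NewInMemoryLocalOverrides returns new inmemory instance of chain storage with
+// local overrides manager.
+func NewInMemoryLocalOverrides() engine.LocalOverrideEngine {
+	morph := NewInmemoryMorphRuleChainStorage()
+	local := NewInmemoryLocalStorage()
+	return &inmemory{
+		router: engine.NewDefaultChainRouterWithLocalOverrides(morph, local),
+		morph: morph,
+		local: local,
+	}
+}
+
+// NewInMemory returns new inmemory instance of chain storage.
+func NewInMemory() engine.Engine {
+	morph := NewInmemoryMorphRuleChainStorage()
+	return &inmemory{
+		router: engine.NewDefaultChainRouter(morph),
+		morph: morph,
+	}
+}
+
+func (im *inmemory) LocalStorage() engine.LocalOverrideStorage {
+	return im.local
+}
+
+func (im *inmemory) MorphRuleChainStorage() engine.MorphRuleChainStorage {
+	return im.morph
+}
+
+func (im *inmemory) IsAllowed(name chain.Name, rt engine.RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+	return im.router.IsAllowed(name, rt, r)
+}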
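Review bot: An engine built with NewInMemory leaves the local field unset, so LocalStorage() on it returns a nil interface; this is presumably why that constructor returns engine.Engine rather than engine.LocalOverrideEngine, but none of the three exported methods carries a doc comment saying so. Suggested: `// LocalStorage returns the local override storage; it is nil for an engine created with NewInMemory.` with matching one-line comments on MorphRuleChainStorage and IsAllowed (the latter delegating to the router unchanged).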
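--- a/pkg/engine/inmemory/inmemory_test.go
+++ b/pkg/engine/inmemory/inmemory_test.go
@@ -0,0 +1,206 @@
+package inmemory
+
+import (
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	resourcetest "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
+	"github.com/stretchr/testify/require"
+)
+
+func TestInmemory(t *testing.T) {
+	const (
+		object = "native::object::abc/xyz"
+		container = "native::object::abc/*"
+		namespace = "Tenant1"
+		namespace2 = "Tenant2"
+		actor1 = "owner1"
+		actor2 = "owner2"
+	)
+
+	s := NewInMemoryLocalOverrides()
+
+	// Object which was put via S3.
+	res := resourcetest.NewResource(object, map[string]string{"FromS3": "true"})
+	// Request initiating from the trusted subnet and actor.
+	reqGood := resourcetest.NewRequest("native::object::put", res, map[string]string{
+		"SourceIP": "10.1.1.12",
+		"Actor": actor1,
+	})
+
+	status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTargetWithNamespace(namespace), reqGood)
+	require.Equal(t, chain.NoRuleFound, status)
+	require.False(t, ok)
+
+	s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(namespace), &chain.Chain{
+		Rules: []chain.Rule{
+			{ // Restrict to remove ANY object from the namespace.
+				Status: chain.AccessDenied,
+				Actions: chain.Actions{Names: []string{"native::object::delete"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+			},
+			{ // Allow to put object only from the trusted subnet AND trusted actor, deny otherwise.
+				Status: chain.AccessDenied,
+				Actions: chain.Actions{Names: []string{"native::object::put"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+				Any: true,
+				Condition: []chain.Condition{
+					{
+						Op: chain.CondStringNotLike,
+						Object: chain.ObjectRequest,
+						Key: "SourceIP",
+						Value: "10.1.1.*",
+					},
+					{
+						Op: chain.CondStringNotEquals,
+						Object: chain.ObjectRequest,
+						Key: "Actor",
+						Value: actor1,
+					},
+				},
+			},
+		},
+	})
+
+	s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(namespace2), &chain.Chain{
+		Rules: []chain.Rule{
+			{ // Deny all expect "native::object::get" for all objects expect "native::object::abc/xyz".
+				Status: chain.AccessDenied,
+				Actions: chain.Actions{Inverted: true, Names: []string{"native::object::get"}},
+				Resources: chain.Resources{Inverted: true, Names: []string{object}},
+			},
+		},
+	})
+
+	s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
+		Rules: []chain.Rule{
+			{ // Allow to actor2 to get objects from the specific container only if they have `Department=HR` attribute.
+				Status: chain.Allow,
+				Actions: chain.Actions{Names: []string{"native::object::get"}},
+				Resources: chain.Resources{Names: []string{"native::object::abc/*"}},
+				Condition: []chain.Condition{
+					{
+						Op: chain.CondStringEquals,
+						Object: chain.ObjectResource,
+						Key: "Department",
+						Value: "HR",
+					},
+					{
+						Op: chain.CondStringEquals,
+						Object: chain.ObjectRequest,
+						Key: "Actor",
+						Value: actor2,
+					},
+				},
+			},
+		},
+	})
+
+	t.Run("bad subnet, namespace deny", func(t *testing.T) {
+		// Request initiating from the untrusted subnet.
+		reqBadIP := resourcetest.NewRequest("native::object::put", res, map[string]string{
+			"SourceIP": "10.122.1.20",
+			"Actor": actor1,
+		})
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadIP)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+	})
+	t.Run("bad actor, namespace deny", func(t *testing.T) {
+		// Request initiating from the untrusted actor.
+		reqBadActor := resourcetest.NewRequest("native::object::put", res, map[string]string{
+			"SourceIP": "10.1.1.13",
+			"Actor": actor2,
+		})
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadActor)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+	})
+	t.Run("bad object, container deny", func(t *testing.T) {
+		objGood := resourcetest.NewResource("native::object::abc/id1", map[string]string{"Department": "HR"})
+		objBadAttr := resourcetest.NewResource("native::object::abc/id2", map[string]string{"Department": "Support"})
+
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objGood, map[string]string{
+			"SourceIP": "10.1.1.14",
+			"Actor": actor2,
+		}))
+		require.Equal(t, chain.Allow, status)
+		require.True(t, ok)
+
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
+			"SourceIP": "10.1.1.14",
+			"Actor": actor2,
+		}))
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+	})
+	t.Run("bad operation, namespace deny", func(t *testing.T) {
+		// Request with the forbidden operation.
+		reqBadOperation := resourcetest.NewRequest("native::object::delete", res, map[string]string{
+			"SourceIP": "10.1.1.12",
+			"Actor": actor1,
+		})
+		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadOperation)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+	})
+	t.Run("inverted rules", func(t *testing.T) {
+		req := resourcetest.NewRequest("native::object::put", resourcetest.NewResource(object, nil), nil)
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+
+		req = resourcetest.NewRequest("native::object::put", resourcetest.NewResource("native::object::cba/def", nil), nil)
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
+		require.Equal(t, chain.AccessDenied, status)
+		require.True(t, ok)
+
+		req = resourcetest.NewRequest("native::object::get", resourcetest.NewResource("native::object::cba/def", nil), nil)
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+	})
+	t.Run("good", func(t *testing.T) {
+		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+		require.Equal(t, chain.NoRuleFound, status)
+		require.False(t, ok)
+
+		t.Run("quota on a different container", func(t *testing.T) {
+			s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
+				Rules: []chain.Rule{{
+					Status: chain.QuotaLimitReached,
+					Actions: chain.Actions{Names: []string{"native::object::put"}},
+					Resources: chain.Resources{Names: []string{"native::object::cba/*"}},
+				}},
+			})
+
+			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+			require.Equal(t, chain.NoRuleFound, status)
+			require.False(t, ok)
+		})
+
+		var quotaRuleChainID chain.ID
+		t.Run("quota on the request container", func(t *testing.T) {
+			quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
+				Rules: []chain.Rule{{
+					Status: chain.QuotaLimitReached,
+					Actions: chain.Actions{Names: []string{"native::object::put"}},
+					Resources: chain.Resources{Names: []string{"native::object::abc/*"}},
+				}},
+			})
+
+			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+			require.Equal(t, chain.QuotaLimitReached, status)
+			require.True(t, ok)
+		})
+		t.Run("removed quota on the request container", func(t *testing.T) {
+			err := s.LocalStorage().RemoveOverride(chain.Ingress, engine.ContainerTarget(container), quotaRuleChainID)
+			require.NoError(t, err)
+
+			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+			require.Equal(t, chain.NoRuleFound, status)
+			require.False(t, ok)
+		})
+	})
+}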
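Review bot: Every IsAllowed call discards the error with `status, ok, _ :=`, and the expected outcome in the "good" subtests is exactly `(chain.NoRuleFound, false)`, which is also what the router returns on any storage error; a failing ListOverrides would therefore make those assertions pass for the wrong reason. Capture the error and add `require.NoError(t, err)` after each call, and check the results of AddOverride in the "quota on a different container" and "quota on the request container" subtests instead of discarding them. The comment on the namespace2 rule reads `expect` twice where `except` is meant.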
158
pkg/engine/inmemory/local_storage.go
Normal file
158
pkg/engine/inmemory/local_storage.go
Normal file
|
@ -0,0 +1,158 @@
|
|||
package inmemory
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/util"
|
||||
)
|
||||
|
||||
type targetToChain map[engine.Target][]*chain.Chain
|
||||
|
||||
type inmemoryLocalStorage struct {
|
||||
usedChainID map[string]struct{}
|
||||
nameToResourceChains map[chain.Name]targetToChain
|
||||
guard *sync.RWMutex
|
||||
}
|
||||
|
||||
func NewInmemoryLocalStorage() engine.LocalOverrideStorage {
|
||||
return &inmemoryLocalStorage{
|
||||
usedChainID: map[string]struct{}{},
|
||||
nameToResourceChains: make(map[chain.Name]targetToChain),
|
||||
guard: &sync.RWMutex{},
|
||||
}
|
||||
}
|
||||
|
||||
func (s *inmemoryLocalStorage) generateChainID(name chain.Name, target engine.Target) chain.ID {
|
||||
var id chain.ID
|
||||
for {
|
||||
suffix := rand.Uint32() % 100
|
||||
sid := fmt.Sprintf("%s:%s/%d", name, target.Name, suffix)
|
||||
sid = strings.ReplaceAll(sid, "*", "")
|
||||
sid = strings.ReplaceAll(sid, "/", ":")
|
||||
sid = strings.ReplaceAll(sid, "::", ":")
|
||||
_, ok := s.usedChainID[sid]
|
||||
if ok {
|
||||
continue
|
||||
}
|
||||
s.usedChainID[sid] = struct{}{}
|
||||
|
||||
id = chain.ID(sid)
|
||||
break
|
||||
}
|
||||
return id
|
||||
}
|
||||
|
||||
func (s *inmemoryLocalStorage) AddOverride(name chain.Name, target engine.Target, c *chain.Chain) (chain.ID, error) {
|
||||
s.guard.Lock()
|
||||
defer s.guard.Unlock()
|
||||
|
||||
// AddOverride assigns generated chain ID if it has not been assigned.
|
||||
if len(c.ID) == 0 {
|
||||
c.ID = s.generateChainID(name, target)
|
||||
}
|
||||
if s.nameToResourceChains[name] == nil {
|
||||
s.nameToResourceChains[name] = make(targetToChain)
|
||||
}
|
||||
rc := s.nameToResourceChains[name]
|
||||
for i := range rc[target] {
|
||||
if bytes.Equal(rc[target][i].ID, c.ID) {
|
||||
rc[target][i] = c
|
||||
return c.ID, nil
|
||||
}
|
||||
}
|
||||
rc[target] = append(rc[target], c)
|
||||
return c.ID, nil
|
||||
}
|
||||
|
||||
func (s *inmemoryLocalStorage) GetOverride(name chain.Name, target engine.Target, chainID chain.ID) (*chain.Chain, error) {
|
||||
s.guard.RLock()
|
||||
defer s.guard.RUnlock()
|
||||
|
||||
if _, ok := s.nameToResourceChains[name]; !ok {
|
||||
return nil, engine.ErrChainNameNotFound
|
||||
}
|
||||
if target.Name == "" {
|
||||
target.Name = "root"
|
||||
}
|
||||
chains, ok := s.nameToResourceChains[name][target]
|
||||
if !ok {
|
||||
return nil, engine.ErrResourceNotFound
|
||||
}
|
||||
for _, c := range chains {
|
||||
if bytes.Equal(c.ID, chainID) {
|
||||
return c, nil
|
||||
}
|
||||
}
|
||||
return nil, engine.ErrChainNotFound
|
||||
}
|
||||
|
||||
func (s *inmemoryLocalStorage) RemoveOverride(name chain.Name, target engine.Target, chainID chain.ID) error {
|
||||
s.guard.Lock()
|
||||
defer s.guard.Unlock()
|
||||
|
||||
if _, ok := s.nameToResourceChains[name]; !ok {
|
||||
return engine.ErrChainNameNotFound
|
||||
}
|
||||
if target.Name == "" {
|
||||
target.Name = "root"
|
||||
}
|
||||
chains, ok := s.nameToResourceChains[name][target]
|
||||
if !ok {
|
||||
return engine.ErrResourceNotFound
|
||||
}
|
||||
for i, c := range chains {
|
||||
if bytes.Equal(c.ID, chainID) {
|
||||
s.nameToResourceChains[name][target] = append(chains[:i], chains[i+1:]...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
return engine.ErrChainNotFound
|
||||
}
|
||||
|
||||
func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
|
||||
s.guard.RLock()
|
||||
defer s.guard.RUnlock()
|
||||
|
||||
rcs, ok := s.nameToResourceChains[name]
|
||||
if !ok {
|
||||
return []*chain.Chain{}, nil
|
||||
}
|
||||
if target.Name == "" {
|
||||
target.Name = "root"
|
||||
}
|
||||
for t, chains := range rcs {
|
||||
if t.Type != target.Type {
|
||||
continue
|
||||
}
|
||||
if !util.GlobMatch(target.Name, t.Name) {
|
||||
continue
|
||||
}
|
||||
return chains, nil
|
||||
}
|
||||
return []*chain.Chain{}, nil
|
||||
}
|
||||
|
||||
func (s *inmemoryLocalStorage) DropAllOverrides(name chain.Name) error {
|
||||
s.guard.Lock()
|
||||
defer s.guard.Unlock()
|
||||
|
||||
s.nameToResourceChains[name] = make(targetToChain)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *inmemoryLocalStorage) ListOverrideDefinedTargets(name chain.Name) ([]engine.Target, error) {
|
||||
s.guard.RLock()
|
||||
defer s.guard.RUnlock()
|
||||
ttc := s.nameToResourceChains[name]
|
||||
var keys []engine.Target
|
||||
for k := range ttc {
|
||||
keys = append(keys, k)
|
||||
}
|
||||
return keys, nil
|
||||
}
|
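--- a/pkg/engine/inmemory/local_storage_test.go
+++ b/pkg/engine/inmemory/local_storage_test.go
@@ -0,0 +1,222 @@
+package inmemory
+
+import (
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	container       = "native:::object/ExYw/*"
+	chainID         = "ingress:ExYw"
+	nonExistChainId = "ingress:LxGyWyL"
+)
+
+var resrc = engine.ContainerTarget(container)
+
+func testInmemLocalStorage() *inmemoryLocalStorage {
+	return NewInmemoryLocalStorage().(*inmemoryLocalStorage)
+}
+
+func TestAddOverride(t *testing.T) {
+	inmem := testInmemLocalStorage()
+
+	inmem.AddOverride(chain.Ingress, resrc, &chain.Chain{
+		Rules: []chain.Rule{
+			{
+				Status:    chain.AccessDenied,
+				Actions:   chain.Actions{Names: []string{"native::object::delete"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+			},
+		},
+	})
+
+	ingressChains, ok := inmem.nameToResourceChains[chain.Ingress]
+	require.True(t, ok)
+	resourceChains, ok := ingressChains[resrc]
+	require.True(t, ok)
+	require.Len(t, resourceChains, 1)
+	require.Len(t, resourceChains[0].Rules, 1)
+
+	inmem.AddOverride(chain.Ingress, resrc, &chain.Chain{
+		Rules: []chain.Rule{
+			{
+				Status:    chain.QuotaLimitReached,
+				Actions:   chain.Actions{Names: []string{"native::object::put"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+			},
+			{
+				Status:    chain.AccessDenied,
+				Actions:   chain.Actions{Names: []string{"native::object::get"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+			},
+		},
+	})
+
+	ingressChains, ok = inmem.nameToResourceChains[chain.Ingress]
+	require.True(t, ok)
+	resourceChains, ok = ingressChains[resrc]
+	require.True(t, ok)
+	require.Len(t, resourceChains, 2)
+	require.Len(t, resourceChains[1].Rules, 2)
+}
+
+func TestRemoveOverride(t *testing.T) {
+	t.Run("remove from empty storage", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		err := inmem.RemoveOverride(chain.Ingress, resrc, chain.ID(chainID))
+		require.ErrorIs(t, err, engine.ErrChainNameNotFound)
+	})
+
+	t.Run("remove not added chain id", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		inmem.AddOverride(chain.Ingress, resrc, &chain.Chain{
+			ID: chain.ID(chainID),
+			Rules: []chain.Rule{
+				{ // Restrict to remove ANY object from the namespace.
+					Status:    chain.AccessDenied,
+					Actions:   chain.Actions{Names: []string{"native::object::delete"}},
+					Resources: chain.Resources{Names: []string{"native::object::*"}},
+				},
+			},
+		})
+
+		err := inmem.RemoveOverride(chain.Ingress, resrc, chain.ID(nonExistChainId))
+		require.ErrorIs(t, err, engine.ErrChainNotFound)
+	})
+
+	t.Run("remove existing chain id", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		inmem.AddOverride(chain.Ingress, resrc, &chain.Chain{
+			ID: chain.ID(chainID),
+			Rules: []chain.Rule{
+				{ // Restrict to remove ANY object from the namespace.
+					Status:    chain.AccessDenied,
+					Actions:   chain.Actions{Names: []string{"native::object::delete"}},
+					Resources: chain.Resources{Names: []string{"native::object::*"}},
+				},
+			},
+		})
+
+		err := inmem.RemoveOverride(chain.Ingress, resrc, chain.ID(chainID))
+		require.NoError(t, err)
+
+		ingressChains, ok := inmem.nameToResourceChains[chain.Ingress]
+		require.True(t, ok)
+		require.Len(t, ingressChains, 1)
+		resourceChains, ok := ingressChains[resrc]
+		require.True(t, ok)
+		require.Len(t, resourceChains, 0)
+	})
+}
+
+func TestGetOverride(t *testing.T) {
+	addChain := &chain.Chain{
+		ID: chain.ID(chainID),
+		Rules: []chain.Rule{
+			{ // Restrict to remove ANY object from the namespace.
+				Status:    chain.AccessDenied,
+				Actions:   chain.Actions{Names: []string{"native::object::delete"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+			},
+		},
+	}
+
+	t.Run("get from empty storage", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		_, err := inmem.GetOverride(chain.Ingress, resrc, chain.ID(chainID))
+		require.ErrorIs(t, err, engine.ErrChainNameNotFound)
+	})
+
+	t.Run("get not added chain id", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		inmem.AddOverride(chain.Ingress, resrc, addChain)
+
+		const nonExistingChainID = "ingress:LxGyWyL"
+
+		_, err := inmem.GetOverride(chain.Ingress, resrc, chain.ID(nonExistingChainID))
+		require.ErrorIs(t, err, engine.ErrChainNotFound)
+	})
+
+	t.Run("get existing chain id", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		inmem.AddOverride(chain.Ingress, resrc, addChain)
+
+		c, err := inmem.GetOverride(chain.Ingress, resrc, chain.ID(chainID))
+		require.NoError(t, err)
+		require.EqualValues(t, *addChain, *c)
+	})
+
+	t.Run("get removed chain id", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		inmem.AddOverride(chain.Ingress, resrc, addChain)
+
+		err := inmem.RemoveOverride(chain.Ingress, resrc, chain.ID(chainID))
+		require.NoError(t, err)
+
+		_, err = inmem.GetOverride(chain.Ingress, resrc, chain.ID(chainID))
+		require.ErrorIs(t, err, engine.ErrChainNotFound)
+	})
+}
+
+func TestListOverrides(t *testing.T) {
+	addChain := &chain.Chain{
+		ID: chain.ID(chainID),
+		Rules: []chain.Rule{
+			{ // Restrict to remove ANY object from the namespace.
+				Status:    chain.AccessDenied,
+				Actions:   chain.Actions{Names: []string{"native::object::delete"}},
+				Resources: chain.Resources{Names: []string{"native::object::*"}},
+			},
+		},
+	}
+
+	t.Run("list empty storage", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		l, _ := inmem.ListOverrides(chain.Ingress, resrc)
+		require.Len(t, l, 0)
+	})
+
+	t.Run("list with one added resource", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		inmem.AddOverride(chain.Ingress, resrc, addChain)
+		l, _ := inmem.ListOverrides(chain.Ingress, resrc)
+		require.Len(t, l, 1)
+		targets, err := inmem.ListOverrideDefinedTargets(chain.Ingress)
+		require.NoError(t, err)
+		require.Equal(t, []engine.Target{resrc}, targets)
+	})
+
+	t.Run("list after drop", func(t *testing.T) {
+		inmem := testInmemLocalStorage()
+		inmem.AddOverride(chain.Ingress, resrc, addChain)
+		l, _ := inmem.ListOverrides(chain.Ingress, resrc)
+		require.Len(t, l, 1)
+
+		_ = inmem.DropAllOverrides(chain.Ingress)
+		l, _ = inmem.ListOverrides(chain.Ingress, resrc)
+		require.Len(t, l, 0)
+	})
+}
+
+func TestGenerateID(t *testing.T) {
+	inmem := testInmemLocalStorage()
+	ids := make([]chain.ID, 0, 100)
+	for i := 0; i < 100; i++ {
+		ids = append(ids, inmem.generateChainID(chain.Ingress, resrc))
+	}
+	require.False(t, hasDuplicates(ids))
+}
+
+func hasDuplicates(ids []chain.ID) bool {
+	seen := make(map[string]bool)
+	for _, id := range ids {
+		if seen[string(id)] {
+			return true
+		}
+		seen[string(id)] = true
+	}
+	return false
+}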
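Review bot: TestGenerateID draws exactly 100 IDs, which is the entire suffix space of `rand.Uint32() % 100` in generateChainID (visible above), so the test passes only at the boundary where a 101st call for the same name and target would never return; the test should either document that limit or, once generateChainID bounds its attempts, assert the error on the 101st draw. The `inmem.AddOverride(...)` calls in TestAddOverride and in the RemoveOverride, GetOverride and ListOverrides subtests discard the returned `(chain.ID, error)`; `_, err := inmem.AddOverride(...)` followed by `require.NoError(t, err)` would catch a failure in the add path instead of in a later assertion. `nonExistChainId` duplicates the local `nonExistingChainID` in TestGetOverride with different initialism casing; keep the package-level constant and name it `nonExistChainID`.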
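--- a/pkg/engine/inmemory/morph_storage.go
+++ b/pkg/engine/inmemory/morph_storage.go
@@ -0,0 +1,62 @@
+package inmemory
+
+import (
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+)
+
+type inmemoryMorphRuleChainStorage struct {
+	nameToNamespaceChains engine.LocalOverrideStorage
+	nameToContainerChains engine.LocalOverrideStorage
+}
+
+func NewInmemoryMorphRuleChainStorage() engine.MorphRuleChainStorage {
+	return &inmemoryMorphRuleChainStorage{
+		nameToNamespaceChains: NewInmemoryLocalStorage(),
+		nameToContainerChains: NewInmemoryLocalStorage(),
+	}
+}
+
+func (s *inmemoryMorphRuleChainStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (_ util.Uint256, _ uint32, err error) {
+	switch target.Type {
+	case engine.Namespace:
+		_, err = s.nameToNamespaceChains.AddOverride(name, target, c)
+	case engine.Container:
+		_, err = s.nameToContainerChains.AddOverride(name, target, c)
+	default:
+		err = engine.ErrUnknownTarget
+	}
+	return
+}
+
+func (s *inmemoryMorphRuleChainStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (_ util.Uint256, _ uint32, err error) {
+	switch target.Type {
+	case engine.Namespace:
+		err = s.nameToNamespaceChains.RemoveOverride(name, target, chainID)
+	case engine.Container:
+		err = s.nameToContainerChains.RemoveOverride(name, target, chainID)
+	default:
+		err = engine.ErrUnknownTarget
+	}
+	return
+}
+
+func (s *inmemoryMorphRuleChainStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
+	switch target.Type {
+	case engine.Namespace:
+		return s.nameToNamespaceChains.ListOverrides(name, target)
+	case engine.Container:
+		return s.nameToContainerChains.ListOverrides(name, target)
+	default:
+	}
+	return nil, engine.ErrUnknownTarget
+}
+
+func (s *inmemoryMorphRuleChainStorage) GetAdmin() (util.Uint160, error) {
+	panic("not implemented")
+}
+
+func (s *inmemoryMorphRuleChainStorage) SetAdmin(_ util.Uint160) (util.Uint256, uint32, error) {
+	panic("not implemented")
+}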
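Review bot: GetAdmin and SetAdmin satisfy engine.MorphRuleChainStorage with `panic("not implemented")`, so any caller that wires this in-memory storage into an Engine and reaches the admin path takes the whole process down instead of getting an error it can handle; return a sentinel instead, e.g. `var errNotImplemented = errors.New("not implemented")` with `return util.Uint160{}, errNotImplemented` in GetAdmin and `return util.Uint256{}, 0, errNotImplemented` in SetAdmin. AddMorphRuleChain and RemoveMorphRuleChain always return a zero transaction hash and VUB, which nothing documents; a comment such as `// AddMorphRuleChain stores the chain in memory; the returned hash and VUB are always zero because no transaction is sent.` (and its counterpart on Remove) would stop callers from waiting on those values. In ListMorphRuleChains the empty `default:` case adds nothing; drop it and let the switch fall through to the `return nil, engine.ErrUnknownTarget` line.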
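--- a/pkg/engine/interface.go
+++ b/pkg/engine/interface.go
@@ -0,0 +1,133 @@
+package engine
+
+import (
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+)
+
+type ChainRouter interface {
+	// IsAllowed returns status for the operation after all checks.
+	// The second return value signifies whether a matching rule was found.
+	IsAllowed(name chain.Name, reqTarget RequestTarget, r resource.Request) (status chain.Status, found bool, err error)
+}
+
+// LocalOverrideStorage is the interface to manage local overrides defined
+// for a node. Local overrides have a higher priority than chains got from morph storage.
+type LocalOverrideStorage interface {
+	AddOverride(name chain.Name, target Target, c *chain.Chain) (chain.ID, error)
+
+	GetOverride(name chain.Name, target Target, chainID chain.ID) (*chain.Chain, error)
+
+	RemoveOverride(name chain.Name, target Target, chainID chain.ID) error
+
+	ListOverrides(name chain.Name, target Target) ([]*chain.Chain, error)
+
+	DropAllOverrides(name chain.Name) error
+
+	ListOverrideDefinedTargets(name chain.Name) ([]Target, error)
+}
+
+type TargetType rune
+
+const (
+	Namespace TargetType = 'n'
+	Container TargetType = 'c'
+)
+
+type Target struct {
+	Type TargetType
+	Name string
+}
+
+// RequestTarget combines several targets on which the request is performed.
+type RequestTarget struct {
+	Namespace *Target
+	Container *Target
+}
+
+func NewRequestTargetWithNamespace(namespace string) RequestTarget {
+	nt := NamespaceTarget(namespace)
+	return RequestTarget{
+		Namespace: &nt,
+	}
+}
+
+func NewRequestTargetWithContainer(container string) RequestTarget {
+	ct := ContainerTarget(container)
+	return RequestTarget{
+		Container: &ct,
+	}
+}
+
+func NewRequestTarget(namespace, container string) RequestTarget {
+	nt := NamespaceTarget(namespace)
+	ct := ContainerTarget(container)
+	return RequestTarget{
+		Namespace: &nt,
+		Container: &ct,
+	}
+}
+
+func (rt *RequestTarget) Targets() (targets []Target) {
+	if rt.Namespace != nil {
+		targets = append(targets, *rt.Namespace)
+	}
+	if rt.Container != nil {
+		targets = append(targets, *rt.Container)
+	}
+	return
+}
+
+func NamespaceTarget(namespace string) Target {
+	return Target{
+		Type: Namespace,
+		Name: namespace,
+	}
+}
+
+func ContainerTarget(container string) Target {
+	return Target{
+		Type: Container,
+		Name: container,
+	}
+}
+
+// MorphRuleChainStorageReader is the interface that provides read-only methods to receive
+// data like chains, target or admin from a chain storage.
+type MorphRuleChainStorageReader interface {
+	// ListMorphRuleChains just lists deserialized chains.
+	ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
+
+	GetAdmin() (util.Uint160, error)
+}
+
+// MorphRuleChainStorage is the interface to read and manage data within a chain storage.
+// Basically, this implies that the storage manages rules stored in policy contract.
+type MorphRuleChainStorage interface {
+	MorphRuleChainStorageReader
+
+	// AddMorphRuleChain adds a chain rule to the policy contract and returns transaction hash, VUB and error.
+	AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) (util.Uint256, uint32, error)
+
+	// RemoveMorphRuleChain removes a chain rule to the policy contract and returns transaction hash, VUB and error.
+	RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) (util.Uint256, uint32, error)
+
+	SetAdmin(addr util.Uint160) (util.Uint256, uint32, error)
+}
+
+// Engine is the interface that provides methods to check request permissions checking
+// chain rules from morph client - this implies using the policy contract.
+type Engine interface {
+	ChainRouter
+
+	MorphRuleChainStorage() MorphRuleChainStorage
+}
+
+// LocalOverrideEngine is extended Engine that also provides methods to manage a local
+// chain rule storage. Local overrides must have the highest priority during request checking.
+type LocalOverrideEngine interface {
+	Engine
+
+	LocalStorage() LocalOverrideStorage
+}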
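Review bot: LocalOverrideStorage does not say how an empty Target.Name is treated, and the in-memory implementation above defaults it to "root" in GetOverride, RemoveOverride and ListOverrides but not in AddOverride, so a chain added with an empty name lands under a key the other methods never look up; the interface should fix the contract, e.g. `// An empty Target.Name denotes the root target; implementations must apply the same normalization in every method.`, and the implementation then brought in line. ChainRouter, TargetType, Target, the Target constructors and SetAdmin are exported without doc comments; something along the lines of `// Target identifies the scope a chain applies to: Type selects namespace or container and Name the entity within it.` and `// SetAdmin sets the policy contract admin and returns transaction hash, VUB and error.` would make the package readable from godoc. The RemoveMorphRuleChain comment says "removes a chain rule to the policy contract"; it should read "from the policy contract".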
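--- a/pkg/marshal/marshal.go
+++ b/pkg/marshal/marshal.go
@@ -0,0 +1,267 @@
+package marshal
+
+import (
+	"encoding/binary"
+	"fmt"
+)
+
+const (
+	Version byte = 0 // increase if breaking change
+
+	ByteSize  int = 1
+	UInt8Size int = ByteSize
+	BoolSize  int = ByteSize
+
+	nilSlice     int64 = -1
+	nilSliceSize int   = 1
+
+	byteTrue  uint8 = 1
+	byteFalse uint8 = 0
+
+	// maxSliceLen taken from https://github.com/neo-project/neo/blob/38218bbee5bbe8b33cd8f9453465a19381c9a547/src/Neo/IO/Helper.cs#L77
+	maxSliceLen = 0x1000000
+)
+
+type MarshallerError struct {
+	errMsg string
+	offset int
+}
+
+func (e *MarshallerError) Error() string {
+	if e == nil {
+		return ""
+	}
+	if e.offset < 0 {
+		return e.errMsg
+	}
+	return fmt.Sprintf("%s (offset: %d)", e.errMsg, e.offset)
+}
+
+func errBufTooSmall(t string, marshal bool, offset int) error {
+	action := "unmarshal"
+	if marshal {
+		action = "marshal"
+	}
+	return &MarshallerError{
+		errMsg: fmt.Sprintf("not enough bytes left to %s value of type '%s'", action, t),
+		offset: offset,
+	}
+}
+
+func VerifyMarshal(buf []byte, lastOffset int) error {
+	if len(buf) != lastOffset {
+		return &MarshallerError{
+			errMsg: "actual data size differs from expected",
+			offset: -1,
+		}
+	}
+	return nil
+}
+
+func VerifyUnmarshal(buf []byte, lastOffset int) error {
+	if len(buf) != lastOffset {
+		return &MarshallerError{
+			errMsg: "unmarshalled bytes left",
+		}
+	}
+	return nil
+}
+
+func SliceSize[T any](slice []T, sizeOf func(T) int) int {
+	if slice == nil {
+		return nilSliceSize
+	}
+	s := Int64Size(int64(len(slice)))
+	for _, v := range slice {
+		s += sizeOf(v)
+	}
+	return s
+}
+
+func SliceMarshal[T any](buf []byte, offset int, slice []T, marshalT func([]byte, int, T) (int, error)) (int, error) {
+	if slice == nil {
+		return Int64Marshal(buf, offset, nilSlice)
+	}
+	if len(slice) > maxSliceLen {
+		return 0, &MarshallerError{
+			errMsg: fmt.Sprintf("slice size if too big: '%d'", len(slice)),
+			offset: offset,
+		}
+	}
+	offset, err := Int64Marshal(buf, offset, int64(len(slice)))
+	if err != nil {
+		return 0, err
+	}
+	for _, v := range slice {
+		offset, err = marshalT(buf, offset, v)
+		if err != nil {
+			return 0, err
+		}
+	}
+	return offset, nil
+}
+
+func SliceUnmarshal[T any](buf []byte, offset int, unmarshalT func(buf []byte, offset int) (T, int, error)) ([]T, int, error) {
+	size, offset, err := Int64Unmarshal(buf, offset)
+	if err != nil {
+		return nil, 0, err
+	}
+	if size == nilSlice {
+		return nil, offset, nil
+	}
+	if size > maxSliceLen {
+		return nil, 0, &MarshallerError{
+			errMsg: fmt.Sprintf("slice size if too big: '%d'", size),
+			offset: offset,
+		}
+	}
+	if size < 0 {
+		return nil, 0, &MarshallerError{
+			errMsg: fmt.Sprintf("invalid slice size: '%d'", size),
+			offset: offset,
+		}
+	}
+	result := make([]T, size)
+	for idx := 0; idx < len(result); idx++ {
+		result[idx], offset, err = unmarshalT(buf, offset)
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+	return result, offset, nil
+}
+
+func Int64Size(v int64) int {
+	// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=92;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
+	// and
+	// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=41;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
+	ux := uint64(v) << 1
+	if v < 0 {
+		ux = ^ux
+	}
+	s := 0
+	for ux >= 0x80 {
+		s++
+		ux >>= 7
+	}
+	return s + 1
+}
+
+func Int64Marshal(buf []byte, offset int, v int64) (int, error) {
+	if len(buf)-offset < Int64Size(v) {
+		return 0, errBufTooSmall("int64", true, offset)
+	}
+	return offset + binary.PutVarint(buf[offset:], v), nil
+}
+
+func Int64Unmarshal(buf []byte, offset int) (int64, int, error) {
+	v, read := binary.Varint(buf[offset:])
+	if read == 0 {
+		return 0, 0, errBufTooSmall("int64", false, offset)
+	}
+	if read < 0 {
+		return 0, 0, &MarshallerError{
+			errMsg: "int64 unmarshal overflow",
+			offset: offset,
+		}
+	}
+	return v, offset + read, nil
+}
+
+func StringSize(s string) int {
+	return Int64Size(int64(len(s))) + len(s)
+}
+
+func StringMarshal(buf []byte, offset int, s string) (int, error) {
+	if len(s) > maxSliceLen {
+		return 0, &MarshallerError{
+			errMsg: fmt.Sprintf("string is too long: '%d'", len(s)),
+			offset: offset,
+		}
+	}
+	if len(buf)-offset < Int64Size(int64(len(s)))+len(s) {
+		return 0, errBufTooSmall("string", true, offset)
+	}
+
+	offset, err := Int64Marshal(buf, offset, int64(len(s)))
+	if err != nil {
+		return 0, err
+	}
+	if s == "" {
+		return offset, nil
+	}
+	return offset + copy(buf[offset:], s), nil
+}
+
+func StringUnmarshal(buf []byte, offset int) (string, int, error) {
+	size, offset, err := Int64Unmarshal(buf, offset)
+	if err != nil {
+		return "", 0, err
+	}
+	if size == 0 {
+		return "", offset, nil
+	}
+	if size > maxSliceLen {
+		return "", 0, &MarshallerError{
+			errMsg: fmt.Sprintf("string is too long: '%d'", size),
+			offset: offset,
+		}
+	}
+	if size < 0 {
+		return "", 0, &MarshallerError{
+			errMsg: fmt.Sprintf("invalid string size: '%d'", size),
+			offset: offset,
+		}
+	}
+	if len(buf)-offset < int(size) {
+		return "", 0, errBufTooSmall("string", false, offset)
+	}
+	return string(buf[offset : offset+int(size)]), offset + int(size), nil
+}
+
+func UInt8Marshal(buf []byte, offset int, value uint8) (int, error) {
+	if len(buf)-offset < 1 {
+		return 0, errBufTooSmall("uint8", true, offset)
+	}
+	buf[offset] = value
+	return offset + 1, nil
+}
+
+func UInt8Unmarshal(buf []byte, offset int) (uint8, int, error) {
+	if len(buf)-offset < 1 {
+		return 0, 0, errBufTooSmall("uint8", false, offset)
+	}
+	return buf[offset], offset + 1, nil
+}
+
+func ByteMarshal(buf []byte, offset int, value byte) (int, error) {
+	return UInt8Marshal(buf, offset, value)
+}
+
+func ByteUnmarshal(buf []byte, offset int) (byte, int, error) {
+	return UInt8Unmarshal(buf, offset)
+}
+
+func BoolMarshal(buf []byte, offset int, value bool) (int, error) {
+	if value {
+		return UInt8Marshal(buf, offset, byteTrue)
+	}
+	return UInt8Marshal(buf, offset, byteFalse)
+}
+
+func BoolUnmarshal(buf []byte, offset int) (bool, int, error) {
+	v, offset, err := UInt8Unmarshal(buf, offset)
+	if err != nil {
+		return false, 0, err
+	}
+	if v == byteTrue {
+		return true, offset, nil
+	}
+	if v == byteFalse {
+		return false, offset, nil
+	}
+	return false, 0, &MarshallerError{
+		errMsg: fmt.Sprintf("invalid marshalled value for bool: %d", v),
+		offset: offset - BoolSize,
+	}
+}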
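Review bot: SliceUnmarshal calls `make([]T, size)` after checking only `size > maxSliceLen`, so a length prefix of up to 0x1000000 in an untrusted buffer forces a 16M-element allocation of T before a single element is read, whereas StringUnmarshal bounds the length by the bytes remaining first; every element needs at least one byte, so add `if size > int64(len(buf)-offset) { return nil, 0, errBufTooSmall("slice", false, offset) }` before the `make`. VerifyUnmarshal builds its MarshallerError without setting offset, so the message reads "unmarshalled bytes left (offset: 0)" while VerifyMarshal uses -1 for the same no-position case; set `offset: -1` (or `lastOffset`, where the leftover actually starts) so the two agree. The messages in SliceMarshal and SliceUnmarshal read "slice size if too big"; that should be "is too big". Int64Unmarshal slices `buf[offset:]` without the `len(buf)-offset` guard the other unmarshal helpers apply, so an offset past the end panics instead of returning errBufTooSmall.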
313
pkg/marshal/marshal_test.go
Normal file
313
pkg/marshal/marshal_test.go
Normal file
|
@ -0,0 +1,313 @@
|
|||
package marshal
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"math"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestMarshalling(t *testing.T) {
|
||||
t.Parallel()
|
||||
t.Run("slice", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
t.Run("nil slice", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
var int64s []int64
|
||||
expectedSize := SliceSize(int64s, Int64Size)
|
||||
require.Equal(t, 1, expectedSize)
|
||||
buf := make([]byte, expectedSize)
|
||||
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.Nil(t, result)
|
||||
})
|
||||
|
||||
t.Run("empty slice", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
int64s := make([]int64, 0)
|
||||
expectedSize := SliceSize(int64s, Int64Size)
|
||||
require.Equal(t, 1, expectedSize)
|
||||
buf := make([]byte, expectedSize)
|
||||
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.NotNil(t, result)
|
||||
require.Len(t, result, 0)
|
||||
})
|
||||
|
||||
t.Run("non empty slice", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
int64s := make([]int64, 100)
|
||||
for i := range int64s {
|
||||
int64s[i] = int64(i)
|
||||
}
|
||||
expectedSize := SliceSize(int64s, Int64Size)
|
||||
buf := make([]byte, expectedSize)
|
||||
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.Equal(t, int64s, result)
|
||||
})
|
||||
|
||||
t.Run("corrupted slice size", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
int64s := make([]int64, 100)
|
||||
for i := range int64s {
|
||||
int64s[i] = int64(i)
|
||||
}
|
||||
expectedSize := SliceSize(int64s, Int64Size)
|
||||
buf := make([]byte, expectedSize)
|
||||
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
for i := 0; i < binary.MaxVarintLen64; i++ {
|
||||
buf[i] = 129
|
||||
}
|
||||
|
||||
_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
|
||||
var mErr *MarshallerError
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
|
||||
for i := 0; i < binary.MaxVarintLen64; i++ {
|
||||
buf[i] = 127
|
||||
}
|
||||
_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
|
||||
t.Run("corrupted slice item", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
int64s := make([]int64, 100)
|
||||
for i := range int64s {
|
||||
int64s[i] = int64(i)
|
||||
}
|
||||
expectedSize := SliceSize(int64s, Int64Size)
|
||||
buf := make([]byte, expectedSize)
|
||||
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
for i := 2; i < binary.MaxVarintLen64+2; i++ {
|
||||
buf[i] = 129
|
||||
}
|
||||
|
||||
_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
|
||||
var mErr *MarshallerError
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
|
||||
t.Run("small buffer", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
int64s := make([]int64, 100)
|
||||
for i := range int64s {
|
||||
int64s[i] = int64(i)
|
||||
}
|
||||
buf := make([]byte, 1)
|
||||
_, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
|
||||
var mErr *MarshallerError
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
|
||||
buf = make([]byte, 10)
|
||||
_, err = SliceMarshal(buf, 0, int64s, Int64Marshal)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("int64", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
t.Run("success", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
require.Equal(t, 1, Int64Size(0))
|
||||
require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MaxInt64))
|
||||
require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MinInt64))
|
||||
|
||||
for _, v := range []int64{0, math.MinInt64, math.MaxInt64} {
|
||||
size := Int64Size(v)
|
||||
buf := make([]byte, size)
|
||||
offset, err := Int64Marshal(buf, 0, v)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
uv, offset, err := Int64Unmarshal(buf, 0)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.Equal(t, v, uv)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("invalid buffer", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
var mErr *MarshallerError
|
||||
|
||||
_, err := Int64Marshal([]byte{}, 0, 100500)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
|
||||
_, _, err = Int64Unmarshal(nil, 0)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
|
||||
t.Run("overflow", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
var mErr *MarshallerError
|
||||
|
||||
var v int64 = math.MaxInt64
|
||||
buf := make([]byte, Int64Size(v))
|
||||
_, err := Int64Marshal(buf, 0, v)
|
||||
require.NoError(t, err)
|
||||
|
||||
buf[9] = 2
|
||||
|
||||
_, _, err = Int64Unmarshal(buf, 0)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("string", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
t.Run("success", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
for _, v := range []string{
|
||||
"", "arn:aws:iam::namespace:group/some_group", "$Object:homomorphicHash",
|
||||
"native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J",
|
||||
} {
|
||||
size := StringSize(v)
|
||||
buf := make([]byte, size)
|
||||
offset, err := StringMarshal(buf, 0, v)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
uv, offset, err := StringUnmarshal(buf, 0)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.Equal(t, v, uv)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("invalid buffer", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
str := "avada kedavra"
|
||||
|
||||
var mErr *MarshallerError
|
||||
_, err := StringMarshal(nil, 0, str)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
|
||||
_, _, err = StringUnmarshal(nil, 0)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
|
||||
buf := make([]byte, StringSize(str))
|
||||
offset, err := StringMarshal(buf, 0, str)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
buf = buf[:len(buf)-1]
|
||||
_, _, err = StringUnmarshal(buf, 0)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("uint8, byte", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
for _, v := range []byte{0, 8, 16, 32, 64, 128, 255} {
|
||||
buf := make([]byte, ByteSize)
|
||||
offset, err := ByteMarshal(buf, 0, v)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
ub, offset, err := ByteUnmarshal(buf, 0)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.Equal(t, v, ub)
|
||||
|
||||
buf = make([]byte, UInt8Size)
|
||||
offset, err = UInt8Marshal(buf, 0, v)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
uu, offset, err := UInt8Unmarshal(buf, 0)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.Equal(t, v, uu)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("bool", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
t.Run("success", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
for _, v := range []bool{false, true} {
|
||||
buf := make([]byte, BoolSize)
|
||||
offset, err := BoolMarshal(buf, 0, v)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
ub, offset, err := BoolUnmarshal(buf, 0)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyUnmarshal(buf, offset))
|
||||
require.Equal(t, v, ub)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("invalid value", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
buf := make([]byte, BoolSize)
|
||||
offset, err := BoolMarshal(buf, 0, true)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, VerifyMarshal(buf, offset))
|
||||
|
||||
buf[0] = 2
|
||||
|
||||
_, _, err = BoolUnmarshal(buf, 0)
|
||||
var mErr *MarshallerError
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
|
||||
t.Run("invalid buffer", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
var mErr *MarshallerError
|
||||
|
||||
_, err := BoolMarshal(nil, 0, true)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
|
||||
buf := append(make([]byte, BoolSize), 100)
|
||||
offset, err := BoolMarshal(buf, 0, true)
|
||||
require.NoError(t, err)
|
||||
require.ErrorAs(t, VerifyMarshal(buf, offset), &mErr)
|
||||
|
||||
v, offset, err := BoolUnmarshal(buf, 0)
|
||||
require.NoError(t, err)
|
||||
require.True(t, v)
|
||||
require.ErrorAs(t, VerifyUnmarshal(buf, offset), &mErr)
|
||||
|
||||
_, _, err = BoolUnmarshal(nil, 0)
|
||||
require.ErrorAs(t, err, &mErr)
|
||||
})
|
||||
})
|
||||
}
|
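--- a/pkg/morph/policy/policy_contract_storage.go
+++ b/pkg/morph/policy/policy_contract_storage.go
@@ -0,0 +1,184 @@
+package policy
+
+import (
+	"errors"
+	"fmt"
+	"math/big"
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
+	client "git.frostfs.info/TrueCloudLab/frostfs-contract/rpcclient/policy"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+)
+
+var (
+	ErrEmptyChainID = errors.New("chain id is not set")
+
+	ErrEngineTargetTypeUnsupported = errors.New("this target type is not supported yet")
+)
+
+// ContractStorage is the interface to manage chain rules within Policy contract.
+type ContractStorage struct {
+	contractInterface *client.Contract
+}
+
+var _ engine.MorphRuleChainStorage = (*ContractStorage)(nil)
+
+// ContractStorageReader is the interface to read data from Policy contract.
+type ContractStorageReader struct {
+	contractReaderInterface *client.ContractReader
+}
+
+var _ engine.MorphRuleChainStorageReader = (*ContractStorageReader)(nil)
+
+func NewContractStorage(actor client.Actor, contract util.Uint160) *ContractStorage {
+	return &ContractStorage{
+		contractInterface: client.New(actor, contract),
+	}
+}
+
+func NewContractStorageWithSimpleActor(rpcActor actor.RPCActor, acc *wallet.Account, contract util.Uint160) (*ContractStorage, error) {
+	act, err := actor.NewSimple(rpcActor, acc)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create simple actor: %w", err)
+	}
+	return NewContractStorage(act, contract), nil
+}
+
+func (s *ContractStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (txHash util.Uint256, vub uint32, err error) {
+	if len(c.ID) == 0 {
+		err = ErrEmptyChainID
+		return
+	}
+
+	var kind policy.Kind
+	kind, err = policyKind(target.Type)
+	if err != nil {
+		return
+	}
+	fullName := prefixedChainName(name, c.ID)
+
+	txHash, vub, err = s.contractInterface.AddChain(big.NewInt(int64(kind)), target.Name, fullName, c.Bytes())
+	return
+}
+
+func (s *ContractStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (txHash util.Uint256, vub uint32, err error) {
+	if len(chainID) == 0 {
+		err = ErrEmptyChainID
+		return
+	}
+
+	var kind policy.Kind
+	kind, err = policyKind(target.Type)
+	if err != nil {
+		return
+	}
+	fullName := prefixedChainName(name, chainID)
+
+	txHash, vub, err = s.contractInterface.RemoveChain(big.NewInt(int64(kind)), target.Name, fullName)
+	return
+}
+
+func (s *ContractStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
+	kind, err := policyKind(target.Type)
+	if err != nil {
+		return nil, err
+	}
+
+	items, err := s.contractInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
+	if err != nil {
+		return nil, err
+	}
+
+	var chains []*chain.Chain
+	for _, item := range items {
+		serialized, err := bytesFromStackItem(item)
+		if err != nil {
+			return nil, err
+		}
+		c := new(chain.Chain)
+		if err := c.DecodeBytes(serialized); err != nil {
+			return nil, err
+		}
+		chains = append(chains, c)
+	}
+
+	return chains, nil
+}
+
+func (s *ContractStorage) GetAdmin() (util.Uint160, error) {
+	return s.contractInterface.GetAdmin()
+}
+
+func (s *ContractStorage) SetAdmin(addr util.Uint160) (util.Uint256, uint32, error) {
+	return s.contractInterface.SetAdmin(addr)
+}
+
+func NewContractStorageReader(inv client.Invoker, contract util.Uint160) *ContractStorageReader {
+	return &ContractStorageReader{
+		contractReaderInterface: client.NewReader(inv, contract),
+	}
+}
+
+func (s *ContractStorageReader) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
+	kind, err := policyKind(target.Type)
+	if err != nil {
+		return nil, err
+	}
+
+	items, err := s.contractReaderInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
+	if err != nil {
+		return nil, err
+	}
+
+	var chains []*chain.Chain
+	for _, item := range items {
+		serialized, err := bytesFromStackItem(item)
+		if err != nil {
+			return nil, err
+		}
+		c := new(chain.Chain)
+		if err := c.DecodeBytes(serialized); err != nil {
+			return nil, err
+		}
+		chains = append(chains, c)
+	}
+
+	return chains, nil
+}
+
+func (s *ContractStorageReader) GetAdmin() (util.Uint160, error) {
+	return s.contractReaderInterface.GetAdmin()
+}
+
+func bytesFromStackItem(param stackitem.Item) ([]byte, error) {
+	switch param.Type() {
+	case stackitem.BufferT, stackitem.ByteArrayT, stackitem.IntegerT:
+		return param.TryBytes()
+	case stackitem.AnyT:
+		if param.Value() == nil {
+			return nil, nil
+		}
+		fallthrough
+	default:
+		return nil, fmt.Errorf("chain/client: %s is not a byte array type", param.Type())
+	}
+}
+
+func prefixedChainName(name chain.Name, chainID chain.ID) []byte {
+	return []byte(strings.ToLower(fmt.Sprintf("%s:%s", name, chainID)))
+}
+
+func policyKind(typ engine.TargetType) (policy.Kind, error) {
+	if typ == engine.Namespace {
+		return policy.Namespace, nil
+	} else if typ == engine.Container {
+		return policy.Container, nil
+	}
+	return policy.Kind(0), ErrEngineTargetTypeUnsupported
+}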
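Review bot: `bytesFromStackItem` returns `nil, nil` for a nil `AnyT` item, and both `ListMorphRuleChains` implementations pass that result straight into `c.DecodeBytes`, so a nil entry returned by the contract is either silently decoded as an empty chain or surfaces as an unhelpful decode error, depending on how `DecodeBytes` treats empty input (not visible here). The decode loop is also duplicated verbatim between `ContractStorage` and `ContractStorageReader`; a shared helper that rejects empty entries and wraps decode errors fixes both callers at once, as sketched below. Separately, the doc comments call `ContractStorage` and `ContractStorageReader` "the interface" although both are structs, and `policyKind` would read more idiomatically as a `switch` than an `if`/`else if` chain.
```go
// decodeChains turns the stack items returned by ListChainsByPrefix into chains.
func decodeChains(items []stackitem.Item) ([]*chain.Chain, error) {
	var chains []*chain.Chain
	for _, item := range items {
		serialized, err := bytesFromStackItem(item)
		if err != nil {
			return nil, err
		}
		if len(serialized) == 0 {
			return nil, errors.New("policy contract returned an empty chain entry")
		}
		c := new(chain.Chain)
		if err := c.DecodeBytes(serialized); err != nil {
			return nil, fmt.Errorf("decode chain: %w", err)
		}
		chains = append(chains, c)
	}
	return chains, nil
}

func (s *ContractStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
	// … unchanged: policyKind lookup and ListChainsByPrefix call …
	return decodeChains(items)
}
```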
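--- a/pkg/resource/resource.go
+++ b/pkg/resource/resource.go
@@ -0,0 +1,19 @@
+package resource
+
+// Request represents generic named resource (bucket, container etc.).
+// Name is resource depenent but should be globally unique for any given
+// type of resource.
+type Request interface {
+	// Name is the operation name, such as Object.Put. Must not include wildcards.
+	Operation() string
+	// Property returns request properties, such as IP address of the origin.
+	Property(string) string
+	// Resource returns resource the operation is applied to.
+	Resource() Resource
+}
+
+// Resource represents the resource operation is applied to.
+type Resource interface {
+	Name() string
+	Property(string) string
+}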
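Review bot: The doc comment on `Request` describes a named resource rather than a request, and the comment on `Operation` starts with "Name", so godoc for both reads wrong; "depenent" is also misspelled. Suggested wording: `// Request represents an operation applied to a resource, together with the request-level properties a policy can match on.` on the type, and `// Operation is the operation name, such as Object.Put. Must not include wildcards.` on the method. The sentence about the name being resource-dependent but globally unique per resource type belongs on `Resource.Name`, which currently has no comment at all.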
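--- a/pkg/resource/testutil/resource.go
+++ b/pkg/resource/testutil/resource.go
@@ -0,0 +1,53 @@
+package testutil
+
+import (
+	resourcepkg "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+)
+
+type Resource struct {
+	name       string
+	properties map[string]string
+}
+
+func (r *Resource) Name() string {
+	return r.name
+}
+
+func (r *Resource) Property(name string) string {
+	return r.properties[name]
+}
+
+func NewResource(name string, properties map[string]string) *Resource {
+	if properties == nil {
+		properties = make(map[string]string)
+	}
+	return &Resource{name: name, properties: properties}
+}
+
+type Request struct {
+	operation  string
+	properties map[string]string
+	resource   *Resource
+}
+
+var _ resourcepkg.Request = (*Request)(nil)
+
+func (r *Request) Operation() string {
+	return r.operation
+}
+
+func (r *Request) Resource() resourcepkg.Resource {
+	return r.resource
+}
+
+func (r *Request) Property(name string) string {
+	return r.properties[name]
+}
+
+func NewRequest(op string, r *Resource, properties map[string]string) *Request {
+	return &Request{
+		operation:  op,
+		properties: properties,
+		resource:   r,
+	}
+}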
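Review bot: `Resource()` returns the `*Resource` field as a `resourcepkg.Resource` interface, so a `Request` built with a nil resource yields a non-nil interface wrapping a nil pointer: `req.Resource() == nil` is false and a subsequent `Name()` call dereferences nil. If a nil resource is a legitimate input to `NewRequest`, return an untyped nil first, `if r.resource == nil { return nil }`, before `return r.resource`. `NewRequest` also stores `properties` as given, unlike `NewResource`, which substitutes an empty map; reads on a nil map are safe, so this only matters if a test mutates it, but the asymmetry deserves a comment or the same default.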
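--- a/schema/common/consts.go
+++ b/schema/common/consts.go
@@ -0,0 +1,5 @@
+package common
+
+const (
+	PropertyKeyFrostFSIDGroupID = "frostfsid:groupID"
+)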
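--- a/schema/native/consts.go
+++ b/schema/native/consts.go
@@ -0,0 +1,59 @@
+package native
+
+const (
+	MethodGetObject    = "GetObject"
+	MethodPutObject    = "PutObject"
+	MethodHeadObject   = "HeadObject"
+	MethodDeleteObject = "DeleteObject"
+	MethodSearchObject = "SearchObject"
+	MethodRangeObject  = "RangeObject"
+	MethodHashObject   = "HashObject"
+
+	MethodPutContainer     = "PutContainer"
+	MethodDeleteContainer  = "DeleteContainer"
+	MethodGetContainer     = "GetContainer"
+	MethodListContainers   = "ListContainers"
+	MethodSetContainerEACL = "SetContainerEACL"
+	MethodGetContainerEACL = "GetContainerEACL"
+
+	ObjectPrefix    = "native:object"
+	ContainerPrefix = "native:container"
+
+	ResourceFormatNamespaceObjects         = "native:object/%s/*"
+	ResourceFormatNamespaceContainerObjects = "native:object/%s/%s/*"
+	ResourceFormatNamespaceContainerObject  = "native:object/%s/%s/%s"
+
+	ResourceFormatRootObjects         = "native:object//*"
+	ResourceFormatRootContainerObjects = "native:object//%s/*"
+	ResourceFormatRootContainerObject  = "native:object//%s/%s"
+
+	ResourceFormatAllObjects = "native:object/*"
+
+	ResourceFormatNamespaceContainer  = "native:container/%s/%s"
+	ResourceFormatNamespaceContainers = "native:container/%s/*"
+
+	ResourceFormatRootContainer  = "native:container//%s"
+	ResourceFormatRootContainers = "native:container//*"
+
+	ResourceFormatAllContainers = "native:container/*"
+
+	PropertyKeyActorPublicKey = "$Actor:publicKey"
+	PropertyKeyActorRole      = "$Actor:role"
+
+	PropertyKeyObjectVersion         = "$Object:version"
+	PropertyKeyObjectID              = "$Object:objectID"
+	PropertyKeyObjectContainerID     = "$Object:containerID"
+	PropertyKeyObjectOwnerID         = "$Object:ownerID"
+	PropertyKeyObjectCreationEpoch   = "$Object:creationEpoch"
+	PropertyKeyObjectPayloadLength   = "$Object:payloadLength"
+	PropertyKeyObjectPayloadHash     = "$Object:payloadHash"
+	PropertyKeyObjectType            = "$Object:objectType"
+	PropertyKeyObjectHomomorphicHash = "$Object:homomorphicHash"
+
+	PropertyKeyContainerOwnerID = "$Container:ownerID"
+
+	PropertyValueContainerRoleOwner     = "owner"
+	PropertyValueContainerRoleIR        = "ir"
+	PropertyValueContainerRoleContainer = "container"
+	PropertyValueContainerRoleOthers    = "others"
+)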
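Review bot: The `ResourceFormat*` constants encode two conventions that nothing in the file states: the `Root*` forms appear to address the root namespace as an empty path segment (`native:object//...`), and `*` only ever appears as the trailing segment. A comment on the group such as `// Resource name formats. Root* forms use an empty namespace segment ("//") for the root namespace; '*' is only valid as the last segment.` would keep readers from treating the double slash as a typo and would document the shape that any validator has to enforce. The `PropertyValueContainerRole*` constants are named "Container" but presumably are the accepted values of `PropertyKeyActorRole`; a one-line comment linking them to that key would avoid the guesswork.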
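--- a/schema/native/util/validation.go
+++ b/schema/native/util/validation.go
@@ -0,0 +1,45 @@
+package util
+
+import (
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+)
+
+var nativePatterns = []string{
+	native.ResourceFormatNamespaceObjects, native.ResourceFormatNamespaceContainerObjects,
+	native.ResourceFormatNamespaceContainerObject, native.ResourceFormatRootObjects,
+	native.ResourceFormatRootContainerObjects, native.ResourceFormatRootContainerObject,
+	native.ResourceFormatAllObjects, native.ResourceFormatNamespaceContainer,
+	native.ResourceFormatNamespaceContainers, native.ResourceFormatRootContainer,
+	native.ResourceFormatRootContainers, native.ResourceFormatAllContainers,
+}
+
+func match(resource, pattern string) bool {
+	rTokens := strings.Split(resource, "/")
+	pToken := strings.Split(pattern, "/")
+
+	if len(rTokens) != len(pToken) {
+		return false
+	}
+
+	for i := range rTokens {
+		if pToken[i] == "%s" {
+			continue
+		}
+		if pToken[i] != rTokens[i] {
+			return false
+		}
+	}
+
+	return true
+}
+
+func IsNativeResourceNameValid(resource string) bool {
+	for _, pattern := range nativePatterns {
+		if match(resource, pattern) {
+			return true
+		}
+	}
+	return false
+}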
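Review bot: `match` accepts any token in a `%s` position, including `*` and the empty string, so names like `native:container/*/*` or `native:object/ns/*/<oid>` pass `IsNativeResourceNameValid` as if they named a concrete namespace or container, which matters if validated names later feed a wildcard matcher. If wildcards are only meant where the patterns themselves carry a trailing `*`, the placeholder branch should reject them: `if pToken[i] == "%s" { if rTokens[i] == "*" { return false }; continue }`. Empty tokens in a `%s` slot are arguably invalid too, since the root-namespace spellings are already covered by the explicit `Root*` patterns. Neither function has a doc comment; `// IsNativeResourceNameValid reports whether resource has one of the native:object or native:container name shapes.` would do for the exported one.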
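--- a/schema/native/util/validation_test.go
+++ b/schema/native/util/validation_test.go
@@ -0,0 +1,97 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+var tests = []struct {
+	name     string
+	expected bool
+	resource string
+}{
+	{
+		name:     "ResourceFormatNamespaceObjects",
+		expected: true,
+		resource: "native:object/RootNamespace/*",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainerObjects",
+		expected: true,
+		resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainerObject",
+		expected: true,
+		resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
+	},
+	{
+		name:     "ResourceFormatRootObjects",
+		expected: true,
+		resource: "native:object//*",
+	},
+	{
+		name:     "ResourceFormatRootContainerObjects",
+		expected: true,
+		resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
+	},
+	{
+		name:     "ResourceFormatRootContainerObject",
+		expected: true,
+		resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
+	},
+	{
+		name:     "ResourceFormatAllObjects",
+		expected: true,
+		resource: "native:object/*",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainer",
+		expected: true,
+		resource: "native:container/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R",
+	},
+	{
+		name:     "ResourceFormatNamespaceContainers",
+		expected: true,
+		resource: "native:container/RootNamespace/*",
+	},
+	{
+		name:     "ResourceFormatRootContainers",
+		expected: true,
+		resource: "native:container//*",
+	},
+	{
+		name:     "ResourceFormatAllContainers",
+		expected: true,
+		resource: "native:container/*",
+	},
+	{
+		name:     "Invalid resource 1",
+		expected: false,
+		resource: "native:::container/*",
+	},
+	{
+		name:     "Invalid resource 2",
+		expected: false,
+		resource: "native:container/RootNamespace/w5HH3feoxFDD5tCTtoRzB3R/Bz726qzgLfxEE7wgtoRzB3R/RootNamespace",
+	},
+}
+
+func TestIsNativeResourceNameValid(t *testing.T) {
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			require.Equal(t, test.expected, IsNativeResourceNameValid(test.resource))
+		})
+	}
+}
+
+func BenchmarkIsNativeResourceNameValid(b *testing.B) {
+	for _, test := range tests {
+		b.Run(test.name, func(b *testing.B) {
+			for i := 0; i < b.N; i++ {
+				_ = IsNativeResourceNameValid(test.resource)
+			}
+		})
+	}
+}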
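Review bot: The table has no case for `ResourceFormatRootContainer` (`native:container//<cid>`), so that entry of `nativePatterns` is the only one left unexercised, and the two negatives cover only a malformed prefix and a path with too many segments. A case such as `{name: "ResourceFormatRootContainer", expected: true, resource: "native:container//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R"}` closes the first gap. Cases with `*` or an empty string in a placeholder position (for example `native:container/*/*` and `native:object/ns//oid`) would pin down whether such names are meant to validate; with the current `match` they return true, so the expected value must follow whatever contract the validator is supposed to enforce.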
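--- a/schema/s3/consts.go
+++ b/schema/s3/consts.go
@@ -0,0 +1,17 @@
+package s3
+
+const (
+	PropertyKeyOwner = "Owner"
+
+	PropertyKeyDelimiter = "s3:delimiter"
+	PropertyKeyPrefix    = "s3:prefix"
+	PropertyKeyVersionID = "s3:VersionId"
+
+	ResourceFormatS3All           = "arn:aws:s3:::*"
+	ResourceFormatS3Bucket        = "arn:aws:s3:::%s"
+	ResourceFormatS3BucketObjects = "arn:aws:s3:::%s/*"
+	ResourceFormatS3BucketObject  = "arn:aws:s3:::%s/%s"
+
+	ResourceFormatIAMNamespaceUser  = "arn:aws:iam::%s:user/%s"
+	ResourceFormatIAMNamespaceGroup = "arn:aws:iam::%s:group/%s"
+)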
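Review bot: The property keys mix an unprefixed `Owner` with `s3:`-prefixed keys, and `s3:VersionId` is cased differently from `s3:delimiter` and `s3:prefix`; presumably the `s3:` keys mirror AWS IAM condition-key spellings verbatim, but nothing says so, and a well-meant "consistency" cleanup would silently stop matching rules that use the original spelling. A comment on the group such as `// s3:* keys follow the AWS IAM condition-key spelling and must not be normalised.` and one stating where `Owner` comes from would make that explicit.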
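--- a/util/glob.go
+++ b/util/glob.go
@@ -0,0 +1,22 @@
+package util
+
+import (
+	"strings"
+	"unicode/utf8"
+)
+
+// Matches s against the pattern.
+// ? in pattern correspond to any symbol.
+// * in pattern correspond to any sequence of symbols.
+// Currently only '*' in the suffix is supported.
+func GlobMatch(s, pattern string) bool {
+	index := strings.IndexByte(pattern, '*')
+	switch index {
+	default:
+		panic("unimplemented")
+	case -1:
+		return pattern == s
+	case utf8.RuneCountInString(pattern) - 1:
+		return strings.HasPrefix(s, pattern[:len(pattern)-1])
+	}
+}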
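Review bot: `case utf8.RuneCountInString(pattern) - 1:` compares a byte offset from `strings.IndexByte` against a rune count, so any pattern with a multi-byte character before the trailing `*` (a non-ASCII namespace or key, say) is not recognised as a suffix wildcard and falls into `panic("unimplemented")`. The byte-based form is `case len(pattern) - 1:`, which is also what the `pattern[:len(pattern)-1]` slice on the next line already assumes. If patterns can come from stored policy rules, the panic on any other `*` placement turns bad input into a crash rather than a mismatch; returning false (or an error) would be the safer contract. The doc comment also promises `?` handling that the code does not implement, and it should start with the function name: `// GlobMatch reports whether s matches pattern; only a single trailing '*' is supported.`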