Compare commits

..

1 commit

Author SHA1 Message Date
c9d4d15db6 [#17] iam: Add converter to native/s3 policy
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2023-11-16 09:36:38 +03:00
35 changed files with 393 additions and 3156 deletions

View file

@ -16,6 +16,6 @@ jobs:
go-version: '1.21'
- name: Run commit format checker
uses: https://git.frostfs.info/TrueCloudLab/dco-go@v3
uses: https://git.frostfs.info/TrueCloudLab/dco-go@v2
with:
from: 'origin/${{ github.event.pull_request.base.ref }}'

2
.gitattributes vendored
View file

@ -1,4 +1,2 @@
/**/*.pb.go -diff -merge
/**/*.pb.go linguist-generated=true
/**/*_easyjson.go -diff -merge
/**/*_easyjson.go linguist-generated=true

View file

@ -5,8 +5,6 @@ TMP_DIR := .cache
OUTPUT_LINT_DIR ?= $(shell pwd)/bin
LINT_VERSION ?= 1.55.1
LINT_DIR = $(OUTPUT_LINT_DIR)/golangci-lint-$(LINT_VERSION)-v$(TRUECLOUDLAB_LINT_VERSION)
EASYJSON_VERSION ?= $(shell go list -f '{{.Version}}' -m github.com/mailru/easyjson)
EASYJSON_DIR ?= $(shell pwd)/bin/easyjson-$(EASYJSON_VERSION)
# Run all code formatters
fmts: fmt imports
@ -62,15 +60,3 @@ staticcheck-install:
# Run staticcheck
staticcheck-run:
@staticcheck ./...
easyjson-install:
@rm -rf $(EASYJSON_DIR)
@mkdir -p $(EASYJSON_DIR)
@GOBIN=$(EASYJSON_DIR) go install github.com/mailru/easyjson/...@$(EASYJSON_VERSION)
generate:
@if [ ! -d "$(EASYJSON_DIR)" ]; then \
make easyjson-install; \
fi
find ./ -name "_easyjson.go" -exec rm -rf {} \;
$(EASYJSON_DIR)/easyjson ./pkg/chain/chain.go

View file

@ -1,20 +0,0 @@
# Resource
From the point of the access policy engine, a resource is an object to which a request is being performed.
This can be an object in a container within a namespace, or all objects in a container,
or all containers within the root namespace etc.
A resource can be viewed from two sides:
- As part of a [request](../pkg/resource/resource.go). In this case a resource has a name and properties.
- As part of rule [chain](../pkg/chain/chain.go): a resource has just a name.
## Resource name
A resource name must have a such format that can be processed by a chain router that matches a request
either with local overrides or with rules within policy contract to get if this request is allowed to be performed.
The main idea of this format is for the chain router to match by full name (`native:object//cnrID/objID`) or
wildcard (`native:object//cnrID/*`).
Check out formats that are defined in the schema: [native formats](../schema/native/consts.go), [s3 formats](../schema/s3/consts.go).
You should validate a resource name using [util](../schema/native/util/validation.go) before instantiating a request or
before putting it to either to local override storage or the policy contract storage.

17
go.mod
View file

@ -3,26 +3,23 @@ module git.frostfs.info/TrueCloudLab/policy-engine
go 1.20
require (
git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958
github.com/google/uuid v1.3.0
github.com/mailru/easyjson v0.7.7
github.com/nspcc-dev/neo-go v0.103.0
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231114081800-3787477133f3
github.com/nspcc-dev/neo-go v0.103.1
github.com/stretchr/testify v1.8.4
golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
)
require (
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230802075510-964c3edb3f44 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/hashicorp/golang-lru v0.6.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/mr-tron/base58 v1.2.0 // indirect
github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 // indirect
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 // indirect
github.com/nspcc-dev/rfc6979 v0.2.0 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/sync v0.3.0 // indirect
golang.org/x/text v0.13.0 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

51
go.sum
View file

@ -1,49 +1,40 @@
git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958 h1:X9yPizADIhD3K/gdKVCthlAnf9aQ3UJJGnZgIwwixRQ=
git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958/go.mod h1:rQWdsG18NaiFvkJpMguJev913KD/yleHaniRBkUyt0o=
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230802075510-964c3edb3f44 h1:v6JqBD/VzZx3QSxbaXnUwnnJ1KEYheU4LzLGr3IhsAE=
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230802075510-964c3edb3f44/go.mod h1:pKJJRLOChW4zDQsAt1e8k/snWKljJtpkiPfxV53ngjI=
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231114081800-3787477133f3 h1:Qa35bB58plMb14LIsYzu2ibeYfsY2taFnbZytv9Ao3M=
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231114081800-3787477133f3/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 h1:n4ZaFCKt1pQJd7PXoMJabZWK9ejjbLOVrkl/lOUmshg=
github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22/go.mod h1:79bEUDEviBHJMFV6Iq6in57FEOCMcRhfQnfaf0ETA5U=
github.com/nspcc-dev/neo-go v0.103.0 h1:UVyWPhzZdfYFG35ORP3FRDLh8J/raRQ6m8SptDdlgfM=
github.com/nspcc-dev/neo-go v0.103.0/go.mod h1:x+wmcYqpZYJwLp1l/pHZrqNp3RSWlkMymWGDij3/OPo=
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 h1:09CpI5uwsxb1EeFPIKQRwwWlfCmDD/Dwwh01lPiQScM=
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5/go.mod h1:J/Mk6+nKeKSW4wygkZQFLQ6SkLOSGX5Ga0RuuuktEag=
github.com/nspcc-dev/neo-go v0.103.1 h1:BfRBceHUu8jSc1KQy7CzmQ/pa+xzAmgcyteGf0/IGgM=
github.com/nspcc-dev/neo-go v0.103.1/go.mod h1:MD7MPiyshUwrE5n1/LzxeandbItaa/iLW/bJb6gNs/U=
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 h1:xQdMZ1WLrgkkvOZ/LDQxjVxMLdby7osSh4ZEVa5sIjs=
github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo=
github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74/go.mod h1:RmMWU37GKR2s6pgrIEB4ixgpVCt/cf7dnJv3fuH1J1c=
go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

View file

@ -6,9 +6,10 @@ import (
"strconv"
"strings"
"time"
"unicode/utf8"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
)
const condKeyAWSPrincipalARN = "aws:PrincipalArn"
@ -50,16 +51,12 @@ const (
CondArnLike string = "ArnLike"
CondArnNotEquals string = "ArnNotEquals"
CondArnNotLike string = "ArnNotLike"
// Custom condition operators.
CondSliceContains string = "SliceContains"
)
const (
arnIAMPrefix = "arn:aws:iam::"
s3ResourcePrefix = "arn:aws:s3:::"
s3ActionPrefix = "s3:"
iamActionPrefix = "iam:"
)
var (
@ -68,14 +65,21 @@ var (
// ErrInvalidResourceFormat occurs when resource has unknown/unsupported format.
ErrInvalidResourceFormat = errors.New("invalid resource format")
// ErrInvalidActionFormat occurs when action has unknown/unsupported format.
ErrInvalidActionFormat = errors.New("invalid action format")
// ErrActionsNotApplicable occurs when failed to convert any actions.
ErrActionsNotApplicable = errors.New("actions not applicable")
)
type UserResolver interface {
GetUserKey(account, user string) (*keys.PublicKey, error)
}
type BucketResolver interface {
GetBucketCID(bucket string) (cid.ID, error)
}
type Resolver interface {
UserResolver
BucketResolver
}
type formPrincipalConditionFunc func(string) chain.Condition
type transformConditionFunc func(gr GroupedConditions) (GroupedConditions, error)
@ -197,8 +201,6 @@ func getConditionTypeAndConverter(op string) (chain.ConditionType, convertFuncti
return chain.CondStringLike, noConvertFunction, nil
case op == CondNotIPAddress:
return chain.CondStringNotLike, noConvertFunction, nil
case op == CondSliceContains:
return chain.CondSliceContains, noConvertFunction, nil
default:
return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
}
@ -252,38 +254,29 @@ func parsePrincipalAsIAMUser(principal string) (account string, user string, err
return account, user, nil
}
func validateResource(resource string) error {
if resource == Wildcard {
return nil
func parseResourceAsS3ARN(resource string) (bucket string, object string, err error) {
if !strings.HasPrefix(resource, s3ResourcePrefix) {
return "", "", ErrInvalidResourceFormat
}
if !strings.HasPrefix(resource, s3ResourcePrefix) && !strings.HasPrefix(resource, arnIAMPrefix) {
return ErrInvalidResourceFormat
// iam arn format arn:aws:s3:::<bucket-name>/<object-name>
s3Resource := strings.TrimPrefix(resource, s3ResourcePrefix)
sepIndex := strings.Index(s3Resource, "/")
if sepIndex < 0 {
return s3Resource, Wildcard, nil
}
index := strings.IndexByte(resource, Wildcard[0])
if index != -1 && index != utf8.RuneCountInString(resource)-1 {
return ErrInvalidResourceFormat
bucket = s3Resource[:sepIndex]
object = s3Resource[sepIndex+1:]
if len(object) == 0 {
return bucket, Wildcard, nil
}
return nil
}
func validateAction(action string) error {
if action == Wildcard {
return nil
if bucket == Wildcard && object != Wildcard {
return "", "", ErrInvalidResourceFormat
}
if !strings.HasPrefix(action, s3ActionPrefix) && !strings.HasPrefix(action, iamActionPrefix) {
return ErrInvalidActionFormat
}
index := strings.IndexByte(action, Wildcard[0])
if index != -1 && index != utf8.RuneCountInString(action)-1 {
return ErrInvalidActionFormat
}
return nil
return bucket, object, nil
}
func splitGroupedConditions(groupedConditions []GroupedConditions) [][]chain.Condition {

View file

@ -1,6 +1,7 @@
package iam
import (
"errors"
"fmt"
"strings"
@ -10,64 +11,26 @@ import (
const PropertyKeyFilePath = "FilePath"
var supportedActionToNativeOpMap = map[string][]string{
supportedS3NativeActionDeleteObject: {native.MethodDeleteObject, native.MethodHeadObject},
supportedS3NativeActionHeadObject: {native.MethodHeadObject},
supportedS3NativeActionGetObject: {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
supportedS3NativeActionPutObject: {native.MethodPutObject},
supportedS3NativeActionListBucket: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
// ErrActionsNotApplicable occurs when failed to convert any actions.
var ErrActionsNotApplicable = errors.New("actions not applicable")
supportedS3NativeActionCreateBucket: {native.MethodPutContainer},
supportedS3NativeActionDeleteBucket: {native.MethodDeleteContainer},
supportedS3NativeActionListAllMyBucket: {native.MethodListContainers},
supportedS3NativeActionPutBucketACL: {native.MethodSetContainerEACL},
supportedS3NativeActionGetBucketACL: {native.MethodGetContainerEACL},
}
var containerNativeOperations = map[string]struct{}{
native.MethodPutContainer: {},
native.MethodDeleteContainer: {},
native.MethodGetContainer: {},
native.MethodListContainers: {},
native.MethodSetContainerEACL: {},
native.MethodGetContainerEACL: {},
}
var objectNativeOperations = map[string]struct{}{
native.MethodGetObject: {},
native.MethodPutObject: {},
native.MethodHeadObject: {},
native.MethodDeleteObject: {},
native.MethodSearchObject: {},
native.MethodRangeObject: {},
native.MethodHashObject: {},
var actionToOpMap = map[string][]string{
supportedS3ActionDeleteObject: {native.MethodDeleteObject},
supportedS3ActionGetObject: {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
supportedS3ActionHeadObject: {native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
supportedS3ActionPutObject: {native.MethodPutObject},
supportedS3ActionListBucket: {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
}
const (
supportedS3NativeActionDeleteObject = "s3:DeleteObject"
supportedS3NativeActionGetObject = "s3:GetObject"
supportedS3NativeActionHeadObject = "s3:HeadObject"
supportedS3NativeActionPutObject = "s3:PutObject"
supportedS3NativeActionListBucket = "s3:ListBucket"
supportedS3NativeActionCreateBucket = "s3:CreateBucket"
supportedS3NativeActionDeleteBucket = "s3:DeleteBucket"
supportedS3NativeActionListAllMyBucket = "s3:ListAllMyBuckets"
supportedS3NativeActionPutBucketACL = "s3:PutBucketAcl"
supportedS3NativeActionGetBucketACL = "s3:GetBucketAcl"
supportedS3ActionDeleteObject = "DeleteObject"
supportedS3ActionGetObject = "GetObject"
supportedS3ActionHeadObject = "HeadObject"
supportedS3ActionPutObject = "PutObject"
supportedS3ActionListBucket = "ListBucket"
)
type NativeResolver interface {
GetUserKey(account, name string) (string, error)
GetBucketInfo(bucket string) (*BucketInfo, error)
}
type BucketInfo struct {
Namespace string
Container string
}
func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, error) {
func ConvertToNativeChain(p Policy, resolver Resolver) (*chain.Chain, error) {
if err := p.Validate(ResourceBasedPolicyType); err != nil {
return nil, err
}
@ -78,17 +41,13 @@ func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, erro
status := formStatus(statement)
action, actionInverted := statement.action()
nativeActions, err := formNativeActionNames(action)
if err != nil {
return nil, err
}
ruleAction := chain.Actions{Inverted: actionInverted, Names: nativeActions}
ruleAction := chain.Actions{Inverted: actionInverted, Names: formNativeActionNames(action)}
if len(ruleAction.Names) == 0 {
continue
}
resource, resourceInverted := statement.resource()
groupedResources, err := formNativeResourceNamesAndConditions(resource, resolver, getActionTypes(nativeActions))
groupedResources, err := formNativeResourceNamesAndConditions(resource, resolver)
if err != nil {
return nil, err
}
@ -107,12 +66,7 @@ func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, erro
for _, groupedResource := range groupedResources {
for _, principal := range principals {
for _, conditions := range splitConditions {
var principalCondition []chain.Condition
if principal != Wildcard {
principalCondition = []chain.Condition{principalCondFn(principal)}
}
ruleConditions := append(principalCondition, groupedResource.Conditions...)
ruleConditions := append([]chain.Condition{principalCondFn(principal)}, groupedResource.Conditions...)
r := chain.Rule{
Status: status,
@ -136,24 +90,7 @@ func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, erro
return &engineChain, nil
}
func getActionTypes(nativeActions []string) ActionTypes {
var res ActionTypes
for _, action := range nativeActions {
if res.Object && res.Container {
break
}
_, isObj := objectNativeOperations[action]
_, isCnr := containerNativeOperations[action]
res.Object = isObj || action == Wildcard
res.Container = isCnr || action == Wildcard
}
return res
}
func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeResolver) ([]string, formPrincipalConditionFunc, error) {
func getNativePrincipalsAndConditionFunc(statement Statement, resolver UserResolver) ([]string, formPrincipalConditionFunc, error) {
var principals []string
var op chain.ConditionType
statementPrincipal, inverted := statement.principal()
@ -188,7 +125,7 @@ func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeRes
}, nil
}
func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
func convertToNativeChainCondition(c Conditions, resolver UserResolver) ([]GroupedConditions, error) {
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
for i := range gr.Conditions {
if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
@ -210,67 +147,35 @@ type GroupedResources struct {
Conditions []chain.Condition
}
type ActionTypes struct {
Object bool
Container bool
}
func formNativeResourceNamesAndConditions(names []string, resolver NativeResolver, actionTypes ActionTypes) ([]GroupedResources, error) {
if !actionTypes.Object && !actionTypes.Container {
return nil, ErrActionsNotApplicable
}
func formNativeResourceNamesAndConditions(names []string, resolver BucketResolver) ([]GroupedResources, error) {
res := make([]GroupedResources, 0, len(names))
var combined []string
for _, resource := range names {
if err := validateResource(resource); err != nil {
return nil, err
}
if resource == Wildcard {
res = res[:0]
return append(res, formWildcardNativeResource(actionTypes)), nil
}
if !strings.HasPrefix(resource, s3ResourcePrefix) {
continue
}
var bkt, obj string
s3Resource := strings.TrimPrefix(resource, s3ResourcePrefix)
if s3Resource == Wildcard {
res = res[:0]
return append(res, formWildcardNativeResource(actionTypes)), nil
}
if sepIndex := strings.Index(s3Resource, "/"); sepIndex < 0 {
bkt = s3Resource
} else {
bkt = s3Resource[:sepIndex]
obj = s3Resource[sepIndex+1:]
if len(obj) == 0 {
obj = Wildcard
}
}
bktInfo, err := resolver.GetBucketInfo(bkt)
for i := range names {
bkt, obj, err := parseResourceAsS3ARN(names[i])
if err != nil {
return nil, err
}
if obj == Wildcard && actionTypes.Object { // this corresponds to arn:aws:s3:::BUCKET/ or arn:aws:s3:::BUCKET/*
combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container))
continue
if bkt == Wildcard {
res = res[:0]
return append(res, GroupedResources{Names: []string{native.ResourceFormatAllObjects}}), nil
}
if obj == "" && actionTypes.Container { // this corresponds to arn:aws:s3:::BUCKET
combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainer, bktInfo.Namespace, bktInfo.Container))
cnrID, err := resolver.GetBucketCID(bkt)
if err != nil {
return nil, err
}
resource := fmt.Sprintf(native.ResourceFormatRootContainerObjects, cnrID.EncodeToString())
if obj == Wildcard {
combined = append(combined, resource)
continue
}
res = append(res, GroupedResources{
Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container)},
Names: []string{resource},
Conditions: []chain.Condition{
{
Op: chain.CondStringLike,
@ -289,19 +194,7 @@ func formNativeResourceNamesAndConditions(names []string, resolver NativeResolve
return res, nil
}
func formWildcardNativeResource(actionTypes ActionTypes) GroupedResources {
groupedNames := make([]string, 0, 2)
if actionTypes.Object {
groupedNames = append(groupedNames, native.ResourceFormatAllObjects)
}
if actionTypes.Container {
groupedNames = append(groupedNames, native.ResourceFormatAllContainers)
}
return GroupedResources{Names: groupedNames}
}
func formNativePrincipal(principal []string, resolver NativeResolver) ([]string, error) {
func formNativePrincipal(principal []string, resolver UserResolver) ([]string, error) {
res := make([]string, len(principal))
var err error
@ -314,7 +207,7 @@ func formNativePrincipal(principal []string, resolver NativeResolver) ([]string,
return res, nil
}
func formPrincipalKey(principal string, resolver NativeResolver) (string, error) {
func formPrincipalKey(principal string, resolver UserResolver) (string, error) {
account, user, err := parsePrincipalAsIAMUser(principal)
if err != nil {
return "", err
@ -322,34 +215,22 @@ func formPrincipalKey(principal string, resolver NativeResolver) (string, error)
key, err := resolver.GetUserKey(account, user)
if err != nil {
return "", fmt.Errorf("get user key: %w", err)
return "", fmt.Errorf("resolve user: %w", err)
}
return key, nil
return string(key.Bytes()), nil
}
func formNativeActionNames(names []string) ([]string, error) {
func formNativeActionNames(names []string) []string {
res := make([]string, 0, len(names))
for _, action := range names {
if err := validateAction(action); err != nil {
return nil, err
for i := range names {
trimmed := strings.TrimPrefix(names[i], s3ActionPrefix)
if trimmed == Wildcard {
return []string{Wildcard}
}
if action == Wildcard {
return []string{Wildcard}, nil
}
if !strings.HasPrefix(action, s3ActionPrefix) {
continue
}
if strings.TrimPrefix(action, s3ActionPrefix) == Wildcard {
return []string{Wildcard}, nil
}
res = append(res, supportedActionToNativeOpMap[action]...)
res = append(res, actionToOpMap[trimmed]...)
}
return res, nil
return res
}

View file

@ -2,86 +2,13 @@ package iam
import (
"fmt"
"strings"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
)
var specialActionToS3OpMap = map[string][]string{
specialS3ActionsListAllMyBuckets: {"s3:ListBuckets"},
specialS3ActionsListBucket: {"s3:HeadBucket", "s3:GetBucketLocation", "s3:ListObjectsV1", "s3:ListObjectsV2"},
specialS3ActionsListBucketVersions: {"s3:ListBucketObjectVersions"},
specialS3ActionsListBucketMultipartUploads: {"s3:ListMultipartUploads"},
specialS3ActionsGetBucketObjectLockConfiguration: {"s3:GetBucketObjectLockConfig"},
specialS3ActionsGetEncryptionConfiguration: {"s3:GetBucketEncryption"},
specialS3ActionsGetLifecycleConfiguration: {"s3:GetBucketLifecycle"},
specialS3ActionsGetBucketACL: {"s3:GetBucketACL"},
specialS3ActionsGetBucketCORS: {"s3:GetBucketCors"},
specialS3ActionsPutBucketTagging: {"s3:PutBucketTagging", "s3:DeleteBucketTagging"},
specialS3ActionsPutBucketObjectLockConfiguration: {"s3:PutBucketObjectLockConfig"},
specialS3ActionsPutEncryptionConfiguration: {"s3:PutBucketEncryption", "s3:DeleteBucketEncryption"},
specialS3ActionsPutLifecycleConfiguration: {"s3:PutBucketLifecycle", "s3:DeleteBucketLifecycle"},
specialS3ActionsPutBucketACL: {"s3:PutBucketACL"},
specialS3ActionsPutBucketCORS: {"s3:PutBucketCors", "s3:DeleteBucketCors"},
specialS3ActionsDeleteBucketCORS: {"s3:DeleteBucketCors"},
specialS3ActionsListMultipartUploadParts: {"s3:ListParts"},
specialS3ActionsGetObjectACL: {"s3:GetObjectACL"},
specialS3ActionsGetObject: {"s3:GetObject", "s3:HeadObject"},
specialS3ActionsGetObjectVersion: {"s3:GetObject", "s3:HeadObject"},
specialS3ActionsGetObjectVersionACL: {"s3:GetObjectACL"},
specialS3ActionsGetObjectVersionAttributes: {"s3:GetObjectAttributes"},
specialS3ActionsGetObjectVersionTagging: {"s3:GetObjectTagging"},
specialS3ActionsPutObjectACL: {"s3:PutObjectACL"},
specialS3ActionsPutObjectVersionACL: {"s3:PutObjectACL"},
specialS3ActionsPutObjectVersionTagging: {"s3:PutObjectTagging"},
specialS3ActionsPutObject: {
"s3:PutObject", "s3:PostObject", "s3:CopyObject",
"s3:UploadPart", "s3:UploadPartCopy", "s3:CreateMultipartUpload", "s3:CompleteMultipartUpload",
},
specialS3ActionsDeleteObjectVersionTagging: {"s3:DeleteObjectTagging"},
specialS3ActionsDeleteObject: {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
specialS3ActionsDeleteObjectVersion: {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
}
const (
specialS3ActionsListAllMyBuckets = "s3:ListAllMyBuckets"
specialS3ActionsListBucket = "s3:ListBucket"
specialS3ActionsListBucketVersions = "s3:ListBucketVersions"
specialS3ActionsListBucketMultipartUploads = "s3:ListBucketMultipartUploads"
specialS3ActionsGetBucketObjectLockConfiguration = "s3:GetBucketObjectLockConfiguration"
specialS3ActionsGetEncryptionConfiguration = "s3:GetEncryptionConfiguration"
specialS3ActionsGetLifecycleConfiguration = "s3:GetLifecycleConfiguration"
specialS3ActionsGetBucketACL = "s3:GetBucketAcl"
specialS3ActionsGetBucketCORS = "s3:GetBucketCORS"
specialS3ActionsPutBucketTagging = "s3:PutBucketTagging"
specialS3ActionsPutBucketObjectLockConfiguration = "s3:PutBucketObjectLockConfiguration"
specialS3ActionsPutEncryptionConfiguration = "s3:PutEncryptionConfiguration"
specialS3ActionsPutLifecycleConfiguration = "s3:PutLifecycleConfiguration"
specialS3ActionsPutBucketACL = "s3:PutBucketAcl"
specialS3ActionsPutBucketCORS = "s3:PutBucketCORS"
specialS3ActionsDeleteBucketCORS = "s3:DeleteBucketCORS"
specialS3ActionsListMultipartUploadParts = "s3:ListMultipartUploadParts"
specialS3ActionsGetObjectACL = "s3:GetObjectAcl"
specialS3ActionsGetObject = "s3:GetObject"
specialS3ActionsGetObjectVersion = "s3:GetObjectVersion"
specialS3ActionsGetObjectVersionACL = "s3:GetObjectVersionAcl"
specialS3ActionsGetObjectVersionAttributes = "s3:GetObjectVersionAttributes"
specialS3ActionsGetObjectVersionTagging = "s3:GetObjectVersionTagging"
specialS3ActionsPutObjectACL = "s3:PutObjectAcl"
specialS3ActionsPutObjectVersionACL = "s3:PutObjectVersionAcl"
specialS3ActionsPutObjectVersionTagging = "s3:PutObjectVersionTagging"
specialS3ActionsPutObject = "s3:PutObject"
specialS3ActionsDeleteObjectVersionTagging = "s3:DeleteObjectVersionTagging"
specialS3ActionsDeleteObject = "s3:DeleteObject"
specialS3ActionsDeleteObjectVersion = "s3:DeleteObjectVersion"
)
type S3Resolver interface {
GetUserAddress(account, user string) (string, error)
}
func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
func ConvertToS3Chain(p Policy, resolver UserResolver) (*chain.Chain, error) {
if err := p.Validate(ResourceBasedPolicyType); err != nil {
return nil, err
}
@ -91,21 +18,11 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
for _, statement := range p.Statement {
status := formStatus(statement)
actions, actionInverted := statement.action()
s3Actions, err := formS3ActionNames(actions)
if err != nil {
return nil, err
}
ruleAction := chain.Actions{Inverted: actionInverted, Names: s3Actions}
if len(ruleAction.Names) == 0 {
continue
}
action, actionInverted := statement.action()
ruleAction := chain.Actions{Inverted: actionInverted, Names: formS3ActionNames(action)}
resources, resourceInverted := statement.resource()
if err := validateS3ResourceNames(resources); err != nil {
return nil, err
}
ruleResource := chain.Resources{Inverted: resourceInverted, Names: resources}
resource, resourceInverted := statement.resource()
ruleResource := chain.Resources{Inverted: resourceInverted, Names: formS3ResourceNamesAndConditions(resource)}
groupedConditions, err := convertToS3ChainCondition(statement.Conditions, resolver)
if err != nil {
@ -120,30 +37,21 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
for _, principal := range principals {
for _, conditions := range splitConditions {
var principalCondition []chain.Condition
if principal != Wildcard {
principalCondition = []chain.Condition{principalCondFn(principal)}
}
r := chain.Rule{
Status: status,
Actions: ruleAction,
Resources: ruleResource,
Condition: append(principalCondition, conditions...),
Condition: append([]chain.Condition{principalCondFn(principal)}, conditions...),
}
engineChain.Rules = append(engineChain.Rules, r)
}
}
}
if len(engineChain.Rules) == 0 {
return nil, ErrActionsNotApplicable
}
return &engineChain, nil
}
func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) ([]string, formPrincipalConditionFunc, error) {
func getS3PrincipalsAndConditionFunc(statement Statement, resolver UserResolver) ([]string, formPrincipalConditionFunc, error) {
var principals []string
var op chain.ConditionType
statementPrincipal, inverted := statement.principal()
@ -178,7 +86,7 @@ func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) (
}, nil
}
func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
func convertToS3ChainCondition(c Conditions, resolver UserResolver) ([]GroupedConditions, error) {
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
for i := range gr.Conditions {
if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
@ -195,7 +103,7 @@ func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedCond
})
}
func formS3Principal(principal []string, resolver S3Resolver) ([]string, error) {
func formS3Principal(principal []string, resolver UserResolver) ([]string, error) {
res := make([]string, len(principal))
var err error
@ -208,48 +116,34 @@ func formS3Principal(principal []string, resolver S3Resolver) ([]string, error)
return res, nil
}
func formPrincipalOwner(principal string, resolver S3Resolver) (string, error) {
func formPrincipalOwner(principal string, resolver UserResolver) (string, error) {
account, user, err := parsePrincipalAsIAMUser(principal)
if err != nil {
return "", err
}
address, err := resolver.GetUserAddress(account, user)
key, err := resolver.GetUserKey(account, user)
if err != nil {
return "", fmt.Errorf("get user address: %w", err)
return "", fmt.Errorf("resolve user: %w", err)
}
return address, nil
return key.Address(), nil
}
func validateS3ResourceNames(names []string) error {
func formS3ResourceNamesAndConditions(names []string) []string {
res := make([]string, len(names))
for i := range names {
if err := validateResource(names[i]); err != nil {
return err
}
res[i] = strings.TrimPrefix(names[i], s3ResourcePrefix)
}
return nil
return res
}
func formS3ActionNames(names []string) ([]string, error) {
res := make([]string, 0, len(names))
for _, action := range names {
if err := validateAction(action); err != nil {
return nil, err
}
if action == Wildcard {
return []string{Wildcard}, nil
}
if actions, ok := specialActionToS3OpMap[action]; ok {
res = append(res, actions...)
} else {
res = append(res, action)
}
func formS3ActionNames(names []string) []string {
res := make([]string, len(names))
for i := range names {
res[i] = strings.TrimPrefix(names[i], s3ActionPrefix)
}
return res, nil
return res
}

View file

@ -1,66 +1,60 @@
package iam
import (
"encoding/json"
"errors"
"fmt"
"strconv"
"testing"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/stretchr/testify/require"
)
type mockUserResolver struct {
users map[string]string
containers map[string]string
namespace string
users map[string]*keys.PublicKey
buckets map[string]cid.ID
}
func newMockUserResolver(accountUsers []string, buckets []string, namespace string) *mockUserResolver {
userMap := make(map[string]string, len(accountUsers))
func newMockUserResolver(t *testing.T, accountUsers []string, buckets []string) *mockUserResolver {
userMap := make(map[string]*keys.PublicKey, len(accountUsers))
for _, user := range accountUsers {
userMap[user] = user + "/resolvedValue"
key, err := keys.NewPrivateKey()
require.NoError(t, err)
userMap[user] = key.PublicKey()
}
containerMap := make(map[string]string, len(buckets))
bucketMap := make(map[string]cid.ID, len(buckets))
for _, bkt := range buckets {
containerMap[bkt] = bkt + "/resolvedValues"
bucketMap[bkt] = cidtest.ID()
}
return &mockUserResolver{users: userMap, containers: containerMap, namespace: namespace}
return &mockUserResolver{users: userMap, buckets: bucketMap}
}
func (m *mockUserResolver) GetUserAddress(account, user string) (string, error) {
func (m *mockUserResolver) GetUserKey(account, user string) (*keys.PublicKey, error) {
key, ok := m.users[account+"/"+user]
if !ok {
return "", errors.New("not found")
}
return key, nil
}
func (m *mockUserResolver) GetUserKey(account, user string) (string, error) {
key, ok := m.users[account+"/"+user]
if !ok {
return "", errors.New("not found")
}
return key, nil
}
func (m *mockUserResolver) GetBucketInfo(bkt string) (*BucketInfo, error) {
cnr, ok := m.containers[bkt]
if !ok {
return nil, errors.New("not found")
}
return &BucketInfo{Container: cnr, Namespace: m.namespace}, nil
return key, nil
}
func (m *mockUserResolver) GetBucketCID(bkt string) (cid.ID, error) {
cnrID, ok := m.buckets[bkt]
if !ok {
return cid.ID{}, errors.New("not found")
}
return cnrID, nil
}
func TestConverters(t *testing.T) {
@ -70,11 +64,10 @@ func TestConverters(t *testing.T) {
principal := "arn:aws:iam::" + namespace + ":user/" + userName
bktName := "DOC-EXAMPLE-BUCKET"
objName := "object-name"
resource := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName)
s3GetObjectAction := "s3:GetObject"
s3HeadObjectAction := "s3:HeadObject"
resource := bktName + "/*"
action := "PutObject"
mockResolver := newMockUserResolver([]string{user}, []string{bktName}, namespace)
mockResolver := newMockUserResolver(t, []string{user}, []string{bktName})
t.Run("valid policy", func(t *testing.T) {
p := Policy{
@ -84,8 +77,8 @@ func TestConverters(t *testing.T) {
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Action: []string{s3GetObjectAction},
Resource: []string{resource},
Action: []string{"s3:PutObject"},
Resource: []string{"arn:aws:s3:::" + resource},
Conditions: map[string]Condition{
CondStringEquals: {
"s3:RequestObjectTag/Department": {"Finance"},
@ -97,14 +90,14 @@ func TestConverters(t *testing.T) {
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{s3GetObjectAction, s3HeadObjectAction}},
Actions: chain.Actions{Names: []string{action}},
Resources: chain.Resources{Names: []string{resource}},
Condition: []chain.Condition{
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: s3.PropertyKeyOwner,
Value: mockResolver.users[user],
Value: mockResolver.users[user].Address(),
},
{
Op: chain.CondStringEquals,
@ -130,21 +123,21 @@ func TestConverters(t *testing.T) {
},
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
Resource: []string{resource},
Resource: []string{"arn:aws:s3:::" + resource},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodPutObject}},
Resources: chain.Resources{Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName])}},
Actions: chain.Actions{Names: []string{action}},
Resources: chain.Resources{Names: []string{fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName].EncodeToString())}},
Condition: []chain.Condition{
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
Value: string(mockResolver.users[user].Bytes()),
},
},
},
@ -163,22 +156,22 @@ func TestConverters(t *testing.T) {
AWSPrincipalType: {principal},
},
Effect: DenyEffect,
NotAction: []string{s3GetObjectAction},
NotResource: []string{resource},
NotAction: []string{"s3:PutObject"},
NotResource: []string{"arn:aws:s3:::" + resource},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.AccessDenied,
Actions: chain.Actions{Inverted: true, Names: []string{s3GetObjectAction, s3HeadObjectAction}},
Actions: chain.Actions{Inverted: true, Names: []string{action}},
Resources: chain.Resources{Inverted: true, Names: []string{resource}},
Condition: []chain.Condition{
{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
Key: s3.PropertyKeyOwner,
Value: mockResolver.users[user],
Value: mockResolver.users[user].Address(),
},
},
},
@ -189,35 +182,32 @@ func TestConverters(t *testing.T) {
require.Equal(t, expected, s3Chain)
})
t.Run("valid native policy map action", func(t *testing.T) {
t.Run("valid policy map get action", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: DenyEffect,
Action: []string{"s3:DeleteObject", "s3:DeleteBucket"},
Resource: []string{
fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName, objName),
fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName),
},
Effect: DenyEffect,
NotAction: []string{"s3:GetObject"},
NotResource: []string{"arn:aws:s3:::" + bktName + "/" + objName},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.AccessDenied,
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
Resources: chain.Resources{Names: []string{
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
Actions: chain.Actions{Inverted: true, Names: actionToOpMap["GetObject"]},
Resources: chain.Resources{Inverted: true, Names: []string{
fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName].EncodeToString()),
}},
Condition: []chain.Condition{
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
Value: string(mockResolver.users[user].Bytes()),
},
{
Op: chain.CondStringLike,
@ -227,19 +217,6 @@ func TestConverters(t *testing.T) {
},
},
},
{
Status: chain.AccessDenied,
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
Resources: chain.Resources{Names: []string{
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
}},
Condition: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
}},
},
}}
nativeChain, err := ConvertToNativeChain(p, mockResolver)
@ -296,65 +273,6 @@ func TestConverters(t *testing.T) {
_, err := ConvertToNativeChain(p, mockResolver)
require.Error(t, err)
})
t.Run("invalid policy (missing s3 actions)", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Resource: []string{"arn:aws:s3:::" + resource},
}},
}
_, err := ConvertToS3Chain(p, mockResolver)
require.Error(t, err)
})
t.Run("valid mixed iam/s3 actions", func(t *testing.T) {
p := Policy{
Statement: []Statement{{
Principal: map[PrincipalType][]string{AWSPrincipalType: {principal}},
Effect: AllowEffect,
Action: []string{"s3:DeleteObject", "iam:*"},
Resource: []string{"*"},
}},
}
s3Expected := &chain.Chain{Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{"s3:DeleteObject", "s3:DeleteMultipleObjects", "iam:*"}},
Resources: chain.Resources{Names: []string{"*"}},
Condition: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: s3.PropertyKeyOwner,
Value: mockResolver.users[user],
}},
}}}
s3Chain, err := ConvertToS3Chain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, s3Expected, s3Chain)
nativeExpected := &chain.Chain{Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject}},
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects}},
Condition: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
}},
}}}
nativeChain, err := ConvertToNativeChain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, nativeExpected, nativeChain)
})
}
func TestConvertToChainCondition(t *testing.T) {
@ -621,10 +539,10 @@ func TestComplexNativeConditions(t *testing.T) {
key1, key2 := "key1", "key2"
val0, val1, val2 := "val0", "val1", "val2"
mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
nativeResource1 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName1])
nativeResource2 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName2])
nativeResource3 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName3])
mockResolver := newMockUserResolver(t, []string{user1, user2}, []string{bktName1, bktName2, bktName3})
nativeResource1 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName1].EncodeToString())
nativeResource2 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName2].EncodeToString())
nativeResource3 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName3].EncodeToString())
p := Policy{
Version: "2012-10-17",
@ -643,12 +561,12 @@ func TestComplexNativeConditions(t *testing.T) {
}
expectedStatus := chain.AccessDenied
expectedActions := chain.Actions{Names: supportedActionToNativeOpMap["s3:"+action]}
expectedActions := chain.Actions{Names: actionToOpMap[action]}
expectedResource1 := chain.Resources{Names: []string{nativeResource1}}
expectedResource23 := chain.Resources{Names: []string{nativeResource2, nativeResource3}}
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user1]}
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user2]}
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: string(mockResolver.users[user1].Bytes())}
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: string(mockResolver.users[user2].Bytes())}
objectName1Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectResource, Key: PropertyKeyFilePath, Value: objName1}
key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
@ -746,7 +664,7 @@ func TestComplexNativeConditions(t *testing.T) {
requireChainRulesMatch(t, expected.Rules, nativeChain.Rules)
s := inmemory.NewInMemory()
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), nativeChain)
err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), nativeChain)
require.NoError(t, err)
for _, tc := range []struct {
@ -760,12 +678,12 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket resource1, all conditions matched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName2].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
key1: val0,
key2: val2,
},
@ -774,12 +692,12 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket resource3, all conditions matched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName3].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
key1: val0,
key2: val2,
},
@ -788,7 +706,7 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket resource, user condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName2].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
@ -801,12 +719,12 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket resource, key2 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName3].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
key1: val0,
key2: val0,
},
@ -815,12 +733,12 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket resource, key1 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName2].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
key2: val2,
},
status: chain.NoRuleFound,
@ -828,12 +746,12 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket/object resource, all conditions matched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
key1: val0,
key2: val2,
},
@ -842,7 +760,7 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket/object resource, user condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
@ -856,7 +774,7 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket/object resource, key1 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
@ -869,7 +787,7 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket/object resource, key2 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
@ -883,12 +801,12 @@ func TestComplexNativeConditions(t *testing.T) {
{
name: "bucket/object resource, object filepath condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
key1: val0,
key2: val2,
},
@ -902,7 +820,7 @@ func TestComplexNativeConditions(t *testing.T) {
PropertyKeyFilePath: objName1,
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
key1: val0,
key2: val2,
},
@ -911,7 +829,7 @@ func TestComplexNativeConditions(t *testing.T) {
} {
t.Run(tc.name, func(t *testing.T) {
req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
status, _, err := s.IsAllowed("name", "ns", req)
require.NoError(t, err)
require.Equal(t, tc.status.String(), status.String())
})
@ -926,16 +844,15 @@ func TestComplexS3Conditions(t *testing.T) {
principal2 := "arn:aws:iam::" + namespace + ":user/" + userName2
bktName1, bktName2, bktName3 := "bktName", "bktName2", "bktName3"
objName1 := "objName1"
resource1 := fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, objName1)
resource2 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName2)
resource3 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName3)
action := "s3:DeleteObject"
action2 := "s3:DeleteMultipleObjects"
resource1 := bktName1 + "/" + objName1
resource2 := bktName2 + "/*"
resource3 := bktName3 + "/*"
action := "PutObject"
key1, key2 := "key1", "key2"
val0, val1, val2 := "val0", "val1", "val2"
mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
mockResolver := newMockUserResolver(t, []string{user1, user2}, []string{bktName1, bktName2, bktName3})
p := Policy{
Version: "2012-10-17",
@ -944,8 +861,8 @@ func TestComplexS3Conditions(t *testing.T) {
AWSPrincipalType: {principal1, principal2},
},
Effect: DenyEffect,
Action: []string{action},
Resource: []string{resource1, resource2, resource3},
Action: []string{"s3:" + action},
Resource: []string{"arn:aws:s3:::" + resource1, "arn:aws:s3:::" + resource2, "arn:aws:s3:::" + resource3},
Conditions: map[string]Condition{
CondStringEquals: {key1: {val0, val1}},
CondStringLike: {key2: {val2}},
@ -954,11 +871,11 @@ func TestComplexS3Conditions(t *testing.T) {
}
expectedStatus := chain.AccessDenied
expectedActions := chain.Actions{Names: []string{action, action2}}
expectedActions := chain.Actions{Names: actionToOpMap[action]}
expectedResources := chain.Resources{Names: []string{resource1, resource2, resource3}}
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user1]}
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user2]}
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user1].Address()}
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user2].Address()}
key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
key2val2Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: key2, Value: val2}
@ -1011,7 +928,7 @@ func TestComplexS3Conditions(t *testing.T) {
requireChainRulesMatch(t, expected.Rules, s3Chain.Rules)
s := inmemory.NewInMemory()
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), s3Chain)
err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), s3Chain)
require.NoError(t, err)
for _, tc := range []struct {
@ -1027,7 +944,7 @@ func TestComplexS3Conditions(t *testing.T) {
action: action,
resource: resource1,
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
key1: val0,
key2: val2,
},
@ -1036,9 +953,9 @@ func TestComplexS3Conditions(t *testing.T) {
{
name: "bucket resource3, all conditions matched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
resource: bktName3 + "/some-obj",
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
key1: val0,
key2: val2,
},
@ -1047,7 +964,7 @@ func TestComplexS3Conditions(t *testing.T) {
{
name: "bucket resource, user condition mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
resource: bktName2 + "/some-obj",
requestMap: map[string]string{
key1: val0,
key2: val2,
@ -1057,9 +974,9 @@ func TestComplexS3Conditions(t *testing.T) {
{
name: "bucket resource, key2 condition mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
resource: bktName3 + "/some-obj",
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
key1: val0,
key2: val0,
},
@ -1068,9 +985,9 @@ func TestComplexS3Conditions(t *testing.T) {
{
name: "bucket resource, key1 condition mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
resource: bktName2 + "/some-obj",
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
key2: val2,
},
status: chain.NoRuleFound,
@ -1080,7 +997,7 @@ func TestComplexS3Conditions(t *testing.T) {
action: action,
resource: resource1,
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
key1: val0,
key2: val2,
},
@ -1089,9 +1006,9 @@ func TestComplexS3Conditions(t *testing.T) {
{
name: "bucket/object resource, resource mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, "some-obj"),
resource: bktName1 + "/some-obj",
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
key1: val0,
key2: val2,
},
@ -1132,9 +1049,9 @@ func TestComplexS3Conditions(t *testing.T) {
{
name: "resource mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, "some-bkt", "some-obj"),
resource: "some-bkt/some-obj",
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
key1: val0,
key2: val2,
},
@ -1143,229 +1060,13 @@ func TestComplexS3Conditions(t *testing.T) {
} {
t.Run(tc.name, func(t *testing.T) {
req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
status, _, err := s.IsAllowed("name", "ns", req)
require.NoError(t, err)
require.Equal(t, tc.status.String(), status.String())
})
}
}
func TestS3BucketResource(t *testing.T) {
namespace := "ns"
bktName1, bktName2 := "bucket1", "bucket2"
chainName := chain.Name("name")
mockResolver := newMockUserResolver([]string{}, []string{}, "")
p := Policy{
Version: "2012-10-17",
Statement: []Statement{
{
Principal: map[PrincipalType][]string{Wildcard: nil},
Effect: DenyEffect,
Action: []string{"s3:HeadBucket"},
Resource: []string{fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1)},
},
{
Principal: map[PrincipalType][]string{Wildcard: nil},
Effect: AllowEffect,
Action: []string{"*"},
Resource: []string{s3.ResourceFormatS3All},
},
},
}
s3Chain, err := ConvertToS3Chain(p, mockResolver)
require.NoError(t, err)
s := inmemory.NewInMemory()
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chainName, engine.NamespaceTarget(namespace), s3Chain)
require.NoError(t, err)
// check we match just "bucket1" resource
req := testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1), nil), nil)
status, _, err := s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
require.NoError(t, err)
require.Equal(t, chain.AccessDenied.String(), status.String())
// check we match just "bucket2" resource
req = testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName2), nil), nil)
status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
require.NoError(t, err)
require.Equal(t, chain.Allow.String(), status.String())
// check we also match "bucket2/object" resource
req = testutil.NewRequest("s3:PutObject", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "object"), nil), nil)
status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
require.NoError(t, err)
require.Equal(t, chain.Allow.String(), status.String())
}
func TestWildcardConverters(t *testing.T) {
policy := `{"Version":"2012-10-17","Statement":{"Effect":"Allow", "Principal": "*", "Action":"*","Resource":"*"}}`
var p Policy
err := json.Unmarshal([]byte(policy), &p)
require.NoError(t, err)
s3Expected := &chain.Chain{
Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{Wildcard}},
Resources: chain.Resources{Names: []string{Wildcard}},
}},
}
s3Chain, err := ConvertToS3Chain(p, newMockUserResolver(nil, nil, ""))
require.NoError(t, err)
require.Equal(t, s3Expected, s3Chain)
nativeExpected := &chain.Chain{
Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{Wildcard}},
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}},
}},
}
nativeChain, err := ConvertToNativeChain(p, newMockUserResolver(nil, nil, ""))
require.NoError(t, err)
require.Equal(t, nativeExpected, nativeChain)
}
func TestActionParsing(t *testing.T) {
for _, tc := range []struct {
action string
err bool
}{
{
action: "withoutPrefix",
err: true,
},
{
action: "s3:*Object",
err: true,
},
{
action: "*",
},
{
action: "s3:PutObject",
},
{
action: "s3:Put*",
},
{
action: "s3:*",
},
{
action: "s3:",
},
{
action: "iam:ListAccessKeys",
},
{
action: "iam:*",
},
} {
t.Run("", func(t *testing.T) {
err := validateAction(tc.action)
if tc.err {
require.Error(t, err)
} else {
require.NoError(t, err)
}
})
}
}
func TestPrincipalParsing(t *testing.T) {
for _, tc := range []struct {
principal string
expectedAccount string
expectedUser string
err bool
}{
{
principal: "withoutPrefix",
err: true,
},
{
principal: "*",
err: true,
},
{
principal: "arn:aws:iam:::dummy",
err: true,
},
{
principal: "arn:aws:iam::",
err: true,
},
{
principal: "arn:aws:iam:::dummy/test",
err: true,
},
{
principal: "arn:aws:iam:::user/",
err: true,
},
{
principal: "arn:aws:iam:::user/user/",
err: true,
},
{
principal: "arn:aws:iam:::user/name",
expectedUser: "name",
},
{
principal: "arn:aws:iam:::user/path/name",
expectedUser: "name",
},
{
principal: "arn:aws:iam::root:user/path/name",
expectedAccount: "root",
expectedUser: "name",
},
} {
t.Run("", func(t *testing.T) {
account, user, err := parsePrincipalAsIAMUser(tc.principal)
if tc.err {
require.Error(t, err)
return
}
require.NoError(t, err)
require.Equal(t, tc.expectedAccount, account)
require.Equal(t, tc.expectedUser, user)
})
}
}
func TestResourceParsing(t *testing.T) {
for _, tc := range []struct {
resource string
err bool
}{
{resource: "withoutPrefixAnd", err: true},
{resource: "arn:aws:s3:::*/obj", err: true},
{resource: "arn:aws:s3:::bkt/*"},
{resource: "arn:aws:s3:::bkt"},
{resource: "arn:aws:s3:::bkt/"},
{resource: "arn:aws:s3:::*"},
{resource: "*"},
} {
t.Run("", func(t *testing.T) {
err := validateResource(tc.resource)
if tc.err {
require.Error(t, err)
} else {
require.NoError(t, err)
}
})
}
}
func requireChainRulesMatch(t *testing.T, expected, actual []chain.Rule) {
require.Equal(t, len(expected), len(actual), "length of chain rules differ")

View file

@ -2,14 +2,8 @@ package iam
import (
"encoding/json"
"fmt"
"testing"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/stretchr/testify/require"
)
@ -434,70 +428,3 @@ func TestValidatePolicies(t *testing.T) {
})
}
}
func TestProcessDenyFirst(t *testing.T) {
identityBasedPolicyStr := `
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [ "arn:aws:iam::root:user/user-name" ]
},
"Action": ["s3:PutObject" ],
"Resource": "arn:aws:s3:::*"
}
]
}
`
resourceBasedPolicyStr := `
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [ "arn:aws:s3:::test-bucket/*" ]
}
]
}
`
var identityPolicy Policy
err := json.Unmarshal([]byte(identityBasedPolicyStr), &identityPolicy)
require.NoError(t, err)
var resourcePolicy Policy
err = json.Unmarshal([]byte(resourceBasedPolicyStr), &resourcePolicy)
require.NoError(t, err)
mockResolver := newMockUserResolver([]string{"root/user-name"}, []string{"test-bucket"}, "")
identityNativePolicy, err := ConvertToNativeChain(identityPolicy, mockResolver)
require.NoError(t, err)
identityNativePolicy.MatchType = chain.MatchTypeFirstMatch
resourceNativePolicy, err := ConvertToNativeChain(resourcePolicy, mockResolver)
require.NoError(t, err)
s := inmemory.NewInMemory()
target := engine.NamespaceTarget("ns")
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, identityNativePolicy)
require.NoError(t, err)
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, resourceNativePolicy)
require.NoError(t, err)
resource := testutil.NewResource(fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers["test-bucket"]), nil)
request := testutil.NewRequest("PutObject", resource, map[string]string{native.PropertyKeyActorPublicKey: mockResolver.users["root/user-name"]})
status, found, err := s.IsAllowed(chain.Ingress, engine.NewRequestTarget("ns", ""), request)
require.NoError(t, err)
require.True(t, found)
require.Equal(t, chain.AccessDenied, status)
}

View file

@ -1,38 +1,25 @@
package chain
import (
"encoding/json"
"fmt"
"strings"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
"git.frostfs.info/TrueCloudLab/policy-engine/util"
"golang.org/x/exp/slices"
)
// ID is the ID of rule chain.
type ID []byte
type ID string
// MatchType is the match type for chain rules.
type MatchType uint8
const (
// MatchTypeDenyPriority rejects the request if any `Deny` is specified.
MatchTypeDenyPriority MatchType = 0
// MatchTypeFirstMatch returns the first rule action matched to the request.
MatchTypeFirstMatch MatchType = 1
)
//easyjson:json
type Chain struct {
ID ID
Rules []Rule
MatchType MatchType
}
func (c *Chain) Bytes() []byte {
data, err := c.MarshalBinary()
data, err := json.Marshal(c)
if err != nil {
panic(err)
}
@ -40,7 +27,7 @@ func (c *Chain) Bytes() []byte {
}
func (c *Chain) DecodeBytes(b []byte) error {
return c.UnmarshalBinary(b)
return json.Unmarshal(b, c)
}
type Rule struct {
@ -77,8 +64,6 @@ type ObjectType byte
const (
ObjectResource ObjectType = iota
ObjectRequest
ContainerResource
ContainerRequest
)
type ConditionType byte
@ -106,48 +91,45 @@ const (
CondNumericLessThanEquals
CondNumericGreaterThan
CondNumericGreaterThanEquals
CondSliceContains
)
var condToStr = []struct {
ct ConditionType
str string
}{
{CondStringEquals, "StringEquals"},
{CondStringNotEquals, "StringNotEquals"},
{CondStringEqualsIgnoreCase, "StringEqualsIgnoreCase"},
{CondStringNotEqualsIgnoreCase, "StringNotEqualsIgnoreCase"},
{CondStringLike, "StringLike"},
{CondStringNotLike, "StringNotLike"},
{CondStringLessThan, "StringLessThan"},
{CondStringLessThanEquals, "StringLessThanEquals"},
{CondStringGreaterThan, "StringGreaterThan"},
{CondStringGreaterThanEquals, "StringGreaterThanEquals"},
{CondNumericEquals, "NumericEquals"},
{CondNumericNotEquals, "NumericNotEquals"},
{CondNumericLessThan, "NumericLessThan"},
{CondNumericLessThanEquals, "NumericLessThanEquals"},
{CondNumericGreaterThan, "NumericGreaterThan"},
{CondNumericGreaterThanEquals, "NumericGreaterThanEquals"},
{CondSliceContains, "SliceContains"},
}
func (c ConditionType) String() string {
for _, v := range condToStr {
if v.ct == c {
return v.str
}
switch c {
case CondStringEquals:
return "StringEquals"
case CondStringNotEquals:
return "StringNotEquals"
case CondStringEqualsIgnoreCase:
return "StringEqualsIgnoreCase"
case CondStringNotEqualsIgnoreCase:
return "StringNotEqualsIgnoreCase"
case CondStringLike:
return "StringLike"
case CondStringNotLike:
return "StringNotLike"
case CondStringLessThan:
return "StringLessThan"
case CondStringLessThanEquals:
return "StringLessThanEquals"
case CondStringGreaterThan:
return "StringGreaterThan"
case CondStringGreaterThanEquals:
return "StringGreaterThanEquals"
case CondNumericEquals:
return "NumericEquals"
case CondNumericNotEquals:
return "NumericNotEquals"
case CondNumericLessThan:
return "NumericLessThan"
case CondNumericLessThanEquals:
return "NumericLessThanEquals"
case CondNumericGreaterThan:
return "NumericGreaterThan"
case CondNumericGreaterThanEquals:
return "NumericGreaterThanEquals"
default:
return "unknown condition type"
}
return "unknown condition type"
}
const condSliceContainsDelimiter = "\x00"
// FormCondSliceContainsValue builds value for ObjectResource or ObjectRequest property
// that can be matched by CondSliceContains condition.
func FormCondSliceContainsValue(values []string) string {
return strings.Join(values, condSliceContainsDelimiter)
}
func (c *Condition) Match(req resource.Request) bool {
@ -184,8 +166,6 @@ func (c *Condition) Match(req resource.Request) bool {
return val > c.Value
case CondStringGreaterThanEquals:
return val >= c.Value
case CondSliceContains:
return slices.Contains(strings.Split(val, condSliceContainsDelimiter), c.Value)
}
}
@ -234,17 +214,6 @@ func (r *Rule) matchAll(obj resource.Request) (status Status, matched bool) {
}
func (c *Chain) Match(req resource.Request) (status Status, matched bool) {
switch c.MatchType {
case MatchTypeDenyPriority:
return c.denyPriority(req)
case MatchTypeFirstMatch:
return c.firstMatch(req)
default:
panic(fmt.Sprintf("unknown MatchType %d", c.MatchType))
}
}
func (c *Chain) firstMatch(req resource.Request) (status Status, matched bool) {
for i := range c.Rules {
status, matched := c.Rules[i].Match(req)
if matched {
@ -253,21 +222,3 @@ func (c *Chain) firstMatch(req resource.Request) (status Status, matched bool) {
}
return NoRuleFound, false
}
func (c *Chain) denyPriority(req resource.Request) (status Status, matched bool) {
var allowFound bool
for i := range c.Rules {
status, matched := c.Rules[i].Match(req)
if !matched {
continue
}
if status != Allow {
return status, true
}
allowFound = true
}
if allowFound {
return Allow, true
}
return NoRuleFound, false
}

Binary file not shown.

View file

@ -7,7 +7,4 @@ const (
// Ingress represents chains applied when crossing user/storage network boundary.
// It is not applied when talking between nodes.
Ingress Name = "ingress"
// S3 represents chains applied when crossing user/s3 network boundary.
S3 Name = "s3"
)

View file

@ -3,28 +3,11 @@ package chain
import (
"testing"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/stretchr/testify/require"
)
func TestChainIDSerialization(t *testing.T) {
chainIDBytes := []byte{93, 236, 80, 138, 168, 3, 144, 92, 173, 141, 16, 42, 249, 90, 97, 109, 211, 169, 54, 163}
chain1 := &Chain{ID: ID(chainIDBytes)}
data := chain1.Bytes()
var chain2 Chain
err := chain2.DecodeBytes(data)
require.NoError(t, err)
require.Equal(t, chain1.ID, chain2.ID)
}
func TestEncodeDecode(t *testing.T) {
expected := Chain{
MatchType: MatchTypeFirstMatch,
Rules: []Rule{
{
Status: Allow,
@ -48,104 +31,3 @@ func TestEncodeDecode(t *testing.T) {
require.NoError(t, actual.DecodeBytes(data))
require.Equal(t, expected, actual)
}
func TestReturnFirstMatch(t *testing.T) {
ch := Chain{
Rules: []Rule{
{
Status: Allow,
Actions: Actions{Names: []string{
native.MethodPutObject,
}},
Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
Condition: []Condition{},
},
{
Status: AccessDenied,
Actions: Actions{Names: []string{
native.MethodPutObject,
}},
Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
Condition: []Condition{},
},
},
}
resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
request := testutil.NewRequest(native.MethodPutObject, resource, nil)
t.Run("default match", func(t *testing.T) {
st, found := ch.Match(request)
require.True(t, found)
require.Equal(t, AccessDenied, st)
})
t.Run("return first match", func(t *testing.T) {
ch.MatchType = MatchTypeFirstMatch
st, found := ch.Match(request)
require.True(t, found)
require.Equal(t, Allow, st)
})
}
func TestCondSliceContainsMatch(t *testing.T) {
propKey := common.PropertyKeyFrostFSIDGroupID
groupID := "1"
ch := Chain{Rules: []Rule{{
Status: Allow,
Actions: Actions{Names: []string{native.MethodPutObject}},
Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
Condition: []Condition{{
Op: CondSliceContains,
Object: ObjectRequest,
Key: propKey,
Value: groupID,
}},
}}}
for _, tc := range []struct {
name string
value string
status Status
}{
{
name: "simple value",
value: groupID,
status: Allow,
},
{
name: "simple value by func",
value: FormCondSliceContainsValue([]string{groupID}),
status: Allow,
},
{
name: "multiple values by func",
value: FormCondSliceContainsValue([]string{groupID, "2", "3"}),
status: Allow,
},
{
name: "simple mismatched",
value: "3",
status: NoRuleFound,
},
{
name: "multiple mismatched",
value: FormCondSliceContainsValue([]string{"11", "12"}),
status: NoRuleFound,
},
{
name: "comma correct handling mismatched",
value: "1,11",
status: NoRuleFound,
},
} {
t.Run(tc.name, func(t *testing.T) {
resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
request := testutil.NewRequest(native.MethodPutObject, resource, map[string]string{propKey: tc.value})
st, _ := ch.Match(request)
require.Equal(t, tc.status.String(), st.String())
})
}
}

View file

@ -1,257 +0,0 @@
package chain
import (
"encoding"
"fmt"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/marshal"
)
const (
ChainMarshalVersion uint8 = 0 // increase if breaking change
)
var (
_ encoding.BinaryMarshaler = (*Chain)(nil)
_ encoding.BinaryUnmarshaler = (*Chain)(nil)
)
func (c *Chain) MarshalBinary() ([]byte, error) {
s := marshal.UInt8Size // Marshaller version
s += marshal.UInt8Size // Chain version
s += marshal.SliceSize(c.ID, func(byte) int { return marshal.ByteSize })
s += marshal.SliceSize(c.Rules, ruleSize)
s += marshal.UInt8Size // MatchType
buf := make([]byte, s)
var offset int
var err error
offset, err = marshal.UInt8Marshal(buf, offset, marshal.Version)
if err != nil {
return nil, err
}
offset, err = marshal.UInt8Marshal(buf, offset, ChainMarshalVersion)
if err != nil {
return nil, err
}
offset, err = marshal.SliceMarshal(buf, offset, c.ID, marshal.ByteMarshal)
if err != nil {
return nil, err
}
offset, err = marshal.SliceMarshal(buf, offset, c.Rules, marshalRule)
if err != nil {
return nil, err
}
offset, err = marshal.UInt8Marshal(buf, offset, uint8(c.MatchType))
if err != nil {
return nil, err
}
if err := marshal.VerifyMarshal(buf, offset); err != nil {
return nil, err
}
return buf, nil
}
func (c *Chain) UnmarshalBinary(data []byte) error {
var offset int
marshallerVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
if err != nil {
return err
}
if marshallerVersion != marshal.Version {
return fmt.Errorf("unsupported marshaller version %d", marshallerVersion)
}
chainVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
if err != nil {
return err
}
if chainVersion != ChainMarshalVersion {
return fmt.Errorf("unsupported chain version %d", chainVersion)
}
idBytes, offset, err := marshal.SliceUnmarshal(data, offset, marshal.ByteUnmarshal)
if err != nil {
return err
}
c.ID = ID(idBytes)
c.Rules, offset, err = marshal.SliceUnmarshal(data, offset, unmarshalRule)
if err != nil {
return err
}
matchTypeV, offset, err := marshal.UInt8Unmarshal(data, offset)
if err != nil {
return err
}
c.MatchType = MatchType(matchTypeV)
return marshal.VerifyUnmarshal(data, offset)
}
func ruleSize(r Rule) int {
s := marshal.ByteSize // Status
s += actionsSize(r.Actions)
s += resourcesSize(r.Resources)
s += marshal.BoolSize // Any
s += marshal.SliceSize(r.Condition, conditionSize)
return s
}
func marshalRule(buf []byte, offset int, r Rule) (int, error) {
offset, err := marshal.ByteMarshal(buf, offset, byte(r.Status))
if err != nil {
return 0, err
}
offset, err = marshalActions(buf, offset, r.Actions)
if err != nil {
return 0, err
}
offset, err = marshalResources(buf, offset, r.Resources)
if err != nil {
return 0, err
}
offset, err = marshal.BoolMarshal(buf, offset, r.Any)
if err != nil {
return 0, err
}
return marshal.SliceMarshal(buf, offset, r.Condition, marshalCondition)
}
func unmarshalRule(buf []byte, offset int) (Rule, int, error) {
var r Rule
statusV, offset, err := marshal.ByteUnmarshal(buf, offset)
if err != nil {
return Rule{}, 0, err
}
r.Status = Status(statusV)
r.Actions, offset, err = unmarshalActions(buf, offset)
if err != nil {
return Rule{}, 0, err
}
r.Resources, offset, err = unmarshalResources(buf, offset)
if err != nil {
return Rule{}, 0, err
}
r.Any, offset, err = marshal.BoolUnmarshal(buf, offset)
if err != nil {
return Rule{}, 0, err
}
r.Condition, offset, err = marshal.SliceUnmarshal(buf, offset, unmarshalCondition)
if err != nil {
return Rule{}, 0, err
}
return r, offset, nil
}
func actionsSize(a Actions) int {
return marshal.BoolSize + // Inverted
marshal.SliceSize(a.Names, marshal.StringSize)
}
func marshalActions(buf []byte, offset int, a Actions) (int, error) {
offset, err := marshal.BoolMarshal(buf, offset, a.Inverted)
if err != nil {
return 0, err
}
return marshal.SliceMarshal(buf, offset, a.Names, marshal.StringMarshal)
}
func unmarshalActions(buf []byte, offset int) (Actions, int, error) {
var a Actions
var err error
a.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
if err != nil {
return Actions{}, 0, err
}
a.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
if err != nil {
return Actions{}, 0, err
}
return a, offset, nil
}
func resourcesSize(r Resources) int {
return marshal.BoolSize + // Inverted
marshal.SliceSize(r.Names, marshal.StringSize)
}
func marshalResources(buf []byte, offset int, r Resources) (int, error) {
offset, err := marshal.BoolMarshal(buf, offset, r.Inverted)
if err != nil {
return 0, err
}
return marshal.SliceMarshal(buf, offset, r.Names, marshal.StringMarshal)
}
func unmarshalResources(buf []byte, offset int) (Resources, int, error) {
var r Resources
var err error
r.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
if err != nil {
return Resources{}, 0, err
}
r.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
if err != nil {
return Resources{}, 0, err
}
return r, offset, nil
}
func conditionSize(c Condition) int {
return marshal.ByteSize + // Op
marshal.ByteSize + // Object
marshal.StringSize(c.Key) +
marshal.StringSize(c.Value)
}
func marshalCondition(buf []byte, offset int, c Condition) (int, error) {
offset, err := marshal.ByteMarshal(buf, offset, byte(c.Op))
if err != nil {
return 0, err
}
offset, err = marshal.ByteMarshal(buf, offset, byte(c.Object))
if err != nil {
return 0, err
}
offset, err = marshal.StringMarshal(buf, offset, c.Key)
if err != nil {
return 0, err
}
return marshal.StringMarshal(buf, offset, c.Value)
}
func unmarshalCondition(buf []byte, offset int) (Condition, int, error) {
var c Condition
opV, offset, err := marshal.ByteUnmarshal(buf, offset)
if err != nil {
return Condition{}, 0, err
}
c.Op = ConditionType(opV)
obV, offset, err := marshal.ByteUnmarshal(buf, offset)
if err != nil {
return Condition{}, 0, err
}
c.Object = ObjectType(obV)
c.Key, offset, err = marshal.StringUnmarshal(buf, offset)
if err != nil {
return Condition{}, 0, err
}
c.Value, offset, err = marshal.StringUnmarshal(buf, offset)
if err != nil {
return Condition{}, 0, err
}
return c, offset, nil
}

View file

@ -1,272 +0,0 @@
package chain
import (
"fmt"
"testing"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/google/uuid"
"github.com/stretchr/testify/require"
)
func TestChainMarshalling(t *testing.T) {
t.Parallel()
for _, id := range generateTestIDs() {
for _, rules := range generateTestRules() {
for _, matchType := range generateTestMatchTypes() {
performMarshalTest(t, id, rules, matchType)
}
}
}
}
func TestInvalidChainData(t *testing.T) {
var ch Chain
require.Error(t, ch.UnmarshalBinary(nil))
require.Error(t, ch.UnmarshalBinary([]byte{}))
require.Error(t, ch.UnmarshalBinary([]byte{1, 2, 3}))
require.Error(t, ch.UnmarshalBinary([]byte("\x00\x00:aws:iam::namespace:group/so\x82\x82\x82\x82\x82\x82u\x82")))
}
func FuzzUnmarshal(f *testing.F) {
for _, id := range generateTestIDs() {
for _, rules := range generateTestRules() {
for _, matchType := range generateTestMatchTypes() {
chain := Chain{
ID: id,
Rules: rules,
MatchType: matchType,
}
data, err := chain.MarshalBinary()
require.NoError(f, err)
f.Add(data)
}
}
}
f.Fuzz(func(t *testing.T, data []byte) {
var ch Chain
require.NotPanics(t, func() {
_ = ch.UnmarshalBinary(data)
})
})
}
func performMarshalTest(t *testing.T, id ID, r []Rule, mt MatchType) {
chain := Chain{
ID: id,
Rules: r,
MatchType: mt,
}
data, err := chain.MarshalBinary()
require.NoError(t, err)
var unmarshalledChain Chain
require.NoError(t, unmarshalledChain.UnmarshalBinary(data))
require.Equal(t, chain, unmarshalledChain)
}
func generateTestIDs() []ID {
return []ID{
ID(""),
ID(uuid.New().String()),
ID("*::/"),
ID("avada kedavra"),
ID("arn:aws:iam::namespace:group/some_group"),
ID("$Object:homomorphicHash"),
ID("native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
}
}
func generateTestRules() [][]Rule {
result := [][]Rule{
nil,
{},
{},
}
for _, st := range generateTestStatuses() {
for _, act := range generateTestActions() {
for _, res := range generateTestResources() {
for _, cond := range generateTestConditions() {
result[2] = append(result[2], Rule{
Status: st,
Actions: act,
Resources: res,
Condition: cond,
Any: true,
})
result[2] = append(result[2], Rule{
Status: st,
Actions: act,
Resources: res,
Condition: cond,
})
}
}
}
}
return result
}
func generateTestStatuses() []Status {
return []Status{
Allow,
NoRuleFound,
AccessDenied,
QuotaLimitReached,
}
}
func generateTestActions() []Actions {
return []Actions{
{
Inverted: true,
Names: nil,
},
{
Names: nil,
},
{
Inverted: true,
Names: []string{},
},
{
Names: []string{},
},
{
Inverted: true,
Names: []string{native.MethodPutObject},
},
{
Names: []string{native.MethodPutObject},
},
{
Inverted: true,
Names: []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
},
{
Names: []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
},
}
}
func generateTestResources() []Resources {
return []Resources{
{
Inverted: true,
Names: nil,
},
{
Names: nil,
},
{
Inverted: true,
Names: []string{},
},
{
Names: []string{},
},
{
Inverted: true,
Names: []string{native.ResourceFormatAllObjects},
},
{
Names: []string{native.ResourceFormatAllObjects},
},
{
Inverted: true,
Names: []string{
native.ResourceFormatAllObjects,
fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
},
},
{
Names: []string{
native.ResourceFormatAllObjects,
fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
},
},
}
}
func generateTestConditions() [][]Condition {
result := [][]Condition{
nil,
{},
{},
}
for _, ct := range generateTestConditionTypes() {
for _, ot := range generateObjectTypes() {
result[2] = append(result[2], Condition{
Op: ct,
Object: ot,
Key: "",
Value: "",
})
result[2] = append(result[2], Condition{
Op: ct,
Object: ot,
Key: "key",
Value: "",
})
result[2] = append(result[2], Condition{
Op: ct,
Object: ot,
Key: "",
Value: "value",
})
result[2] = append(result[2], Condition{
Op: ct,
Object: ot,
Key: "key",
Value: "value",
})
}
}
return result
}
func generateTestConditionTypes() []ConditionType {
return []ConditionType{
CondStringEquals,
CondStringNotEquals,
CondStringEqualsIgnoreCase,
CondStringNotEqualsIgnoreCase,
CondStringLike,
CondStringNotLike,
CondStringLessThan,
CondStringLessThanEquals,
CondStringGreaterThan,
CondStringGreaterThanEquals,
CondNumericEquals,
CondNumericNotEquals,
CondNumericLessThan,
CondNumericLessThanEquals,
CondNumericGreaterThan,
CondNumericGreaterThanEquals,
CondSliceContains,
}
}
func generateObjectTypes() []ObjectType {
return []ObjectType{
ObjectResource,
ObjectRequest,
}
}
func generateTestMatchTypes() []MatchType {
return []MatchType{
MatchTypeDenyPriority,
MatchTypeFirstMatch,
}
}

View file

@ -1,145 +0,0 @@
package chain
import (
"fmt"
"strconv"
jlexer "github.com/mailru/easyjson/jlexer"
jwriter "github.com/mailru/easyjson/jwriter"
)
// Run `make generate`` if types added or changed
var matchTypeToJSONValue = []struct {
mt MatchType
str string
}{
{MatchTypeDenyPriority, "DenyPriority"},
{MatchTypeFirstMatch, "FirstMatch"},
}
var statusToJSONValue = []struct {
s Status
str string
}{
{Allow, "Allow"},
{NoRuleFound, "NoRuleFound"},
{AccessDenied, "AccessDenied"},
{QuotaLimitReached, "QuotaLimitReached"},
}
var objectTypeToJSONValue = []struct {
t ObjectType
str string
}{
{ObjectRequest, "Request"},
{ObjectResource, "Resource"},
}
func (mt MatchType) MarshalEasyJSON(w *jwriter.Writer) {
for _, p := range matchTypeToJSONValue {
if p.mt == mt {
w.String(p.str)
return
}
}
w.String(strconv.FormatUint(uint64(mt), 10))
}
func (mt *MatchType) UnmarshalEasyJSON(l *jlexer.Lexer) {
str := l.String()
for _, p := range matchTypeToJSONValue {
if p.str == str {
*mt = p.mt
return
}
}
v, err := strconv.ParseUint(str, 10, 8)
if err != nil {
l.AddError(fmt.Errorf("failed to parse match type: %w", err))
return
}
*mt = MatchType(v)
}
func (st Status) MarshalEasyJSON(w *jwriter.Writer) {
for _, p := range statusToJSONValue {
if p.s == st {
w.String(p.str)
return
}
}
w.String(strconv.FormatUint(uint64(st), 10))
}
func (st *Status) UnmarshalEasyJSON(l *jlexer.Lexer) {
str := l.String()
for _, p := range statusToJSONValue {
if p.str == str {
*st = p.s
return
}
}
v, err := strconv.ParseUint(str, 10, 8)
if err != nil {
l.AddError(fmt.Errorf("failed to parse status: %w", err))
return
}
*st = Status(v)
}
func (ot ObjectType) MarshalEasyJSON(w *jwriter.Writer) {
for _, p := range objectTypeToJSONValue {
if p.t == ot {
w.String(p.str)
return
}
}
w.String(strconv.FormatUint(uint64(ot), 10))
}
func (ot *ObjectType) UnmarshalEasyJSON(l *jlexer.Lexer) {
str := l.String()
for _, p := range objectTypeToJSONValue {
if p.str == str {
*ot = p.t
return
}
}
v, err := strconv.ParseUint(str, 10, 8)
if err != nil {
l.AddError(fmt.Errorf("failed to parse object type: %w", err))
return
}
*ot = ObjectType(v)
}
func (ct ConditionType) MarshalEasyJSON(w *jwriter.Writer) {
for _, p := range condToStr {
if p.ct == ct {
w.String(p.str)
return
}
}
w.String(strconv.FormatUint(uint64(ct), 10))
}
func (ct *ConditionType) UnmarshalEasyJSON(l *jlexer.Lexer) {
str := l.String()
for _, p := range condToStr {
if p.str == str {
*ct = p.ct
return
}
}
v, err := strconv.ParseUint(str, 10, 8)
if err != nil {
l.AddError(fmt.Errorf("failed to parse condition type: %w", err))
return
}
*ct = ConditionType(v)
}

View file

@ -1,121 +0,0 @@
package chain
import (
"fmt"
"os"
"testing"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/stretchr/testify/require"
)
func TestID(t *testing.T) {
key, err := keys.NewPrivateKeyFromWIF("L5eVx6HcHaFpQpvjQ3fy29uKDZ8rQ34bfMVx4XfZMm52EqafpNMg") // s3-gw key
require.NoError(t, err)
chain1 := &Chain{ID: ID(key.PublicKey().GetScriptHash().BytesBE())}
data := chain1.Bytes()
var chain2 Chain
require.NoError(t, chain2.DecodeBytes(data))
require.Equal(t, chain1.ID, chain2.ID)
data, err = chain1.MarshalJSON()
require.NoError(t, err)
require.NoError(t, chain2.UnmarshalJSON(data))
require.Equal(t, chain1.ID, chain2.ID)
}
func TestMatchTypeJson(t *testing.T) {
for _, mt := range []MatchType{MatchTypeDenyPriority, MatchTypeFirstMatch, MatchType(100)} {
var chain Chain
chain.MatchType = mt
data, err := chain.MarshalJSON()
require.NoError(t, err)
if mt == MatchTypeDenyPriority {
require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"DenyPriority\"}"), data)
} else if mt == MatchTypeFirstMatch {
require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"FirstMatch\"}"), data)
} else {
require.Equal(t, []byte(fmt.Sprintf("{\"ID\":null,\"Rules\":null,\"MatchType\":\"%d\"}", mt)), data)
}
var parsed Chain
require.NoError(t, parsed.UnmarshalJSON(data))
require.Equal(t, chain, parsed)
require.Error(t, parsed.UnmarshalJSON([]byte("{\"ID\":\"\",\"Rules\":null,\"MatchType\":\"NotValid\"}")))
}
}
func TestJsonEnums(t *testing.T) {
chain := Chain{
ID: []byte("2cca5ae7-cee8-428d-b45f-567fb1d03f01"), // will be encoded to base64
MatchType: MatchTypeFirstMatch,
Rules: []Rule{
{
Status: AccessDenied,
Actions: Actions{
Names: []string{native.MethodDeleteObject, native.MethodGetContainer},
},
Resources: Resources{
Names: []string{native.ResourceFormatAllObjects},
},
Condition: []Condition{
{
Op: CondStringEquals,
Object: ObjectRequest,
Key: native.PropertyKeyActorRole,
Value: native.PropertyValueContainerRoleOthers,
},
},
},
{
Status: QuotaLimitReached,
Actions: Actions{
Inverted: true,
Names: []string{native.MethodPutObject},
},
Resources: Resources{
Names: []string{fmt.Sprintf(native.ResourceFormatRootContainerObjects, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J")},
},
Any: true,
Condition: []Condition{
{
Op: CondStringNotLike,
Object: ObjectResource,
Key: native.PropertyKeyObjectType,
Value: "regular",
},
},
},
{
Status: Status(100),
Condition: []Condition{
{
Op: ConditionType(255),
Object: ObjectType(128),
},
},
},
},
}
data, err := chain.MarshalJSON()
require.NoError(t, err)
var parsed Chain
require.NoError(t, parsed.UnmarshalJSON(data))
require.Equal(t, chain, parsed)
expected, err := os.ReadFile("./testdata/test_status_json.json")
require.NoError(t, err)
require.NoError(t, parsed.UnmarshalJSON(expected))
require.Equal(t, chain, parsed)
}

View file

@ -1,75 +0,0 @@
{
"ID": "MmNjYTVhZTctY2VlOC00MjhkLWI0NWYtNTY3ZmIxZDAzZjAx",
"Rules": [
{
"Status": "AccessDenied",
"Actions": {
"Inverted": false,
"Names": [
"DeleteObject",
"GetContainer"
]
},
"Resources": {
"Inverted": false,
"Names": [
"native:object/*"
]
},
"Any": false,
"Condition": [
{
"Op": "StringEquals",
"Object": "Request",
"Key": "$Actor:role",
"Value": "others"
}
]
},
{
"Status": "QuotaLimitReached",
"Actions": {
"Inverted": true,
"Names": [
"PutObject"
]
},
"Resources": {
"Inverted": false,
"Names": [
"native:object//9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J/*"
]
},
"Any": true,
"Condition": [
{
"Op": "StringNotLike",
"Object": "Resource",
"Key": "$Object:objectType",
"Value": "regular"
}
]
},
{
"Status": "100",
"Actions": {
"Inverted": false,
"Names": null
},
"Resources": {
"Inverted": false,
"Names": null
},
"Any": false,
"Condition": [
{
"Op": "255",
"Object": "128",
"Key": "",
"Value": ""
}
]
}
],
"MatchType": "FirstMatch"
}

View file

@ -6,111 +6,96 @@ import (
)
type defaultChainRouter struct {
morph MorphRuleChainStorageReader
morph MorphRuleChainStorage
local LocalOverrideStorage
}
func NewDefaultChainRouter(morph MorphRuleChainStorageReader) ChainRouter {
func NewDefaultChainRouter(morph MorphRuleChainStorage) ChainRouter {
return &defaultChainRouter{
morph: morph,
}
}
func NewDefaultChainRouterWithLocalOverrides(morph MorphRuleChainStorageReader, local LocalOverrideStorage) ChainRouter {
func NewDefaultChainRouterWithLocalOverrides(morph MorphRuleChainStorage, local LocalOverrideStorage) ChainRouter {
return &defaultChainRouter{
morph: morph,
local: local,
}
}
func (dr *defaultChainRouter) IsAllowed(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
status, ruleFound, err = dr.checkLocal(name, rt, r)
if err != nil {
return chain.NoRuleFound, false, err
} else if ruleFound {
// The local overrides have the highest priority and thus
// morph rules are not considered if a local one is found.
return
}
status, ruleFound, err = dr.checkMorph(name, rt, r)
return
}
func (dr *defaultChainRouter) checkLocal(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
if dr.local == nil {
return
}
var ruleFounds []bool
for _, target := range rt.Targets() {
status, ruleFound, err = dr.matchLocalOverrides(name, target, r)
if err != nil || ruleFound && status != chain.Allow {
func (dr *defaultChainRouter) IsAllowed(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
if dr.local != nil {
var localRuleFound bool
status, localRuleFound, err = dr.checkLocalOverrides(name, r)
if err != nil {
return chain.NoRuleFound, false, err
} else if localRuleFound {
ruleFound = true
return
}
ruleFounds = append(ruleFounds, ruleFound)
}
var namespaceRuleFound bool
status, namespaceRuleFound, err = dr.checkNamespaceChains(name, namespace, r)
if err != nil {
return
} else if namespaceRuleFound && status != chain.Allow {
ruleFound = true
return
}
var cnrRuleFound bool
status, cnrRuleFound, err = dr.checkContainerChains(name, r.Resource().Name(), r)
if err != nil {
return
} else if cnrRuleFound && status != chain.Allow {
ruleFound = true
return
}
status = chain.NoRuleFound
for _, ruleFound = range ruleFounds {
if ruleFound {
status = chain.Allow
break
}
if ruleFound = namespaceRuleFound || cnrRuleFound; ruleFound {
status = chain.Allow
}
return
}
func (dr *defaultChainRouter) checkMorph(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
var ruleFounds []bool
for _, target := range rt.Targets() {
status, ruleFound, err = dr.matchMorphRuleChains(name, target, r)
if err != nil || ruleFound && status != chain.Allow {
return
}
ruleFounds = append(ruleFounds, ruleFound)
}
status = chain.NoRuleFound
for _, ruleFound = range ruleFounds {
if ruleFound {
status = chain.Allow
break
}
}
return
}
func (dr *defaultChainRouter) matchLocalOverrides(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
localOverrides, err := dr.local.ListOverrides(name, target)
func (dr *defaultChainRouter) checkLocalOverrides(name chain.Name, r resource.Request) (status chain.Status, ruleFound bool, err error) {
localOverrides, err := dr.local.ListOverrides(name, r.Resource().Name())
if err != nil {
return
}
status, ruleFound = dr.getStatusFromChains(localOverrides, r)
return
}
func (dr *defaultChainRouter) matchMorphRuleChains(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
namespaceChains, err := dr.morph.ListMorphRuleChains(name, target)
if err != nil {
return chain.NoRuleFound, false, err
}
status, ruleFound = dr.getStatusFromChains(namespaceChains, r)
return
}
func (dr *defaultChainRouter) getStatusFromChains(chains []*chain.Chain, r resource.Request) (chain.Status, bool) {
var allow bool
for _, c := range chains {
if status, found := c.Match(r); found {
if status != chain.Allow {
return status, true
}
allow = true
for _, c := range localOverrides {
if status, ruleFound = c.Match(r); ruleFound && status != chain.Allow {
return
}
}
if allow {
return chain.Allow, true
}
return chain.NoRuleFound, false
return
}
func (dr *defaultChainRouter) checkNamespaceChains(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
namespaceChains, err := dr.morph.ListMorphRuleChains(name, NamespaceTarget(namespace))
if err != nil {
return
}
for _, c := range namespaceChains {
if status, ruleFound = c.Match(r); ruleFound {
return
}
}
return
}
func (dr *defaultChainRouter) checkContainerChains(name chain.Name, container string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
containerChains, err := dr.morph.ListMorphRuleChains(name, ContainerTarget(container))
if err != nil {
return
}
for _, c := range containerChains {
if status, ruleFound = c.Match(r); ruleFound {
return
}
}
return
}

View file

@ -43,6 +43,6 @@ func (im *inmemory) MorphRuleChainStorage() engine.MorphRuleChainStorage {
return im.morph
}
func (im *inmemory) IsAllowed(name chain.Name, rt engine.RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
return im.router.IsAllowed(name, rt, r)
func (im *inmemory) IsAllowed(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
return im.router.IsAllowed(name, namespace, r)
}

View file

@ -29,7 +29,7 @@ func TestInmemory(t *testing.T) {
"Actor": actor1,
})
status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTargetWithNamespace(namespace), reqGood)
status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqGood)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
@ -103,7 +103,7 @@ func TestInmemory(t *testing.T) {
"SourceIP": "10.122.1.20",
"Actor": actor1,
})
status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadIP)
status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadIP)
require.Equal(t, chain.AccessDenied, status)
require.True(t, ok)
})
@ -113,7 +113,7 @@ func TestInmemory(t *testing.T) {
"SourceIP": "10.1.1.13",
"Actor": actor2,
})
status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadActor)
status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadActor)
require.Equal(t, chain.AccessDenied, status)
require.True(t, ok)
})
@ -121,14 +121,14 @@ func TestInmemory(t *testing.T) {
objGood := resourcetest.NewResource("native::object::abc/id1", map[string]string{"Department": "HR"})
objBadAttr := resourcetest.NewResource("native::object::abc/id2", map[string]string{"Department": "Support"})
status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objGood, map[string]string{
status, ok, _ := s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objGood, map[string]string{
"SourceIP": "10.1.1.14",
"Actor": actor2,
}))
require.Equal(t, chain.Allow, status)
require.True(t, ok)
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
status, ok, _ = s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
"SourceIP": "10.1.1.14",
"Actor": actor2,
}))
@ -141,33 +141,33 @@ func TestInmemory(t *testing.T) {
"SourceIP": "10.1.1.12",
"Actor": actor1,
})
status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadOperation)
status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadOperation)
require.Equal(t, chain.AccessDenied, status)
require.True(t, ok)
})
t.Run("inverted rules", func(t *testing.T) {
req := resourcetest.NewRequest("native::object::put", resourcetest.NewResource(object, nil), nil)
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
req = resourcetest.NewRequest("native::object::put", resourcetest.NewResource("native::object::cba/def", nil), nil)
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
require.Equal(t, chain.AccessDenied, status)
require.True(t, ok)
req = resourcetest.NewRequest("native::object::get", resourcetest.NewResource("native::object::cba/def", nil), nil)
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
})
t.Run("good", func(t *testing.T) {
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
t.Run("quota on a different container", func(t *testing.T) {
s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
Rules: []chain.Rule{{
Status: chain.QuotaLimitReached,
Actions: chain.Actions{Names: []string{"native::object::put"}},
@ -175,14 +175,14 @@ func TestInmemory(t *testing.T) {
}},
})
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
})
var quotaRuleChainID chain.ID
t.Run("quota on the request container", func(t *testing.T) {
quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
Rules: []chain.Rule{{
Status: chain.QuotaLimitReached,
Actions: chain.Actions{Names: []string{"native::object::put"}},
@ -190,15 +190,15 @@ func TestInmemory(t *testing.T) {
}},
})
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
require.Equal(t, chain.QuotaLimitReached, status)
require.True(t, ok)
})
t.Run("removed quota on the request container", func(t *testing.T) {
err := s.LocalStorage().RemoveOverride(chain.Ingress, engine.ContainerTarget(container), quotaRuleChainID)
err := s.LocalStorage().RemoveOverride(chain.Ingress, container, quotaRuleChainID)
require.NoError(t, err)
status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
require.Equal(t, chain.NoRuleFound, status)
require.False(t, ok)
})

View file

@ -1,136 +1,101 @@
package inmemory
import (
"bytes"
"fmt"
"math/rand"
"strings"
"sync"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/util"
)
type targetToChain map[engine.Target][]*chain.Chain
type targetToChain map[string][]*chain.Chain
type inmemoryLocalStorage struct {
usedChainID map[string]struct{}
usedChainID map[chain.ID]struct{}
nameToResourceChains map[chain.Name]targetToChain
guard *sync.RWMutex
}
func NewInmemoryLocalStorage() engine.LocalOverrideStorage {
return &inmemoryLocalStorage{
usedChainID: map[string]struct{}{},
usedChainID: map[chain.ID]struct{}{},
nameToResourceChains: make(map[chain.Name]targetToChain),
guard: &sync.RWMutex{},
}
}
func (s *inmemoryLocalStorage) generateChainID(name chain.Name, target engine.Target) chain.ID {
func (s *inmemoryLocalStorage) generateChainID(name chain.Name, resource string) chain.ID {
var id chain.ID
for {
suffix := rand.Uint32() % 100
sid := fmt.Sprintf("%s:%s/%d", name, target.Name, suffix)
sid := fmt.Sprintf("%s:%s/%d", name, resource, suffix)
sid = strings.ReplaceAll(sid, "*", "")
sid = strings.ReplaceAll(sid, "/", ":")
sid = strings.ReplaceAll(sid, "::", ":")
_, ok := s.usedChainID[sid]
id = chain.ID(sid)
_, ok := s.usedChainID[id]
if ok {
continue
}
s.usedChainID[sid] = struct{}{}
id = chain.ID(sid)
s.usedChainID[id] = struct{}{}
break
}
return id
}
func (s *inmemoryLocalStorage) AddOverride(name chain.Name, target engine.Target, c *chain.Chain) (chain.ID, error) {
s.guard.Lock()
defer s.guard.Unlock()
func (s *inmemoryLocalStorage) AddOverride(name chain.Name, resource string, c *chain.Chain) (chain.ID, error) {
// AddOverride assigns generated chain ID if it has not been assigned.
if len(c.ID) == 0 {
c.ID = s.generateChainID(name, target)
if c.ID == "" {
c.ID = s.generateChainID(name, resource)
}
if s.nameToResourceChains[name] == nil {
s.nameToResourceChains[name] = make(targetToChain)
}
rc := s.nameToResourceChains[name]
for i := range rc[target] {
if bytes.Equal(rc[target][i].ID, c.ID) {
rc[target][i] = c
return c.ID, nil
}
}
rc[target] = append(rc[target], c)
rc[resource] = append(rc[resource], c)
return c.ID, nil
}
func (s *inmemoryLocalStorage) GetOverride(name chain.Name, target engine.Target, chainID chain.ID) (*chain.Chain, error) {
s.guard.RLock()
defer s.guard.RUnlock()
func (s *inmemoryLocalStorage) GetOverride(name chain.Name, resource string, chainID chain.ID) (*chain.Chain, error) {
if _, ok := s.nameToResourceChains[name]; !ok {
return nil, engine.ErrChainNameNotFound
}
if target.Name == "" {
target.Name = "root"
}
chains, ok := s.nameToResourceChains[name][target]
chains, ok := s.nameToResourceChains[name][resource]
if !ok {
return nil, engine.ErrResourceNotFound
}
for _, c := range chains {
if bytes.Equal(c.ID, chainID) {
if c.ID == chainID {
return c, nil
}
}
return nil, engine.ErrChainNotFound
}
func (s *inmemoryLocalStorage) RemoveOverride(name chain.Name, target engine.Target, chainID chain.ID) error {
s.guard.Lock()
defer s.guard.Unlock()
func (s *inmemoryLocalStorage) RemoveOverride(name chain.Name, resource string, chainID chain.ID) error {
if _, ok := s.nameToResourceChains[name]; !ok {
return engine.ErrChainNameNotFound
}
if target.Name == "" {
target.Name = "root"
}
chains, ok := s.nameToResourceChains[name][target]
chains, ok := s.nameToResourceChains[name][resource]
if !ok {
return engine.ErrResourceNotFound
}
for i, c := range chains {
if bytes.Equal(c.ID, chainID) {
s.nameToResourceChains[name][target] = append(chains[:i], chains[i+1:]...)
if c.ID == chainID {
s.nameToResourceChains[name][resource] = append(chains[:i], chains[i+1:]...)
return nil
}
}
return engine.ErrChainNotFound
}
func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
s.guard.RLock()
defer s.guard.RUnlock()
func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, resource string) ([]*chain.Chain, error) {
rcs, ok := s.nameToResourceChains[name]
if !ok {
return []*chain.Chain{}, nil
}
if target.Name == "" {
target.Name = "root"
}
for t, chains := range rcs {
if t.Type != target.Type {
continue
}
if !util.GlobMatch(target.Name, t.Name) {
for container, chains := range rcs {
if !util.GlobMatch(resource, container) {
continue
}
return chains, nil
@ -139,20 +104,6 @@ func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, target engine.Targ
}
func (s *inmemoryLocalStorage) DropAllOverrides(name chain.Name) error {
s.guard.Lock()
defer s.guard.Unlock()
s.nameToResourceChains[name] = make(targetToChain)
return nil
}
func (s *inmemoryLocalStorage) ListOverrideDefinedTargets(name chain.Name) ([]engine.Target, error) {
s.guard.RLock()
defer s.guard.RUnlock()
ttc := s.nameToResourceChains[name]
var keys []engine.Target
for k := range ttc {
keys = append(keys, k)
}
return keys, nil
}

View file

@ -9,13 +9,11 @@ import (
)
const (
container = "native:::object/ExYw/*"
resrc = "native:::object/ExYw/*"
chainID = "ingress:ExYw"
nonExistChainId = "ingress:LxGyWyL"
)
var resrc = engine.ContainerTarget(container)
func testInmemLocalStorage() *inmemoryLocalStorage {
return NewInmemoryLocalStorage().(*inmemoryLocalStorage)
}
@ -184,9 +182,6 @@ func TestListOverrides(t *testing.T) {
inmem.AddOverride(chain.Ingress, resrc, addChain)
l, _ := inmem.ListOverrides(chain.Ingress, resrc)
require.Len(t, l, 1)
targets, err := inmem.ListOverrideDefinedTargets(chain.Ingress)
require.NoError(t, err)
require.Equal(t, []engine.Target{resrc}, targets)
})
t.Run("list after drop", func(t *testing.T) {
@ -211,12 +206,12 @@ func TestGenerateID(t *testing.T) {
}
func hasDuplicates(ids []chain.ID) bool {
seen := make(map[string]bool)
seen := make(map[chain.ID]bool)
for _, id := range ids {
if seen[string(id)] {
if seen[id] {
return true
}
seen[string(id)] = true
seen[id] = true
}
return false
}

View file

@ -3,7 +3,6 @@ package inmemory
import (
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"github.com/nspcc-dev/neo-go/pkg/util"
)
type inmemoryMorphRuleChainStorage struct {
@ -18,45 +17,36 @@ func NewInmemoryMorphRuleChainStorage() engine.MorphRuleChainStorage {
}
}
func (s *inmemoryMorphRuleChainStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (_ util.Uint256, _ uint32, err error) {
func (s *inmemoryMorphRuleChainStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (err error) {
switch target.Type {
case engine.Namespace:
_, err = s.nameToNamespaceChains.AddOverride(name, target, c)
_, err = s.nameToNamespaceChains.AddOverride(name, target.Name, c)
case engine.Container:
_, err = s.nameToContainerChains.AddOverride(name, target, c)
_, err = s.nameToContainerChains.AddOverride(name, target.Name, c)
default:
err = engine.ErrUnknownTarget
}
return
}
func (s *inmemoryMorphRuleChainStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (_ util.Uint256, _ uint32, err error) {
func (s *inmemoryMorphRuleChainStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) error {
switch target.Type {
case engine.Namespace:
err = s.nameToNamespaceChains.RemoveOverride(name, target, chainID)
return s.nameToNamespaceChains.RemoveOverride(name, target.Name, chainID)
case engine.Container:
err = s.nameToContainerChains.RemoveOverride(name, target, chainID)
return s.nameToContainerChains.RemoveOverride(name, target.Name, chainID)
default:
err = engine.ErrUnknownTarget
return engine.ErrUnknownTarget
}
return
}
func (s *inmemoryMorphRuleChainStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
switch target.Type {
case engine.Namespace:
return s.nameToNamespaceChains.ListOverrides(name, target)
return s.nameToNamespaceChains.ListOverrides(name, target.Name)
case engine.Container:
return s.nameToContainerChains.ListOverrides(name, target)
return s.nameToContainerChains.ListOverrides(name, target.Name)
default:
}
return nil, engine.ErrUnknownTarget
}
func (s *inmemoryMorphRuleChainStorage) GetAdmin() (util.Uint160, error) {
panic("not implemented")
}
func (s *inmemoryMorphRuleChainStorage) SetAdmin(_ util.Uint160) (util.Uint256, uint32, error) {
panic("not implemented")
}

View file

@ -3,29 +3,26 @@ package engine
import (
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
"github.com/nspcc-dev/neo-go/pkg/util"
)
type ChainRouter interface {
// IsAllowed returns status for the operation after all checks.
// The second return value signifies whether a matching rule was found.
IsAllowed(name chain.Name, reqTarget RequestTarget, r resource.Request) (status chain.Status, found bool, err error)
IsAllowed(name chain.Name, target string, r resource.Request) (status chain.Status, found bool, err error)
}
// LocalOverrideStorage is the interface to manage local overrides defined
// for a node. Local overrides have a higher priority than chains got from morph storage.
type LocalOverrideStorage interface {
AddOverride(name chain.Name, target Target, c *chain.Chain) (chain.ID, error)
AddOverride(name chain.Name, resource string, c *chain.Chain) (chain.ID, error)
GetOverride(name chain.Name, target Target, chainID chain.ID) (*chain.Chain, error)
GetOverride(name chain.Name, resource string, chainID chain.ID) (*chain.Chain, error)
RemoveOverride(name chain.Name, target Target, chainID chain.ID) error
RemoveOverride(name chain.Name, resource string, chainID chain.ID) error
ListOverrides(name chain.Name, target Target) ([]*chain.Chain, error)
ListOverrides(name chain.Name, resource string) ([]*chain.Chain, error)
DropAllOverrides(name chain.Name) error
ListOverrideDefinedTargets(name chain.Name) ([]Target, error)
}
type TargetType rune
@ -40,45 +37,6 @@ type Target struct {
Name string
}
// RequestTarget combines several targets on which the request is performed.
type RequestTarget struct {
Namespace *Target
Container *Target
}
func NewRequestTargetWithNamespace(namespace string) RequestTarget {
nt := NamespaceTarget(namespace)
return RequestTarget{
Namespace: &nt,
}
}
func NewRequestTargetWithContainer(container string) RequestTarget {
ct := ContainerTarget(container)
return RequestTarget{
Container: &ct,
}
}
func NewRequestTarget(namespace, container string) RequestTarget {
nt := NamespaceTarget(namespace)
ct := ContainerTarget(container)
return RequestTarget{
Namespace: &nt,
Container: &ct,
}
}
func (rt *RequestTarget) Targets() (targets []Target) {
if rt.Namespace != nil {
targets = append(targets, *rt.Namespace)
}
if rt.Container != nil {
targets = append(targets, *rt.Container)
}
return
}
func NamespaceTarget(namespace string) Target {
return Target{
Type: Namespace,
@ -93,27 +51,14 @@ func ContainerTarget(container string) Target {
}
}
// MorphRuleChainStorageReader is the interface that provides read-only methods to receive
// data like chains, target or admin from a chain storage.
type MorphRuleChainStorageReader interface {
// ListMorphRuleChains just lists deserialized chains.
ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
GetAdmin() (util.Uint160, error)
}
// MorphRuleChainStorage is the interface to read and manage data within a chain storage.
// MorphRuleChainStorage is the interface to manage chains from the chain storage.
// Basically, this implies that the storage manages rules stored in policy contract.
type MorphRuleChainStorage interface {
MorphRuleChainStorageReader
AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) error
// AddMorphRuleChain adds a chain rule to the policy contract and returns transaction hash, VUB and error.
AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) (util.Uint256, uint32, error)
RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) error
// RemoveMorphRuleChain removes a chain rule to the policy contract and returns transaction hash, VUB and error.
RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) (util.Uint256, uint32, error)
SetAdmin(addr util.Uint160) (util.Uint256, uint32, error)
ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
}
// Engine is the interface that provides methods to check request permissions checking

View file

@ -1,267 +0,0 @@
package marshal
import (
"encoding/binary"
"fmt"
)
const (
Version byte = 0 // increase if breaking change
ByteSize int = 1
UInt8Size int = ByteSize
BoolSize int = ByteSize
nilSlice int64 = -1
nilSliceSize int = 1
byteTrue uint8 = 1
byteFalse uint8 = 0
// maxSliceLen taken from https://github.com/neo-project/neo/blob/38218bbee5bbe8b33cd8f9453465a19381c9a547/src/Neo/IO/Helper.cs#L77
maxSliceLen = 0x1000000
)
type MarshallerError struct {
errMsg string
offset int
}
func (e *MarshallerError) Error() string {
if e == nil {
return ""
}
if e.offset < 0 {
return e.errMsg
}
return fmt.Sprintf("%s (offset: %d)", e.errMsg, e.offset)
}
func errBufTooSmall(t string, marshal bool, offset int) error {
action := "unmarshal"
if marshal {
action = "marshal"
}
return &MarshallerError{
errMsg: fmt.Sprintf("not enough bytes left to %s value of type '%s'", action, t),
offset: offset,
}
}
func VerifyMarshal(buf []byte, lastOffset int) error {
if len(buf) != lastOffset {
return &MarshallerError{
errMsg: "actual data size differs from expected",
offset: -1,
}
}
return nil
}
func VerifyUnmarshal(buf []byte, lastOffset int) error {
if len(buf) != lastOffset {
return &MarshallerError{
errMsg: "unmarshalled bytes left",
}
}
return nil
}
func SliceSize[T any](slice []T, sizeOf func(T) int) int {
if slice == nil {
return nilSliceSize
}
s := Int64Size(int64(len(slice)))
for _, v := range slice {
s += sizeOf(v)
}
return s
}
func SliceMarshal[T any](buf []byte, offset int, slice []T, marshalT func([]byte, int, T) (int, error)) (int, error) {
if slice == nil {
return Int64Marshal(buf, offset, nilSlice)
}
if len(slice) > maxSliceLen {
return 0, &MarshallerError{
errMsg: fmt.Sprintf("slice size if too big: '%d'", len(slice)),
offset: offset,
}
}
offset, err := Int64Marshal(buf, offset, int64(len(slice)))
if err != nil {
return 0, err
}
for _, v := range slice {
offset, err = marshalT(buf, offset, v)
if err != nil {
return 0, err
}
}
return offset, nil
}
func SliceUnmarshal[T any](buf []byte, offset int, unmarshalT func(buf []byte, offset int) (T, int, error)) ([]T, int, error) {
size, offset, err := Int64Unmarshal(buf, offset)
if err != nil {
return nil, 0, err
}
if size == nilSlice {
return nil, offset, nil
}
if size > maxSliceLen {
return nil, 0, &MarshallerError{
errMsg: fmt.Sprintf("slice size if too big: '%d'", size),
offset: offset,
}
}
if size < 0 {
return nil, 0, &MarshallerError{
errMsg: fmt.Sprintf("invalid slice size: '%d'", size),
offset: offset,
}
}
result := make([]T, size)
for idx := 0; idx < len(result); idx++ {
result[idx], offset, err = unmarshalT(buf, offset)
if err != nil {
return nil, 0, err
}
}
return result, offset, nil
}
func Int64Size(v int64) int {
// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=92;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
// and
// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=41;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
ux := uint64(v) << 1
if v < 0 {
ux = ^ux
}
s := 0
for ux >= 0x80 {
s++
ux >>= 7
}
return s + 1
}
func Int64Marshal(buf []byte, offset int, v int64) (int, error) {
if len(buf)-offset < Int64Size(v) {
return 0, errBufTooSmall("int64", true, offset)
}
return offset + binary.PutVarint(buf[offset:], v), nil
}
func Int64Unmarshal(buf []byte, offset int) (int64, int, error) {
v, read := binary.Varint(buf[offset:])
if read == 0 {
return 0, 0, errBufTooSmall("int64", false, offset)
}
if read < 0 {
return 0, 0, &MarshallerError{
errMsg: "int64 unmarshal overflow",
offset: offset,
}
}
return v, offset + read, nil
}
func StringSize(s string) int {
return Int64Size(int64(len(s))) + len(s)
}
func StringMarshal(buf []byte, offset int, s string) (int, error) {
if len(s) > maxSliceLen {
return 0, &MarshallerError{
errMsg: fmt.Sprintf("string is too long: '%d'", len(s)),
offset: offset,
}
}
if len(buf)-offset < Int64Size(int64(len(s)))+len(s) {
return 0, errBufTooSmall("string", true, offset)
}
offset, err := Int64Marshal(buf, offset, int64(len(s)))
if err != nil {
return 0, err
}
if s == "" {
return offset, nil
}
return offset + copy(buf[offset:], s), nil
}
func StringUnmarshal(buf []byte, offset int) (string, int, error) {
size, offset, err := Int64Unmarshal(buf, offset)
if err != nil {
return "", 0, err
}
if size == 0 {
return "", offset, nil
}
if size > maxSliceLen {
return "", 0, &MarshallerError{
errMsg: fmt.Sprintf("string is too long: '%d'", size),
offset: offset,
}
}
if size < 0 {
return "", 0, &MarshallerError{
errMsg: fmt.Sprintf("invalid string size: '%d'", size),
offset: offset,
}
}
if len(buf)-offset < int(size) {
return "", 0, errBufTooSmall("string", false, offset)
}
return string(buf[offset : offset+int(size)]), offset + int(size), nil
}
func UInt8Marshal(buf []byte, offset int, value uint8) (int, error) {
if len(buf)-offset < 1 {
return 0, errBufTooSmall("uint8", true, offset)
}
buf[offset] = value
return offset + 1, nil
}
func UInt8Unmarshal(buf []byte, offset int) (uint8, int, error) {
if len(buf)-offset < 1 {
return 0, 0, errBufTooSmall("uint8", false, offset)
}
return buf[offset], offset + 1, nil
}
func ByteMarshal(buf []byte, offset int, value byte) (int, error) {
return UInt8Marshal(buf, offset, value)
}
func ByteUnmarshal(buf []byte, offset int) (byte, int, error) {
return UInt8Unmarshal(buf, offset)
}
func BoolMarshal(buf []byte, offset int, value bool) (int, error) {
if value {
return UInt8Marshal(buf, offset, byteTrue)
}
return UInt8Marshal(buf, offset, byteFalse)
}
func BoolUnmarshal(buf []byte, offset int) (bool, int, error) {
v, offset, err := UInt8Unmarshal(buf, offset)
if err != nil {
return false, 0, err
}
if v == byteTrue {
return true, offset, nil
}
if v == byteFalse {
return false, offset, nil
}
return false, 0, &MarshallerError{
errMsg: fmt.Sprintf("invalid marshalled value for bool: %d", v),
offset: offset - BoolSize,
}
}

View file

@ -1,313 +0,0 @@
package marshal
import (
"encoding/binary"
"math"
"testing"
"github.com/stretchr/testify/require"
)
func TestMarshalling(t *testing.T) {
t.Parallel()
t.Run("slice", func(t *testing.T) {
t.Parallel()
t.Run("nil slice", func(t *testing.T) {
t.Parallel()
var int64s []int64
expectedSize := SliceSize(int64s, Int64Size)
require.Equal(t, 1, expectedSize)
buf := make([]byte, expectedSize)
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.Nil(t, result)
})
t.Run("empty slice", func(t *testing.T) {
t.Parallel()
int64s := make([]int64, 0)
expectedSize := SliceSize(int64s, Int64Size)
require.Equal(t, 1, expectedSize)
buf := make([]byte, expectedSize)
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.NotNil(t, result)
require.Len(t, result, 0)
})
t.Run("non empty slice", func(t *testing.T) {
t.Parallel()
int64s := make([]int64, 100)
for i := range int64s {
int64s[i] = int64(i)
}
expectedSize := SliceSize(int64s, Int64Size)
buf := make([]byte, expectedSize)
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.Equal(t, int64s, result)
})
t.Run("corrupted slice size", func(t *testing.T) {
t.Parallel()
int64s := make([]int64, 100)
for i := range int64s {
int64s[i] = int64(i)
}
expectedSize := SliceSize(int64s, Int64Size)
buf := make([]byte, expectedSize)
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
for i := 0; i < binary.MaxVarintLen64; i++ {
buf[i] = 129
}
_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
var mErr *MarshallerError
require.ErrorAs(t, err, &mErr)
for i := 0; i < binary.MaxVarintLen64; i++ {
buf[i] = 127
}
_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
require.ErrorAs(t, err, &mErr)
})
t.Run("corrupted slice item", func(t *testing.T) {
t.Parallel()
int64s := make([]int64, 100)
for i := range int64s {
int64s[i] = int64(i)
}
expectedSize := SliceSize(int64s, Int64Size)
buf := make([]byte, expectedSize)
offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
for i := 2; i < binary.MaxVarintLen64+2; i++ {
buf[i] = 129
}
_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
var mErr *MarshallerError
require.ErrorAs(t, err, &mErr)
})
t.Run("small buffer", func(t *testing.T) {
t.Parallel()
int64s := make([]int64, 100)
for i := range int64s {
int64s[i] = int64(i)
}
buf := make([]byte, 1)
_, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
var mErr *MarshallerError
require.ErrorAs(t, err, &mErr)
buf = make([]byte, 10)
_, err = SliceMarshal(buf, 0, int64s, Int64Marshal)
require.ErrorAs(t, err, &mErr)
})
})
t.Run("int64", func(t *testing.T) {
t.Parallel()
t.Run("success", func(t *testing.T) {
t.Parallel()
require.Equal(t, 1, Int64Size(0))
require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MaxInt64))
require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MinInt64))
for _, v := range []int64{0, math.MinInt64, math.MaxInt64} {
size := Int64Size(v)
buf := make([]byte, size)
offset, err := Int64Marshal(buf, 0, v)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
uv, offset, err := Int64Unmarshal(buf, 0)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.Equal(t, v, uv)
}
})
t.Run("invalid buffer", func(t *testing.T) {
t.Parallel()
var mErr *MarshallerError
_, err := Int64Marshal([]byte{}, 0, 100500)
require.ErrorAs(t, err, &mErr)
_, _, err = Int64Unmarshal(nil, 0)
require.ErrorAs(t, err, &mErr)
})
t.Run("overflow", func(t *testing.T) {
t.Parallel()
var mErr *MarshallerError
var v int64 = math.MaxInt64
buf := make([]byte, Int64Size(v))
_, err := Int64Marshal(buf, 0, v)
require.NoError(t, err)
buf[9] = 2
_, _, err = Int64Unmarshal(buf, 0)
require.ErrorAs(t, err, &mErr)
})
})
t.Run("string", func(t *testing.T) {
t.Parallel()
t.Run("success", func(t *testing.T) {
t.Parallel()
for _, v := range []string{
"", "arn:aws:iam::namespace:group/some_group", "$Object:homomorphicHash",
"native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J",
} {
size := StringSize(v)
buf := make([]byte, size)
offset, err := StringMarshal(buf, 0, v)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
uv, offset, err := StringUnmarshal(buf, 0)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.Equal(t, v, uv)
}
})
t.Run("invalid buffer", func(t *testing.T) {
t.Parallel()
str := "avada kedavra"
var mErr *MarshallerError
_, err := StringMarshal(nil, 0, str)
require.ErrorAs(t, err, &mErr)
_, _, err = StringUnmarshal(nil, 0)
require.ErrorAs(t, err, &mErr)
buf := make([]byte, StringSize(str))
offset, err := StringMarshal(buf, 0, str)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
buf = buf[:len(buf)-1]
_, _, err = StringUnmarshal(buf, 0)
require.ErrorAs(t, err, &mErr)
})
})
t.Run("uint8, byte", func(t *testing.T) {
t.Parallel()
for _, v := range []byte{0, 8, 16, 32, 64, 128, 255} {
buf := make([]byte, ByteSize)
offset, err := ByteMarshal(buf, 0, v)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
ub, offset, err := ByteUnmarshal(buf, 0)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.Equal(t, v, ub)
buf = make([]byte, UInt8Size)
offset, err = UInt8Marshal(buf, 0, v)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
uu, offset, err := UInt8Unmarshal(buf, 0)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.Equal(t, v, uu)
}
})
t.Run("bool", func(t *testing.T) {
t.Parallel()
t.Run("success", func(t *testing.T) {
t.Parallel()
for _, v := range []bool{false, true} {
buf := make([]byte, BoolSize)
offset, err := BoolMarshal(buf, 0, v)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
ub, offset, err := BoolUnmarshal(buf, 0)
require.NoError(t, err)
require.NoError(t, VerifyUnmarshal(buf, offset))
require.Equal(t, v, ub)
}
})
t.Run("invalid value", func(t *testing.T) {
t.Parallel()
buf := make([]byte, BoolSize)
offset, err := BoolMarshal(buf, 0, true)
require.NoError(t, err)
require.NoError(t, VerifyMarshal(buf, offset))
buf[0] = 2
_, _, err = BoolUnmarshal(buf, 0)
var mErr *MarshallerError
require.ErrorAs(t, err, &mErr)
})
t.Run("invalid buffer", func(t *testing.T) {
t.Parallel()
var mErr *MarshallerError
_, err := BoolMarshal(nil, 0, true)
require.ErrorAs(t, err, &mErr)
buf := append(make([]byte, BoolSize), 100)
offset, err := BoolMarshal(buf, 0, true)
require.NoError(t, err)
require.ErrorAs(t, VerifyMarshal(buf, offset), &mErr)
v, offset, err := BoolUnmarshal(buf, 0)
require.NoError(t, err)
require.True(t, v)
require.ErrorAs(t, VerifyUnmarshal(buf, offset), &mErr)
_, _, err = BoolUnmarshal(nil, 0)
require.ErrorAs(t, err, &mErr)
})
})
}

View file

@ -1,184 +0,0 @@
package policy
import (
"errors"
"fmt"
"math/big"
"strings"
"git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
client "git.frostfs.info/TrueCloudLab/frostfs-contract/rpcclient/policy"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
"github.com/nspcc-dev/neo-go/pkg/util"
"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
"github.com/nspcc-dev/neo-go/pkg/wallet"
)
var (
ErrEmptyChainID = errors.New("chain id is not set")
ErrEngineTargetTypeUnsupported = errors.New("this target type is not supported yet")
)
// ContractStorage is the interface to manage chain rules within Policy contract.
type ContractStorage struct {
contractInterface *client.Contract
}
var _ engine.MorphRuleChainStorage = (*ContractStorage)(nil)
// ContractStorageReader is the interface to read data from Policy contract.
type ContractStorageReader struct {
contractReaderInterface *client.ContractReader
}
var _ engine.MorphRuleChainStorageReader = (*ContractStorageReader)(nil)
func NewContractStorage(actor client.Actor, contract util.Uint160) *ContractStorage {
return &ContractStorage{
contractInterface: client.New(actor, contract),
}
}
func NewContractStorageWithSimpleActor(rpcActor actor.RPCActor, acc *wallet.Account, contract util.Uint160) (*ContractStorage, error) {
act, err := actor.NewSimple(rpcActor, acc)
if err != nil {
return nil, fmt.Errorf("failed to create simple actor: %w", err)
}
return NewContractStorage(act, contract), nil
}
func (s *ContractStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (txHash util.Uint256, vub uint32, err error) {
if len(c.ID) == 0 {
err = ErrEmptyChainID
return
}
var kind policy.Kind
kind, err = policyKind(target.Type)
if err != nil {
return
}
fullName := prefixedChainName(name, c.ID)
txHash, vub, err = s.contractInterface.AddChain(big.NewInt(int64(kind)), target.Name, fullName, c.Bytes())
return
}
func (s *ContractStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (txHash util.Uint256, vub uint32, err error) {
if len(chainID) == 0 {
err = ErrEmptyChainID
return
}
var kind policy.Kind
kind, err = policyKind(target.Type)
if err != nil {
return
}
fullName := prefixedChainName(name, chainID)
txHash, vub, err = s.contractInterface.RemoveChain(big.NewInt(int64(kind)), target.Name, fullName)
return
}
func (s *ContractStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
kind, err := policyKind(target.Type)
if err != nil {
return nil, err
}
items, err := s.contractInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
if err != nil {
return nil, err
}
var chains []*chain.Chain
for _, item := range items {
serialized, err := bytesFromStackItem(item)
if err != nil {
return nil, err
}
c := new(chain.Chain)
if err := c.DecodeBytes(serialized); err != nil {
return nil, err
}
chains = append(chains, c)
}
return chains, nil
}
func (s *ContractStorage) GetAdmin() (util.Uint160, error) {
return s.contractInterface.GetAdmin()
}
func (s *ContractStorage) SetAdmin(addr util.Uint160) (util.Uint256, uint32, error) {
return s.contractInterface.SetAdmin(addr)
}
func NewContractStorageReader(inv client.Invoker, contract util.Uint160) *ContractStorageReader {
return &ContractStorageReader{
contractReaderInterface: client.NewReader(inv, contract),
}
}
func (s *ContractStorageReader) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
kind, err := policyKind(target.Type)
if err != nil {
return nil, err
}
items, err := s.contractReaderInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
if err != nil {
return nil, err
}
var chains []*chain.Chain
for _, item := range items {
serialized, err := bytesFromStackItem(item)
if err != nil {
return nil, err
}
c := new(chain.Chain)
if err := c.DecodeBytes(serialized); err != nil {
return nil, err
}
chains = append(chains, c)
}
return chains, nil
}
func (s *ContractStorageReader) GetAdmin() (util.Uint160, error) {
return s.contractReaderInterface.GetAdmin()
}
func bytesFromStackItem(param stackitem.Item) ([]byte, error) {
switch param.Type() {
case stackitem.BufferT, stackitem.ByteArrayT, stackitem.IntegerT:
return param.TryBytes()
case stackitem.AnyT:
if param.Value() == nil {
return nil, nil
}
fallthrough
default:
return nil, fmt.Errorf("chain/client: %s is not a byte array type", param.Type())
}
}
func prefixedChainName(name chain.Name, chainID chain.ID) []byte {
return []byte(strings.ToLower(fmt.Sprintf("%s:%s", name, chainID)))
}
func policyKind(typ engine.TargetType) (policy.Kind, error) {
if typ == engine.Namespace {
return policy.Namespace, nil
} else if typ == engine.Container {
return policy.Container, nil
}
return policy.Kind(0), ErrEngineTargetTypeUnsupported
}

View file

@ -1,5 +0,0 @@
package common
const (
PropertyKeyFrostFSIDGroupID = "frostfsid:groupID"
)

View file

@ -9,16 +9,6 @@ const (
MethodRangeObject = "RangeObject"
MethodHashObject = "HashObject"
MethodPutContainer = "PutContainer"
MethodDeleteContainer = "DeleteContainer"
MethodGetContainer = "GetContainer"
MethodListContainers = "ListContainers"
MethodSetContainerEACL = "SetContainerEACL"
MethodGetContainerEACL = "GetContainerEACL"
ObjectPrefix = "native:object"
ContainerPrefix = "native:container"
ResourceFormatNamespaceObjects = "native:object/%s/*"
ResourceFormatNamespaceContainerObjects = "native:object/%s/%s/*"
ResourceFormatNamespaceContainerObject = "native:object/%s/%s/%s"
@ -37,9 +27,8 @@ const (
ResourceFormatAllContainers = "native:container/*"
PropertyKeyActorPublicKey = "$Actor:publicKey"
PropertyKeyActorRole = "$Actor:role"
PropertyKeyActorPublicKey = "$Actor:publicKey"
PropertyKeyActorRole = "$Actor:role"
PropertyKeyObjectVersion = "$Object:version"
PropertyKeyObjectID = "$Object:objectID"
PropertyKeyObjectContainerID = "$Object:containerID"
@ -49,11 +38,4 @@ const (
PropertyKeyObjectPayloadHash = "$Object:payloadHash"
PropertyKeyObjectType = "$Object:objectType"
PropertyKeyObjectHomomorphicHash = "$Object:homomorphicHash"
PropertyKeyContainerOwnerID = "$Container:ownerID"
PropertyValueContainerRoleOwner = "owner"
PropertyValueContainerRoleIR = "ir"
PropertyValueContainerRoleContainer = "container"
PropertyValueContainerRoleOthers = "others"
)

View file

@ -1,45 +0,0 @@
package util
import (
"strings"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
)
var nativePatterns = []string{
native.ResourceFormatNamespaceObjects, native.ResourceFormatNamespaceContainerObjects,
native.ResourceFormatNamespaceContainerObject, native.ResourceFormatRootObjects,
native.ResourceFormatRootContainerObjects, native.ResourceFormatRootContainerObject,
native.ResourceFormatAllObjects, native.ResourceFormatNamespaceContainer,
native.ResourceFormatNamespaceContainers, native.ResourceFormatRootContainer,
native.ResourceFormatRootContainers, native.ResourceFormatAllContainers,
}
func match(resource, pattern string) bool {
rTokens := strings.Split(resource, "/")
pToken := strings.Split(pattern, "/")
if len(rTokens) != len(pToken) {
return false
}
for i := range rTokens {
if pToken[i] == "%s" {
continue
}
if pToken[i] != rTokens[i] {
return false
}
}
return true
}
func IsNativeResourceNameValid(resource string) bool {
for _, pattern := range nativePatterns {
if match(resource, pattern) {
return true
}
}
return false
}

View file

@ -1,97 +0,0 @@
package util
import (
"testing"
"github.com/stretchr/testify/require"
)
var tests = []struct {
name string
expected bool
resource string
}{
{
name: "ResourceFormatNamespaceObjects",
expected: true,
resource: "native:object/RootNamespace/*",
},
{
name: "ResourceFormatNamespaceContainerObjects",
expected: true,
resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
},
{
name: "ResourceFormatNamespaceContainerObject",
expected: true,
resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
},
{
name: "ResourceFormatRootObjects",
expected: true,
resource: "native:object//*",
},
{
name: "ResourceFormatRootContainerObjects",
expected: true,
resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
},
{
name: "ResourceFormatRootContainerObject",
expected: true,
resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
},
{
name: "ResourceFormatAllObjects",
expected: true,
resource: "native:object/*",
},
{
name: "ResourceFormatNamespaceContainer",
expected: true,
resource: "native:container/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R",
},
{
name: "ResourceFormatNamespaceContainers",
expected: true,
resource: "native:container/RootNamespace/*",
},
{
name: "ResourceFormatRootContainers",
expected: true,
resource: "native:container//*",
},
{
name: "ResourceFormatAllContainers",
expected: true,
resource: "native:container/*",
},
{
name: "Invalid resource 1",
expected: false,
resource: "native:::container/*",
},
{
name: "Invalid resource 2",
expected: false,
resource: "native:container/RootNamespace/w5HH3feoxFDD5tCTtoRzB3R/Bz726qzgLfxEE7wgtoRzB3R/RootNamespace",
},
}
func TestIsNativeResourceNameValid(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
require.Equal(t, test.expected, IsNativeResourceNameValid(test.resource))
})
}
}
func BenchmarkIsNativeResourceNameValid(b *testing.B) {
for _, test := range tests {
b.Run(test.name, func(b *testing.B) {
for i := 0; i < b.N; i++ {
_ = IsNativeResourceNameValid(test.resource)
}
})
}
}

View file

@ -6,12 +6,4 @@ const (
PropertyKeyDelimiter = "s3:delimiter"
PropertyKeyPrefix = "s3:prefix"
PropertyKeyVersionID = "s3:VersionId"
ResourceFormatS3All = "arn:aws:s3:::*"
ResourceFormatS3Bucket = "arn:aws:s3:::%s"
ResourceFormatS3BucketObjects = "arn:aws:s3:::%s/*"
ResourceFormatS3BucketObject = "arn:aws:s3:::%s/%s"
ResourceFormatIAMNamespaceUser = "arn:aws:iam::%s:user/%s"
ResourceFormatIAMNamespaceGroup = "arn:aws:iam::%s:group/%s"
)