forked from TrueCloudLab/frostfs-node
[#811] ape: Update policy-engine module version and rebase
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
fd9128d051
commit
4d5be5ccb5
14 changed files with 149 additions and 129 deletions
|
@ -12,7 +12,7 @@ import (
|
||||||
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
ape "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -50,7 +50,7 @@ func addRule(cmd *cobra.Command, _ []string) {
|
||||||
|
|
||||||
rule, _ := cmd.Flags().GetString(ruleFlag)
|
rule, _ := cmd.Flags().GetString(ruleFlag)
|
||||||
|
|
||||||
chain := new(ape.Chain)
|
chain := new(apechain.Chain)
|
||||||
commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, []string{rule}))
|
commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, []string{rule}))
|
||||||
serializedChain := chain.Bytes()
|
serializedChain := chain.Bytes()
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ import (
|
||||||
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -53,7 +53,7 @@ func getRule(cmd *cobra.Command, _ []string) {
|
||||||
|
|
||||||
verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
|
verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
|
||||||
|
|
||||||
var chain policyengine.Chain
|
var chain apechain.Chain
|
||||||
commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(resp.GetBody().GetChain()))
|
commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(resp.GetBody().GetChain()))
|
||||||
|
|
||||||
// TODO (aarifullin): make pretty-formatted output for chains.
|
// TODO (aarifullin): make pretty-formatted output for chains.
|
||||||
|
|
|
@ -9,7 +9,7 @@ import (
|
||||||
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ func listRules(cmd *cobra.Command, _ []string) {
|
||||||
|
|
||||||
for _, c := range chains {
|
for _, c := range chains {
|
||||||
// TODO (aarifullin): make pretty-formatted output for chains.
|
// TODO (aarifullin): make pretty-formatted output for chains.
|
||||||
var chain policyengine.Chain
|
var chain apechain.Chain
|
||||||
commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(c))
|
commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(c))
|
||||||
cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, chain.Bytes()))
|
cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, chain.Bytes()))
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,7 +5,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||||
"github.com/flynn-archive/go-shlex"
|
"github.com/flynn-archive/go-shlex"
|
||||||
)
|
)
|
||||||
|
@ -21,13 +21,13 @@ var (
|
||||||
)
|
)
|
||||||
|
|
||||||
// ParseAPEChain parses APE chain rules.
|
// ParseAPEChain parses APE chain rules.
|
||||||
func ParseAPEChain(chain *policyengine.Chain, rules []string) error {
|
func ParseAPEChain(chain *apechain.Chain, rules []string) error {
|
||||||
if len(rules) == 0 {
|
if len(rules) == 0 {
|
||||||
return errors.New("no APE rules provided")
|
return errors.New("no APE rules provided")
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, rule := range rules {
|
for _, rule := range rules {
|
||||||
r := new(policyengine.Rule)
|
r := new(apechain.Rule)
|
||||||
if err := ParseAPERule(r, rule); err != nil {
|
if err := ParseAPERule(r, rule); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -47,7 +47,7 @@ func ParseAPEChain(chain *policyengine.Chain, rules []string) error {
|
||||||
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
|
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
|
||||||
//
|
//
|
||||||
//nolint:godot
|
//nolint:godot
|
||||||
func ParseAPERule(r *policyengine.Rule, rule string) error {
|
func ParseAPERule(r *apechain.Rule, rule string) error {
|
||||||
lexemes, err := shlex.Split(rule)
|
lexemes, err := shlex.Split(rule)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("can't parse rule '%s': %v", rule, err)
|
return fmt.Errorf("can't parse rule '%s': %v", rule, err)
|
||||||
|
@ -55,7 +55,7 @@ func ParseAPERule(r *policyengine.Rule, rule string) error {
|
||||||
return parseRuleLexemes(r, lexemes)
|
return parseRuleLexemes(r, lexemes)
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseRuleLexemes(r *policyengine.Rule, lexemes []string) error {
|
func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
|
||||||
if len(lexemes) < 2 {
|
if len(lexemes) < 2 {
|
||||||
return errInvalidStatementFormat
|
return errInvalidStatementFormat
|
||||||
}
|
}
|
||||||
|
@ -80,14 +80,14 @@ func parseRuleLexemes(r *policyengine.Rule, lexemes []string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseStatus(lexeme string) (policyengine.Status, error) {
|
func parseStatus(lexeme string) (apechain.Status, error) {
|
||||||
action, expression, found := strings.Cut(lexeme, ":")
|
action, expression, found := strings.Cut(lexeme, ":")
|
||||||
switch action = strings.ToLower(action); action {
|
switch action = strings.ToLower(action); action {
|
||||||
case "deny":
|
case "deny":
|
||||||
if !found {
|
if !found {
|
||||||
return policyengine.AccessDenied, nil
|
return apechain.AccessDenied, nil
|
||||||
} else if strings.EqualFold(expression, "QuotaLimitReached") {
|
} else if strings.EqualFold(expression, "QuotaLimitReached") {
|
||||||
return policyengine.QuotaLimitReached, nil
|
return apechain.QuotaLimitReached, nil
|
||||||
} else {
|
} else {
|
||||||
return 0, fmt.Errorf("%w: %s", errUnknownActionDetail, expression)
|
return 0, fmt.Errorf("%w: %s", errUnknownActionDetail, expression)
|
||||||
}
|
}
|
||||||
|
@ -95,38 +95,38 @@ func parseStatus(lexeme string) (policyengine.Status, error) {
|
||||||
if found {
|
if found {
|
||||||
return 0, errUnknownActionDetail
|
return 0, errUnknownActionDetail
|
||||||
}
|
}
|
||||||
return policyengine.Allow, nil
|
return apechain.Allow, nil
|
||||||
default:
|
default:
|
||||||
return 0, errUnknownAction
|
return 0, errUnknownAction
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseAction(lexeme string) (policyengine.Actions, error) {
|
func parseAction(lexeme string) (apechain.Actions, error) {
|
||||||
switch strings.ToLower(lexeme) {
|
switch strings.ToLower(lexeme) {
|
||||||
case "object.put":
|
case "object.put":
|
||||||
return policyengine.Actions{Names: []string{nativeschema.MethodPutObject}}, nil
|
return apechain.Actions{Names: []string{nativeschema.MethodPutObject}}, nil
|
||||||
case "object.get":
|
case "object.get":
|
||||||
return policyengine.Actions{Names: []string{nativeschema.MethodGetObject}}, nil
|
return apechain.Actions{Names: []string{nativeschema.MethodGetObject}}, nil
|
||||||
case "object.head":
|
case "object.head":
|
||||||
return policyengine.Actions{Names: []string{nativeschema.MethodHeadObject}}, nil
|
return apechain.Actions{Names: []string{nativeschema.MethodHeadObject}}, nil
|
||||||
case "object.delete":
|
case "object.delete":
|
||||||
return policyengine.Actions{Names: []string{nativeschema.MethodDeleteObject}}, nil
|
return apechain.Actions{Names: []string{nativeschema.MethodDeleteObject}}, nil
|
||||||
case "object.search":
|
case "object.search":
|
||||||
return policyengine.Actions{Names: []string{nativeschema.MethodSearchObject}}, nil
|
return apechain.Actions{Names: []string{nativeschema.MethodSearchObject}}, nil
|
||||||
case "object.range":
|
case "object.range":
|
||||||
return policyengine.Actions{Names: []string{nativeschema.MethodRangeObject}}, nil
|
return apechain.Actions{Names: []string{nativeschema.MethodRangeObject}}, nil
|
||||||
case "object.hash":
|
case "object.hash":
|
||||||
return policyengine.Actions{Names: []string{nativeschema.MethodHashObject}}, nil
|
return apechain.Actions{Names: []string{nativeschema.MethodHashObject}}, nil
|
||||||
default:
|
default:
|
||||||
}
|
}
|
||||||
return policyengine.Actions{}, fmt.Errorf("%w: %s", errUnknownOperation, lexeme)
|
return apechain.Actions{}, fmt.Errorf("%w: %s", errUnknownOperation, lexeme)
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseResource(lexeme string) (policyengine.Resources, error) {
|
func parseResource(lexeme string) (apechain.Resources, error) {
|
||||||
if lexeme == "*" {
|
if lexeme == "*" {
|
||||||
return policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, nil
|
return apechain.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, nil
|
||||||
}
|
}
|
||||||
return policyengine.Resources{Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, lexeme)}}, nil
|
return apechain.Resources{Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, lexeme)}}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -134,13 +134,13 @@ const (
|
||||||
ObjectRequest = "object.request"
|
ObjectRequest = "object.request"
|
||||||
)
|
)
|
||||||
|
|
||||||
var typeToCondObject = map[string]policyengine.ObjectType{
|
var typeToCondObject = map[string]apechain.ObjectType{
|
||||||
ObjectResource: policyengine.ObjectResource,
|
ObjectResource: apechain.ObjectResource,
|
||||||
ObjectRequest: policyengine.ObjectRequest,
|
ObjectRequest: apechain.ObjectRequest,
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
|
func parseConditions(lexemes []string) ([]apechain.Condition, error) {
|
||||||
conds := make([]policyengine.Condition, 0)
|
conds := make([]apechain.Condition, 0)
|
||||||
|
|
||||||
for _, lexeme := range lexemes {
|
for _, lexeme := range lexemes {
|
||||||
typ, expression, found := strings.Cut(lexeme, ":")
|
typ, expression, found := strings.Cut(lexeme, ":")
|
||||||
|
@ -155,7 +155,7 @@ func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
|
||||||
var lhs, rhs string
|
var lhs, rhs string
|
||||||
var binExpFound bool
|
var binExpFound bool
|
||||||
|
|
||||||
var cond policyengine.Condition
|
var cond apechain.Condition
|
||||||
cond.Object = objType
|
cond.Object = objType
|
||||||
|
|
||||||
lhs, rhs, binExpFound = strings.Cut(expression, "!=")
|
lhs, rhs, binExpFound = strings.Cut(expression, "!=")
|
||||||
|
@ -164,9 +164,9 @@ func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
|
||||||
if !binExpFound {
|
if !binExpFound {
|
||||||
return nil, fmt.Errorf("%w: %s", errUnknownBinaryOperator, expression)
|
return nil, fmt.Errorf("%w: %s", errUnknownBinaryOperator, expression)
|
||||||
}
|
}
|
||||||
cond.Op = policyengine.CondStringEquals
|
cond.Op = apechain.CondStringEquals
|
||||||
} else {
|
} else {
|
||||||
cond.Op = policyengine.CondStringNotEquals
|
cond.Op = apechain.CondStringNotEquals
|
||||||
}
|
}
|
||||||
|
|
||||||
cond.Key, cond.Value = lhs, rhs
|
cond.Key, cond.Value = lhs, rhs
|
||||||
|
|
|
@ -3,7 +3,7 @@ package util
|
||||||
import (
|
import (
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
|
|
@ -5,23 +5,24 @@ import (
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||||
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
||||||
)
|
)
|
||||||
|
|
||||||
type apeChainSourceImpl struct {
|
type apeChainSourceImpl struct {
|
||||||
mtx sync.Mutex
|
mtx sync.Mutex
|
||||||
localChainStorage map[cid.ID]policyengine.CachedChainStorage
|
localChainStorage map[cid.ID]engine.LocalOverrideEngine
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewAPESource() container.AccessPolicyEngineChainSource {
|
func NewAPESource() container.AccessPolicyEngineChainSource {
|
||||||
return &apeChainSourceImpl{
|
return &apeChainSourceImpl{
|
||||||
localChainStorage: make(map[cid.ID]policyengine.CachedChainStorage),
|
localChainStorage: make(map[cid.ID]engine.LocalOverrideEngine),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil)
|
var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil)
|
||||||
|
|
||||||
func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error) {
|
func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (engine.LocalOverrideEngine, error) {
|
||||||
c.mtx.Lock()
|
c.mtx.Lock()
|
||||||
defer c.mtx.Unlock()
|
defer c.mtx.Unlock()
|
||||||
|
|
||||||
|
@ -29,6 +30,6 @@ func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChai
|
||||||
if ok {
|
if ok {
|
||||||
return s, nil
|
return s, nil
|
||||||
}
|
}
|
||||||
c.localChainStorage[cid] = policyengine.NewInMemory()
|
c.localChainStorage[cid] = inmemory.NewInMemoryLocalOverrides()
|
||||||
return c.localChainStorage[cid], nil
|
return c.localChainStorage[cid], nil
|
||||||
}
|
}
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -8,7 +8,7 @@ require (
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
|
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d
|
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d
|
||||||
git.frostfs.info/TrueCloudLab/hrw v1.2.1
|
git.frostfs.info/TrueCloudLab/hrw v1.2.1
|
||||||
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231114100951-38985e4ec86b
|
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231115094736-5db67021e10f
|
||||||
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
||||||
github.com/cheggaaa/pb v1.0.29
|
github.com/cheggaaa/pb v1.0.29
|
||||||
github.com/chzyer/readline v1.5.1
|
github.com/chzyer/readline v1.5.1
|
||||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -6,7 +6,7 @@ import (
|
||||||
|
|
||||||
v2acl "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
|
v2acl "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -28,12 +28,12 @@ func (e *ConvertEACLError) Unwrap() error {
|
||||||
return e.nested
|
return e.nested
|
||||||
}
|
}
|
||||||
|
|
||||||
// ConvertEACLToAPE converts eacl.Table to policyengine.Chain.
|
// ConvertEACLToAPE converts eacl.Table to apechain.Chain.
|
||||||
func ConvertEACLToAPE(eaclTable *eacl.Table) (*policyengine.Chain, error) {
|
func ConvertEACLToAPE(eaclTable *eacl.Table) (*apechain.Chain, error) {
|
||||||
if eaclTable == nil {
|
if eaclTable == nil {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
res := &policyengine.Chain{}
|
res := &apechain.Chain{}
|
||||||
|
|
||||||
resource := getResource(eaclTable)
|
resource := getResource(eaclTable)
|
||||||
|
|
||||||
|
@ -67,53 +67,53 @@ func ConvertEACLToAPE(eaclTable *eacl.Table) (*policyengine.Chain, error) {
|
||||||
return res, nil
|
return res, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func appendTargetsOnly(source []policyengine.Rule, st policyengine.Status, act policyengine.Actions, res policyengine.Resources, targets []eacl.Target) []policyengine.Rule {
|
func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.Actions, res apechain.Resources, targets []eacl.Target) []apechain.Rule {
|
||||||
// see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101
|
// see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101
|
||||||
// role OR public key must be equal
|
// role OR public key must be equal
|
||||||
rule := policyengine.Rule{
|
rule := apechain.Rule{
|
||||||
Status: st,
|
Status: st,
|
||||||
Actions: act,
|
Actions: act,
|
||||||
Resources: res,
|
Resources: res,
|
||||||
Any: true,
|
Any: true,
|
||||||
}
|
}
|
||||||
for _, target := range targets {
|
for _, target := range targets {
|
||||||
var roleCondition policyengine.Condition
|
var roleCondition apechain.Condition
|
||||||
roleCondition.Object = policyengine.ObjectRequest
|
roleCondition.Object = apechain.ObjectRequest
|
||||||
roleCondition.Key = nativeschema.PropertyKeyActorRole
|
roleCondition.Key = nativeschema.PropertyKeyActorRole
|
||||||
roleCondition.Value = target.Role().String()
|
roleCondition.Value = target.Role().String()
|
||||||
roleCondition.Op = policyengine.CondStringEquals
|
roleCondition.Op = apechain.CondStringEquals
|
||||||
rule.Condition = append(rule.Condition, roleCondition)
|
rule.Condition = append(rule.Condition, roleCondition)
|
||||||
|
|
||||||
for _, binKey := range target.BinaryKeys() {
|
for _, binKey := range target.BinaryKeys() {
|
||||||
var pubKeyCondition policyengine.Condition
|
var pubKeyCondition apechain.Condition
|
||||||
pubKeyCondition.Object = policyengine.ObjectRequest
|
pubKeyCondition.Object = apechain.ObjectRequest
|
||||||
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
|
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
|
||||||
pubKeyCondition.Value = hex.EncodeToString(binKey)
|
pubKeyCondition.Value = hex.EncodeToString(binKey)
|
||||||
pubKeyCondition.Op = policyengine.CondStringEquals
|
pubKeyCondition.Op = apechain.CondStringEquals
|
||||||
rule.Condition = append(rule.Condition, pubKeyCondition)
|
rule.Condition = append(rule.Condition, pubKeyCondition)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return append(source, rule)
|
return append(source, rule)
|
||||||
}
|
}
|
||||||
|
|
||||||
func appendTargetsAndFilters(source []policyengine.Rule, st policyengine.Status, act policyengine.Actions, res policyengine.Resources,
|
func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act apechain.Actions, res apechain.Resources,
|
||||||
targets []eacl.Target, filters []eacl.Filter,
|
targets []eacl.Target, filters []eacl.Filter,
|
||||||
) ([]policyengine.Rule, error) {
|
) ([]apechain.Rule, error) {
|
||||||
// see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101
|
// see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101
|
||||||
// role OR public key must be equal
|
// role OR public key must be equal
|
||||||
// so filters are repeated for each role and public key
|
// so filters are repeated for each role and public key
|
||||||
var err error
|
var err error
|
||||||
for _, target := range targets {
|
for _, target := range targets {
|
||||||
rule := policyengine.Rule{
|
rule := apechain.Rule{
|
||||||
Status: st,
|
Status: st,
|
||||||
Actions: act,
|
Actions: act,
|
||||||
Resources: res,
|
Resources: res,
|
||||||
}
|
}
|
||||||
var roleCondition policyengine.Condition
|
var roleCondition apechain.Condition
|
||||||
roleCondition.Object = policyengine.ObjectRequest
|
roleCondition.Object = apechain.ObjectRequest
|
||||||
roleCondition.Key = nativeschema.PropertyKeyActorRole
|
roleCondition.Key = nativeschema.PropertyKeyActorRole
|
||||||
roleCondition.Value = target.Role().String()
|
roleCondition.Value = target.Role().String()
|
||||||
roleCondition.Op = policyengine.CondStringEquals
|
roleCondition.Op = apechain.CondStringEquals
|
||||||
|
|
||||||
rule.Condition = append(rule.Condition, roleCondition)
|
rule.Condition = append(rule.Condition, roleCondition)
|
||||||
rule.Condition, err = appendFilters(rule.Condition, filters)
|
rule.Condition, err = appendFilters(rule.Condition, filters)
|
||||||
|
@ -124,16 +124,16 @@ func appendTargetsAndFilters(source []policyengine.Rule, st policyengine.Status,
|
||||||
source = append(source, rule)
|
source = append(source, rule)
|
||||||
|
|
||||||
for _, binKey := range target.BinaryKeys() {
|
for _, binKey := range target.BinaryKeys() {
|
||||||
rule := policyengine.Rule{
|
rule := apechain.Rule{
|
||||||
Status: st,
|
Status: st,
|
||||||
Actions: act,
|
Actions: act,
|
||||||
Resources: res,
|
Resources: res,
|
||||||
}
|
}
|
||||||
var pubKeyCondition policyengine.Condition
|
var pubKeyCondition apechain.Condition
|
||||||
pubKeyCondition.Object = policyengine.ObjectRequest
|
pubKeyCondition.Object = apechain.ObjectRequest
|
||||||
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
|
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
|
||||||
pubKeyCondition.Value = hex.EncodeToString(binKey)
|
pubKeyCondition.Value = hex.EncodeToString(binKey)
|
||||||
pubKeyCondition.Op = policyengine.CondStringEquals
|
pubKeyCondition.Op = apechain.CondStringEquals
|
||||||
|
|
||||||
rule.Condition = append(rule.Condition, pubKeyCondition)
|
rule.Condition = append(rule.Condition, pubKeyCondition)
|
||||||
rule.Condition, err = appendFilters(rule.Condition, filters)
|
rule.Condition, err = appendFilters(rule.Condition, filters)
|
||||||
|
@ -148,23 +148,23 @@ func appendTargetsAndFilters(source []policyengine.Rule, st policyengine.Status,
|
||||||
return source, nil
|
return source, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func appendFilters(source []policyengine.Condition, filters []eacl.Filter) ([]policyengine.Condition, error) {
|
func appendFilters(source []apechain.Condition, filters []eacl.Filter) ([]apechain.Condition, error) {
|
||||||
for _, filter := range filters {
|
for _, filter := range filters {
|
||||||
var cond policyengine.Condition
|
var cond apechain.Condition
|
||||||
var isObject bool
|
var isObject bool
|
||||||
if filter.From() == eacl.HeaderFromObject {
|
if filter.From() == eacl.HeaderFromObject {
|
||||||
cond.Object = policyengine.ObjectResource
|
cond.Object = apechain.ObjectResource
|
||||||
isObject = true
|
isObject = true
|
||||||
} else if filter.From() == eacl.HeaderFromRequest {
|
} else if filter.From() == eacl.HeaderFromRequest {
|
||||||
cond.Object = policyengine.ObjectRequest
|
cond.Object = apechain.ObjectRequest
|
||||||
} else {
|
} else {
|
||||||
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())}
|
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())}
|
||||||
}
|
}
|
||||||
|
|
||||||
if filter.Matcher() == eacl.MatchStringEqual {
|
if filter.Matcher() == eacl.MatchStringEqual {
|
||||||
cond.Op = policyengine.CondStringEquals
|
cond.Op = apechain.CondStringEquals
|
||||||
} else if filter.Matcher() == eacl.MatchStringNotEqual {
|
} else if filter.Matcher() == eacl.MatchStringNotEqual {
|
||||||
cond.Op = policyengine.CondStringNotEquals
|
cond.Op = apechain.CondStringNotEquals
|
||||||
} else {
|
} else {
|
||||||
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter matcher: %d", filter.Matcher())}
|
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter matcher: %d", filter.Matcher())}
|
||||||
}
|
}
|
||||||
|
@ -205,30 +205,30 @@ func eaclKeyToAPEKey(key string, isObject bool) string {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func getResource(eaclTable *eacl.Table) policyengine.Resources {
|
func getResource(eaclTable *eacl.Table) apechain.Resources {
|
||||||
cnrID, isSet := eaclTable.CID()
|
cnrID, isSet := eaclTable.CID()
|
||||||
if isSet {
|
if isSet {
|
||||||
return policyengine.Resources{
|
return apechain.Resources{
|
||||||
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cnrID.EncodeToString())},
|
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cnrID.EncodeToString())},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return policyengine.Resources{
|
return apechain.Resources{
|
||||||
Names: []string{nativeschema.ResourceFormatRootObjects},
|
Names: []string{nativeschema.ResourceFormatRootObjects},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func actionToStatus(a eacl.Action) (policyengine.Status, error) {
|
func actionToStatus(a eacl.Action) (apechain.Status, error) {
|
||||||
switch a {
|
switch a {
|
||||||
case eacl.ActionAllow:
|
case eacl.ActionAllow:
|
||||||
return policyengine.Allow, nil
|
return apechain.Allow, nil
|
||||||
case eacl.ActionDeny:
|
case eacl.ActionDeny:
|
||||||
return policyengine.AccessDenied, nil
|
return apechain.AccessDenied, nil
|
||||||
default:
|
default:
|
||||||
return policyengine.NoRuleFound, &ConvertEACLError{nested: fmt.Errorf("unknown action: %d", a)}
|
return apechain.NoRuleFound, &ConvertEACLError{nested: fmt.Errorf("unknown action: %d", a)}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var eaclOperationToEngineAction = map[eacl.Operation]policyengine.Actions{
|
var eaclOperationToEngineAction = map[eacl.Operation]apechain.Actions{
|
||||||
eacl.OperationGet: {Names: []string{nativeschema.MethodGetObject}},
|
eacl.OperationGet: {Names: []string{nativeschema.MethodGetObject}},
|
||||||
eacl.OperationHead: {Names: []string{nativeschema.MethodHeadObject}},
|
eacl.OperationHead: {Names: []string{nativeschema.MethodHeadObject}},
|
||||||
eacl.OperationPut: {Names: []string{nativeschema.MethodPutObject}},
|
eacl.OperationPut: {Names: []string{nativeschema.MethodPutObject}},
|
||||||
|
@ -238,9 +238,9 @@ var eaclOperationToEngineAction = map[eacl.Operation]policyengine.Actions{
|
||||||
eacl.OperationRangeHash: {Names: []string{nativeschema.MethodHashObject}},
|
eacl.OperationRangeHash: {Names: []string{nativeschema.MethodHashObject}},
|
||||||
}
|
}
|
||||||
|
|
||||||
func operationToAction(op eacl.Operation) (policyengine.Actions, error) {
|
func operationToAction(op eacl.Operation) (apechain.Actions, error) {
|
||||||
if v, ok := eaclOperationToEngineAction[op]; ok {
|
if v, ok := eaclOperationToEngineAction[op]; ok {
|
||||||
return v, nil
|
return v, nil
|
||||||
}
|
}
|
||||||
return policyengine.Actions{}, &ConvertEACLError{nested: fmt.Errorf("unknown operation: %d", op)}
|
return apechain.Actions{}, &ConvertEACLError{nested: fmt.Errorf("unknown operation: %d", op)}
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,7 +7,8 @@ import (
|
||||||
|
|
||||||
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
|
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
@ -393,7 +394,7 @@ func TestNoHeader(t *testing.T) {
|
||||||
compare(t, tb, vu, ch, req)
|
compare(t, tb, vu, ch, req)
|
||||||
}
|
}
|
||||||
|
|
||||||
func compare(t *testing.T, eaclTable *eacl.Table, vu *eacl.ValidationUnit, ch *policyengine.Chain, req *testRequest) {
|
func compare(t *testing.T, eaclTable *eacl.Table, vu *eacl.ValidationUnit, ch *apechain.Chain, req *testRequest) {
|
||||||
validator := eacl.NewValidator()
|
validator := eacl.NewValidator()
|
||||||
for eaclOp, apeOp := range eaclOperationToEngineAction {
|
for eaclOp, apeOp := range eaclOperationToEngineAction {
|
||||||
vu.WithOperation(eaclOp)
|
vu.WithOperation(eaclOp)
|
||||||
|
@ -406,12 +407,12 @@ func compare(t *testing.T, eaclTable *eacl.Table, vu *eacl.ValidationUnit, ch *p
|
||||||
require.NotEqual(t, eacl.ActionUnknown, eaclAct)
|
require.NotEqual(t, eacl.ActionUnknown, eaclAct)
|
||||||
if eaclAct == eacl.ActionAllow {
|
if eaclAct == eacl.ActionAllow {
|
||||||
if recordFound {
|
if recordFound {
|
||||||
require.Equal(t, policyengine.Allow, apeSt)
|
require.Equal(t, apechain.Allow, apeSt)
|
||||||
} else {
|
} else {
|
||||||
require.Equal(t, policyengine.NoRuleFound, apeSt)
|
require.Equal(t, apechain.NoRuleFound, apeSt)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
require.Equal(t, policyengine.AccessDenied, apeSt)
|
require.Equal(t, apechain.AccessDenied, apeSt)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -433,7 +434,7 @@ func (r *testRequest) Property(key string) string {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *testRequest) Resource() policyengine.Resource {
|
func (r *testRequest) Resource() resource.Resource {
|
||||||
return r.res
|
return r.res
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Container groups information about the FrostFS container stored in the FrostFS network.
|
// Container groups information about the FrostFS container stored in the FrostFS network.
|
||||||
|
@ -77,5 +77,5 @@ type EACLSource interface {
|
||||||
// policy engine chain storage.
|
// policy engine chain storage.
|
||||||
type AccessPolicyEngineChainSource interface {
|
type AccessPolicyEngineChainSource interface {
|
||||||
// TODO (aarifullin): Better to use simpler interface instead CachedChainStorage.
|
// TODO (aarifullin): Better to use simpler interface instead CachedChainStorage.
|
||||||
GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error)
|
GetChainSource(cid cid.ID) (engine.LocalOverrideEngine, error)
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,11 +2,14 @@ package control
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
|
engine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||||
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||||
"google.golang.org/grpc/codes"
|
"google.golang.org/grpc/codes"
|
||||||
"google.golang.org/grpc/status"
|
"google.golang.org/grpc/status"
|
||||||
)
|
)
|
||||||
|
@ -22,7 +25,7 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL
|
||||||
return nil, status.Error(codes.InvalidArgument, err.Error())
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
var chain policyengine.Chain
|
var chain apechain.Chain
|
||||||
if err = chain.DecodeBytes(req.GetBody().GetChain()); err != nil {
|
if err = chain.DecodeBytes(req.GetBody().GetChain()); err != nil {
|
||||||
return nil, status.Error(codes.InvalidArgument, err.Error())
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||||||
}
|
}
|
||||||
|
@ -34,9 +37,12 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL
|
||||||
|
|
||||||
s.apeChainCounter.Add(1)
|
s.apeChainCounter.Add(1)
|
||||||
// TODO (aarifullin): the such chain id is not well-designed yet.
|
// TODO (aarifullin): the such chain id is not well-designed yet.
|
||||||
chain.ID = policyengine.ChainID(fmt.Sprintf("%s:%d", policyengine.Ingress, s.apeChainCounter.Load()))
|
chain.ID = apechain.ID(fmt.Sprintf("%s:%d", apechain.Ingress, s.apeChainCounter.Load()))
|
||||||
|
|
||||||
src.AddOverride(policyengine.Ingress, &chain)
|
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
||||||
|
if _, err = src.LocalStorage().AddOverride(apechain.Ingress, resource, &chain); err != nil {
|
||||||
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
resp := &control.AddChainLocalOverrideResponse{
|
resp := &control.AddChainLocalOverrideResponse{
|
||||||
Body: &control.AddChainLocalOverrideResponse_Body{
|
Body: &control.AddChainLocalOverrideResponse_Body{
|
||||||
|
@ -66,10 +72,10 @@ func (s *Server) GetChainLocalOverride(_ context.Context, req *control.GetChainL
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
chain, found := src.GetOverride(policyengine.Ingress, policyengine.ChainID(req.GetBody().GetChainId()))
|
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
||||||
if !found {
|
chain, err := src.LocalStorage().GetOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId()))
|
||||||
err = fmt.Errorf("local override has not been found")
|
if err != nil {
|
||||||
return nil, status.Error(codes.NotFound, err.Error())
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
resp := &control.GetChainLocalOverrideResponse{
|
resp := &control.GetChainLocalOverrideResponse{
|
||||||
|
@ -100,7 +106,11 @@ func (s *Server) ListChainLocalOverrides(_ context.Context, req *control.ListCha
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
chains := src.ListOverrides(policyengine.Ingress)
|
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
||||||
|
chains, err := src.LocalStorage().ListOverrides(apechain.Ingress, resource)
|
||||||
|
if err != nil {
|
||||||
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
||||||
|
}
|
||||||
serializedChains := make([][]byte, 0, len(chains))
|
serializedChains := make([][]byte, 0, len(chains))
|
||||||
for _, chain := range chains {
|
for _, chain := range chains {
|
||||||
serializedChains = append(serializedChains, chain.Bytes())
|
serializedChains = append(serializedChains, chain.Bytes())
|
||||||
|
@ -134,10 +144,13 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
removed := src.RemoveOverride(policyengine.Ingress, policyengine.ChainID(req.GetBody().GetChainId()))
|
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
||||||
|
if err = src.LocalStorage().RemoveOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId())); err != nil {
|
||||||
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
||||||
|
}
|
||||||
resp := &control.RemoveChainLocalOverrideResponse{
|
resp := &control.RemoveChainLocalOverrideResponse{
|
||||||
Body: &control.RemoveChainLocalOverrideResponse_Body{
|
Body: &control.RemoveChainLocalOverrideResponse_Body{
|
||||||
Removed: removed,
|
Removed: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
err = SignMessage(s.key, resp)
|
err = SignMessage(s.key, resp)
|
||||||
|
@ -146,3 +159,10 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
|
||||||
}
|
}
|
||||||
return resp, nil
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getCodeByLocalStorageErr(err error) codes.Code {
|
||||||
|
if errors.Is(err, engine.ErrChainNotFound) {
|
||||||
|
return codes.NotFound
|
||||||
|
}
|
||||||
|
return codes.Internal
|
||||||
|
}
|
||||||
|
|
|
@ -8,7 +8,7 @@ import (
|
||||||
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
||||||
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
)
|
)
|
||||||
|
|
||||||
var errAPEChainNoSource = errors.New("could not get ape chain source for the container")
|
var errAPEChainNoSource = errors.New("could not get ape chain source for the container")
|
||||||
|
@ -36,9 +36,12 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
|
||||||
request := new(Request)
|
request := new(Request)
|
||||||
request.FromRequestInfo(reqInfo)
|
request.FromRequestInfo(reqInfo)
|
||||||
|
|
||||||
status, ruleFound := chainCache.IsAllowed(policyengine.Ingress, "", request)
|
status, ruleFound, err := chainCache.IsAllowed(apechain.Ingress, "", request)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
if !ruleFound || status == policyengine.Allow {
|
if !ruleFound || status == apechain.Allow {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -47,7 +50,7 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
|
||||||
|
|
||||||
const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"
|
const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"
|
||||||
|
|
||||||
func apeErr(req v2.RequestInfo, status policyengine.Status) error {
|
func apeErr(req v2.RequestInfo, status apechain.Status) error {
|
||||||
errAccessDenied := &apistatus.ObjectAccessDenied{}
|
errAccessDenied := &apistatus.ObjectAccessDenied{}
|
||||||
errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String()))
|
errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String()))
|
||||||
return errAccessDenied
|
return errAccessDenied
|
||||||
|
|
|
@ -5,7 +5,8 @@ import (
|
||||||
|
|
||||||
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
||||||
aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
||||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
aperesource "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
|
||||||
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||||
)
|
)
|
||||||
|
|
||||||
type Request struct {
|
type Request struct {
|
||||||
|
@ -14,14 +15,14 @@ type Request struct {
|
||||||
properties map[string]string
|
properties map[string]string
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ policyengine.Request = (*Request)(nil)
|
var _ aperesource.Request = (*Request)(nil)
|
||||||
|
|
||||||
type resource struct {
|
type resource struct {
|
||||||
name string
|
name string
|
||||||
properties map[string]string
|
properties map[string]string
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ policyengine.Resource = (*resource)(nil)
|
var _ aperesource.Resource = (*resource)(nil)
|
||||||
|
|
||||||
func (r *resource) Name() string {
|
func (r *resource) Name() string {
|
||||||
return r.name
|
return r.name
|
||||||
|
@ -31,18 +32,14 @@ func (r *resource) Property(key string) string {
|
||||||
return r.properties[key]
|
return r.properties[key]
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO (aarifullin): these stringified verbs, properties and namespaces
|
|
||||||
// should be non-implementation-specific.
|
|
||||||
func getResource(reqInfo v2.RequestInfo) *resource {
|
func getResource(reqInfo v2.RequestInfo) *resource {
|
||||||
|
var name string
|
||||||
cid := reqInfo.ContainerID()
|
cid := reqInfo.ContainerID()
|
||||||
oid := "*"
|
if oid := reqInfo.ObjectID(); oid != nil {
|
||||||
if reqOID := reqInfo.ObjectID(); reqOID != nil {
|
name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, cid.EncodeToString(), oid.EncodeToString())
|
||||||
oid = reqOID.EncodeToString()
|
} else {
|
||||||
|
name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
||||||
}
|
}
|
||||||
name := fmt.Sprintf("native:::object/%s/%s",
|
|
||||||
cid,
|
|
||||||
oid)
|
|
||||||
|
|
||||||
return &resource{
|
return &resource{
|
||||||
name: name,
|
name: name,
|
||||||
properties: make(map[string]string),
|
properties: make(map[string]string),
|
||||||
|
@ -51,32 +48,30 @@ func getResource(reqInfo v2.RequestInfo) *resource {
|
||||||
|
|
||||||
func getProperties(_ v2.RequestInfo) map[string]string {
|
func getProperties(_ v2.RequestInfo) map[string]string {
|
||||||
return map[string]string{
|
return map[string]string{
|
||||||
"Actor": "",
|
nativeschema.PropertyKeyActorPublicKey: "",
|
||||||
|
nativeschema.PropertyKeyActorRole: "",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO (aarifullin): these stringified verbs, properties and namespaces
|
|
||||||
// should be non-implementation-specific.
|
|
||||||
func getOperation(reqInfo v2.RequestInfo) string {
|
func getOperation(reqInfo v2.RequestInfo) string {
|
||||||
var verb string
|
|
||||||
switch op := reqInfo.Operation(); op {
|
switch op := reqInfo.Operation(); op {
|
||||||
case aclSDK.OpObjectGet:
|
case aclSDK.OpObjectGet:
|
||||||
verb = "GetObject"
|
return nativeschema.MethodGetObject
|
||||||
case aclSDK.OpObjectHead:
|
case aclSDK.OpObjectHead:
|
||||||
verb = "HeadObject"
|
return nativeschema.MethodHeadObject
|
||||||
case aclSDK.OpObjectPut:
|
case aclSDK.OpObjectPut:
|
||||||
verb = "PutObject"
|
return nativeschema.MethodPutObject
|
||||||
case aclSDK.OpObjectDelete:
|
case aclSDK.OpObjectDelete:
|
||||||
verb = "DeleteObject"
|
return nativeschema.MethodDeleteObject
|
||||||
case aclSDK.OpObjectSearch:
|
case aclSDK.OpObjectSearch:
|
||||||
verb = "SearchObject"
|
return nativeschema.MethodSearchObject
|
||||||
case aclSDK.OpObjectRange:
|
case aclSDK.OpObjectRange:
|
||||||
verb = "RangeObject"
|
return nativeschema.MethodRangeObject
|
||||||
case aclSDK.OpObjectHash:
|
case aclSDK.OpObjectHash:
|
||||||
verb = "HashObject"
|
return nativeschema.MethodHashObject
|
||||||
|
default:
|
||||||
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
return "native:" + verb
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewRequest() *Request {
|
func NewRequest() *Request {
|
||||||
|
@ -100,6 +95,6 @@ func (r *Request) Property(key string) string {
|
||||||
return r.properties[key]
|
return r.properties[key]
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *Request) Resource() policyengine.Resource {
|
func (r *Request) Resource() aperesource.Resource {
|
||||||
return r.resource
|
return r.resource
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue