[#811] ape: Update policy-engine module version and rebase

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2023-11-16 10:58:55 +03:00
parent fd9128d051
commit 4d5be5ccb5
14 changed files with 149 additions and 129 deletions

View file

@ -12,7 +12,7 @@ import (
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common" commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
ape "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
@ -50,7 +50,7 @@ func addRule(cmd *cobra.Command, _ []string) {
rule, _ := cmd.Flags().GetString(ruleFlag) rule, _ := cmd.Flags().GetString(ruleFlag)
chain := new(ape.Chain) chain := new(apechain.Chain)
commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, []string{rule})) commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, []string{rule}))
serializedChain := chain.Bytes() serializedChain := chain.Bytes()

View file

@ -9,7 +9,7 @@ import (
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common" commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
@ -53,7 +53,7 @@ func getRule(cmd *cobra.Command, _ []string) {
verifyResponse(cmd, resp.GetSignature(), resp.GetBody()) verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
var chain policyengine.Chain var chain apechain.Chain
commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(resp.GetBody().GetChain())) commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(resp.GetBody().GetChain()))
// TODO (aarifullin): make pretty-formatted output for chains. // TODO (aarifullin): make pretty-formatted output for chains.

View file

@ -9,7 +9,7 @@ import (
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common" commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
@ -58,7 +58,7 @@ func listRules(cmd *cobra.Command, _ []string) {
for _, c := range chains { for _, c := range chains {
// TODO (aarifullin): make pretty-formatted output for chains. // TODO (aarifullin): make pretty-formatted output for chains.
var chain policyengine.Chain var chain apechain.Chain
commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(c)) commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(c))
cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, chain.Bytes())) cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, chain.Bytes()))
} }

View file

@ -5,7 +5,7 @@ import (
"fmt" "fmt"
"strings" "strings"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/flynn-archive/go-shlex" "github.com/flynn-archive/go-shlex"
) )
@ -21,13 +21,13 @@ var (
) )
// ParseAPEChain parses APE chain rules. // ParseAPEChain parses APE chain rules.
func ParseAPEChain(chain *policyengine.Chain, rules []string) error { func ParseAPEChain(chain *apechain.Chain, rules []string) error {
if len(rules) == 0 { if len(rules) == 0 {
return errors.New("no APE rules provided") return errors.New("no APE rules provided")
} }
for _, rule := range rules { for _, rule := range rules {
r := new(policyengine.Rule) r := new(apechain.Rule)
if err := ParseAPERule(r, rule); err != nil { if err := ParseAPERule(r, rule); err != nil {
return err return err
} }
@ -47,7 +47,7 @@ func ParseAPEChain(chain *policyengine.Chain, rules []string) error {
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA * // allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
// //
//nolint:godot //nolint:godot
func ParseAPERule(r *policyengine.Rule, rule string) error { func ParseAPERule(r *apechain.Rule, rule string) error {
lexemes, err := shlex.Split(rule) lexemes, err := shlex.Split(rule)
if err != nil { if err != nil {
return fmt.Errorf("can't parse rule '%s': %v", rule, err) return fmt.Errorf("can't parse rule '%s': %v", rule, err)
@ -55,7 +55,7 @@ func ParseAPERule(r *policyengine.Rule, rule string) error {
return parseRuleLexemes(r, lexemes) return parseRuleLexemes(r, lexemes)
} }
func parseRuleLexemes(r *policyengine.Rule, lexemes []string) error { func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
if len(lexemes) < 2 { if len(lexemes) < 2 {
return errInvalidStatementFormat return errInvalidStatementFormat
} }
@ -80,14 +80,14 @@ func parseRuleLexemes(r *policyengine.Rule, lexemes []string) error {
return err return err
} }
func parseStatus(lexeme string) (policyengine.Status, error) { func parseStatus(lexeme string) (apechain.Status, error) {
action, expression, found := strings.Cut(lexeme, ":") action, expression, found := strings.Cut(lexeme, ":")
switch action = strings.ToLower(action); action { switch action = strings.ToLower(action); action {
case "deny": case "deny":
if !found { if !found {
return policyengine.AccessDenied, nil return apechain.AccessDenied, nil
} else if strings.EqualFold(expression, "QuotaLimitReached") { } else if strings.EqualFold(expression, "QuotaLimitReached") {
return policyengine.QuotaLimitReached, nil return apechain.QuotaLimitReached, nil
} else { } else {
return 0, fmt.Errorf("%w: %s", errUnknownActionDetail, expression) return 0, fmt.Errorf("%w: %s", errUnknownActionDetail, expression)
} }
@ -95,38 +95,38 @@ func parseStatus(lexeme string) (policyengine.Status, error) {
if found { if found {
return 0, errUnknownActionDetail return 0, errUnknownActionDetail
} }
return policyengine.Allow, nil return apechain.Allow, nil
default: default:
return 0, errUnknownAction return 0, errUnknownAction
} }
} }
func parseAction(lexeme string) (policyengine.Actions, error) { func parseAction(lexeme string) (apechain.Actions, error) {
switch strings.ToLower(lexeme) { switch strings.ToLower(lexeme) {
case "object.put": case "object.put":
return policyengine.Actions{Names: []string{nativeschema.MethodPutObject}}, nil return apechain.Actions{Names: []string{nativeschema.MethodPutObject}}, nil
case "object.get": case "object.get":
return policyengine.Actions{Names: []string{nativeschema.MethodGetObject}}, nil return apechain.Actions{Names: []string{nativeschema.MethodGetObject}}, nil
case "object.head": case "object.head":
return policyengine.Actions{Names: []string{nativeschema.MethodHeadObject}}, nil return apechain.Actions{Names: []string{nativeschema.MethodHeadObject}}, nil
case "object.delete": case "object.delete":
return policyengine.Actions{Names: []string{nativeschema.MethodDeleteObject}}, nil return apechain.Actions{Names: []string{nativeschema.MethodDeleteObject}}, nil
case "object.search": case "object.search":
return policyengine.Actions{Names: []string{nativeschema.MethodSearchObject}}, nil return apechain.Actions{Names: []string{nativeschema.MethodSearchObject}}, nil
case "object.range": case "object.range":
return policyengine.Actions{Names: []string{nativeschema.MethodRangeObject}}, nil return apechain.Actions{Names: []string{nativeschema.MethodRangeObject}}, nil
case "object.hash": case "object.hash":
return policyengine.Actions{Names: []string{nativeschema.MethodHashObject}}, nil return apechain.Actions{Names: []string{nativeschema.MethodHashObject}}, nil
default: default:
} }
return policyengine.Actions{}, fmt.Errorf("%w: %s", errUnknownOperation, lexeme) return apechain.Actions{}, fmt.Errorf("%w: %s", errUnknownOperation, lexeme)
} }
func parseResource(lexeme string) (policyengine.Resources, error) { func parseResource(lexeme string) (apechain.Resources, error) {
if lexeme == "*" { if lexeme == "*" {
return policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, nil return apechain.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, nil
} }
return policyengine.Resources{Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, lexeme)}}, nil return apechain.Resources{Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, lexeme)}}, nil
} }
const ( const (
@ -134,13 +134,13 @@ const (
ObjectRequest = "object.request" ObjectRequest = "object.request"
) )
var typeToCondObject = map[string]policyengine.ObjectType{ var typeToCondObject = map[string]apechain.ObjectType{
ObjectResource: policyengine.ObjectResource, ObjectResource: apechain.ObjectResource,
ObjectRequest: policyengine.ObjectRequest, ObjectRequest: apechain.ObjectRequest,
} }
func parseConditions(lexemes []string) ([]policyengine.Condition, error) { func parseConditions(lexemes []string) ([]apechain.Condition, error) {
conds := make([]policyengine.Condition, 0) conds := make([]apechain.Condition, 0)
for _, lexeme := range lexemes { for _, lexeme := range lexemes {
typ, expression, found := strings.Cut(lexeme, ":") typ, expression, found := strings.Cut(lexeme, ":")
@ -155,7 +155,7 @@ func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
var lhs, rhs string var lhs, rhs string
var binExpFound bool var binExpFound bool
var cond policyengine.Condition var cond apechain.Condition
cond.Object = objType cond.Object = objType
lhs, rhs, binExpFound = strings.Cut(expression, "!=") lhs, rhs, binExpFound = strings.Cut(expression, "!=")
@ -164,9 +164,9 @@ func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
if !binExpFound { if !binExpFound {
return nil, fmt.Errorf("%w: %s", errUnknownBinaryOperator, expression) return nil, fmt.Errorf("%w: %s", errUnknownBinaryOperator, expression)
} }
cond.Op = policyengine.CondStringEquals cond.Op = apechain.CondStringEquals
} else { } else {
cond.Op = policyengine.CondStringNotEquals cond.Op = apechain.CondStringNotEquals
} }
cond.Key, cond.Value = lhs, rhs cond.Key, cond.Value = lhs, rhs

View file

@ -3,7 +3,7 @@ package util
import ( import (
"testing" "testing"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )

View file

@ -5,23 +5,24 @@ import (
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
) )
type apeChainSourceImpl struct { type apeChainSourceImpl struct {
mtx sync.Mutex mtx sync.Mutex
localChainStorage map[cid.ID]policyengine.CachedChainStorage localChainStorage map[cid.ID]engine.LocalOverrideEngine
} }
func NewAPESource() container.AccessPolicyEngineChainSource { func NewAPESource() container.AccessPolicyEngineChainSource {
return &apeChainSourceImpl{ return &apeChainSourceImpl{
localChainStorage: make(map[cid.ID]policyengine.CachedChainStorage), localChainStorage: make(map[cid.ID]engine.LocalOverrideEngine),
} }
} }
var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil) var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil)
func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error) { func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (engine.LocalOverrideEngine, error) {
c.mtx.Lock() c.mtx.Lock()
defer c.mtx.Unlock() defer c.mtx.Unlock()
@ -29,6 +30,6 @@ func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChai
if ok { if ok {
return s, nil return s, nil
} }
c.localChainStorage[cid] = policyengine.NewInMemory() c.localChainStorage[cid] = inmemory.NewInMemoryLocalOverrides()
return c.localChainStorage[cid], nil return c.localChainStorage[cid], nil
} }

2
go.mod
View file

@ -8,7 +8,7 @@ require (
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d
git.frostfs.info/TrueCloudLab/hrw v1.2.1 git.frostfs.info/TrueCloudLab/hrw v1.2.1
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231114100951-38985e4ec86b git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231115094736-5db67021e10f
git.frostfs.info/TrueCloudLab/tzhash v1.8.0 git.frostfs.info/TrueCloudLab/tzhash v1.8.0
github.com/cheggaaa/pb v1.0.29 github.com/cheggaaa/pb v1.0.29
github.com/chzyer/readline v1.5.1 github.com/chzyer/readline v1.5.1

BIN
go.sum

Binary file not shown.

View file

@ -6,7 +6,7 @@ import (
v2acl "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl" v2acl "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
) )
@ -28,12 +28,12 @@ func (e *ConvertEACLError) Unwrap() error {
return e.nested return e.nested
} }
// ConvertEACLToAPE converts eacl.Table to policyengine.Chain. // ConvertEACLToAPE converts eacl.Table to apechain.Chain.
func ConvertEACLToAPE(eaclTable *eacl.Table) (*policyengine.Chain, error) { func ConvertEACLToAPE(eaclTable *eacl.Table) (*apechain.Chain, error) {
if eaclTable == nil { if eaclTable == nil {
return nil, nil return nil, nil
} }
res := &policyengine.Chain{} res := &apechain.Chain{}
resource := getResource(eaclTable) resource := getResource(eaclTable)
@ -67,53 +67,53 @@ func ConvertEACLToAPE(eaclTable *eacl.Table) (*policyengine.Chain, error) {
return res, nil return res, nil
} }
func appendTargetsOnly(source []policyengine.Rule, st policyengine.Status, act policyengine.Actions, res policyengine.Resources, targets []eacl.Target) []policyengine.Rule { func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.Actions, res apechain.Resources, targets []eacl.Target) []apechain.Rule {
// see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101 // see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101
// role OR public key must be equal // role OR public key must be equal
rule := policyengine.Rule{ rule := apechain.Rule{
Status: st, Status: st,
Actions: act, Actions: act,
Resources: res, Resources: res,
Any: true, Any: true,
} }
for _, target := range targets { for _, target := range targets {
var roleCondition policyengine.Condition var roleCondition apechain.Condition
roleCondition.Object = policyengine.ObjectRequest roleCondition.Object = apechain.ObjectRequest
roleCondition.Key = nativeschema.PropertyKeyActorRole roleCondition.Key = nativeschema.PropertyKeyActorRole
roleCondition.Value = target.Role().String() roleCondition.Value = target.Role().String()
roleCondition.Op = policyengine.CondStringEquals roleCondition.Op = apechain.CondStringEquals
rule.Condition = append(rule.Condition, roleCondition) rule.Condition = append(rule.Condition, roleCondition)
for _, binKey := range target.BinaryKeys() { for _, binKey := range target.BinaryKeys() {
var pubKeyCondition policyengine.Condition var pubKeyCondition apechain.Condition
pubKeyCondition.Object = policyengine.ObjectRequest pubKeyCondition.Object = apechain.ObjectRequest
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
pubKeyCondition.Value = hex.EncodeToString(binKey) pubKeyCondition.Value = hex.EncodeToString(binKey)
pubKeyCondition.Op = policyengine.CondStringEquals pubKeyCondition.Op = apechain.CondStringEquals
rule.Condition = append(rule.Condition, pubKeyCondition) rule.Condition = append(rule.Condition, pubKeyCondition)
} }
} }
return append(source, rule) return append(source, rule)
} }
func appendTargetsAndFilters(source []policyengine.Rule, st policyengine.Status, act policyengine.Actions, res policyengine.Resources, func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act apechain.Actions, res apechain.Resources,
targets []eacl.Target, filters []eacl.Filter, targets []eacl.Target, filters []eacl.Filter,
) ([]policyengine.Rule, error) { ) ([]apechain.Rule, error) {
// see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101 // see https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/ab75edd70939564421936d207ef80d6c1398b51b/eacl/validator.go#L101
// role OR public key must be equal // role OR public key must be equal
// so filters are repeated for each role and public key // so filters are repeated for each role and public key
var err error var err error
for _, target := range targets { for _, target := range targets {
rule := policyengine.Rule{ rule := apechain.Rule{
Status: st, Status: st,
Actions: act, Actions: act,
Resources: res, Resources: res,
} }
var roleCondition policyengine.Condition var roleCondition apechain.Condition
roleCondition.Object = policyengine.ObjectRequest roleCondition.Object = apechain.ObjectRequest
roleCondition.Key = nativeschema.PropertyKeyActorRole roleCondition.Key = nativeschema.PropertyKeyActorRole
roleCondition.Value = target.Role().String() roleCondition.Value = target.Role().String()
roleCondition.Op = policyengine.CondStringEquals roleCondition.Op = apechain.CondStringEquals
rule.Condition = append(rule.Condition, roleCondition) rule.Condition = append(rule.Condition, roleCondition)
rule.Condition, err = appendFilters(rule.Condition, filters) rule.Condition, err = appendFilters(rule.Condition, filters)
@ -124,16 +124,16 @@ func appendTargetsAndFilters(source []policyengine.Rule, st policyengine.Status,
source = append(source, rule) source = append(source, rule)
for _, binKey := range target.BinaryKeys() { for _, binKey := range target.BinaryKeys() {
rule := policyengine.Rule{ rule := apechain.Rule{
Status: st, Status: st,
Actions: act, Actions: act,
Resources: res, Resources: res,
} }
var pubKeyCondition policyengine.Condition var pubKeyCondition apechain.Condition
pubKeyCondition.Object = policyengine.ObjectRequest pubKeyCondition.Object = apechain.ObjectRequest
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
pubKeyCondition.Value = hex.EncodeToString(binKey) pubKeyCondition.Value = hex.EncodeToString(binKey)
pubKeyCondition.Op = policyengine.CondStringEquals pubKeyCondition.Op = apechain.CondStringEquals
rule.Condition = append(rule.Condition, pubKeyCondition) rule.Condition = append(rule.Condition, pubKeyCondition)
rule.Condition, err = appendFilters(rule.Condition, filters) rule.Condition, err = appendFilters(rule.Condition, filters)
@ -148,23 +148,23 @@ func appendTargetsAndFilters(source []policyengine.Rule, st policyengine.Status,
return source, nil return source, nil
} }
func appendFilters(source []policyengine.Condition, filters []eacl.Filter) ([]policyengine.Condition, error) { func appendFilters(source []apechain.Condition, filters []eacl.Filter) ([]apechain.Condition, error) {
for _, filter := range filters { for _, filter := range filters {
var cond policyengine.Condition var cond apechain.Condition
var isObject bool var isObject bool
if filter.From() == eacl.HeaderFromObject { if filter.From() == eacl.HeaderFromObject {
cond.Object = policyengine.ObjectResource cond.Object = apechain.ObjectResource
isObject = true isObject = true
} else if filter.From() == eacl.HeaderFromRequest { } else if filter.From() == eacl.HeaderFromRequest {
cond.Object = policyengine.ObjectRequest cond.Object = apechain.ObjectRequest
} else { } else {
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())} return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())}
} }
if filter.Matcher() == eacl.MatchStringEqual { if filter.Matcher() == eacl.MatchStringEqual {
cond.Op = policyengine.CondStringEquals cond.Op = apechain.CondStringEquals
} else if filter.Matcher() == eacl.MatchStringNotEqual { } else if filter.Matcher() == eacl.MatchStringNotEqual {
cond.Op = policyengine.CondStringNotEquals cond.Op = apechain.CondStringNotEquals
} else { } else {
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter matcher: %d", filter.Matcher())} return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter matcher: %d", filter.Matcher())}
} }
@ -205,30 +205,30 @@ func eaclKeyToAPEKey(key string, isObject bool) string {
} }
} }
func getResource(eaclTable *eacl.Table) policyengine.Resources { func getResource(eaclTable *eacl.Table) apechain.Resources {
cnrID, isSet := eaclTable.CID() cnrID, isSet := eaclTable.CID()
if isSet { if isSet {
return policyengine.Resources{ return apechain.Resources{
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cnrID.EncodeToString())}, Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cnrID.EncodeToString())},
} }
} }
return policyengine.Resources{ return apechain.Resources{
Names: []string{nativeschema.ResourceFormatRootObjects}, Names: []string{nativeschema.ResourceFormatRootObjects},
} }
} }
func actionToStatus(a eacl.Action) (policyengine.Status, error) { func actionToStatus(a eacl.Action) (apechain.Status, error) {
switch a { switch a {
case eacl.ActionAllow: case eacl.ActionAllow:
return policyengine.Allow, nil return apechain.Allow, nil
case eacl.ActionDeny: case eacl.ActionDeny:
return policyengine.AccessDenied, nil return apechain.AccessDenied, nil
default: default:
return policyengine.NoRuleFound, &ConvertEACLError{nested: fmt.Errorf("unknown action: %d", a)} return apechain.NoRuleFound, &ConvertEACLError{nested: fmt.Errorf("unknown action: %d", a)}
} }
} }
var eaclOperationToEngineAction = map[eacl.Operation]policyengine.Actions{ var eaclOperationToEngineAction = map[eacl.Operation]apechain.Actions{
eacl.OperationGet: {Names: []string{nativeschema.MethodGetObject}}, eacl.OperationGet: {Names: []string{nativeschema.MethodGetObject}},
eacl.OperationHead: {Names: []string{nativeschema.MethodHeadObject}}, eacl.OperationHead: {Names: []string{nativeschema.MethodHeadObject}},
eacl.OperationPut: {Names: []string{nativeschema.MethodPutObject}}, eacl.OperationPut: {Names: []string{nativeschema.MethodPutObject}},
@ -238,9 +238,9 @@ var eaclOperationToEngineAction = map[eacl.Operation]policyengine.Actions{
eacl.OperationRangeHash: {Names: []string{nativeschema.MethodHashObject}}, eacl.OperationRangeHash: {Names: []string{nativeschema.MethodHashObject}},
} }
func operationToAction(op eacl.Operation) (policyengine.Actions, error) { func operationToAction(op eacl.Operation) (apechain.Actions, error) {
if v, ok := eaclOperationToEngineAction[op]; ok { if v, ok := eaclOperationToEngineAction[op]; ok {
return v, nil return v, nil
} }
return policyengine.Actions{}, &ConvertEACLError{nested: fmt.Errorf("unknown operation: %d", op)} return apechain.Actions{}, &ConvertEACLError{nested: fmt.Errorf("unknown operation: %d", op)}
} }

View file

@ -7,7 +7,8 @@ import (
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test" cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -393,7 +394,7 @@ func TestNoHeader(t *testing.T) {
compare(t, tb, vu, ch, req) compare(t, tb, vu, ch, req)
} }
func compare(t *testing.T, eaclTable *eacl.Table, vu *eacl.ValidationUnit, ch *policyengine.Chain, req *testRequest) { func compare(t *testing.T, eaclTable *eacl.Table, vu *eacl.ValidationUnit, ch *apechain.Chain, req *testRequest) {
validator := eacl.NewValidator() validator := eacl.NewValidator()
for eaclOp, apeOp := range eaclOperationToEngineAction { for eaclOp, apeOp := range eaclOperationToEngineAction {
vu.WithOperation(eaclOp) vu.WithOperation(eaclOp)
@ -406,12 +407,12 @@ func compare(t *testing.T, eaclTable *eacl.Table, vu *eacl.ValidationUnit, ch *p
require.NotEqual(t, eacl.ActionUnknown, eaclAct) require.NotEqual(t, eacl.ActionUnknown, eaclAct)
if eaclAct == eacl.ActionAllow { if eaclAct == eacl.ActionAllow {
if recordFound { if recordFound {
require.Equal(t, policyengine.Allow, apeSt) require.Equal(t, apechain.Allow, apeSt)
} else { } else {
require.Equal(t, policyengine.NoRuleFound, apeSt) require.Equal(t, apechain.NoRuleFound, apeSt)
} }
} else { } else {
require.Equal(t, policyengine.AccessDenied, apeSt) require.Equal(t, apechain.AccessDenied, apeSt)
} }
} }
} }
@ -433,7 +434,7 @@ func (r *testRequest) Property(key string) string {
return "" return ""
} }
func (r *testRequest) Resource() policyengine.Resource { func (r *testRequest) Resource() resource.Resource {
return r.res return r.res
} }

View file

@ -7,7 +7,7 @@ import (
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
) )
// Container groups information about the FrostFS container stored in the FrostFS network. // Container groups information about the FrostFS container stored in the FrostFS network.
@ -77,5 +77,5 @@ type EACLSource interface {
// policy engine chain storage. // policy engine chain storage.
type AccessPolicyEngineChainSource interface { type AccessPolicyEngineChainSource interface {
// TODO (aarifullin): Better to use simpler interface instead CachedChainStorage. // TODO (aarifullin): Better to use simpler interface instead CachedChainStorage.
GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error) GetChainSource(cid cid.ID) (engine.LocalOverrideEngine, error)
} }

View file

@ -2,11 +2,14 @@ package control
import ( import (
"context" "context"
"errors"
"fmt" "fmt"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
engine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
) )
@ -22,7 +25,7 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL
return nil, status.Error(codes.InvalidArgument, err.Error()) return nil, status.Error(codes.InvalidArgument, err.Error())
} }
var chain policyengine.Chain var chain apechain.Chain
if err = chain.DecodeBytes(req.GetBody().GetChain()); err != nil { if err = chain.DecodeBytes(req.GetBody().GetChain()); err != nil {
return nil, status.Error(codes.InvalidArgument, err.Error()) return nil, status.Error(codes.InvalidArgument, err.Error())
} }
@ -34,9 +37,12 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL
s.apeChainCounter.Add(1) s.apeChainCounter.Add(1)
// TODO (aarifullin): the such chain id is not well-designed yet. // TODO (aarifullin): the such chain id is not well-designed yet.
chain.ID = policyengine.ChainID(fmt.Sprintf("%s:%d", policyengine.Ingress, s.apeChainCounter.Load())) chain.ID = apechain.ID(fmt.Sprintf("%s:%d", apechain.Ingress, s.apeChainCounter.Load()))
src.AddOverride(policyengine.Ingress, &chain) resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
if _, err = src.LocalStorage().AddOverride(apechain.Ingress, resource, &chain); err != nil {
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
}
resp := &control.AddChainLocalOverrideResponse{ resp := &control.AddChainLocalOverrideResponse{
Body: &control.AddChainLocalOverrideResponse_Body{ Body: &control.AddChainLocalOverrideResponse_Body{
@ -66,10 +72,10 @@ func (s *Server) GetChainLocalOverride(_ context.Context, req *control.GetChainL
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
} }
chain, found := src.GetOverride(policyengine.Ingress, policyengine.ChainID(req.GetBody().GetChainId())) resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
if !found { chain, err := src.LocalStorage().GetOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId()))
err = fmt.Errorf("local override has not been found") if err != nil {
return nil, status.Error(codes.NotFound, err.Error()) return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
} }
resp := &control.GetChainLocalOverrideResponse{ resp := &control.GetChainLocalOverrideResponse{
@ -100,7 +106,11 @@ func (s *Server) ListChainLocalOverrides(_ context.Context, req *control.ListCha
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
} }
chains := src.ListOverrides(policyengine.Ingress) resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
chains, err := src.LocalStorage().ListOverrides(apechain.Ingress, resource)
if err != nil {
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
}
serializedChains := make([][]byte, 0, len(chains)) serializedChains := make([][]byte, 0, len(chains))
for _, chain := range chains { for _, chain := range chains {
serializedChains = append(serializedChains, chain.Bytes()) serializedChains = append(serializedChains, chain.Bytes())
@ -134,10 +144,13 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
} }
removed := src.RemoveOverride(policyengine.Ingress, policyengine.ChainID(req.GetBody().GetChainId())) resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
if err = src.LocalStorage().RemoveOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId())); err != nil {
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
}
resp := &control.RemoveChainLocalOverrideResponse{ resp := &control.RemoveChainLocalOverrideResponse{
Body: &control.RemoveChainLocalOverrideResponse_Body{ Body: &control.RemoveChainLocalOverrideResponse_Body{
Removed: removed, Removed: true,
}, },
} }
err = SignMessage(s.key, resp) err = SignMessage(s.key, resp)
@ -146,3 +159,10 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
} }
return resp, nil return resp, nil
} }
func getCodeByLocalStorageErr(err error) codes.Code {
if errors.Is(err, engine.ErrChainNotFound) {
return codes.NotFound
}
return codes.Internal
}

View file

@ -8,7 +8,7 @@ import (
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2" v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status" apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
) )
var errAPEChainNoSource = errors.New("could not get ape chain source for the container") var errAPEChainNoSource = errors.New("could not get ape chain source for the container")
@ -36,9 +36,12 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
request := new(Request) request := new(Request)
request.FromRequestInfo(reqInfo) request.FromRequestInfo(reqInfo)
status, ruleFound := chainCache.IsAllowed(policyengine.Ingress, "", request) status, ruleFound, err := chainCache.IsAllowed(apechain.Ingress, "", request)
if err != nil {
return err
}
if !ruleFound || status == policyengine.Allow { if !ruleFound || status == apechain.Allow {
return nil return nil
} }
@ -47,7 +50,7 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s" const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"
func apeErr(req v2.RequestInfo, status policyengine.Status) error { func apeErr(req v2.RequestInfo, status apechain.Status) error {
errAccessDenied := &apistatus.ObjectAccessDenied{} errAccessDenied := &apistatus.ObjectAccessDenied{}
errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String())) errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String()))
return errAccessDenied return errAccessDenied

View file

@ -5,7 +5,8 @@ import (
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2" v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl" aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine" aperesource "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
) )
type Request struct { type Request struct {
@ -14,14 +15,14 @@ type Request struct {
properties map[string]string properties map[string]string
} }
var _ policyengine.Request = (*Request)(nil) var _ aperesource.Request = (*Request)(nil)
type resource struct { type resource struct {
name string name string
properties map[string]string properties map[string]string
} }
var _ policyengine.Resource = (*resource)(nil) var _ aperesource.Resource = (*resource)(nil)
func (r *resource) Name() string { func (r *resource) Name() string {
return r.name return r.name
@ -31,18 +32,14 @@ func (r *resource) Property(key string) string {
return r.properties[key] return r.properties[key]
} }
// TODO (aarifullin): these stringified verbs, properties and namespaces
// should be non-implementation-specific.
func getResource(reqInfo v2.RequestInfo) *resource { func getResource(reqInfo v2.RequestInfo) *resource {
var name string
cid := reqInfo.ContainerID() cid := reqInfo.ContainerID()
oid := "*" if oid := reqInfo.ObjectID(); oid != nil {
if reqOID := reqInfo.ObjectID(); reqOID != nil { name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, cid.EncodeToString(), oid.EncodeToString())
oid = reqOID.EncodeToString() } else {
name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
} }
name := fmt.Sprintf("native:::object/%s/%s",
cid,
oid)
return &resource{ return &resource{
name: name, name: name,
properties: make(map[string]string), properties: make(map[string]string),
@ -51,32 +48,30 @@ func getResource(reqInfo v2.RequestInfo) *resource {
func getProperties(_ v2.RequestInfo) map[string]string { func getProperties(_ v2.RequestInfo) map[string]string {
return map[string]string{ return map[string]string{
"Actor": "", nativeschema.PropertyKeyActorPublicKey: "",
nativeschema.PropertyKeyActorRole: "",
} }
} }
// TODO (aarifullin): these stringified verbs, properties and namespaces
// should be non-implementation-specific.
func getOperation(reqInfo v2.RequestInfo) string { func getOperation(reqInfo v2.RequestInfo) string {
var verb string
switch op := reqInfo.Operation(); op { switch op := reqInfo.Operation(); op {
case aclSDK.OpObjectGet: case aclSDK.OpObjectGet:
verb = "GetObject" return nativeschema.MethodGetObject
case aclSDK.OpObjectHead: case aclSDK.OpObjectHead:
verb = "HeadObject" return nativeschema.MethodHeadObject
case aclSDK.OpObjectPut: case aclSDK.OpObjectPut:
verb = "PutObject" return nativeschema.MethodPutObject
case aclSDK.OpObjectDelete: case aclSDK.OpObjectDelete:
verb = "DeleteObject" return nativeschema.MethodDeleteObject
case aclSDK.OpObjectSearch: case aclSDK.OpObjectSearch:
verb = "SearchObject" return nativeschema.MethodSearchObject
case aclSDK.OpObjectRange: case aclSDK.OpObjectRange:
verb = "RangeObject" return nativeschema.MethodRangeObject
case aclSDK.OpObjectHash: case aclSDK.OpObjectHash:
verb = "HashObject" return nativeschema.MethodHashObject
default:
return ""
} }
return "native:" + verb
} }
func NewRequest() *Request { func NewRequest() *Request {
@ -100,6 +95,6 @@ func (r *Request) Property(key string) string {
return r.properties[key] return r.properties[key]
} }
func (r *Request) Resource() policyengine.Resource { func (r *Request) Resource() aperesource.Resource {
return r.resource return r.resource
} }