wip

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
2024-11-15 14:35:37 +03:00 · 2024-11-15 14:35:37 +03:00 · 6a28d9edbe
commit 6a28d9edbe
parent eff0de43d5
4 changed files with 62 additions and 11 deletions
--- a/api/layer/frostfs/frostfs.go
+++ b/api/layer/frostfs/frostfs.go
@ -7,6 +7,7 @@ import (
 	"io"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
@ -45,6 +46,11 @@ type PrmContainerCreate struct {
 	AdditionalAttributes [][2]string
 }

+type PrmAddContainerPolicyChain struct {
+	ContainerID cid.ID
+	Chain       ape.Chain
+}
+
 // PrmContainer groups parameters of FrostFS.Container operation.
 type PrmContainer struct {
 	// Container identifier.
@ -239,6 +245,8 @@ type FrostFS interface {
 	// prevented the container from being created.
 	CreateContainer(context.Context, PrmContainerCreate) (*ContainerCreateResult, error)

+	AddContainerPolicyChain(context.Context, PrmAddContainerPolicyChain) error
+
 	// Container reads a container from FrostFS by ID.
 	//
 	// It returns exactly one non-nil value. It returns any error encountered which
--- a/go.mod
+++ b/go.mod
@ -14,6 +14,7 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.30.3
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.27
 	github.com/bluele/gcache v0.0.2
+	github.com/davecgh/go-spew v1.1.1
 	github.com/go-chi/chi/v5 v5.0.8
 	github.com/google/uuid v1.6.0
 	github.com/minio/sio v0.3.0
@ -54,7 +55,6 @@ require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
--- a/internal/frostfs/authmate.go
+++ b/internal/frostfs/authmate.go
@ -16,10 +16,13 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/crdt"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"github.com/davecgh/go-spew/spew"
 	"go.uber.org/zap"
 )

@ -55,21 +58,49 @@ func (x *AuthmateFrostFS) TimeToEpoch(ctx context.Context, futureTime time.Time)

 // CreateContainer implements authmate.FrostFS interface method.
 func (x *AuthmateFrostFS) CreateContainer(ctx context.Context, prm authmate.PrmContainerCreate) (cid.ID, error) {
-	basicACL := acl.Private
-	// allow reading objects to OTHERS in order to provide read access to S3 gateways
-	basicACL.AllowOp(acl.OpObjectGet, acl.RoleOthers)
-	basicACL.AllowOp(acl.OpObjectHead, acl.RoleOthers)
-	basicACL.AllowOp(acl.OpObjectSearch, acl.RoleOthers)
+	// basicACL := acl.Private
+	// // allow reading objects to OTHERS in order to provide read access to S3 gateways
+	// basicACL.AllowOp(acl.OpObjectGet, acl.RoleOthers)
+	// basicACL.AllowOp(acl.OpObjectHead, acl.RoleOthers)
+	// basicACL.AllowOp(acl.OpObjectSearch, acl.RoleOthers)

 	res, err := x.frostFS.CreateContainer(ctx, frostfs.PrmContainerCreate{
-		Creator:  prm.Owner,
-		Policy:   prm.Policy,
-		Name:     prm.FriendlyName,
-		BasicACL: basicACL,
+		Creator: prm.Owner,
+		Policy:  prm.Policy,
+		Name:    prm.FriendlyName,
 	})
 	if err != nil {
 		return cid.ID{}, err
 	}
+
+	ch := chain.Chain{
+		ID: chain.ID("authmate"),
+		Rules: []chain.Rule{{
+			Status:  chain.Allow,
+			Actions: chain.Actions{Names: []string{"*"}},
+			Resources: chain.Resources{Names: []string{
+				fmt.Sprintf(native.ResourceFormatNamespaceContainer, "root", res.ContainerID),
+			}},
+		}},
+	}
+
+	data, err := ch.MarshalBinary()
+	if err != nil {
+		return cid.ID{}, err
+	}
+
+	spew.Dump(ch)
+
+	err = x.frostFS.AddContainerPolicyChain(ctx, frostfs.PrmAddContainerPolicyChain{
+		ContainerID: res.ContainerID,
+		Chain: ape.Chain{
+			Raw: data,
+		},
+	})
+	if err != nil {
+		return cid.ID{}, err
+	}
+
 	return res.ContainerID, nil
 }

--- a/internal/frostfs/frostfs.go
+++ b/internal/frostfs/frostfs.go
@ -12,6 +12,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
 	frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/util"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
@ -135,6 +136,17 @@ func (x *FrostFS) CreateContainer(ctx context.Context, prm frostfs.PrmContainerC
 	}, handleObjectError("save container via connection pool", err)
 }

+func (x *FrostFS) AddContainerPolicyChain(ctx context.Context, prm frostfs.PrmAddContainerPolicyChain) error {
+	var prmAddAPEChain pool.PrmAddAPEChain
+	prmAddAPEChain.Target = ape.ChainTarget{
+		TargetType: ape.TargetTypeContainer,
+		Name:       prm.ContainerID.String(),
+	}
+	prmAddAPEChain.Chain = prm.Chain
+
+	return x.pool.AddAPEChain(ctx, prmAddAPEChain)
+}
+
 // UserContainers implements layer.FrostFS interface method.
 func (x *FrostFS) UserContainers(ctx context.Context, layerPrm frostfs.PrmUserContainers) ([]cid.ID, error) {
 	prm := pool.PrmContainerList{