Denis Kirillov
bcfbcdc82f
* Remove the native policy when removing a bucket policy * Allow policies that contain only S3-compatible statements (deny rules currently cannot be converted to native rules) Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
package policy
import (
policycontract "git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/cache"
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/handler"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
"go.uber.org/zap"
)
// Storage is the handler.APE implementation used for bucket-policy
// authorization decisions. It combines rule chains persisted through the
// policy contract (the morph storage) with in-process local overrides, and
// answers IsAllowed through a chain router built over both.
type Storage struct {
	// router evaluates IsAllowed requests; it is constructed in NewStorage
	// with the local overrides layered on top of the morph chains.
	router engine.ChainRouter

	// morph reads and writes bucket policies and ACL chains via the
	// policy contract; every mutating method on Storage delegates here.
	morph *MorphRuleChainStorage

	// local is the in-memory override storage exposed through LocalStorage.
	local engine.LocalOverrideStorage
}
// StorageConfig carries the dependencies NewStorage needs. All three
// fields are passed through unchanged to the MorphRuleChainStorage.
type StorageConfig struct {
	// Contract is the policy contract client used to read and write chains.
	Contract Contract

	// Cache is the morph policy cache handed to the morph storage.
	// NOTE(review): whether nil is tolerated is decided in
	// NewMorphRuleChainStorage, not here — confirm before passing nil.
	Cache *cache.MorphPolicyCache

	// Log receives diagnostics from the morph storage.
	Log *zap.Logger
}
// MultiTransaction batches chain writes so that several additions and
// removals are submitted to the policy contract together via
// Contract.SendTx, rather than as independent calls.
type MultiTransaction interface {
	// AddChain queues a chain (raw bytes) to be stored under entity/entityName/name.
	AddChain(entity policycontract.Kind, entityName string, name []byte, chain []byte)

	// RemoveChain queues the removal of the chain stored under entity/entityName/name.
	RemoveChain(entity policycontract.Kind, entityName string, name []byte)

	// Scripts returns the queued operations encoded for submission, or an
	// error if encoding fails.
	Scripts() ([][]byte, error)
}
// Contract is the consumer-side view of the policy contract: point reads
// and prefix listings of stored chains, plus a two-step transactional
// write path (StartTx, then SendTx with the filled transaction).
type Contract interface {
	// GetChain returns the raw chain stored under entity/entityName/name.
	GetChain(entity policycontract.Kind, entityName string, name []byte) ([]byte, error)

	// ListChains returns the raw chains under entity/entityName whose
	// name starts with prefix.
	ListChains(entity policycontract.Kind, entityName string, prefix []byte) ([][]byte, error)

	// StartTx creates an empty MultiTransaction to be filled by the caller.
	StartTx() MultiTransaction

	// SendTx submits the operations queued in transaction to the contract.
	SendTx(transaction MultiTransaction) error
}
// Compile-time check that *Storage satisfies handler.APE.
var _ handler.APE = (*Storage)(nil)
// NewStorage wires a Storage from cfg: a fresh in-memory local override
// storage, a MorphRuleChainStorage over cfg.Contract, cfg.Cache and
// cfg.Log, and the policy-engine default chain router that consults the
// local overrides together with the morph chains.
//
// NOTE(review): the router constructor's name indicates local chains act
// as overrides of the contract-backed chains — confirm the exact
// precedence in policy-engine before relying on it for access decisions.
func NewStorage(cfg StorageConfig) *Storage {
	overrides := inmemory.NewInmemoryLocalStorage()

	morphCfg := MorphRuleChainStorageConfig{
		Contract: cfg.Contract,
		Cache:    cfg.Cache,
		Log:      cfg.Log,
	}
	morphStorage := NewMorphRuleChainStorage(&morphCfg)

	s := &Storage{
		morph: morphStorage,
		local: overrides,
	}
	s.router = engine.NewDefaultChainRouterWithLocalOverrides(morphStorage, overrides)
	return s
}
// IsAllowed is the authorization entry point behind handler.APE: it
// delegates to the chain router, which evaluates the chain named by name
// for target and request r. status is the router's verdict, found
// presumably reports whether any applicable chain was located, and err
// carries evaluation failures.
//
// NOTE(review): callers should treat found == false as "no decision
// available" rather than as an allow — confirm against the handler.APE
// contract and the router's semantics.
func (s *Storage) IsAllowed(name chain.Name, target engine.RequestTarget, r resource.Request) (status chain.Status, found bool, err error) {
	status, found, err = s.router.IsAllowed(name, target, r)
	return status, found, err
}
// LocalStorage exposes the in-memory local override storage that the
// router consults alongside the morph chains. Chains written here affect
// IsAllowed results without touching the policy contract, so access to
// it should be limited to trusted, in-process callers.
func (s *Storage) LocalStorage() (local engine.LocalOverrideStorage) {
	local = s.local
	return local
}
// PutBucketPolicy stores the raw bucket policy document and its
// already-converted rule chains for container cnrID in namespace ns,
// delegating to the morph storage. Any error from the morph layer is
// returned unchanged.
func (s *Storage) PutBucketPolicy(ns string, cnrID cid.ID, policy []byte, policyChains []*chain.Chain) (err error) {
	err = s.morph.PutBucketPolicy(ns, cnrID, policy, policyChains)
	return err
}
// DeleteBucketPolicy removes the bucket policy of container cnrID in
// namespace ns together with the rule chains identified by chainIDs,
// delegating to the morph storage. Any error from the morph layer is
// returned unchanged.
func (s *Storage) DeleteBucketPolicy(ns string, cnrID cid.ID, chainIDs []chain.ID) (err error) {
	err = s.morph.DeleteBucketPolicy(ns, cnrID, chainIDs)
	return err
}
// GetBucketPolicy returns the raw bucket policy document stored for
// container cnrID in namespace ns, delegating to the morph storage.
// Any error from the morph layer is returned unchanged.
func (s *Storage) GetBucketPolicy(ns string, cnrID cid.ID) (policy []byte, err error) {
	policy, err = s.morph.GetBucketPolicy(ns, cnrID)
	return policy, err
}
// SaveACLChains persists the given ACL rule chains for namespace ns,
// delegating to the morph storage. Any error from the morph layer is
// returned unchanged.
func (s *Storage) SaveACLChains(ns string, chains []*chain.Chain) (err error) {
	err = s.morph.SaveACLChains(ns, chains)
	return err
}