frostfs-s3-gw/internal/frostfs/policy/storage.go
Denis Kirillov bcfbcdc82f [#345] acl: Update APE and fix using
* Remove the native policy when the bucket policy is removed
* Allow policies that contain only S3-compatible statements
(deny rules currently cannot be converted to native rules)

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-04-02 12:42:43 +00:00


package policy
import (
policycontract "git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/cache"
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/handler"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
"go.uber.org/zap"
)
// Storage is the gateway's access-policy engine (APE) entry point. It answers
// authorization queries through router and persists bucket policies and ACL
// chains through morph, with local in-memory overrides kept in local.
type Storage struct {
	// router evaluates IsAllowed requests; it is built over morph and local
	// in NewStorage.
	router engine.ChainRouter
	// morph backs PutBucketPolicy, DeleteBucketPolicy, GetBucketPolicy and
	// SaveACLChains.
	morph *MorphRuleChainStorage
	// local is the override storage handed to the router and exposed via
	// LocalStorage.
	local engine.LocalOverrideStorage
}
// StorageConfig carries the dependencies NewStorage needs to build a Storage.
type StorageConfig struct {
	// Contract is the policy contract client used by the morph rule chain storage.
	Contract Contract
	// Cache holds cached morph policy data; passed through to the morph storage.
	Cache *cache.MorphPolicyCache
	// Log is the logger passed through to the morph storage.
	Log *zap.Logger
}
// MultiTransaction batches chain additions and removals for the policy
// contract into a single submission (see Contract.StartTx / Contract.SendTx).
type MultiTransaction interface {
	// AddChain queues storing the serialized chain under (entity, entityName, name).
	AddChain(entity policycontract.Kind, entityName string, name []byte, chain []byte)
	// RemoveChain queues deleting the chain stored under (entity, entityName, name).
	RemoveChain(entity policycontract.Kind, entityName string, name []byte)
	// Scripts returns the queued operations as invocation scripts, or an error.
	Scripts() ([][]byte, error)
}
// Contract abstracts the policy contract: reading stored chains and submitting
// batched chain updates. Implementations are expected to talk to the morph
// chain; this file only depends on the interface.
type Contract interface {
	// GetChain returns the serialized chain stored under (entity, entityName, name).
	GetChain(entity policycontract.Kind, entityName string, name []byte) ([]byte, error)
	// ListChains returns every serialized chain under (entity, entityName)
	// whose name starts with prefix.
	ListChains(entity policycontract.Kind, entityName string, prefix []byte) ([][]byte, error)
	// StartTx begins a batched transaction; operations are queued on the
	// returned MultiTransaction and committed by SendTx.
	StartTx() MultiTransaction
	// SendTx submits the queued operations of transaction to the contract.
	SendTx(transaction MultiTransaction) error
}
// Compile-time check that *Storage satisfies the handler.APE interface used
// by the S3 request handlers.
var _ handler.APE = (*Storage)(nil)
// NewStorage builds a Storage from cfg: a fresh in-memory local override
// storage, a MorphRuleChainStorage backed by cfg.Contract, cfg.Cache and
// cfg.Log, and a default chain router that consults the morph storage with
// the local storage layered on as overrides.
func NewStorage(cfg StorageConfig) *Storage {
	overrides := inmemory.NewInmemoryLocalStorage()

	morphCfg := &MorphRuleChainStorageConfig{
		Contract: cfg.Contract,
		Cache:    cfg.Cache,
		Log:      cfg.Log,
	}
	chainStorage := NewMorphRuleChainStorage(morphCfg)

	// The router is what IsAllowed delegates to; the override storage is
	// shared between the router and the LocalStorage accessor.
	s := &Storage{
		morph: chainStorage,
		local: overrides,
	}
	s.router = engine.NewDefaultChainRouterWithLocalOverrides(chainStorage, overrides)
	return s
}
// IsAllowed is the authorization decision point: it asks the chain router
// whether request r against target is permitted under the rule chain named
// name. status carries the router's verdict, found reports whether a matching
// rule was located, and err is set only when evaluation itself fails.
// Callers should treat a non-nil err as "not authorized" rather than
// inspecting status.
func (s *Storage) IsAllowed(name chain.Name, target engine.RequestTarget, r resource.Request) (status chain.Status, found bool, err error) {
	status, found, err = s.router.IsAllowed(name, target, r)
	return status, found, err
}
// LocalStorage exposes the in-memory override storage that the router layers
// over the morph-backed chains. Rules written here take part in IsAllowed
// decisions, so access to it should be treated as policy-admin capability.
func (s *Storage) LocalStorage() engine.LocalOverrideStorage {
	overrides := s.local
	return overrides
}
// PutBucketPolicy stores the bucket policy for container cnrID in namespace
// ns through the morph rule chain storage. policy is the policy document as
// received from the client and policyChains are its native-chain
// counterparts; the conversion happens in the caller, not here
// (NOTE(review): presumably the S3 policy JSON — confirm against the handler).
// Any error from the morph storage is returned unchanged.
func (s *Storage) PutBucketPolicy(ns string, cnrID cid.ID, policy []byte, policyChains []*chain.Chain) error {
	if err := s.morph.PutBucketPolicy(ns, cnrID, policy, policyChains); err != nil {
		return err
	}
	return nil
}
// DeleteBucketPolicy removes the bucket policy of container cnrID in
// namespace ns together with the native chains identified by chainIDs,
// delegating to the morph rule chain storage. The morph storage's error, if
// any, is returned as is.
func (s *Storage) DeleteBucketPolicy(ns string, cnrID cid.ID, chainIDs []chain.ID) error {
	if err := s.morph.DeleteBucketPolicy(ns, cnrID, chainIDs); err != nil {
		return err
	}
	return nil
}
// GetBucketPolicy fetches the stored bucket policy bytes for container cnrID
// in namespace ns from the morph rule chain storage. Whether a missing policy
// yields an error or empty bytes is decided by MorphRuleChainStorage, not here.
func (s *Storage) GetBucketPolicy(ns string, cnrID cid.ID) ([]byte, error) {
	raw, err := s.morph.GetBucketPolicy(ns, cnrID)
	return raw, err
}
// SaveACLChains persists the ACL-derived rule chains for namespace ns via the
// morph rule chain storage and returns its error unchanged.
func (s *Storage) SaveACLChains(ns string, chains []*chain.Chain) error {
	if err := s.morph.SaveACLChains(ns, chains); err != nil {
		return err
	}
	return nil
}