forked from TrueCloudLab/frostfs-testlib
186 lines
5.9 KiB
Python
186 lines
5.9 KiB
Python
import base64
|
|
import json
|
|
import logging
|
|
import os
|
|
import uuid
|
|
from time import sleep
|
|
from typing import List, Optional, Union
|
|
|
|
import base58
|
|
|
|
from frostfs_testlib import reporter
|
|
from frostfs_testlib.cli import FrostfsCli
|
|
from frostfs_testlib.resources.cli import FROSTFS_CLI_EXEC
|
|
from frostfs_testlib.resources.common import ASSETS_DIR, DEFAULT_WALLET_CONFIG
|
|
from frostfs_testlib.shell import Shell
|
|
from frostfs_testlib.storage.dataclasses.acl import (
|
|
EACL_LIFETIME,
|
|
FROSTFS_CONTRACT_CACHE_TIMEOUT,
|
|
EACLPubKey,
|
|
EACLRole,
|
|
EACLRule,
|
|
)
|
|
from frostfs_testlib.utils import wallet_utils
|
|
|
|
logger = logging.getLogger("NeoLogger")
|
|
|
|
|
|
@reporter.step("Get extended ACL")
|
|
def get_eacl(wallet_path: str, cid: str, shell: Shell, endpoint: str) -> Optional[str]:
|
|
cli = FrostfsCli(shell, FROSTFS_CLI_EXEC, DEFAULT_WALLET_CONFIG)
|
|
try:
|
|
result = cli.container.get_eacl(wallet=wallet_path, rpc_endpoint=endpoint, cid=cid)
|
|
except RuntimeError as exc:
|
|
logger.info("Extended ACL table is not set for this container")
|
|
logger.info(f"Got exception while getting eacl: {exc}")
|
|
return None
|
|
if "extended ACL table is not set for this container" in result.stdout:
|
|
return None
|
|
return result.stdout
|
|
|
|
|
|
@reporter.step("Set extended ACL")
|
|
def set_eacl(
|
|
wallet_path: str,
|
|
cid: str,
|
|
eacl_table_path: str,
|
|
shell: Shell,
|
|
endpoint: str,
|
|
session_token: Optional[str] = None,
|
|
) -> None:
|
|
cli = FrostfsCli(shell, FROSTFS_CLI_EXEC, DEFAULT_WALLET_CONFIG)
|
|
cli.container.set_eacl(
|
|
wallet=wallet_path,
|
|
rpc_endpoint=endpoint,
|
|
cid=cid,
|
|
table=eacl_table_path,
|
|
await_mode=True,
|
|
session=session_token,
|
|
)
|
|
|
|
|
|
def _encode_cid_for_eacl(cid: str) -> str:
|
|
cid_base58 = base58.b58decode(cid)
|
|
return base64.b64encode(cid_base58).decode("utf-8")
|
|
|
|
|
|
def create_eacl(cid: str, rules_list: List[EACLRule], shell: Shell) -> str:
|
|
table_file_path = os.path.join(os.getcwd(), ASSETS_DIR, f"eacl_table_{str(uuid.uuid4())}.json")
|
|
cli = FrostfsCli(shell, FROSTFS_CLI_EXEC, DEFAULT_WALLET_CONFIG)
|
|
cli.acl.extended_create(cid=cid, out=table_file_path, rule=rules_list)
|
|
|
|
with open(table_file_path, "r") as file:
|
|
table_data = file.read()
|
|
logger.info(f"Generated eACL:\n{table_data}")
|
|
|
|
return table_file_path
|
|
|
|
|
|
def form_bearertoken_file(
|
|
wif: str,
|
|
cid: str,
|
|
eacl_rule_list: List[Union[EACLRule, EACLPubKey]],
|
|
shell: Shell,
|
|
endpoint: str,
|
|
sign: Optional[bool] = True,
|
|
) -> str:
|
|
"""
|
|
This function fetches eACL for given <cid> on behalf of <wif>,
|
|
then extends it with filters taken from <eacl_rules>, signs
|
|
with bearer token and writes to file
|
|
"""
|
|
enc_cid = _encode_cid_for_eacl(cid) if cid else None
|
|
file_path = os.path.join(os.getcwd(), ASSETS_DIR, str(uuid.uuid4()))
|
|
|
|
eacl = get_eacl(wif, cid, shell, endpoint)
|
|
json_eacl = dict()
|
|
if eacl:
|
|
eacl = eacl.replace("eACL: ", "").split("Signature")[0]
|
|
json_eacl = json.loads(eacl)
|
|
logger.info(json_eacl)
|
|
eacl_result = {
|
|
"body": {
|
|
"eaclTable": {"containerID": {"value": enc_cid} if cid else enc_cid, "records": []},
|
|
"lifetime": {"exp": EACL_LIFETIME, "nbf": "1", "iat": "0"},
|
|
}
|
|
}
|
|
|
|
assert eacl_rules, "Got empty eacl_records list"
|
|
for rule in eacl_rule_list:
|
|
op_data = {
|
|
"operation": rule.operation.value.upper(),
|
|
"action": rule.access.value.upper(),
|
|
"filters": rule.filters or [],
|
|
"targets": [],
|
|
}
|
|
|
|
if isinstance(rule.role, EACLRole):
|
|
op_data["targets"] = [{"role": rule.role.value.upper()}]
|
|
elif isinstance(rule.role, EACLPubKey):
|
|
op_data["targets"] = [{"keys": rule.role.keys}]
|
|
|
|
eacl_result["body"]["eaclTable"]["records"].append(op_data)
|
|
|
|
# Add records from current eACL
|
|
if "records" in json_eacl.keys():
|
|
for record in json_eacl["records"]:
|
|
eacl_result["body"]["eaclTable"]["records"].append(record)
|
|
|
|
with open(file_path, "w", encoding="utf-8") as eacl_file:
|
|
json.dump(eacl_result, eacl_file, ensure_ascii=False, indent=4)
|
|
|
|
logger.info(f"Got these extended ACL records: {eacl_result}")
|
|
if sign:
|
|
sign_bearer(
|
|
shell=shell,
|
|
wallet_path=wif,
|
|
eacl_rules_file_from=file_path,
|
|
eacl_rules_file_to=file_path,
|
|
json=True,
|
|
)
|
|
return file_path
|
|
|
|
|
|
def eacl_rules(access: str, verbs: list, user: str) -> list[str]:
|
|
"""
|
|
This function creates a list of eACL rules.
|
|
Args:
|
|
access (str): identifies if the following operation(s)
|
|
is allowed or denied
|
|
verbs (list): a list of operations to set rules for
|
|
user (str): a group of users (user/others) or a wallet of
|
|
a certain user for whom rules are set
|
|
Returns:
|
|
(list): a list of eACL rules
|
|
"""
|
|
if user not in ("others", "user"):
|
|
pubkey = wallet_utils.get_wallet_public_key(user, wallet_password="")
|
|
user = f"pubkey:{pubkey}"
|
|
|
|
rules = []
|
|
for verb in verbs:
|
|
rule = f"{access} {verb} {user}"
|
|
rules.append(rule)
|
|
return rules
|
|
|
|
|
|
def sign_bearer(shell: Shell, wallet_path: str, eacl_rules_file_from: str, eacl_rules_file_to: str, json: bool) -> None:
|
|
frostfscli = FrostfsCli(shell=shell, frostfs_cli_exec_path=FROSTFS_CLI_EXEC, config_file=DEFAULT_WALLET_CONFIG)
|
|
frostfscli.util.sign_bearer_token(
|
|
wallet=wallet_path, from_file=eacl_rules_file_from, to_file=eacl_rules_file_to, json=json
|
|
)
|
|
|
|
|
|
@reporter.step("Wait for eACL cache expired")
|
|
def wait_for_cache_expired():
|
|
sleep(FROSTFS_CONTRACT_CACHE_TIMEOUT)
|
|
return
|
|
|
|
|
|
@reporter.step("Return bearer token in base64 to caller")
|
|
def bearer_token_base64_from_file(
|
|
bearer_path: str,
|
|
) -> str:
|
|
with open(bearer_path, "rb") as file:
|
|
signed = file.read()
|
|
return base64.b64encode(signed).decode("utf-8")
|