From 4628c9ba8edbc42820795ecc613e6ffedef97c00 Mon Sep 17 00:00:00 2001 From: Denis Kirillov Date: Fri, 1 Dec 2023 12:58:45 +0300 Subject: [PATCH] [#XX] Test policy engine check Signed-off-by: Denis Kirillov --- go.mod | 2 +- go.sum | 4 ++-- pkg/services/control/server/policy_engine.go | 10 ++++------ pkg/services/object/acl/ape.go | 4 +++- pkg/services/object/acl/ape_request.go | 13 ++++++++++--- pkg/services/object/acl/v2/request.go | 8 ++++++++ pkg/services/object/acl/v2/service.go | 2 ++ 7 files changed, 30 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index cfa6dd7a6..532397e7a 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231122162120-56debcfa569e git.frostfs.info/TrueCloudLab/hrw v1.2.1 - git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231115094736-5db67021e10f + git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231128145636-a0a35bf4bf31 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 github.com/cheggaaa/pb v1.0.29 github.com/chzyer/readline v1.5.1 diff --git a/go.sum b/go.sum index 8c3689023..6dfde8f8b 100644 --- a/go.sum +++ b/go.sum @@ -736,8 +736,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231122162120-56debcfa569e git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231122162120-56debcfa569e/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw= git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc= git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM= -git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231115094736-5db67021e10f h1:Rq95TuEkqc3T1EN5ZU1Vgf6H33TR95hz97ca8jrUciQ= -git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231115094736-5db67021e10f/go.mod h1:qf3B9hSz6gCMfcfvqkhTu5ak+Gx2R+wo4Hc87LnKxPg= +git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231128145636-a0a35bf4bf31 h1:31tE+hNkHar7IMduhzj8LFY8+LT2EswiVI873MEfZj0= +git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231128145636-a0a35bf4bf31/go.mod h1:ekrDiIySdYhji5rBNAkxYMztFWMXyC9Q8LVz6gGVDu0= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc= git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA= diff --git a/pkg/services/control/server/policy_engine.go b/pkg/services/control/server/policy_engine.go index 8565cd9c1..10109eef6 100644 --- a/pkg/services/control/server/policy_engine.go +++ b/pkg/services/control/server/policy_engine.go @@ -8,7 +8,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" - engine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" + "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -37,10 +37,8 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL s.apeChainCounter.Add(1) // TODO (aarifullin): the such chain id is not well-designed yet. - chain.ID = apechain.ID(fmt.Sprintf("%s:%d", apechain.Ingress, s.apeChainCounter.Load())) - resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString()) - if _, err = src.LocalStorage().AddOverride(apechain.Ingress, resource, &chain); err != nil { + if err = src.MorphRuleChainStorage().AddMorphRuleChain(apechain.Ingress, engine.NamespaceTarget(""), &chain); err != nil { return nil, status.Error(getCodeByLocalStorageErr(err), err.Error()) } @@ -144,8 +142,8 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove return nil, status.Error(codes.Internal, err.Error()) } - resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString()) - if err = src.LocalStorage().RemoveOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId())); err != nil { + //resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString()) + if err = src.MorphRuleChainStorage().RemoveMorphRuleChain(apechain.Ingress, engine.NamespaceTarget(""), apechain.ID(req.GetBody().GetChainId())); err != nil { return nil, status.Error(getCodeByLocalStorageErr(err), err.Error()) } resp := &control.RemoveChainLocalOverrideResponse{ diff --git a/pkg/services/object/acl/ape.go b/pkg/services/object/acl/ape.go index 525ed5930..8d4218fc2 100644 --- a/pkg/services/object/acl/ape.go +++ b/pkg/services/object/acl/ape.go @@ -8,6 +8,7 @@ import ( v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger" apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status" + cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" ) @@ -26,7 +27,8 @@ func NewAPEChecker(log *logger.Logger, apeSrc container.AccessPolicyEngineChainS } func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error { - cnr := reqInfo.ContainerID() + //cnr := reqInfo.ContainerID() + var cnr cid.ID chainCache, err := c.apeSrc.GetChainSource(cnr) if err != nil { diff --git a/pkg/services/object/acl/ape_request.go b/pkg/services/object/acl/ape_request.go index accbdce5f..50a356a2d 100644 --- a/pkg/services/object/acl/ape_request.go +++ b/pkg/services/object/acl/ape_request.go @@ -1,6 +1,7 @@ package acl import ( + "encoding/hex" "fmt" v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2" @@ -40,15 +41,21 @@ func getResource(reqInfo v2.RequestInfo) *resource { } else { name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString()) } + + properties := make(map[string]string, len(reqInfo.ObjectAttributes())) + for _, attr := range reqInfo.ObjectAttributes() { + properties[attr.GetKey()] = attr.GetValue() + } + return &resource{ name: name, - properties: make(map[string]string), + properties: properties, } } -func getProperties(_ v2.RequestInfo) map[string]string { +func getProperties(reqInfo v2.RequestInfo) map[string]string { return map[string]string{ - nativeschema.PropertyKeyActorPublicKey: "", + nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(reqInfo.SenderKey()), nativeschema.PropertyKeyActorRole: "", } } diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go index 675768969..02e8c1b4f 100644 --- a/pkg/services/object/acl/v2/request.go +++ b/pkg/services/object/acl/v2/request.go @@ -4,6 +4,7 @@ import ( "crypto/ecdsa" "fmt" + objectv2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object" sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl" @@ -28,6 +29,8 @@ type RequestInfo struct { // e.g. Put, Search obj *oid.ID + objectAttributes []objectv2.Attribute + senderKey []byte bearer *bearer.Token // bearer token of request @@ -67,6 +70,11 @@ func (r RequestInfo) ContainerID() cid.ID { return r.idCnr } +// ObjectAttributes return object attributes. +func (r RequestInfo) ObjectAttributes() []objectv2.Attribute { + return r.objectAttributes +} + // CleanBearer forces cleaning bearer token information. func (r *RequestInfo) CleanBearer() { r.bearer = nil diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go index ee167d0e4..191fe02bb 100644 --- a/pkg/services/object/acl/v2/service.go +++ b/pkg/services/object/acl/v2/service.go @@ -566,6 +566,8 @@ func (p putStreamBasicChecker) Send(ctx context.Context, request *objectV2.PutRe reqInfo.obj = obj + reqInfo.objectAttributes = part.GetHeader().GetAttributes() + if err := p.source.apeChecker.CheckIfRequestPermitted(reqInfo); err != nil { return err }