[#XX] Test policy engine check

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Denis Kirillov 2023-12-01 12:58:45 +03:00
parent b2c63e57ba
commit 4628c9ba8e
7 changed files with 28 additions and 11 deletions

go.mod

@ -8,7 +8,7 @@ require (
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231122162120-56debcfa569e git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231122162120-56debcfa569e
git.frostfs.info/TrueCloudLab/hrw v1.2.1 git.frostfs.info/TrueCloudLab/hrw v1.2.1
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231115094736-5db67021e10f git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231128145636-a0a35bf4bf31
git.frostfs.info/TrueCloudLab/tzhash v1.8.0 git.frostfs.info/TrueCloudLab/tzhash v1.8.0
github.com/cheggaaa/pb v1.0.29 github.com/cheggaaa/pb v1.0.29
github.com/chzyer/readline v1.5.1 github.com/chzyer/readline v1.5.1

go.sum



@ -8,7 +8,7 @@ import (
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
engine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
@ -37,10 +37,8 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL
s.apeChainCounter.Add(1) s.apeChainCounter.Add(1)
// TODO (aarifullin): the such chain id is not well-designed yet. // TODO (aarifullin): the such chain id is not well-designed yet.
chain.ID = apechain.ID(fmt.Sprintf("%s:%d", apechain.Ingress, s.apeChainCounter.Load()))
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString()) if err = src.MorphRuleChainStorage().AddMorphRuleChain(apechain.Ingress, engine.NamespaceTarget(""), &chain); err != nil {
if _, err = src.LocalStorage().AddOverride(apechain.Ingress, resource, &chain); err != nil {
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error()) return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
} }
@ -144,8 +142,8 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
} }
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString()) //resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
if err = src.LocalStorage().RemoveOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId())); err != nil { if err = src.MorphRuleChainStorage().RemoveMorphRuleChain(apechain.Ingress, engine.NamespaceTarget(""), apechain.ID(req.GetBody().GetChainId())); err != nil {
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error()) return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
} }
resp := &control.RemoveChainLocalOverrideResponse{ resp := &control.RemoveChainLocalOverrideResponse{
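Review bot: The container decoded in these handlers no longer reaches the storage call — both `AddMorphRuleChain` and `RemoveMorphRuleChain` are given `engine.NamespaceTarget("")`, so a chain that the control API presents as a per-container override is bound to the empty namespace and is not tied to the container named in the request. If this is a deliberate shortcut for exercising the engine, as the commit title suggests, say so in code: `// TODO: bound to the empty namespace only while testing the policy engine; restore the container-scoped target`. The commented-out `//resource := ...` line in RemoveChainLocalOverride should be deleted rather than left as dead code, and `getCodeByLocalStorageErr` now maps errors coming from MorphRuleChainStorage, which may not share LocalStorage's error set — worth confirming. Both AddChainLocalOverride and RemoveChainLocalOverride start and end outside their hunks.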


@ -8,6 +8,7 @@ import (
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2" v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status" apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
) )
@ -26,7 +27,8 @@ func NewAPEChecker(log *logger.Logger, apeSrc container.AccessPolicyEngineChainS
} }
func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error { func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
cnr := reqInfo.ContainerID() //cnr := reqInfo.ContainerID()
var cnr cid.ID
chainCache, err := c.apeSrc.GetChainSource(cnr) chainCache, err := c.apeSrc.GetChainSource(cnr)
if err != nil { if err != nil {
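Review bot: `var cnr cid.ID` replaces the request's container ID with a zero value, so `c.apeSrc.GetChainSource(cnr)` resolves a chain source for an ID no real request carries and the permission decision is no longer tied to the container being accessed. If this is a temporary change for testing the engine, it should be visible in code rather than in a commented-out line: `cnr := reqInfo.ContainerID() // TODO: zero ID was used only while testing the policy engine` with the dead `//cnr := ...` line dropped. CheckIfRequestPermitted continues past the end of the hunk.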


@ -1,6 +1,7 @@
package acl package acl
import ( import (
"encoding/hex"
"fmt" "fmt"
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2" v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
@ -40,15 +41,21 @@ func getResource(reqInfo v2.RequestInfo) *resource {
} else { } else {
name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString()) name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
} }
properties := make(map[string]string, len(reqInfo.ObjectAttributes()))
for _, attr := range reqInfo.ObjectAttributes() {
properties[attr.GetKey()] = attr.GetValue()
}
return &resource{ return &resource{
name: name, name: name,
properties: make(map[string]string), properties: properties,
} }
} }
func getProperties(_ v2.RequestInfo) map[string]string { func getProperties(reqInfo v2.RequestInfo) map[string]string {
return map[string]string{ return map[string]string{
nativeschema.PropertyKeyActorPublicKey: "", nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(reqInfo.SenderKey()),
nativeschema.PropertyKeyActorRole: "", nativeschema.PropertyKeyActorRole: "",
} }
} }
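Review bot: The new loop in getResource copies request-supplied object attributes into the resource properties verbatim — keys are neither validated nor prefixed, and a repeated key silently keeps the last value — which deserves a comment since the map feeds policy evaluation: `// properties are taken as-is from the request's object attributes: keys are not validated or namespaced, and a duplicate key keeps the last value`. In getProperties, `PropertyKeyActorPublicKey` is now filled from `reqInfo.SenderKey()` (an empty string if the key is nil) while `PropertyKeyActorRole` is still the literal `""`, so the actor description handed to the engine is partial; a `// TODO: derive the actor role` marker would make that explicit. getResource begins above the hunk.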


@ -4,6 +4,7 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"fmt" "fmt"
objectv2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session" sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
@ -28,6 +29,8 @@ type RequestInfo struct {
// e.g. Put, Search // e.g. Put, Search
obj *oid.ID obj *oid.ID
objectAttributes []objectv2.Attribute
senderKey []byte senderKey []byte
bearer *bearer.Token // bearer token of request bearer *bearer.Token // bearer token of request
@ -67,6 +70,11 @@ func (r RequestInfo) ContainerID() cid.ID {
return r.idCnr return r.idCnr
} }
// ObjectAttributes return object attributes.
func (r RequestInfo) ObjectAttributes() []objectv2.Attribute {
return r.objectAttributes
}
// CleanBearer forces cleaning bearer token information. // CleanBearer forces cleaning bearer token information.
func (r *RequestInfo) CleanBearer() { func (r *RequestInfo) CleanBearer() {
r.bearer = nil r.bearer = nil
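Review bot: The new `ObjectAttributes` getter returns the internal slice, so callers share its backing array with the RequestInfo and any in-place edit by a caller is visible to later checks; either copy on the way out or document the sharing. The doc comment also needs a verb fix: `// ObjectAttributes returns the request's object attributes; the slice is shared with the RequestInfo, not copied.`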


@ -566,6 +566,8 @@ func (p putStreamBasicChecker) Send(ctx context.Context, request *objectV2.PutRe
reqInfo.obj = obj reqInfo.obj = obj
reqInfo.objectAttributes = part.GetHeader().GetAttributes()
if err := p.source.apeChecker.CheckIfRequestPermitted(reqInfo); err != nil { if err := p.source.apeChecker.CheckIfRequestPermitted(reqInfo); err != nil {
return err return err
} }
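Review bot: The added `reqInfo.objectAttributes = part.GetHeader().GetAttributes()` has no comment explaining why header attributes are attached just before the permission check; since the APE checker turns them into resource properties, a one-liner helps the next reader: `// object attributes become APE resource properties for the check below`. Send's body starts and ends outside the hunk, so whether other request paths populate objectAttributes cannot be seen here.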