forked from TrueCloudLab/frostfs-node
[#XX] Test policy engine check
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
b2c63e57ba
commit
4628c9ba8e
7 changed files with 28 additions and 11 deletions
2
go.mod
2
go.mod
|
@ -8,7 +8,7 @@ require (
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
|
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231122162120-56debcfa569e
|
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231122162120-56debcfa569e
|
||||||
git.frostfs.info/TrueCloudLab/hrw v1.2.1
|
git.frostfs.info/TrueCloudLab/hrw v1.2.1
|
||||||
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231115094736-5db67021e10f
|
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231128145636-a0a35bf4bf31
|
||||||
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
||||||
github.com/cheggaaa/pb v1.0.29
|
github.com/cheggaaa/pb v1.0.29
|
||||||
github.com/chzyer/readline v1.5.1
|
github.com/chzyer/readline v1.5.1
|
||||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -8,7 +8,7 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
engine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||||
"google.golang.org/grpc/codes"
|
"google.golang.org/grpc/codes"
|
||||||
"google.golang.org/grpc/status"
|
"google.golang.org/grpc/status"
|
||||||
|
@ -37,10 +37,8 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL
|
||||||
|
|
||||||
s.apeChainCounter.Add(1)
|
s.apeChainCounter.Add(1)
|
||||||
// TODO (aarifullin): the such chain id is not well-designed yet.
|
// TODO (aarifullin): the such chain id is not well-designed yet.
|
||||||
chain.ID = apechain.ID(fmt.Sprintf("%s:%d", apechain.Ingress, s.apeChainCounter.Load()))
|
|
||||||
|
|
||||||
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
if err = src.MorphRuleChainStorage().AddMorphRuleChain(apechain.Ingress, engine.NamespaceTarget(""), &chain); err != nil {
|
||||||
if _, err = src.LocalStorage().AddOverride(apechain.Ingress, resource, &chain); err != nil {
|
|
||||||
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -144,8 +142,8 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
//resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
||||||
if err = src.LocalStorage().RemoveOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId())); err != nil {
|
if err = src.MorphRuleChainStorage().RemoveMorphRuleChain(apechain.Ingress, engine.NamespaceTarget(""), apechain.ID(req.GetBody().GetChainId())); err != nil {
|
||||||
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
|
||||||
}
|
}
|
||||||
resp := &control.RemoveChainLocalOverrideResponse{
|
resp := &control.RemoveChainLocalOverrideResponse{
|
||||||
|
|
|
@ -8,6 +8,7 @@ import (
|
||||||
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
||||||
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
||||||
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -26,7 +27,8 @@ func NewAPEChecker(log *logger.Logger, apeSrc container.AccessPolicyEngineChainS
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
|
func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
|
||||||
cnr := reqInfo.ContainerID()
|
//cnr := reqInfo.ContainerID()
|
||||||
|
var cnr cid.ID
|
||||||
|
|
||||||
chainCache, err := c.apeSrc.GetChainSource(cnr)
|
chainCache, err := c.apeSrc.GetChainSource(cnr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
package acl
|
package acl
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/hex"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
||||||
|
@ -40,15 +41,21 @@ func getResource(reqInfo v2.RequestInfo) *resource {
|
||||||
} else {
|
} else {
|
||||||
name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
properties := make(map[string]string, len(reqInfo.ObjectAttributes()))
|
||||||
|
for _, attr := range reqInfo.ObjectAttributes() {
|
||||||
|
properties[attr.GetKey()] = attr.GetValue()
|
||||||
|
}
|
||||||
|
|
||||||
return &resource{
|
return &resource{
|
||||||
name: name,
|
name: name,
|
||||||
properties: make(map[string]string),
|
properties: properties,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func getProperties(_ v2.RequestInfo) map[string]string {
|
func getProperties(reqInfo v2.RequestInfo) map[string]string {
|
||||||
return map[string]string{
|
return map[string]string{
|
||||||
nativeschema.PropertyKeyActorPublicKey: "",
|
nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(reqInfo.SenderKey()),
|
||||||
nativeschema.PropertyKeyActorRole: "",
|
nativeschema.PropertyKeyActorRole: "",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,6 +4,7 @@ import (
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
|
objectv2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
|
||||||
sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
|
sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
||||||
|
@ -28,6 +29,8 @@ type RequestInfo struct {
|
||||||
// e.g. Put, Search
|
// e.g. Put, Search
|
||||||
obj *oid.ID
|
obj *oid.ID
|
||||||
|
|
||||||
|
objectAttributes []objectv2.Attribute
|
||||||
|
|
||||||
senderKey []byte
|
senderKey []byte
|
||||||
|
|
||||||
bearer *bearer.Token // bearer token of request
|
bearer *bearer.Token // bearer token of request
|
||||||
|
@ -67,6 +70,11 @@ func (r RequestInfo) ContainerID() cid.ID {
|
||||||
return r.idCnr
|
return r.idCnr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ObjectAttributes return object attributes.
|
||||||
|
func (r RequestInfo) ObjectAttributes() []objectv2.Attribute {
|
||||||
|
return r.objectAttributes
|
||||||
|
}
|
||||||
|
|
||||||
// CleanBearer forces cleaning bearer token information.
|
// CleanBearer forces cleaning bearer token information.
|
||||||
func (r *RequestInfo) CleanBearer() {
|
func (r *RequestInfo) CleanBearer() {
|
||||||
r.bearer = nil
|
r.bearer = nil
|
||||||
|
|
|
@ -566,6 +566,8 @@ func (p putStreamBasicChecker) Send(ctx context.Context, request *objectV2.PutRe
|
||||||
|
|
||||||
reqInfo.obj = obj
|
reqInfo.obj = obj
|
||||||
|
|
||||||
|
reqInfo.objectAttributes = part.GetHeader().GetAttributes()
|
||||||
|
|
||||||
if err := p.source.apeChecker.CheckIfRequestPermitted(reqInfo); err != nil {
|
if err := p.source.apeChecker.CheckIfRequestPermitted(reqInfo); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue