forked from TrueCloudLab/frostfs-node
94 lines
2.8 KiB
Go
94 lines
2.8 KiB
Go
package control
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha256"
|
|
"encoding/json"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
|
|
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
const (
|
|
ruleFlag = "rule"
|
|
)
|
|
|
|
var addRuleCmd = &cobra.Command{
|
|
Use: "add-rule",
|
|
Short: "Add local override",
|
|
Long: "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
|
|
Example: `allow Object.Get *
|
|
deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*
|
|
deny:QuotaLimitReached Object.Put Object.Resource:Department=HR *
|
|
`,
|
|
Run: addRule,
|
|
}
|
|
|
|
func prettyJSONFormat(cmd *cobra.Command, serializedChain []byte) string {
|
|
wr := bytes.NewBufferString("")
|
|
err := json.Indent(wr, serializedChain, "", " ")
|
|
commonCmd.ExitOnErr(cmd, "%w", err)
|
|
return wr.String()
|
|
}
|
|
|
|
func addRule(cmd *cobra.Command, _ []string) {
|
|
pk := key.Get(cmd)
|
|
|
|
chainID, _ := cmd.Flags().GetString(chainIDFlag)
|
|
|
|
var cnr cid.ID
|
|
cidStr, _ := cmd.Flags().GetString(commonflags.CIDFlag)
|
|
commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(cidStr))
|
|
|
|
rawCID := make([]byte, sha256.Size)
|
|
cnr.Encode(rawCID)
|
|
|
|
rule, _ := cmd.Flags().GetString(ruleFlag)
|
|
|
|
chain := new(apechain.Chain)
|
|
commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, []string{rule}))
|
|
chain.ID = apechain.ID(chainID)
|
|
serializedChain := chain.Bytes()
|
|
|
|
cmd.Println("Container ID: " + cidStr)
|
|
cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, serializedChain))
|
|
|
|
req := &control.AddChainLocalOverrideRequest{
|
|
Body: &control.AddChainLocalOverrideRequest_Body{
|
|
ContainerId: rawCID,
|
|
Chain: serializedChain,
|
|
},
|
|
}
|
|
|
|
signRequest(cmd, pk, req)
|
|
|
|
cli := getClient(cmd, pk)
|
|
|
|
var resp *control.AddChainLocalOverrideResponse
|
|
var err error
|
|
err = cli.ExecRaw(func(client *client.Client) error {
|
|
resp, err = control.AddChainLocalOverride(client, req)
|
|
return err
|
|
})
|
|
commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
|
|
|
|
verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
|
|
|
|
cmd.Println("Rule has been added. Chain id: ", resp.GetBody().GetChainId())
|
|
}
|
|
|
|
func initControlAddRuleCmd() {
|
|
initControlFlags(addRuleCmd)
|
|
|
|
ff := addRuleCmd.Flags()
|
|
ff.String(commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
|
|
ff.String(ruleFlag, "", "Rule statement")
|
|
ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
|
|
}
|