george.bartolomey/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Pull requests Activity

[#876] cli: Add support for container in local rules

Browse source 
Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
This commit is contained in:
Anton Nikiforov 2024-01-25 20:25:23 +03:00
parent b6fc3321c5
commit 51d1d935ef
5 changed files with 351 additions and 117 deletions
Download patch file Download diff file Expand all files Collapse all files

214
cmd/frostfs-cli/modules/util/ape_test.go
View file

@ -1,6 +1,7 @@
package util
import (
"fmt"
"testing"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
@ -16,13 +17,76 @@ func TestParseAPERule(t *testing.T) {
expectRule policyengine.Rule
}{
{
name: "Valid allow rule",
name: "Valid allow rule for all objects",
rule: "allow Object.Put *",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
},
},
{
name: "Valid rule for all objects in root namespace",
rule: "allow Object.Put /*",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}},
Condition: []policyengine.Condition{},
},
},
{
name: "Valid rule for all objects in root namespace and container",
rule: "allow Object.Put /cid/*",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, "cid"),
}},
},
},
{
name: "Valid rule for object in root namespace and container",
rule: "allow Object.Put /cid/oid",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, "cid", "oid"),
}},
},
},
{
name: "Valid rule for all objects in namespace",
rule: "allow Object.Put ns/*",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatNamespaceObjects, "ns"),
}},
},
},
{
name: "Valid rule for all objects in namespace and container",
rule: "allow Object.Put ns/cid/*",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainerObjects, "ns", "cid"),
}},
},
},
{
name: "Valid rule for object in namespace and container",
rule: "allow Object.Put ns/cid/oid",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainerObject, "ns", "cid", "oid"),
}},
},
},
{
@ -31,8 +95,7 @@ func TestParseAPERule(t *testing.T) {
expectRule: policyengine.Rule{
Status: policyengine.AccessDenied,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}},
Condition: []policyengine.Condition{},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
},
},
{
@ -41,8 +104,7 @@ func TestParseAPERule(t *testing.T) {
expectRule: policyengine.Rule{
Status: policyengine.QuotaLimitReached,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}},
Condition: []policyengine.Condition{},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
},
},
{
@ -51,7 +113,7 @@ func TestParseAPERule(t *testing.T) {
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
Condition: []policyengine.Condition{
{
Op: policyengine.CondStringEquals,
@ -69,12 +131,12 @@ func TestParseAPERule(t *testing.T) {
},
},
{
name: "Valid rule with conditions with action detail",
name: "Valid rule for object with conditions with action detail",
rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
expectRule: policyengine.Rule{
Status: policyengine.QuotaLimitReached,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
Condition: []policyengine.Condition{
{
Op: policyengine.CondStringEquals,
@ -92,19 +154,19 @@ func TestParseAPERule(t *testing.T) {
},
},
{
name: "Invalid rule with unknown action",
name: "Invalid rule with unknown status",
rule: "permit Object.Put *",
expectErr: errUnknownStatus,
},
{
name: "Invalid rule with unknown action",
rule: "allow Object.PutOut *",
expectErr: errUnknownAction,
},
{
name: "Invalid rule with unknown operation",
rule: "allow Object.PutOut *",
expectErr: errUnknownOperation,
},
{
name: "Invalid rule with unknown action detail",
name: "Invalid rule with unknown status detail",
rule: "deny:UnknownActionDetail Object.Put *",
expectErr: errUnknownActionDetail,
expectErr: errUnknownStatusDetail,
},
{
name: "Invalid rule with unknown condition binary operator",
@ -116,6 +178,124 @@ func TestParseAPERule(t *testing.T) {
rule: "deny Object.Put Object.ResourZe:Department=HR *",
expectErr: errUnknownCondObjectType,
},
{
name: "Invalid rule with mixed types of actions",
rule: "allow Object.Put Container.Put *",
expectErr: errMixedTypesInRule,
},
{
name: "Invalid rule with no actions",
rule: "allow Container.Resource:A=B *",
expectErr: errNoActionsInRule,
},
{
name: "Invalid rule with invalid resource for object nm/cnt/obj/err",
rule: "allow Object.Put nm/cnt/obj/err",
expectErr: errUnsupportedResourceFormat,
},
{
name: "Invalid rule with invalid resource for container nm/cnt/err",
rule: "allow Container.Put nm/cnt/err",
expectErr: errUnsupportedResourceFormat,
},
{
name: "Invalid rule with invalid resource for container /nm/cnt/err",
rule: "allow Container.Put /nm/cnt/err",
expectErr: errUnsupportedResourceFormat,
},
{
name: "Invalid rule with invalid resource for container /nm/cnt/",
rule: "allow Container.Put /nm/cnt/",
expectErr: errUnsupportedResourceFormat,
},
{
name: "Invalid rule with invalid resource for container /nm/cnt",
rule: "allow Container.Put /nm/cnt",
expectErr: errUnsupportedResourceFormat,
},
{
name: "Invalid rule with invalid resource for container /nm/",
rule: "allow Container.Put /nm/",
expectErr: errUnsupportedResourceFormat,
},
{
name: "Valid rule for all containers",
rule: "allow Container.Put *",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutContainer}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllContainers}},
},
},
{
name: "Valid rule for all containers in root namespace",
rule: "allow Container.Put /*",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutContainer}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootContainers}},
},
},
{
name: "Valid rule for container in root namespace",
rule: "allow Container.Put /cid",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutContainer}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatRootContainer, "cid"),
}},
},
},
{
name: "Valid rule for all container in namespace",
rule: "allow Container.Put ns/*",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutContainer}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainers, "ns"),
}},
},
},
{
name: "Valid rule for container in namespace",
rule: "allow Container.Put ns/cid",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutContainer}},
Resources: policyengine.Resources{Names: []string{
fmt.Sprintf(nativeschema.ResourceFormatNamespaceContainer, "ns", "cid"),
}},
},
},
{
name: "Valid rule for container with conditions with action detail",
rule: "allow Container.Get Container.Resource:A=B Container.Put Container.Request:C!=D " +
"* /cnt_id",
expectRule: policyengine.Rule{
Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetContainer, nativeschema.MethodPutContainer}},
Resources: policyengine.Resources{Names: []string{
nativeschema.ResourceFormatAllContainers,
fmt.Sprintf(nativeschema.ResourceFormatRootContainer, "cnt_id"),
}},
Condition: []policyengine.Condition{
{
Op: policyengine.CondStringEquals,
Object: policyengine.ContainerResource,
Key: "A",
Value: "B",
},
{
Op: policyengine.CondStringNotEquals,
Object: policyengine.ContainerRequest,
Key: "C",
Value: "D",
},
},
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {