* Make LocalOverrideStorage methods receive a Target value instead of a resource * Refactor unit tests and dependencies * Make the default chain router check local overrides not only for containers but also for namespaces Signed-off-by: Airat Arifullin <aarifullin@yadro.com>
package engine
import (
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
)
// ChainRouter evaluates the rule chains registered under a chain name and
// decides whether a request against a target is permitted.
//
// Security note: the "found" flag is part of the contract. A result of
// found == false means no rule matched, not that the request was allowed;
// whether an unmatched request is denied or falls through to another check is
// decided by the caller, so callers must never collapse (status, found) into
// a single boolean without handling the unmatched case explicitly.
type ChainRouter interface {
	// IsAllowed returns status for the operation after all checks.
	// The second return value signifies whether a matching rule was found.
	//
	// name selects the rule chain set to consult; target identifies the entity
	// the request is made against (a plain string here, unlike the Target value
	// used by the storage interfaces in this file — NOTE(review): presumably a
	// namespace or container identifier; confirm with the router implementation);
	// r is the request being checked. A non-nil err means the evaluation itself
	// failed and status/found must not be trusted.
	IsAllowed(name chain.Name, target string, r resource.Request) (status chain.Status, found bool, err error)
}
// LocalOverrideStorage is the interface to manage local overrides defined
// for a node. Local overrides have a higher priority than chains got from morph storage.
//
// Security note: because overrides kept here win over the chains stored in the
// policy contract, any code path that can call AddOverride/RemoveOverride/
// DropAllOverrides can effectively bypass or replace on-chain policy for this
// node. Access to these mutating methods must be limited to trusted local
// administration, and implementations should log such changes. Overrides are
// keyed by (name, target): a namespace-scoped override and a container-scoped
// override are distinct entries even when their Name strings coincide.
type LocalOverrideStorage interface {
	// AddOverride stores chain c as an override for target under chain name
	// name and returns the ID assigned to it.
	AddOverride(name chain.Name, target Target, c *chain.Chain) (chain.ID, error)

	// GetOverride returns the override with chainID stored for (name, target).
	// The error returned when no such override exists is implementation-defined
	// here — NOTE(review): confirm the sentinel used by the implementation.
	GetOverride(name chain.Name, target Target, chainID chain.ID) (*chain.Chain, error)

	// RemoveOverride deletes the override with chainID stored for (name, target).
	RemoveOverride(name chain.Name, target Target, chainID chain.ID) error

	// ListOverrides returns every override stored for (name, target).
	ListOverrides(name chain.Name, target Target) ([]*chain.Chain, error)

	// DropAllOverrides removes overrides registered under chain name name.
	// It takes no target, so it is expected to affect every target kind
	// (namespace and container) at once — a broad, destructive operation that
	// should be guarded accordingly by the caller.
	DropAllOverrides(name chain.Name) error
}
// TargetType identifies the kind of entity a rule chain or override is bound to.
// It is a rune so that the type tag can be embedded directly in storage keys;
// the two values below must therefore stay distinct single characters.
type TargetType rune

const (
	// Namespace marks a target that is a namespace.
	Namespace TargetType = 'n'
	// Container marks a target that is a container.
	Container TargetType = 'c'
)
// Target names the entity (a namespace or a container) that rule chains and
// local overrides are attached to. It is a comparable value and is used as a
// lookup key by the storage interfaces in this file.
//
// Name is an opaque identifier; nothing in this file validates that it is a
// well-formed namespace or container identifier or that it matches Type, so
// callers constructing a Target from untrusted input must validate the name
// themselves before using it to add or remove policy.
type Target struct {
	// Type says whether Name refers to a namespace or a container.
	Type TargetType
	// Name is the identifier of the namespace or container.
	Name string
}
// NamespaceTarget builds a Target of type Namespace for the given namespace name.
// The name is stored as-is; no validation or normalization happens here, so
// callers are responsible for vetting untrusted input first.
func NamespaceTarget(namespace string) Target {
	var t Target
	t.Type = Namespace
	t.Name = namespace
	return t
}
// ContainerTarget builds a Target of type Container for the given container name.
// The name is stored as-is; no validation or normalization happens here, so
// callers are responsible for vetting untrusted input first.
func ContainerTarget(container string) Target {
	var t Target
	t.Type = Container
	t.Name = container
	return t
}
// MorphRuleChainStorage is the interface to manage chains from the chain storage.
// Basically, this implies that the storage manages rules stored in policy contract.
//
// Chains kept here are the shared, contract-backed policy and rank below any
// local override registered through LocalOverrideStorage (see its comment).
// Unlike LocalOverrideStorage, AddMorphRuleChain does not return an ID: the
// chain is expected to carry its own identifier — NOTE(review): confirm how the
// ID used by RemoveMorphRuleChain is assigned in the implementation.
type MorphRuleChainStorage interface {
	// AddMorphRuleChain stores chain c under chain name name for target.
	AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) error

	// RemoveMorphRuleChain deletes the chain with chainID stored for (name, target).
	RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) error

	// ListMorphRuleChains returns every chain stored for (name, target).
	ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
}
// Engine is the interface that provides methods to check request permissions checking
|
|
// chain rules from morph client - this implies using the policy contract.
|
|
type Engine interface {
|
|
ChainRouter
|
|
|
|
MorphRuleChainStorage() MorphRuleChainStorage
|
|
}
// LocalOverrideEngine is extended Engine that also provides methods to manage a local
|
|
// chain rule storage. Local overrides must have the highest priority during request checking.
|
|
type LocalOverrideEngine interface {
|
|
Engine
|
|
|
|
LocalStorage() LocalOverrideStorage
|
|
}