From 91e79c98ba5805b3da5358f131a0b301c58b4633 Mon Sep 17 00:00:00 2001 From: Evgenii Stratonikov Date: Thu, 11 Apr 2024 13:51:39 +0300 Subject: [PATCH] [#1089] ape: Provide request actor as an additional target Signed-off-by: Evgenii Stratonikov --- go.mod | 2 +- go.sum | Bin 43242 -> 43242 bytes pkg/services/container/ape.go | 30 ++++++++++++++---------- pkg/services/object/ape/checker.go | 10 ++++++-- pkg/services/object/ape/checker_test.go | 5 +++- pkg/services/tree/ape.go | 3 ++- 6 files changed, 33 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 7f9c9d457..8cfea305d 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240329104804-ec0cb2169f92 git.frostfs.info/TrueCloudLab/hrw v1.2.1 - git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240410114823-1f190e1668ec + git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a git.frostfs.info/TrueCloudLab/tzhash v1.8.0 git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02 github.com/cheggaaa/pb v1.0.29 diff --git a/go.sum b/go.sum index 83bb5818d3f024fbca97b3a00ba512c5eefeb7c5..76ed7e5dc963cac023ebe5deadddb39c17afc41a 100644 GIT binary patch delta 106 zcmaELk?GY%rVY7l&PImD2Ij^lx(2CcmZ>HdriO;5i3%BpR^>@~Dc)rsN#!nqnZdq+ s;XdZ3K^2)HQO>EMmCl*wexX^0ImKxyj_%pXlMUHyM6j8&iT%|=04hZxS^xk5 delta 106 zcmaELk?GY%rVY7l&IX2tCKg7HxoIYDfo4grlMUHyM6j8&iT%|=0Ps;DbN~PV diff --git a/pkg/services/container/ape.go b/pkg/services/container/ape.go index 7622a40bc..02549bded 100644 --- a/pkg/services/container/ape.go +++ b/pkg/services/container/ape.go 
@@ -157,9 +157,12 @@ func (ac *apeChecker) List(ctx context.Context, req *container.ListRequest) (*co
 reqProps,
 )
- s, found, err := ac.router.IsAllowed(apechain.Ingress,
- policyengine.NewRequestTargetWithNamespace(namespace),
- request)
+ rt := policyengine.NewRequestTargetWithNamespace(namespace)
+ rt.User = &policyengine.Target{
+ Type: policyengine.User,
+ Name: fmt.Sprintf("%s:%s", namespace, pk.Address()),
+ }
+ s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request)
 if err != nil {
 return nil, err
 }
@@ -202,9 +205,12 @@ func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*cont
 reqProps,
 )
- s, found, err := ac.router.IsAllowed(apechain.Ingress,
- policyengine.NewRequestTargetWithNamespace(namespace),
- request)
+ rt := policyengine.NewRequestTargetWithNamespace(namespace)
+ rt.User = &policyengine.Target{
+ Type: policyengine.User,
+ Name: fmt.Sprintf("%s:%s", namespace, pk.Address()),
+ }
+ s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request)
 if err != nil {
 return nil, err
 }
@@ -277,7 +283,7 @@ func (ac *apeChecker) validateContainerBoundedOperation(containerID *refs.Contai
 return err
 }
- reqProps, err := ac.getRequestProps(mh, vh, cont, id)
+ reqProps, pk, err := ac.getRequestProps(mh, vh, cont, id)
 if err != nil {
 return err
 }
@@ -298,7 +304,7 @@ func (ac *apeChecker) validateContainerBoundedOperation(containerID *refs.Contai
 )
 s, found, err := ac.router.IsAllowed(apechain.Ingress,
- policyengine.NewRequestTarget(namespace, id.EncodeToString()),
+ policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), nil),
 request)
 if err != nil {
 return err
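Review bot: The user-target name `fmt.Sprintf("%s:%s", namespace, pk.Address())` is hand-written in the List hunk and repeated verbatim in the Put hunk, the validateContainerBoundedOperation hunk, the object CheckAPE hunk in checker.go and the tree checkAPE hunk; if any one of the five copies drifts (separator, argument order, address encoding), actor-scoped rules silently stop matching in that service only, and nothing errors to reveal it. A single helper shared by the three services, `func userTargetName(namespace string, pk *keys.PublicKey) string { return fmt.Sprintf("%s:%s", namespace, pk.Address()) }`, would pin the format in one place and make it unit-testable. The List and Put hunks also build the target differently from the other three (NewRequestTargetWithNamespace plus a hand-filled `rt.User`, versus NewRequestTargetExtended); if the extended constructor tolerates an empty container name, the first form could go away too. In List and Put, `pk` is defined outside the hunk, and all four enclosing functions start and end outside their hunks.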
@@ -350,19 +356,19 @@ func (ac *apeChecker) getContainerProps(c *containercore.Container) map[string]s
 func (ac *apeChecker) getRequestProps(mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader, cont *containercore.Container, cnrID cid.ID,
-) (map[string]string, error) {
+) (map[string]string, *keys.PublicKey, error) {
 actor, pk, err := ac.getActorAndPublicKey(mh, vh, cnrID)
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 role, err := ac.getRole(actor, pk, cont, cnrID)
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 return map[string]string{
 nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(pk.Bytes()),
 nativeschema.PropertyKeyActorRole: role,
- }, nil
+ }, pk, nil
 }
 func (ac *apeChecker) getRole(actor *user.ID, pk *keys.PublicKey, cont *containercore.Container, cnrID cid.ID) (string, error) {
diff --git a/pkg/services/object/ape/checker.go b/pkg/services/object/ape/checker.go
index 119df5fc0..1063bd901 100644
--- a/pkg/services/object/ape/checker.go
+++ b/pkg/services/object/ape/checker.go
@@ -12,6 +12,7 @@ import (
 apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+ "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )
 type checkerImpl struct {
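Review bot: getRequestProps now returns the actor's public key next to the properties map but carries no doc comment, so the relationship between the two results (the map already holds the same key hex-encoded under PropertyKeyActorPublicKey; the *keys.PublicKey exists so the caller can derive the APE user target) is only discoverable from the validateContainerBoundedOperation call site. Suggest `// getRequestProps builds the actor-related APE request properties and also returns the actor's public key so the caller can build the request's user target; the key is nil whenever err is non-nil.` above the signature. The signature lines are leading context here and the whole body is inside the hunk, so the comment is a safe addition.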
@@ -84,8 +85,13 @@ func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
 return fmt.Errorf("failed to create ape request: %w", err)
 }
- status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress,
- policyengine.NewRequestTarget(prm.Namespace, prm.Container.EncodeToString()), r)
+ pub, err := keys.NewPublicKeyFromString(prm.SenderKey)
+ if err != nil {
+ return err
+ }
+
+ rt := policyengine.NewRequestTargetExtended(prm.Namespace, prm.Container.EncodeToString(), fmt.Sprintf("%s:%s", prm.Namespace, pub.Address()), nil)
+ status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, rt, r)
 if err != nil {
 return err
 }
diff --git a/pkg/services/object/ape/checker_test.go b/pkg/services/object/ape/checker_test.go
index 443414959..fc915715c 100644
--- a/pkg/services/object/ape/checker_test.go
+++ b/pkg/services/object/ape/checker_test.go
@@ -16,6 +16,7 @@ import (
 policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
 nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+ "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 "github.com/stretchr/testify/require"
 )
@@ -147,7 +148,9 @@ var (
 role = "Container"
- senderKey = hex.EncodeToString([]byte{1, 0, 0, 1})
+ senderPrivateKey, _ = keys.NewPrivateKey()
+
+ senderKey = hex.EncodeToString(senderPrivateKey.PublicKey().Bytes())
 )
 func TestAPECheck(t *testing.T) {
diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go
index 52036074a..5da49a591 100644
--- a/pkg/services/tree/ape.go
+++ b/pkg/services/tree/ape.go
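Review bot: The bare `return err` after `keys.NewPublicKeyFromString(prm.SenderKey)` drops the context that the line just above it in this hunk adds for the request-construction error (`fmt.Errorf("failed to create ape request: %w", err)`), so an empty or malformed sender key surfaces as an anonymous neo-go parse error with no hint that it came out of the APE check; suggest `return fmt.Errorf("parsing sender key for ape check: %w", err)`. This is also a behaviour change worth a comment on the new check: before the patch a sender key that did not parse only meant PropertyKeyActorPublicKey carried an opaque value, whereas now the whole request is rejected, which is the right fail-closed outcome and is why the old 4-byte fixture in checker_test.go had to become a real key; `// a sender key that does not parse cannot be mapped to a user target, so the request is rejected rather than checked without one` would record that intent. The user target is now derived from whatever prm.SenderKey holds, and the guarantee that this is the signature-verified signer rather than a caller-supplied value is established wherever Prm is populated, outside this hunk; a one-line note on the SenderKey field stating that requirement would keep future callers honest. CheckAPE begins and ends outside the hunk.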
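Review bot: `senderPrivateKey, _ = keys.NewPrivateKey()` discards the error at package scope in checker_test.go, so if key generation fails the variable is nil and `senderPrivateKey.PublicKey()` on the next added line panics during package initialisation with a nil-pointer message that points nowhere near the cause. Either justify the blank identifier in place, `// error ignored: a nil key fails loudly on the next line, acceptable for a test fixture`, or wrap generation in a tiny `func mustNewPrivateKey() *keys.PrivateKey { k, err := keys.NewPrivateKey(); if err != nil { panic(err) }; return k }` so the real error is what surfaces. The import hunk above needs nothing.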
@@ -51,7 +51,8 @@ func (s *Service) checkAPE(container *core.Container, cid cid.ID, operation acl.
 reqProps,
 )
- status, found, err := s.router.IsAllowed(apechain.Ingress, engine.NewRequestTarget(namespace, cid.EncodeToString()), request)
+ rt := engine.NewRequestTargetExtended(namespace, cid.EncodeToString(), fmt.Sprintf("%s:%s", namespace, publicKey.Address()), nil)
+ status, found, err := s.router.IsAllowed(apechain.Ingress, rt, request)
 if err != nil {
 return apeErr(err)
 }