forked from TrueCloudLab/frostfs-node
[#811] ape: Update policy-engine module version and rebase
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
fd9128d051
commit
4d5be5ccb5
14 changed files with 151 additions and 131 deletions
|
|
@ -5,7 +5,7 @@ import (
|
|||
"fmt"
|
||||
"strings"
|
||||
|
||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||
"github.com/flynn-archive/go-shlex"
|
||||
)
|
||||
|
|
@ -21,13 +21,13 @@ var (
|
|||
)
|
||||
|
||||
// ParseAPEChain parses APE chain rules.
|
||||
func ParseAPEChain(chain *policyengine.Chain, rules []string) error {
|
||||
func ParseAPEChain(chain *apechain.Chain, rules []string) error {
|
||||
if len(rules) == 0 {
|
||||
return errors.New("no APE rules provided")
|
||||
}
|
||||
|
||||
for _, rule := range rules {
|
||||
r := new(policyengine.Rule)
|
||||
r := new(apechain.Rule)
|
||||
if err := ParseAPERule(r, rule); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -47,7 +47,7 @@ func ParseAPEChain(chain *policyengine.Chain, rules []string) error {
|
|||
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
|
||||
//
|
||||
//nolint:godot
|
||||
func ParseAPERule(r *policyengine.Rule, rule string) error {
|
||||
func ParseAPERule(r *apechain.Rule, rule string) error {
|
||||
lexemes, err := shlex.Split(rule)
|
||||
if err != nil {
|
||||
return fmt.Errorf("can't parse rule '%s': %v", rule, err)
|
||||
|
|
@ -55,7 +55,7 @@ func ParseAPERule(r *policyengine.Rule, rule string) error {
|
|||
return parseRuleLexemes(r, lexemes)
|
||||
}
|
||||
|
||||
func parseRuleLexemes(r *policyengine.Rule, lexemes []string) error {
|
||||
func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
|
||||
if len(lexemes) < 2 {
|
||||
return errInvalidStatementFormat
|
||||
}
|
||||
|
|
@ -80,14 +80,14 @@ func parseRuleLexemes(r *policyengine.Rule, lexemes []string) error {
|
|||
return err
|
||||
}
|
||||
|
||||
func parseStatus(lexeme string) (policyengine.Status, error) {
|
||||
func parseStatus(lexeme string) (apechain.Status, error) {
|
||||
action, expression, found := strings.Cut(lexeme, ":")
|
||||
switch action = strings.ToLower(action); action {
|
||||
case "deny":
|
||||
if !found {
|
||||
return policyengine.AccessDenied, nil
|
||||
return apechain.AccessDenied, nil
|
||||
} else if strings.EqualFold(expression, "QuotaLimitReached") {
|
||||
return policyengine.QuotaLimitReached, nil
|
||||
return apechain.QuotaLimitReached, nil
|
||||
} else {
|
||||
return 0, fmt.Errorf("%w: %s", errUnknownActionDetail, expression)
|
||||
}
|
||||
|
|
@ -95,38 +95,38 @@ func parseStatus(lexeme string) (policyengine.Status, error) {
|
|||
if found {
|
||||
return 0, errUnknownActionDetail
|
||||
}
|
||||
return policyengine.Allow, nil
|
||||
return apechain.Allow, nil
|
||||
default:
|
||||
return 0, errUnknownAction
|
||||
}
|
||||
}
|
||||
|
||||
func parseAction(lexeme string) (policyengine.Actions, error) {
|
||||
func parseAction(lexeme string) (apechain.Actions, error) {
|
||||
switch strings.ToLower(lexeme) {
|
||||
case "object.put":
|
||||
return policyengine.Actions{Names: []string{nativeschema.MethodPutObject}}, nil
|
||||
return apechain.Actions{Names: []string{nativeschema.MethodPutObject}}, nil
|
||||
case "object.get":
|
||||
return policyengine.Actions{Names: []string{nativeschema.MethodGetObject}}, nil
|
||||
return apechain.Actions{Names: []string{nativeschema.MethodGetObject}}, nil
|
||||
case "object.head":
|
||||
return policyengine.Actions{Names: []string{nativeschema.MethodHeadObject}}, nil
|
||||
return apechain.Actions{Names: []string{nativeschema.MethodHeadObject}}, nil
|
||||
case "object.delete":
|
||||
return policyengine.Actions{Names: []string{nativeschema.MethodDeleteObject}}, nil
|
||||
return apechain.Actions{Names: []string{nativeschema.MethodDeleteObject}}, nil
|
||||
case "object.search":
|
||||
return policyengine.Actions{Names: []string{nativeschema.MethodSearchObject}}, nil
|
||||
return apechain.Actions{Names: []string{nativeschema.MethodSearchObject}}, nil
|
||||
case "object.range":
|
||||
return policyengine.Actions{Names: []string{nativeschema.MethodRangeObject}}, nil
|
||||
return apechain.Actions{Names: []string{nativeschema.MethodRangeObject}}, nil
|
||||
case "object.hash":
|
||||
return policyengine.Actions{Names: []string{nativeschema.MethodHashObject}}, nil
|
||||
return apechain.Actions{Names: []string{nativeschema.MethodHashObject}}, nil
|
||||
default:
|
||||
}
|
||||
return policyengine.Actions{}, fmt.Errorf("%w: %s", errUnknownOperation, lexeme)
|
||||
return apechain.Actions{}, fmt.Errorf("%w: %s", errUnknownOperation, lexeme)
|
||||
}
|
||||
|
||||
func parseResource(lexeme string) (policyengine.Resources, error) {
|
||||
func parseResource(lexeme string) (apechain.Resources, error) {
|
||||
if lexeme == "*" {
|
||||
return policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, nil
|
||||
return apechain.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, nil
|
||||
}
|
||||
return policyengine.Resources{Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, lexeme)}}, nil
|
||||
return apechain.Resources{Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, lexeme)}}, nil
|
||||
}
|
||||
|
||||
const (
|
||||
|
|
@ -134,13 +134,13 @@ const (
|
|||
ObjectRequest = "object.request"
|
||||
)
|
||||
|
||||
var typeToCondObject = map[string]policyengine.ObjectType{
|
||||
ObjectResource: policyengine.ObjectResource,
|
||||
ObjectRequest: policyengine.ObjectRequest,
|
||||
var typeToCondObject = map[string]apechain.ObjectType{
|
||||
ObjectResource: apechain.ObjectResource,
|
||||
ObjectRequest: apechain.ObjectRequest,
|
||||
}
|
||||
|
||||
func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
|
||||
conds := make([]policyengine.Condition, 0)
|
||||
func parseConditions(lexemes []string) ([]apechain.Condition, error) {
|
||||
conds := make([]apechain.Condition, 0)
|
||||
|
||||
for _, lexeme := range lexemes {
|
||||
typ, expression, found := strings.Cut(lexeme, ":")
|
||||
|
|
@ -155,7 +155,7 @@ func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
|
|||
var lhs, rhs string
|
||||
var binExpFound bool
|
||||
|
||||
var cond policyengine.Condition
|
||||
var cond apechain.Condition
|
||||
cond.Object = objType
|
||||
|
||||
lhs, rhs, binExpFound = strings.Cut(expression, "!=")
|
||||
|
|
@ -164,9 +164,9 @@ func parseConditions(lexemes []string) ([]policyengine.Condition, error) {
|
|||
if !binExpFound {
|
||||
return nil, fmt.Errorf("%w: %s", errUnknownBinaryOperator, expression)
|
||||
}
|
||||
cond.Op = policyengine.CondStringEquals
|
||||
cond.Op = apechain.CondStringEquals
|
||||
} else {
|
||||
cond.Op = policyengine.CondStringNotEquals
|
||||
cond.Op = apechain.CondStringNotEquals
|
||||
}
|
||||
|
||||
cond.Key, cond.Value = lhs, rhs
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue