[#1425] services/tree: Remove eACL processing

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
2024-10-09 10:50:30 +03:00 · 2024-10-09 10:50:30 +03:00 · 02bb7159a5
commit 02bb7159a5
parent 94302235d0
4 changed files with 100 additions and 198 deletions
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@ -4,22 +4,30 @@ import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"testing"

 	aclV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
 	containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
+	checkercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger/test"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
-	eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	netmapSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/stretchr/testify/require"
 )

@ -27,6 +35,34 @@ type dummyNetmapSource struct {
 	netmap.Source
 }

+type dummySubjectProvider struct {
+	subjects map[util.Uint160]client.SubjectExtended
+}
+
+func (s dummySubjectProvider) GetSubject(addr util.Uint160) (*client.Subject, error) {
+	res := s.subjects[addr]
+	return &client.Subject{
+		PrimaryKey:     res.PrimaryKey,
+		AdditionalKeys: res.AdditionalKeys,
+		Namespace:      res.Namespace,
+		Name:           res.Name,
+		KV:             res.KV,
+	}, nil
+}
+
+func (s dummySubjectProvider) GetSubjectExtended(addr util.Uint160) (*client.SubjectExtended, error) {
+	res := s.subjects[addr]
+	return &res, nil
+}
+
+type dummyEpochSource struct {
+	epoch uint64
+}
+
+func (s dummyEpochSource) CurrentEpoch() uint64 {
+	return s.epoch
+}
+
 type dummyContainerSource map[string]*containercore.Container

 func (s dummyContainerSource) List() ([]cid.ID, error) {
@ -57,16 +93,6 @@ func (s dummyContainerSource) DeletionInfo(id cid.ID) (*containercore.DelInfo, e
 	return &containercore.DelInfo{}, nil
 }

-type dummyEACLSource map[string]*containercore.EACL
-
-func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
-	cntEACL, ok := s[id.String()]
-	if !ok {
-		return nil, errors.New("container not found")
-	}
-	return cntEACL, nil
-}
-
 func testContainer(owner user.ID) container.Container {
 	var r netmapSDK.ReplicaDescriptor
 	r.SetNumberOfObjects(1)
@ -81,6 +107,8 @@ func testContainer(owner user.ID) container.Container {
 	return cnt
 }

+const currentEpoch = 123
+
 func TestMessageSign(t *testing.T) {
 	privs := make([]*keys.PrivateKey, 4)
 	for i := range privs {
@ -99,6 +127,15 @@ func TestMessageSign(t *testing.T) {
 		Value: testContainer(ownerID),
 	}

+	e := inmemory.NewInMemoryLocalOverrides()
+	e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.Target{
+		Type: engine.Container,
+		Name: cid1.EncodeToString(),
+	}, testChain(privs[0].PublicKey(), privs[1].PublicKey()))
+	frostfsidProvider := dummySubjectProvider{
+		subjects: make(map[util.Uint160]client.SubjectExtended),
+	}
+
 	s := &Service{
 		cfg: cfg{
 			log:      test.NewLogger(t),
@ -107,12 +144,10 @@ func TestMessageSign(t *testing.T) {
 			cnrSource: dummyContainerSource{
 				cid1.String(): cnr,
 			},
-			eaclSource: dummyEACLSource{
-				cid1.String(): &containercore.EACL{
-					Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
-				},
-			},
+			frostfsidSubjectProvider: frostfsidProvider,
+			state:                    dummyEpochSource{epoch: currentEpoch},
 		},
+		apeChecker: checkercore.New(e.LocalStorage(), e.MorphRuleChainStorage(), frostfsidProvider, dummyEpochSource{}),
 	}

 	rawCID1 := make([]byte, sha256.Size)
@ -235,46 +270,58 @@ func TestMessageSign(t *testing.T) {

 func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
 	var b bearer.Token
-	b.SetEACLTable(*testTable(cid, forPutGet, forGet))
+	b.SetExp(currentEpoch + 1)
+	b.SetAPEOverride(bearer.APEOverride{
+		Target: ape.ChainTarget{
+			TargetType: ape.TargetTypeContainer,
+			Name:       cid.EncodeToString(),
+		},
+		Chains: []ape.Chain{{Raw: testChain(forPutGet, forGet).Bytes()}},
+	})

 	return b
 }

-func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
-	tgtGet := eaclSDK.NewTarget()
-	tgtGet.SetRole(eaclSDK.RoleUnknown)
-	tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
-
-	rGet := eaclSDK.NewRecord()
-	rGet.SetAction(eaclSDK.ActionAllow)
-	rGet.SetOperation(eaclSDK.OperationGet)
-	rGet.SetTargets(*tgtGet)
-
-	tgtPut := eaclSDK.NewTarget()
-	tgtPut.SetRole(eaclSDK.RoleUnknown)
-	tgtPut.SetBinaryKeys([][]byte{forPutGet.Bytes()})
-
-	rPut := eaclSDK.NewRecord()
-	rPut.SetAction(eaclSDK.ActionAllow)
-	rPut.SetOperation(eaclSDK.OperationPut)
-	rPut.SetTargets(*tgtPut)
-
-	tb := eaclSDK.NewTable()
-	tb.AddRecord(rGet)
-	tb.AddRecord(rPut)
-
-	tgt := eaclSDK.NewTarget()
-	tgt.SetRole(eaclSDK.RoleOthers)
-
-	for _, op := range []eaclSDK.Operation{eaclSDK.OperationGet, eaclSDK.OperationPut} {
-		r := eaclSDK.NewRecord()
-		r.SetAction(eaclSDK.ActionDeny)
-		r.SetTargets(*tgt)
-		r.SetOperation(op)
-		tb.AddRecord(r)
+func testChain(forPutGet, forGet *keys.PublicKey) *chain.Chain {
+	ruleGet := chain.Rule{
+		Status:    chain.Allow,
+		Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects}},
+		Actions:   chain.Actions{Names: []string{native.MethodGetObject}},
+		Any:       true,
+		Condition: []chain.Condition{
+			{
+				Op:    chain.CondStringEquals,
+				Kind:  chain.KindRequest,
+				Key:   native.PropertyKeyActorPublicKey,
+				Value: hex.EncodeToString(forPutGet.Bytes()),
+			},
+			{
+				Op:    chain.CondStringEquals,
+				Kind:  chain.KindRequest,
+				Key:   native.PropertyKeyActorPublicKey,
+				Value: hex.EncodeToString(forGet.Bytes()),
+			},
+		},
+	}
+	rulePut := chain.Rule{
+		Status:    chain.Allow,
+		Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects}},
+		Actions:   chain.Actions{Names: []string{native.MethodPutObject}},
+		Any:       true,
+		Condition: []chain.Condition{
+			{
+				Op:    chain.CondStringEquals,
+				Kind:  chain.KindRequest,
+				Key:   native.PropertyKeyActorPublicKey,
+				Value: hex.EncodeToString(forPutGet.Bytes()),
+			},
+		},
 	}

-	tb.SetCID(cid)
-
-	return tb
+	return &chain.Chain{
+		Rules: []chain.Rule{
+			ruleGet,
+			rulePut,
+		},
+	}
 }