forked from TrueCloudLab/frostfs-node
[#1190] object: GroupIDs must also be target of APE checks
* Also add new test case for ape middleware in container service. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
621dbf58ab
commit
0b87388c18
2 changed files with 58 additions and 6 deletions
|
|
@ -27,6 +27,7 @@ import (
|
|||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
||||
commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
|
||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||
"github.com/nspcc-dev/neo-go/pkg/util"
|
||||
|
|
@ -159,6 +160,8 @@ var (
|
|||
|
||||
objectID = "BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R"
|
||||
|
||||
groupID = "1"
|
||||
|
||||
role = "Container"
|
||||
|
||||
senderPrivateKey, _ = keys.NewPrivateKey()
|
||||
|
|
@ -238,6 +241,7 @@ var apeCheckTestCases = []struct {
|
|||
methods []string
|
||||
header testHeader
|
||||
containerRules []chain.Rule
|
||||
groupidRules []chain.Rule
|
||||
expectAPEErr bool
|
||||
}{
|
||||
{
|
||||
|
|
@ -393,6 +397,36 @@ var apeCheckTestCases = []struct {
|
|||
},
|
||||
expectAPEErr: true,
|
||||
},
|
||||
{
|
||||
name: "optional oid requests reached quota limit by group-id",
|
||||
container: containerID,
|
||||
methods: methodsOptionalOID,
|
||||
header: testHeader{
|
||||
headerObjSDK: &headerObjectSDKParams{
|
||||
payloadSize: 1000,
|
||||
},
|
||||
fromRequestResponseHeader: true,
|
||||
},
|
||||
groupidRules: []chain.Rule{
|
||||
{
|
||||
Status: chain.QuotaLimitReached,
|
||||
Actions: chain.Actions{Names: methodsOptionalOID},
|
||||
Resources: chain.Resources{
|
||||
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, containerID)},
|
||||
},
|
||||
Any: true,
|
||||
Condition: []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: commonschema.PropertyKeyFrostFSIDGroupID,
|
||||
Value: groupID,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
expectAPEErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
type stMock struct{}
|
||||
|
|
@ -486,10 +520,19 @@ func TestAPECheck(t *testing.T) {
|
|||
ls := inmemory.NewInmemoryLocalStorage()
|
||||
ms := inmemory.NewInmemoryMorphRuleChainStorage()
|
||||
|
||||
ls.AddOverride(chain.Ingress, policyengine.ContainerTarget(test.container), &chain.Chain{
|
||||
Rules: test.containerRules,
|
||||
MatchType: chain.MatchTypeFirstMatch,
|
||||
})
|
||||
if len(test.containerRules) > 0 {
|
||||
ls.AddOverride(chain.Ingress, policyengine.ContainerTarget(test.container), &chain.Chain{
|
||||
Rules: test.containerRules,
|
||||
MatchType: chain.MatchTypeFirstMatch,
|
||||
})
|
||||
}
|
||||
|
||||
if len(test.groupidRules) > 0 {
|
||||
ls.AddOverride(chain.Ingress, policyengine.GroupTarget(":"+groupID), &chain.Chain{
|
||||
Rules: test.groupidRules,
|
||||
MatchType: chain.MatchTypeFirstMatch,
|
||||
})
|
||||
}
|
||||
|
||||
router := policyengine.NewDefaultChainRouterWithLocalOverrides(ms, ls)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue