[#811] ape: Update policy-engine module version and rebase

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2023-11-16 10:58:55 +03:00 · 2023-11-16 10:58:55 +03:00 · 4d5be5ccb5
commit 4d5be5ccb5
parent fd9128d051
14 changed files with 151 additions and 131 deletions
--- a/pkg/core/container/storage.go
+++ b/pkg/core/container/storage.go
@ -7,7 +7,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
-	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 )

 // Container groups information about the FrostFS container stored in the FrostFS network.
@ -77,5 +77,5 @@ type EACLSource interface {
 // policy engine chain storage.
 type AccessPolicyEngineChainSource interface {
 	// TODO (aarifullin): Better to use simpler interface instead CachedChainStorage.
-	GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error)
+	GetChainSource(cid cid.ID) (engine.LocalOverrideEngine, error)
 }
--- a/pkg/services/control/server/policy_engine.go
+++ b/pkg/services/control/server/policy_engine.go
@ -2,11 +2,14 @@ package control

 import (
 	"context"
+	"errors"
 	"fmt"

 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
-	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	engine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@ -22,7 +25,7 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}

-	var chain policyengine.Chain
+	var chain apechain.Chain
 	if err = chain.DecodeBytes(req.GetBody().GetChain()); err != nil {
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}
@ -34,9 +37,12 @@ func (s *Server) AddChainLocalOverride(_ context.Context, req *control.AddChainL

 	s.apeChainCounter.Add(1)
 	// TODO (aarifullin): the such chain id is not well-designed yet.
-	chain.ID = policyengine.ChainID(fmt.Sprintf("%s:%d", policyengine.Ingress, s.apeChainCounter.Load()))
+	chain.ID = apechain.ID(fmt.Sprintf("%s:%d", apechain.Ingress, s.apeChainCounter.Load()))

-	src.AddOverride(policyengine.Ingress, &chain)
+	resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
+	if _, err = src.LocalStorage().AddOverride(apechain.Ingress, resource, &chain); err != nil {
+		return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
+	}

 	resp := &control.AddChainLocalOverrideResponse{
 		Body: &control.AddChainLocalOverrideResponse_Body{
@ -66,10 +72,10 @@ func (s *Server) GetChainLocalOverride(_ context.Context, req *control.GetChainL
 		return nil, status.Error(codes.Internal, err.Error())
 	}

-	chain, found := src.GetOverride(policyengine.Ingress, policyengine.ChainID(req.GetBody().GetChainId()))
-	if !found {
-		err = fmt.Errorf("local override has not been found")
-		return nil, status.Error(codes.NotFound, err.Error())
+	resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
+	chain, err := src.LocalStorage().GetOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId()))
+	if err != nil {
+		return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
 	}

 	resp := &control.GetChainLocalOverrideResponse{
@ -100,7 +106,11 @@ func (s *Server) ListChainLocalOverrides(_ context.Context, req *control.ListCha
 		return nil, status.Error(codes.Internal, err.Error())
 	}

-	chains := src.ListOverrides(policyengine.Ingress)
+	resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
+	chains, err := src.LocalStorage().ListOverrides(apechain.Ingress, resource)
+	if err != nil {
+		return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
+	}
 	serializedChains := make([][]byte, 0, len(chains))
 	for _, chain := range chains {
 		serializedChains = append(serializedChains, chain.Bytes())
@ -134,10 +144,13 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
 		return nil, status.Error(codes.Internal, err.Error())
 	}

-	removed := src.RemoveOverride(policyengine.Ingress, policyengine.ChainID(req.GetBody().GetChainId()))
+	resource := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
+	if err = src.LocalStorage().RemoveOverride(apechain.Ingress, resource, apechain.ID(req.GetBody().GetChainId())); err != nil {
+		return nil, status.Error(getCodeByLocalStorageErr(err), err.Error())
+	}
 	resp := &control.RemoveChainLocalOverrideResponse{
 		Body: &control.RemoveChainLocalOverrideResponse_Body{
-			Removed: removed,
+			Removed: true,
 		},
 	}
 	err = SignMessage(s.key, resp)
@ -146,3 +159,10 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
 	}
 	return resp, nil
 }
+
+func getCodeByLocalStorageErr(err error) codes.Code {
+	if errors.Is(err, engine.ErrChainNotFound) {
+		return codes.NotFound
+	}
+	return codes.Internal
+}
--- a/pkg/services/object/acl/ape.go
+++ b/pkg/services/object/acl/ape.go
@ -8,7 +8,7 @@ import (
 	v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
-	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 )

 var errAPEChainNoSource = errors.New("could not get ape chain source for the container")
@ -36,9 +36,12 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
 	request := new(Request)
 	request.FromRequestInfo(reqInfo)

-	status, ruleFound := chainCache.IsAllowed(policyengine.Ingress, "", request)
+	status, ruleFound, err := chainCache.IsAllowed(apechain.Ingress, "", request)
+	if err != nil {
+		return err
+	}

-	if !ruleFound || status == policyengine.Allow {
+	if !ruleFound || status == apechain.Allow {
 		return nil
 	}

@ -47,7 +50,7 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {

 const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"

-func apeErr(req v2.RequestInfo, status policyengine.Status) error {
+func apeErr(req v2.RequestInfo, status apechain.Status) error {
 	errAccessDenied := &apistatus.ObjectAccessDenied{}
 	errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String()))
 	return errAccessDenied
--- a/pkg/services/object/acl/ape_request.go
+++ b/pkg/services/object/acl/ape_request.go
@ -5,7 +5,8 @@ import (

 	v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
 	aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
-	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	aperesource "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 )

 type Request struct {
@ -14,14 +15,14 @@ type Request struct {
 	properties map[string]string
 }

-var _ policyengine.Request = (*Request)(nil)
+var _ aperesource.Request = (*Request)(nil)

 type resource struct {
 	name       string
 	properties map[string]string
 }

-var _ policyengine.Resource = (*resource)(nil)
+var _ aperesource.Resource = (*resource)(nil)

 func (r *resource) Name() string {
 	return r.name
@ -31,18 +32,14 @@ func (r *resource) Property(key string) string {
 	return r.properties[key]
 }

-// TODO (aarifullin): these stringified verbs, properties and namespaces
-// should be non-implementation-specific.
 func getResource(reqInfo v2.RequestInfo) *resource {
+	var name string
 	cid := reqInfo.ContainerID()
-	oid := "*"
-	if reqOID := reqInfo.ObjectID(); reqOID != nil {
-		oid = reqOID.EncodeToString()
+	if oid := reqInfo.ObjectID(); oid != nil {
+		name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, cid.EncodeToString(), oid.EncodeToString())
+	} else {
+		name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
 	}
-	name := fmt.Sprintf("native:::object/%s/%s",
-		cid,
-		oid)
-
 	return &resource{
 		name:       name,
 		properties: make(map[string]string),
@ -51,32 +48,30 @@ func getResource(reqInfo v2.RequestInfo) *resource {

 func getProperties(_ v2.RequestInfo) map[string]string {
 	return map[string]string{
-		"Actor": "",
+		nativeschema.PropertyKeyActorPublicKey: "",
+		nativeschema.PropertyKeyActorRole:      "",
 	}
 }

-// TODO (aarifullin): these stringified verbs, properties and namespaces
-// should be non-implementation-specific.
 func getOperation(reqInfo v2.RequestInfo) string {
-	var verb string
 	switch op := reqInfo.Operation(); op {
 	case aclSDK.OpObjectGet:
-		verb = "GetObject"
+		return nativeschema.MethodGetObject
 	case aclSDK.OpObjectHead:
-		verb = "HeadObject"
+		return nativeschema.MethodHeadObject
 	case aclSDK.OpObjectPut:
-		verb = "PutObject"
+		return nativeschema.MethodPutObject
 	case aclSDK.OpObjectDelete:
-		verb = "DeleteObject"
+		return nativeschema.MethodDeleteObject
 	case aclSDK.OpObjectSearch:
-		verb = "SearchObject"
+		return nativeschema.MethodSearchObject
 	case aclSDK.OpObjectRange:
-		verb = "RangeObject"
+		return nativeschema.MethodRangeObject
 	case aclSDK.OpObjectHash:
-		verb = "HashObject"
+		return nativeschema.MethodHashObject
+	default:
+		return ""
 	}
-
-	return "native:" + verb
 }

 func NewRequest() *Request {
@ -100,6 +95,6 @@ func (r *Request) Property(key string) string {
 	return r.properties[key]
 }

-func (r *Request) Resource() policyengine.Resource {
+func (r *Request) Resource() aperesource.Resource {
 	return r.resource
 }