[#811] ape: Update policy-engine module version and rebase

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2023-11-16 10:58:55 +03:00 · 2023-11-16 10:58:55 +03:00 · 4d5be5ccb5
commit 4d5be5ccb5
parent fd9128d051
14 changed files with 151 additions and 131 deletions
--- a/pkg/services/object/acl/ape.go
+++ b/pkg/services/object/acl/ape.go
@ -8,7 +8,7 @@ import (
 	v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
-	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 )

 var errAPEChainNoSource = errors.New("could not get ape chain source for the container")
@ -36,9 +36,12 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
 	request := new(Request)
 	request.FromRequestInfo(reqInfo)

-	status, ruleFound := chainCache.IsAllowed(policyengine.Ingress, "", request)
+	status, ruleFound, err := chainCache.IsAllowed(apechain.Ingress, "", request)
+	if err != nil {
+		return err
+	}

-	if !ruleFound || status == policyengine.Allow {
+	if !ruleFound || status == apechain.Allow {
 		return nil
 	}

@ -47,7 +50,7 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {

 const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"

-func apeErr(req v2.RequestInfo, status policyengine.Status) error {
+func apeErr(req v2.RequestInfo, status apechain.Status) error {
 	errAccessDenied := &apistatus.ObjectAccessDenied{}
 	errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String()))
 	return errAccessDenied
--- a/pkg/services/object/acl/ape_request.go
+++ b/pkg/services/object/acl/ape_request.go
@ -5,7 +5,8 @@ import (

 	v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
 	aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
-	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	aperesource "git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
+	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 )

 type Request struct {
@ -14,14 +15,14 @@ type Request struct {
 	properties map[string]string
 }

-var _ policyengine.Request = (*Request)(nil)
+var _ aperesource.Request = (*Request)(nil)

 type resource struct {
 	name       string
 	properties map[string]string
 }

-var _ policyengine.Resource = (*resource)(nil)
+var _ aperesource.Resource = (*resource)(nil)

 func (r *resource) Name() string {
 	return r.name
@ -31,18 +32,14 @@ func (r *resource) Property(key string) string {
 	return r.properties[key]
 }

-// TODO (aarifullin): these stringified verbs, properties and namespaces
-// should be non-implementation-specific.
 func getResource(reqInfo v2.RequestInfo) *resource {
+	var name string
 	cid := reqInfo.ContainerID()
-	oid := "*"
-	if reqOID := reqInfo.ObjectID(); reqOID != nil {
-		oid = reqOID.EncodeToString()
+	if oid := reqInfo.ObjectID(); oid != nil {
+		name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, cid.EncodeToString(), oid.EncodeToString())
+	} else {
+		name = fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cid.EncodeToString())
 	}
-	name := fmt.Sprintf("native:::object/%s/%s",
-		cid,
-		oid)
-
 	return &resource{
 		name:       name,
 		properties: make(map[string]string),
@ -51,32 +48,30 @@ func getResource(reqInfo v2.RequestInfo) *resource {

 func getProperties(_ v2.RequestInfo) map[string]string {
 	return map[string]string{
-		"Actor": "",
+		nativeschema.PropertyKeyActorPublicKey: "",
+		nativeschema.PropertyKeyActorRole:      "",
 	}
 }

-// TODO (aarifullin): these stringified verbs, properties and namespaces
-// should be non-implementation-specific.
 func getOperation(reqInfo v2.RequestInfo) string {
-	var verb string
 	switch op := reqInfo.Operation(); op {
 	case aclSDK.OpObjectGet:
-		verb = "GetObject"
+		return nativeschema.MethodGetObject
 	case aclSDK.OpObjectHead:
-		verb = "HeadObject"
+		return nativeschema.MethodHeadObject
 	case aclSDK.OpObjectPut:
-		verb = "PutObject"
+		return nativeschema.MethodPutObject
 	case aclSDK.OpObjectDelete:
-		verb = "DeleteObject"
+		return nativeschema.MethodDeleteObject
 	case aclSDK.OpObjectSearch:
-		verb = "SearchObject"
+		return nativeschema.MethodSearchObject
 	case aclSDK.OpObjectRange:
-		verb = "RangeObject"
+		return nativeschema.MethodRangeObject
 	case aclSDK.OpObjectHash:
-		verb = "HashObject"
+		return nativeschema.MethodHashObject
+	default:
+		return ""
 	}
-
-	return "native:" + verb
 }

 func NewRequest() *Request {
@ -100,6 +95,6 @@ func (r *Request) Property(key string) string {
 	return r.properties[key]
 }

-func (r *Request) Resource() policyengine.Resource {
+func (r *Request) Resource() aperesource.Resource {
 	return r.resource
 }