[#1105] apemanager: Implement apemanager service

* Introduce grpc server for apemanager service and its implementation in `pkg/services/apemanager`. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-04-24 20:23:15 +03:00 · 2024-04-24 20:23:15 +03:00 · 542d3adcb2
commit 542d3adcb2
parent 51ade979e8
8 changed files with 434 additions and 0 deletions
--- a/pkg/services/apemanager/executor.go
+++ b/pkg/services/apemanager/executor.go
@ -0,0 +1,245 @@
+package apemanager
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"errors"
+	"fmt"
+
+	apemanager_v2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
+	session "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
+	ape_contract "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/contract_storage"
+	containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+	apemanager_errors "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/apemanager/errors"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
+	cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	policy_engine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"github.com/mr-tron/base58/base58"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"go.uber.org/zap"
+)
+
+var (
+	errEmptyBodySignature = errors.New("malformed request: empty body signature")
+)
+
+type cfg struct {
+	log *logger.Logger
+}
+
+type Service struct {
+	cfg
+
+	cnrSrc containercore.Source
+
+	contractStorage ape_contract.ProxyAdaptedContractStorage
+}
+
+type Option func(*cfg)
+
+func New(cnrSrc containercore.Source, contractStorage ape_contract.ProxyAdaptedContractStorage, opts ...Option) *Service {
+	s := &Service{
+		cnrSrc: cnrSrc,
+
+		contractStorage: contractStorage,
+	}
+
+	for i := range opts {
+		opts[i](&s.cfg)
+	}
+
+	if s.log == nil {
+		s.log = &logger.Logger{Logger: zap.NewNop()}
+	}
+
+	return s
+}
+
+func WithLogger(log *logger.Logger) Option {
+	return func(c *cfg) {
+		c.log = log
+	}
+}
+
+var _ Server = (*Service)(nil)
+
+// validateContainerTargetRequest validates request for the container target.
+// It checks if request actor is the owner of the container, otherwise it denies the request.
+func (s *Service) validateContainerTargetRequest(cid string, pubKey *keys.PublicKey) error {
+	var cidSDK cidSDK.ID
+	if err := cidSDK.DecodeString(cid); err != nil {
+		return fmt.Errorf("invalid CID format: %w", err)
+	}
+	isOwner, err := s.isActorContainerOwner(cidSDK, pubKey)
+	if err != nil {
+		return fmt.Errorf("failed to check owner: %w", err)
+	}
+	if !isOwner {
+		return apemanager_errors.ErrAPEManagerAccessDenied("actor must be container owner")
+	}
+	return nil
+}
+
+func (s *Service) AddChain(_ context.Context, req *apemanager_v2.AddChainRequest) (*apemanager_v2.AddChainResponse, error) {
+	pub, err := getSignaturePublicKey(req.GetVerificationHeader())
+	if err != nil {
+		return nil, err
+	}
+
+	chain, err := decodeAndValidateChain(req.GetBody().GetChain().GetKind().(*apemanager_v2.ChainRaw).GetRaw())
+	if err != nil {
+		return nil, err
+	}
+	if len(chain.ID) == 0 {
+		const randomIDLength = 10
+		randID, err := base58Str(randomIDLength)
+		if err != nil {
+			return nil, fmt.Errorf("randomize chain ID error: %w", err)
+		}
+		chain.ID = apechain.ID(randID)
+	}
+
+	var target policy_engine.Target
+
+	switch targetType := req.GetBody().GetTarget().GetTargetType(); targetType {
+	case apemanager_v2.TargetTypeContainer:
+		reqCID := req.GetBody().GetTarget().GetName()
+		if err = s.validateContainerTargetRequest(reqCID, pub); err != nil {
+			return nil, err
+		}
+		target = policy_engine.ContainerTarget(reqCID)
+	default:
+		return nil, fmt.Errorf("unsupported target type: %s", targetType)
+	}
+
+	if _, _, err = s.contractStorage.AddMorphRuleChain(apechain.Ingress, target, &chain); err != nil {
+		return nil, err
+	}
+
+	body := new(apemanager_v2.AddChainResponseBody)
+	body.SetChainID(chain.ID)
+
+	resp := new(apemanager_v2.AddChainResponse)
+	resp.SetBody(body)
+
+	return resp, nil
+}
+
+func (s *Service) RemoveChain(_ context.Context, req *apemanager_v2.RemoveChainRequest) (*apemanager_v2.RemoveChainResponse, error) {
+	pub, err := getSignaturePublicKey(req.GetVerificationHeader())
+	if err != nil {
+		return nil, err
+	}
+
+	var target policy_engine.Target
+
+	switch targetType := req.GetBody().GetTarget().GetTargetType(); targetType {
+	case apemanager_v2.TargetTypeContainer:
+		reqCID := req.GetBody().GetTarget().GetName()
+		if err = s.validateContainerTargetRequest(reqCID, pub); err != nil {
+			return nil, err
+		}
+		target = policy_engine.ContainerTarget(reqCID)
+	default:
+		return nil, fmt.Errorf("unsupported target type: %s", targetType)
+	}
+
+	if _, _, err = s.contractStorage.RemoveMorphRuleChain(apechain.Ingress, target, req.GetBody().GetChainID()); err != nil {
+		return nil, err
+	}
+
+	body := new(apemanager_v2.RemoveChainResponseBody)
+
+	resp := new(apemanager_v2.RemoveChainResponse)
+	resp.SetBody(body)
+
+	return resp, nil
+}
+
+func (s *Service) ListChains(_ context.Context, req *apemanager_v2.ListChainsRequest) (*apemanager_v2.ListChainsResponse, error) {
+	pub, err := getSignaturePublicKey(req.GetVerificationHeader())
+	if err != nil {
+		return nil, err
+	}
+
+	var target policy_engine.Target
+
+	switch targetType := req.GetBody().GetTarget().GetTargetType(); targetType {
+	case apemanager_v2.TargetTypeContainer:
+		reqCID := req.GetBody().GetTarget().GetName()
+		if err = s.validateContainerTargetRequest(reqCID, pub); err != nil {
+			return nil, err
+		}
+		target = policy_engine.ContainerTarget(reqCID)
+	default:
+		return nil, fmt.Errorf("unsupported target type: %s", targetType)
+	}
+
+	chs, err := s.contractStorage.ListMorphRuleChains(apechain.Ingress, target)
+	if err != nil {
+		return nil, err
+	}
+
+	res := make([]*apemanager_v2.Chain, 0, len(chs))
+	for _, ch := range chs {
+		v2chraw := new(apemanager_v2.ChainRaw)
+		v2chraw.SetRaw(ch.Bytes())
+
+		v2ch := new(apemanager_v2.Chain)
+		v2ch.SetKind(v2chraw)
+
+		res = append(res, v2ch)
+	}
+
+	body := new(apemanager_v2.ListChainsResponseBody)
+	body.SetChains(res)
+
+	resp := new(apemanager_v2.ListChainsResponse)
+	resp.SetBody(body)
+
+	return resp, nil
+}
+
+func getSignaturePublicKey(vh *session.RequestVerificationHeader) (*keys.PublicKey, error) {
+	for vh.GetOrigin() != nil {
+		vh = vh.GetOrigin()
+	}
+	sig := vh.GetBodySignature()
+	if sig == nil {
+		return nil, errEmptyBodySignature
+	}
+	key, err := keys.NewPublicKeyFromBytes(sig.GetKey(), elliptic.P256())
+	if err != nil {
+		return nil, fmt.Errorf("invalid signature key: %w", err)
+	}
+
+	return key, nil
+}
+
+func (s *Service) isActorContainerOwner(cid cidSDK.ID, pk *keys.PublicKey) (bool, error) {
+	var actor user.ID
+	user.IDFromKey(&actor, (ecdsa.PublicKey)(*pk))
+	actorOwnerID := new(refs.OwnerID)
+	actor.WriteToV2(actorOwnerID)
+
+	cnr, err := s.cnrSrc.Get(cid)
+	if err != nil {
+		return false, fmt.Errorf("get container error: %w", err)
+	}
+	return cnr.Value.Owner().Equals(actor), nil
+}
+
+// base58Str generates base58 string.
+func base58Str(n int) (string, error) {
+	b := make([]byte, n)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	return base58.FastBase58Encoding(b), nil
+}