[#770] cli: Add methods to work with APE rules via control svc

* Add methods to frostfs-cli
* Implement rpc in control service

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

cmd/frostfs-cli/modules/control/add_rule.go

@@ -0,0 +1,90 @@
+package control
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/json"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	ape "git.frostfs.info/TrueCloudLab/policy-engine"
+	"github.com/spf13/cobra"
+)
+
+const (
+	ruleFlag = "rule"
+)
+
+var addRuleCmd = &cobra.Command{
+	Use:   "add-rule",
+	Short: "Add local override",
+	Long:  "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
+	Example: `allow Object.Get *
+deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*
+deny:QuotaLimitReached Object.Put Object.Resource:Department=HR *
+`,
+	Run: addRule,
+}
+
+func prettyJSONFormat(cmd *cobra.Command, serializedChain []byte) string {
+	wr := bytes.NewBufferString("")
+	err := json.Indent(wr, serializedChain, "", " ")
+	commonCmd.ExitOnErr(cmd, "%w", err)
+	return wr.String()
+}
+
+func addRule(cmd *cobra.Command, _ []string) {
+	pk := key.Get(cmd)
+
+	var cnr cid.ID
+	cidStr, _ := cmd.Flags().GetString(commonflags.CIDFlag)
+	commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(cidStr))
+
+	rawCID := make([]byte, sha256.Size)
+	cnr.Encode(rawCID)
+
+	rule, _ := cmd.Flags().GetString(ruleFlag)
+
+	chain := new(ape.Chain)
+	commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, []string{rule}))
+	serializedChain := chain.Bytes()
+
+	cmd.Println("Container ID: " + cidStr)
+	cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, serializedChain))
+
+	req := &control.AddChainLocalOverrideRequest{
+		Body: &control.AddChainLocalOverrideRequest_Body{
+			ContainerId: rawCID,
+			Chain:       serializedChain,
+		},
+	}
+
+	signRequest(cmd, pk, req)
+
+	cli := getClient(cmd, pk)
+
+	var resp *control.AddChainLocalOverrideResponse
+	var err error
+	err = cli.ExecRaw(func(client *client.Client) error {
+		resp, err = control.AddChainLocalOverride(client, req)
+		return err
+	})
+	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+
+	cmd.Println("Rule has been added. Chain id: ", resp.GetBody().GetChainId())
+}
+
+func initControlAddRuleCmd() {
+	initControlFlags(addRuleCmd)
+
+	ff := addRuleCmd.Flags()
+	ff.String(commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
+	ff.String(ruleFlag, "", "Rule statement")
+}

cmd/frostfs-cli/modules/control/get_rule.go

@@ -0,0 +1,69 @@
+package control
+
+import (
+	"crypto/sha256"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	"github.com/spf13/cobra"
+)
+
+var getRuleCmd = &cobra.Command{
+	Use:   "get-rule",
+	Short: "Get local override",
+	Long:  "Get local APE override of the node",
+	Run:   getRule,
+}
+
+func getRule(cmd *cobra.Command, _ []string) {
+	pk := key.Get(cmd)
+
+	var cnr cid.ID
+	cidStr, _ := cmd.Flags().GetString(commonflags.CIDFlag)
+	commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(cidStr))
+
+	rawCID := make([]byte, sha256.Size)
+	cnr.Encode(rawCID)
+
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+
+	req := &control.GetChainLocalOverrideRequest{
+		Body: &control.GetChainLocalOverrideRequest_Body{
+			ContainerId: rawCID,
+			ChainId:     chainID,
+		},
+	}
+
+	signRequest(cmd, pk, req)
+
+	cli := getClient(cmd, pk)
+
+	var resp *control.GetChainLocalOverrideResponse
+	var err error
+	err = cli.ExecRaw(func(client *client.Client) error {
+		resp, err = control.GetChainLocalOverride(client, req)
+		return err
+	})
+	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+
+	var chain policyengine.Chain
+	commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(resp.GetBody().GetChain()))
+
+	// TODO (aarifullin): make pretty-formatted output for chains.
+	cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, chain.Bytes()))
+}
+
+func initControGetRuleCmd() {
+	initControlFlags(getRuleCmd)
+
+	ff := getRuleCmd.Flags()
+	ff.String(commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
+	ff.String(chainIDFlag, "", "Chain id")
+}

cmd/frostfs-cli/modules/control/list_rules.go

@@ -0,0 +1,72 @@
+package control
+
+import (
+	"crypto/sha256"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	"github.com/spf13/cobra"
+)
+
+var listRulesCmd = &cobra.Command{
+	Use:   "list-rules",
+	Short: "List local overrides",
+	Long:  "List local APE overrides of the node",
+	Run:   listRules,
+}
+
+func listRules(cmd *cobra.Command, _ []string) {
+	pk := key.Get(cmd)
+
+	var cnr cid.ID
+	cidStr, _ := cmd.Flags().GetString(commonflags.CIDFlag)
+	commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(cidStr))
+
+	rawCID := make([]byte, sha256.Size)
+	cnr.Encode(rawCID)
+
+	req := &control.ListChainLocalOverridesRequest{
+		Body: &control.ListChainLocalOverridesRequest_Body{
+			ContainerId: rawCID,
+		},
+	}
+
+	signRequest(cmd, pk, req)
+
+	cli := getClient(cmd, pk)
+
+	var resp *control.ListChainLocalOverridesResponse
+	var err error
+	err = cli.ExecRaw(func(client *client.Client) error {
+		resp, err = control.ListChainLocalOverrides(client, req)
+		return err
+	})
+	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+
+	chains := resp.GetBody().GetChains()
+	if len(chains) == 0 {
+		cmd.Println("Local overrides are not defined for the container.")
+		return
+	}
+
+	for _, c := range chains {
+		// TODO (aarifullin): make pretty-formatted output for chains.
+		var chain policyengine.Chain
+		commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(c))
+		cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, chain.Bytes()))
+	}
+}
+
+func initControlListRulesCmd() {
+	initControlFlags(listRulesCmd)
+
+	ff := listRulesCmd.Flags()
+	ff.String(commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
+}

cmd/frostfs-cli/modules/control/remove_rule.go

@@ -0,0 +1,72 @@
+package control
+
+import (
+	"crypto/sha256"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	"github.com/spf13/cobra"
+)
+
+const (
+	chainIDFlag = "chain-id"
+)
+
+var removeRuleCmd = &cobra.Command{
+	Use:   "remove-rule",
+	Short: "Remove local override",
+	Long:  "Remove local APE override of the node",
+	Run:   removeRule,
+}
+
+func removeRule(cmd *cobra.Command, _ []string) {
+	pk := key.Get(cmd)
+
+	var cnr cid.ID
+	cidStr, _ := cmd.Flags().GetString(commonflags.CIDFlag)
+	commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(cidStr))
+
+	rawCID := make([]byte, sha256.Size)
+	cnr.Encode(rawCID)
+
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+
+	req := &control.RemoveChainLocalOverrideRequest{
+		Body: &control.RemoveChainLocalOverrideRequest_Body{
+			ContainerId: rawCID,
+			ChainId:     chainID,
+		},
+	}
+
+	signRequest(cmd, pk, req)
+
+	cli := getClient(cmd, pk)
+
+	var resp *control.RemoveChainLocalOverrideResponse
+	var err error
+	err = cli.ExecRaw(func(client *client.Client) error {
+		resp, err = control.RemoveChainLocalOverride(client, req)
+		return err
+	})
+	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+
+	if resp.GetBody().Removed {
+		cmd.Println("Rule has been removed.")
+	} else {
+		cmd.Println("Rule has not been removed.")
+	}
+}
+
+func initControlRemoveRuleCmd() {
+	initControlFlags(removeRuleCmd)
+
+	ff := removeRuleCmd.Flags()
+	ff.String(commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
+	ff.String(chainIDFlag, "", "Chain id")
+}

cmd/frostfs-cli/modules/control/root.go

@@ -34,6 +34,10 @@ func init() {
 		shardsCmd,
 		synchronizeTreeCmd,
 		irCmd,
+		addRuleCmd,
+		removeRuleCmd,
+		listRulesCmd,
+		getRuleCmd,
 	)
 
 	initControlHealthCheckCmd()
@@ -42,4 +46,8 @@ func init() {
 	initControlShardsCmd()
 	initControlSynchronizeTreeCmd()
 	initControlIRCmd()
+	initControlAddRuleCmd()
+	initControlRemoveRuleCmd()
+	initControlListRulesCmd()
+	initControGetRuleCmd()
 }