forked from TrueCloudLab/frostfs-node
[#770] object: Introduce ape chain checker for object svc
* Introduce Request type converted from RequestInfo type to implement policy-engine's Request interface * Implement basic ape checker to check if a request is permitted to be performed * Make put handlers use APE checker instead EACL Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
5ec73fe8a0
commit
8e11ef46b8
6 changed files with 184 additions and 8 deletions
105
pkg/services/object/acl/ape_request.go
Normal file
105
pkg/services/object/acl/ape_request.go
Normal file
|
|
@ -0,0 +1,105 @@
|
|||
package acl
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
|
||||
aclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
||||
)
|
||||
|
||||
type Request struct {
|
||||
operation string
|
||||
resource *resource
|
||||
properties map[string]string
|
||||
}
|
||||
|
||||
var _ policyengine.Request = (*Request)(nil)
|
||||
|
||||
type resource struct {
|
||||
name string
|
||||
properties map[string]string
|
||||
}
|
||||
|
||||
var _ policyengine.Resource = (*resource)(nil)
|
||||
|
||||
func (r *resource) Name() string {
|
||||
return r.name
|
||||
}
|
||||
|
||||
func (r *resource) Property(key string) string {
|
||||
return r.properties[key]
|
||||
}
|
||||
|
||||
// TODO (aarifullin): these stringified verbs, properties and namespaces
|
||||
// should be non-implementation-specific.
|
||||
func getResource(reqInfo v2.RequestInfo) *resource {
|
||||
cid := reqInfo.ContainerID()
|
||||
oid := "*"
|
||||
if reqOID := reqInfo.ObjectID(); reqOID != nil {
|
||||
oid = reqOID.EncodeToString()
|
||||
}
|
||||
name := fmt.Sprintf("native:::object/%s/%s",
|
||||
cid,
|
||||
oid)
|
||||
|
||||
return &resource{
|
||||
name: name,
|
||||
properties: make(map[string]string),
|
||||
}
|
||||
}
|
||||
|
||||
func getProperties(_ v2.RequestInfo) map[string]string {
|
||||
return map[string]string{
|
||||
"Actor": "",
|
||||
}
|
||||
}
|
||||
|
||||
// TODO (aarifullin): these stringified verbs, properties and namespaces
|
||||
// should be non-implementation-specific.
|
||||
func getOperation(reqInfo v2.RequestInfo) string {
|
||||
var verb string
|
||||
switch op := reqInfo.Operation(); op {
|
||||
case aclSDK.OpObjectGet:
|
||||
verb = "GetObject"
|
||||
case aclSDK.OpObjectHead:
|
||||
verb = "HeadObject"
|
||||
case aclSDK.OpObjectPut:
|
||||
verb = "PutObject"
|
||||
case aclSDK.OpObjectDelete:
|
||||
verb = "DeleteObject"
|
||||
case aclSDK.OpObjectSearch:
|
||||
verb = "SearchObject"
|
||||
case aclSDK.OpObjectRange:
|
||||
verb = "RangeObject"
|
||||
case aclSDK.OpObjectHash:
|
||||
verb = "HashObject"
|
||||
}
|
||||
|
||||
return "native:" + verb
|
||||
}
|
||||
|
||||
func NewRequest() *Request {
|
||||
return &Request{
|
||||
resource: new(resource),
|
||||
properties: map[string]string{},
|
||||
}
|
||||
}
|
||||
|
||||
func (r *Request) FromRequestInfo(ri v2.RequestInfo) {
|
||||
r.operation = getOperation(ri)
|
||||
r.resource = getResource(ri)
|
||||
r.properties = getProperties(ri)
|
||||
}
|
||||
|
||||
func (r *Request) Operation() string {
|
||||
return r.operation
|
||||
}
|
||||
|
||||
func (r *Request) Property(key string) string {
|
||||
return r.properties[key]
|
||||
}
|
||||
|
||||
func (r *Request) Resource() policyengine.Resource {
|
||||
return r.resource
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue