[#306] Use APE instead of eACL on bucket creation

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-02-12 11:00:04 +03:00 · 2024-02-12 11:00:04 +03:00 · 1f2cf0ed67
commit 1f2cf0ed67
parent 37be8851b3
7 changed files with 202 additions and 39 deletions
--- a/api/handler/put.go
+++ b/api/handler/put.go
@ -4,6 +4,7 @@ import (
 	"bytes"
 	"crypto/md5"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
 	"encoding/xml"
 	"fmt"
@ -24,8 +25,14 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"go.uber.org/zap"
 )

@ -744,6 +751,20 @@ func parseMetadata(r *http.Request) map[string]string {
 	return res
 }

+func parseCannedACL(header http.Header) (string, error) {
+	acl := header.Get(api.AmzACL)
+	if len(acl) == 0 {
+		return basicACLPrivate, nil
+	}
+
+	if acl == basicACLPrivate || acl == basicACLPublic ||
+		acl == cannedACLAuthRead || acl == basicACLReadOnly {
+		return acl, nil
+	}
+
+	return "", fmt.Errorf("unknown acl: %s", acl)
+}
+
 func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	reqInfo := middleware.GetReqInfo(ctx)
@ -763,16 +784,9 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	bktACL, err := parseACLHeaders(r.Header, key)
+	cannedACL, err := parseCannedACL(r.Header)
 	if err != nil {
-		h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
-		return
-	}
-	resInfo := &resourceInfo{Bucket: reqInfo.BucketName}
-
-	p.EACL, err = bucketACLToTable(bktACL, resInfo)
-	if err != nil {
-		h.logAndSendError(w, "could translate bucket acl to eacl", reqInfo, err)
+		h.logAndSendError(w, "could not parse canned ACL", reqInfo, err)
 		return
 	}

@ -787,7 +801,6 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 	if err == nil {
 		policies = boxData.Policies
 		p.SessionContainerCreation = boxData.Gate.SessionTokenForPut()
-		p.SessionEACL = boxData.Gate.SessionTokenForSetEACL()
 	}

 	if p.SessionContainerCreation == nil {
@ -795,12 +808,7 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if p.SessionEACL == nil {
-		h.logAndSendError(w, "couldn't find session token for setEACL", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
-		return
-	}
-
-	if err = h.setPolicy(p, reqInfo.Namespace, createParams.LocationConstraint, policies); err != nil {
+	if err = h.setPlacementPolicy(p, reqInfo.Namespace, createParams.LocationConstraint, policies); err != nil {
 		h.logAndSendError(w, "couldn't set placement policy", reqInfo, err)
 		return
 	}
@ -812,25 +820,165 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 		h.logAndSendError(w, "could not create bucket", reqInfo, err)
 		return
 	}
-
 	h.reqLogger(ctx).Info(logs.BucketIsCreated, zap.Stringer("container_id", bktInfo.CID))

-	if p.ObjectLockEnabled {
-		sp := &layer.PutSettingsParams{
-			BktInfo:  bktInfo,
-			Settings: &data.BucketSettings{Versioning: data.VersioningEnabled},
-		}
-		if err = h.obj.PutBucketSettings(ctx, sp); err != nil {
-			h.logAndSendError(w, "couldn't enable bucket versioning", reqInfo, err,
-				zap.String("container_id", bktInfo.CID.EncodeToString()))
+	chainRules := bucketCannedACLToAPERules(cannedACL, reqInfo, key, bktInfo.CID)
+
+	target := engine.NamespaceTarget(reqInfo.Namespace)
+	for _, chainPolicy := range chainRules {
+		if err = h.ape.AddChain(target, chainPolicy); err != nil {
+			h.logAndSendError(w, "failed to add morph rule chain", reqInfo, err, zap.String("chain_id", string(chainPolicy.ID)))
 			return
 		}
 	}

+	sp := &layer.PutSettingsParams{
+		BktInfo:  bktInfo,
+		Settings: &data.BucketSettings{APE: true},
+	}
+
+	if p.ObjectLockEnabled {
+		sp.Settings.Versioning = data.VersioningEnabled
+	}
+
+	if err = h.obj.PutBucketSettings(ctx, sp); err != nil {
+		h.logAndSendError(w, "couldn't save bucket settings", reqInfo, err,
+			zap.String("container_id", bktInfo.CID.EncodeToString()))
+		return
+	}
+
 	middleware.WriteSuccessResponseHeadersOnly(w)
 }

-func (h handler) setPolicy(prm *layer.CreateBucketParams, namespace, locationConstraint string, userPolicies []*accessbox.ContainerPolicy) error {
+const s3ActionPrefix = "s3:"
+
+var (
+	// https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
+
+	writeACLBucketS3Actions = []string{
+		s3ActionPrefix + middleware.PutObjectOperation,
+		s3ActionPrefix + middleware.PostObjectOperation,
+		s3ActionPrefix + middleware.CopyObjectOperation,
+		s3ActionPrefix + middleware.UploadPartOperation,
+		s3ActionPrefix + middleware.UploadPartCopyOperation,
+		s3ActionPrefix + middleware.CreateMultipartUploadOperation,
+		s3ActionPrefix + middleware.CompleteMultipartUploadOperation,
+	}
+
+	readACLBucketS3Actions = []string{
+		s3ActionPrefix + middleware.HeadBucketOperation,
+		s3ActionPrefix + middleware.GetBucketLocationOperation,
+		s3ActionPrefix + middleware.ListObjectsV1Operation,
+		s3ActionPrefix + middleware.ListObjectsV2Operation,
+		s3ActionPrefix + middleware.ListBucketObjectVersionsOperation,
+		s3ActionPrefix + middleware.ListMultipartUploadsOperation,
+	}
+
+	writeACLBucketNativeActions = []string{
+		native.MethodPutObject,
+	}
+
+	readACLBucketNativeActions = []string{
+		native.MethodGetContainer,
+		native.MethodGetObject,
+		native.MethodHeadObject,
+		native.MethodSearchObject,
+		native.MethodRangeObject,
+		native.MethodHashObject,
+	}
+)
+
+func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, key *keys.PublicKey, cnrID cid.ID) []*chain.Chain {
+	cnrIDStr := cnrID.EncodeToString()
+
+	chains := []*chain.Chain{
+		{
+			ID: getBucketCannedChainID(chain.S3, cnrID),
+			Rules: []chain.Rule{{
+				Status:  chain.Allow,
+				Actions: chain.Actions{Names: []string{"s3:*"}},
+				Resources: chain.Resources{Names: []string{
+					fmt.Sprintf(s3.ResourceFormatS3Bucket, reqInfo.BucketName),
+					fmt.Sprintf(s3.ResourceFormatS3BucketObjects, reqInfo.BucketName),
+				}},
+				Condition: []chain.Condition{{
+					Op:     chain.CondStringEquals,
+					Object: chain.ObjectRequest,
+					Key:    s3.PropertyKeyOwner,
+					Value:  key.Address(),
+				}},
+			}}},
+		{
+			ID: getBucketCannedChainID(chain.Ingress, cnrID),
+			Rules: []chain.Rule{{
+				Status:  chain.Allow,
+				Actions: chain.Actions{Names: []string{"*"}},
+				Resources: chain.Resources{Names: []string{
+					fmt.Sprintf(native.ResourceFormatNamespaceContainer, reqInfo.Namespace, cnrIDStr),
+					fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, reqInfo.Namespace, cnrIDStr),
+				}},
+				Condition: []chain.Condition{{
+					Op:     chain.CondStringEquals,
+					Object: chain.ObjectRequest,
+					Key:    native.PropertyKeyActorPublicKey,
+					Value:  hex.EncodeToString(key.Bytes()),
+				}},
+			}},
+		},
+	}
+
+	switch cannedACL {
+	case basicACLPrivate:
+	case cannedACLAuthRead:
+		fallthrough
+	case basicACLReadOnly:
+		chains[0].Rules = append(chains[0].Rules, chain.Rule{
+			Status:  chain.Allow,
+			Actions: chain.Actions{Names: readACLBucketS3Actions},
+			Resources: chain.Resources{Names: []string{
+				fmt.Sprintf(s3.ResourceFormatS3Bucket, reqInfo.BucketName),
+				fmt.Sprintf(s3.ResourceFormatS3BucketObjects, reqInfo.BucketName),
+			}},
+		})
+
+		chains[1].Rules = append(chains[1].Rules, chain.Rule{
+			Status:  chain.Allow,
+			Actions: chain.Actions{Names: readACLBucketNativeActions},
+			Resources: chain.Resources{Names: []string{
+				fmt.Sprintf(native.ResourceFormatNamespaceContainer, reqInfo.Namespace, cnrIDStr),
+				fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, reqInfo.Namespace, cnrIDStr),
+			}},
+		})
+	case basicACLPublic:
+		chains[0].Rules = append(chains[0].Rules, chain.Rule{
+			Status:  chain.Allow,
+			Actions: chain.Actions{Names: append(readACLBucketS3Actions, writeACLBucketS3Actions...)},
+			Resources: chain.Resources{Names: []string{
+				fmt.Sprintf(s3.ResourceFormatS3Bucket, reqInfo.BucketName),
+				fmt.Sprintf(s3.ResourceFormatS3BucketObjects, reqInfo.BucketName),
+			}},
+		})
+
+		chains[1].Rules = append(chains[1].Rules, chain.Rule{
+			Status:  chain.Allow,
+			Actions: chain.Actions{Names: append(readACLBucketNativeActions, writeACLBucketNativeActions...)},
+			Resources: chain.Resources{Names: []string{
+				fmt.Sprintf(native.ResourceFormatNamespaceContainer, reqInfo.Namespace, cnrIDStr),
+				fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, reqInfo.Namespace, cnrIDStr),
+			}},
+		})
+	default:
+		panic("unknown canned acl") // this should never happen
+	}
+
+	return chains
+}
+
+func getBucketCannedChainID(prefix chain.Name, cnrID cid.ID) chain.ID {
+	return chain.ID(string(prefix) + ":bktCanned" + string(cnrID[:]))
+}
+
+func (h handler) setPlacementPolicy(prm *layer.CreateBucketParams, namespace, locationConstraint string, userPolicies []*accessbox.ContainerPolicy) error {
 	prm.Policy = h.cfg.DefaultPlacementPolicy(namespace)
 	prm.LocationConstraint = locationConstraint