[#283] Support frostfsid groups in policy request checking

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2023-12-13 17:44:18 +03:00 · 2023-12-13 17:44:18 +03:00 · 5698d5844e
commit 5698d5844e
parent 43cae9ee04
11 changed files with 92 additions and 56 deletions
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@ -11,8 +11,10 @@ import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"go.uber.org/zap"
 )

@ -21,12 +23,16 @@ type PolicySettings interface {
 	PolicyDenyByDefault() bool
 }

-func PolicyCheck(storage engine.ChainRouter, settings PolicySettings, domains []string, log *zap.Logger) Func {
+type FrostFSIDInformer interface {
+	GetUserGroupIDs(userHash util.Uint160) ([]string, error)
+}
+
+func PolicyCheck(storage engine.ChainRouter, frostfsid FrostFSIDInformer, settings PolicySettings, domains []string, log *zap.Logger) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()

-			st, err := policyCheck(storage, settings, domains, r)
+			st, err := policyCheck(storage, frostfsid, settings, domains, r)
 			if err == nil {
 				if st != chain.Allow && (st != chain.NoRuleFound || settings.PolicyDenyByDefault()) {
 					err = apiErr.GetAPIErrorWithError(apiErr.ErrAccessDenied, fmt.Errorf("policy check: %s", st.String()))
@ -43,8 +49,8 @@ func PolicyCheck(storage engine.ChainRouter, settings PolicySettings, domains []
 	}
 }

-func policyCheck(storage engine.ChainRouter, settings PolicySettings, domains []string, r *http.Request) (chain.Status, error) {
-	req, err := getPolicyRequest(r, domains)
+func policyCheck(storage engine.ChainRouter, frostfsid FrostFSIDInformer, settings PolicySettings, domains []string, r *http.Request) (chain.Status, error) {
+	req, err := getPolicyRequest(r, frostfsid, domains)
 	if err != nil {
 		return 0, err
 	}
@ -63,8 +69,12 @@ func policyCheck(storage engine.ChainRouter, settings PolicySettings, domains []
 	return st, nil
 }

-func getPolicyRequest(r *http.Request, domains []string) (*testutil.Request, error) {
-	var owner string
+func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, domains []string) (*testutil.Request, error) {
+	var (
+		owner  string
+		groups []string
+	)
+
 	ctx := r.Context()
 	bd, err := GetBoxData(ctx)
 	if err == nil && bd.Gate.BearerToken != nil {
@ -73,12 +83,20 @@ func getPolicyRequest(r *http.Request, domains []string) (*testutil.Request, err
 			return nil, fmt.Errorf("parse pubclic key from btoken: %w", err)
 		}
 		owner = pk.Address()
+
+		groups, err = frostfsid.GetUserGroupIDs(pk.GetScriptHash())
+		if err != nil {
+			return nil, fmt.Errorf("get group ids: %w", err)
+		}
 	}

 	op, res := determineOperationAndResource(r, domains)

 	return testutil.NewRequest(op, testutil.NewResource(res, nil),
-		map[string]string{s3.PropertyKeyOwner: owner},
+		map[string]string{
+			s3.PropertyKeyOwner:                owner,
+			common.PropertyKeyFrostFSIDGroupID: chain.FormCondSliceContainsValue(groups),
+		},
 	), nil
 }