[#306] Save bucket policy as native chain

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-02-19 10:51:41 +03:00 · 2024-02-19 10:51:41 +03:00 · 8f89f275bd
commit 8f89f275bd
parent ff15f9f28a
6 changed files with 78 additions and 24 deletions
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@ -681,7 +681,7 @@ func (h *handler) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Reque
 		return
 	}

-	if err = h.ape.DeleteBucketPolicy(reqInfo.Namespace, bktInfo.CID, getBucketChainID(bktInfo)); err != nil {
+	if err = h.ape.DeleteBucketPolicy(reqInfo.Namespace, bktInfo.CID, getBucketChainID(chain.S3, bktInfo)); err != nil {
 		h.logAndSendError(w, "failed to delete policy from storage", reqInfo, err)
 		return
 	}
@ -721,15 +721,13 @@ func (h *handler) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	s3Chain, err := engineiam.ConvertToS3Chain(bktPolicy, h.frostfsid)
-	if err != nil {
-		h.logAndSendError(w, "could not convert s3 policy to chain policy", reqInfo, err)
-		return
-	}
-	s3Chain.ID = getBucketChainID(bktInfo)
+	for _, stat := range bktPolicy.Statement {
+		if len(stat.NotResource) != 0 {
+			h.logAndSendError(w, "policy resource mismatched bucket", reqInfo, errors.GetAPIError(errors.ErrMalformedPolicy))
+			return
+		}

-	for _, rule := range s3Chain.Rules {
-		for _, resource := range rule.Resources.Names {
+		for _, resource := range stat.Resource {
 			if reqInfo.BucketName != strings.Split(strings.TrimPrefix(resource, arnAwsPrefix), "/")[0] {
 				h.logAndSendError(w, "policy resource mismatched bucket", reqInfo, errors.GetAPIError(errors.ErrMalformedPolicy))
 				return
@ -737,14 +735,50 @@ func (h *handler) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request)
 		}
 	}

-	if err = h.ape.PutBucketPolicy(reqInfo.Namespace, bktInfo.CID, jsonPolicy, s3Chain); err != nil {
+	nativeChain, err := engineiam.ConvertToNativeChain(bktPolicy, h.nativeResolver(reqInfo.Namespace, bktInfo))
+	if err != nil {
+		h.logAndSendError(w, "could not convert s3 policy to native chain policy", reqInfo, err)
+		return
+	}
+	nativeChain.ID = getBucketChainID(chain.Ingress, bktInfo)
+
+	s3Chain, err := engineiam.ConvertToS3Chain(bktPolicy, h.frostfsid)
+	if err != nil {
+		h.logAndSendError(w, "could not convert s3 policy to chain policy", reqInfo, err)
+		return
+	}
+	s3Chain.ID = getBucketChainID(chain.S3, bktInfo)
+
+	if err = h.ape.PutBucketPolicy(reqInfo.Namespace, bktInfo.CID, jsonPolicy, []*chain.Chain{s3Chain, nativeChain}); err != nil {
 		h.logAndSendError(w, "failed to update policy in contract", reqInfo, err)
 		return
 	}
 }

-func getBucketChainID(bktInfo *data.BucketInfo) chain.ID {
-	return chain.ID(string(chain.S3) + ":bkt" + string(bktInfo.CID[:]))
+type nativeResolver struct {
+	FrostFSID
+	namespace string
+	bktInfo   *data.BucketInfo
+}
+
+func (n *nativeResolver) GetBucketInfo(bucket string) (*engineiam.BucketInfo, error) {
+	if n.bktInfo.Name != bucket {
+		return nil, fmt.Errorf("invalid bucket %s: %w", bucket, errors.GetAPIError(errors.ErrMalformedPolicy))
+	}
+
+	return &engineiam.BucketInfo{Namespace: n.namespace, Container: n.bktInfo.CID.EncodeToString()}, nil
+}
+
+func (h *handler) nativeResolver(ns string, bktInfo *data.BucketInfo) engineiam.NativeResolver {
+	return &nativeResolver{
+		FrostFSID: h.frostfsid,
+		namespace: ns,
+		bktInfo:   bktInfo,
+	}
+}
+
+func getBucketChainID(prefix chain.Name, bktInfo *data.BucketInfo) chain.ID {
+	return chain.ID(string(prefix) + ":bkt" + string(bktInfo.CID[:]))
 }

 func parseACLHeaders(header http.Header, key *keys.PublicKey) (*AccessControlPolicy, error) {