go.mod: upgrade to post-api-go SDK version #1073

Merged
merged 3 commits into from
Feb 11, 2025
Merged
149 changes: 66 additions & 83 deletions api/handler/acl.go
Expand Up @@ -969,20 +969,22 @@ func getParentResource(parent *ast, resource *astResource) *astResource {
}

func astToTable(ast *ast) (*eacl.Table, error) {
table := eacl.NewTable()
var records []eacl.Record

for i := len(ast.Resources) - 1; i >= 0; i-- {
records, err := formRecords(ast.Resources[i])
recs, err := formRecords(ast.Resources[i])
if err != nil {
return nil, fmt.Errorf("form records: %w", err)
}

for _, rec := range records {
table.AddRecord(rec)
for _, rec := range recs {
records = append(records, *rec)
}
}

return table, nil
table := eacl.ConstructTable(records)

return &table, nil
}

func tryServiceRecord(record eacl.Record) *ServiceRecord {
Expand Down Expand Up @@ -1041,31 +1043,35 @@ func formRecords(resource *astResource) ([]*eacl.Record, error) {
}
}

record := eacl.NewRecord()
record.SetOperation(astOp.Op)
record.SetAction(astOp.Action)
record := eacl.ConstructRecord(astOp.Action, astOp.Op, []eacl.Target{})
if astOp.IsGroupGrantee() {
eacl.AddFormedTarget(record, eacl.RoleOthers)
record.SetTargets(eacl.NewTargetByRole(eacl.RoleOthers))
} else {
t := eacl.NewTarget()
// Unknown role is used, because it is ignored when accounts are set
t.SetRole(eacl.RoleUnknown)
t.SetAccounts(astOp.Users)
t := eacl.NewTargetByAccounts(astOp.Users)

record.SetTargets(*t)
record.SetTargets(t)
}

var filters []eacl.Filter
if len(resource.Object) != 0 {
record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resource.Object)
filters = append(
filters,
eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, resource.Object),
)
}

if len(resource.Version) != 0 {
var id oid.ID
if err := id.DecodeString(resource.Version); err != nil {
return nil, fmt.Errorf("parse object version (oid): %w", err)
}
record.AddObjectIDFilter(eacl.MatchStringEqual, id)

filters = append(filters, eacl.NewFilterObjectWithID(id))
}
res = append(res, record)

record.SetFilters(filters)

res = append(res, &record)
}

return res, nil
Expand Down Expand Up @@ -1640,7 +1646,7 @@ func contains(list []eacl.Operation, op eacl.Operation) bool {

func bucketACLToTable(acp *AccessControlPolicy) (*eacl.Table, error) {
var found bool
table := eacl.NewTable()
var records []eacl.Record

for _, grant := range acp.AccessControlList {
if !isValidGrant(grant) {
Expand All @@ -1667,7 +1673,7 @@ func bucketACLToTable(acp *AccessControlPolicy) (*eacl.Table, error) {
}

for _, op := range permissionToOperations(grant.Permission) {
table.AddRecord(recordFromOp(op))
records = append(records, *recordFromOp(op))
}
}

Expand All @@ -1678,18 +1684,20 @@ func bucketACLToTable(acp *AccessControlPolicy) (*eacl.Table, error) {
if err != nil {
return nil, fmt.Errorf("%w: %w", layer.ErrDecodeUserID, err)
}
table.AddRecord(getAllowRecordWithUser(op, account))
records = append(records, *getAllowRecordWithUser(op, account))
}
}
}

for _, op := range fullOps {
table.AddRecord(getOthersRecord(op, eacl.ActionDeny))
records = append(records, *getOthersRecord(op, eacl.ActionDeny))
}

table.AddRecord(BucketOwnerEnforcedRecord())
records = append(records, *BucketOwnerEnforcedRecord())

table := eacl.ConstructTable(records)

return table, nil
return &table, nil
}

func isValidGrant(grant *Grant) bool {
Expand All @@ -1698,43 +1706,33 @@ func isValidGrant(grant *Grant) bool {
}

func getAllowRecordWithUser(op eacl.Operation, acc user.ID) *eacl.Record {
record := eacl.NewRecord()
record.SetOperation(op)
record.SetAction(eacl.ActionAllow)

t := eacl.NewTarget()
// Unknown role is used, because it is ignored when accounts are set
t.SetRole(eacl.RoleUnknown)
t.SetAccounts([]user.ID{acc})

record.SetTargets(*t)
record := eacl.ConstructRecord(eacl.ActionAllow, op,
[]eacl.Target{eacl.NewTargetByAccounts([]user.ID{acc})},
)

return record
return &record
}

func getOthersRecord(op eacl.Operation, action eacl.Action) *eacl.Record {
record := eacl.NewRecord()
record.SetOperation(op)
record.SetAction(action)
eacl.AddFormedTarget(record, eacl.RoleOthers)
return record
record := eacl.ConstructRecord(action, op,
[]eacl.Target{eacl.NewTargetByRole(eacl.RoleOthers)},
)

return &record
}

// BucketOwnerEnforcedRecord generates special marker record for OwnerEnforced policy.
func BucketOwnerEnforcedRecord() *eacl.Record {
var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut)
markerRecord.AddFilter(
eacl.HeaderFromRequest,
eacl.MatchStringNotEqual,
amzBucketOwnerField,
amzBucketOwnerEnforced,
var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut,
[]eacl.Target{
eacl.NewTargetByAccounts([]user.ID{ownerEnforcedUserID}),
},
[]eacl.Filter{
eacl.ConstructFilter(eacl.HeaderFromRequest, amzBucketOwnerField, eacl.MatchStringNotEqual, amzBucketOwnerEnforced),
}...,
)

t := eacl.NewTarget()
t.SetAccounts([]user.ID{ownerEnforcedUserID})
markerRecord.SetTargets(*t)

return markerRecord
return &markerRecord
}

func isValidOwnerEnforced(r *http.Request) bool {
Expand All @@ -1754,19 +1752,14 @@ func isValidOwnerEnforced(r *http.Request) bool {

// BucketACLObjectWriterRecord generates special marker record for OwnerWriter policy.
func BucketACLObjectWriterRecord() *eacl.Record {
var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut)
markerRecord.AddFilter(
eacl.HeaderFromRequest,
eacl.MatchStringNotEqual,
amzBucketOwnerField,
amzBucketOwnerObjectWriter,
var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut,
[]eacl.Target{eacl.NewTargetByAccounts([]user.ID{ownerObjectWriterUserID})},
[]eacl.Filter{
eacl.ConstructFilter(eacl.HeaderFromRequest, amzBucketOwnerField, eacl.MatchStringNotEqual, amzBucketOwnerObjectWriter),
}...,
)

t := eacl.NewTarget()
t.SetAccounts([]user.ID{ownerObjectWriterUserID})
markerRecord.SetTargets(*t)

return markerRecord
return &markerRecord
}

// IsBucketOwnerForced checks special marker record for OwnerForced policy.
Expand Down Expand Up @@ -1795,19 +1788,14 @@ func IsBucketOwnerForced(table *eacl.Table) bool {

// BucketOwnerPreferredRecord generates special marker record for OwnerPreferred policy.
func BucketOwnerPreferredRecord() *eacl.Record {
var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut)
markerRecord.AddFilter(
eacl.HeaderFromRequest,
eacl.MatchStringNotEqual,
amzBucketOwnerField,
amzBucketOwnerPreferred,
var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut,
[]eacl.Target{eacl.NewTargetByAccounts([]user.ID{ownerPreferredUserID})},
[]eacl.Filter{
eacl.ConstructFilter(eacl.HeaderFromRequest, amzBucketOwnerField, eacl.MatchStringNotEqual, amzBucketOwnerPreferred),
}...,
)

t := eacl.NewTarget()
t.SetAccounts([]user.ID{ownerPreferredUserID})
markerRecord.SetTargets(*t)

return markerRecord
return &markerRecord
}

// IsBucketOwnerPreferred checks special marker record for OwnerPreferred policy.
Expand Down Expand Up @@ -1836,19 +1824,14 @@ func IsBucketOwnerPreferred(table *eacl.Table) bool {

// BucketOwnerPreferredRecord generates special marker record for OwnerPreferred policy and sets flag for bucket owner full control acl restriction.
func BucketOwnerPreferredAndRestrictedRecord() *eacl.Record {
var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut)
markerRecord.AddFilter(
eacl.HeaderFromObject,
eacl.MatchStringEqual,
amzBucketOwnerField,
cannedACLBucketOwnerFullControl,
var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut,
[]eacl.Target{eacl.NewTargetByAccounts([]user.ID{ownerPreferredAndRestrictedUserID})},
[]eacl.Filter{
eacl.ConstructFilter(eacl.HeaderFromObject, amzBucketOwnerField, eacl.MatchStringEqual, cannedACLBucketOwnerFullControl),
}...,
)

t := eacl.NewTarget()
t.SetAccounts([]user.ID{ownerPreferredAndRestrictedUserID})
markerRecord.SetTargets(*t)

return markerRecord
return &markerRecord
}

// IsBucketOwnerPreferredAndRestricted checks special marker record and check ALC bucket owner full control flag for OwnerPreferred policy.
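Review bot: In the formRecords hunk the record is built with a placeholder `[]eacl.Target{}` and then patched twice with `record.SetTargets(...)` and `record.SetFilters(filters)` before `res = append(res, &record)`, so the empty slice literal is dead data and the value is mutated in place right after construction. Since `eacl.ConstructRecord` already takes the targets and a variadic filters argument (the same shape the marker-record functions in this section use), it reads better to pick the target first, build the filters, and construct the record once at the end. The same `ConstructRecord` call site shows a smaller style nit in BucketOwnerEnforcedRecord and its three siblings: a single `eacl.ConstructFilter(...)` wrapped in `[]eacl.Filter{ ... }...` can be passed directly as the variadic argument. formRecords begins and ends outside the hunk, so the loop header and the final `return res, nil` are not visible here.
```go
// … unchanged: astOp lookup at top of loop body …
var target eacl.Target
if astOp.IsGroupGrantee() {
	target = eacl.NewTargetByRole(eacl.RoleOthers)
} else {
	target = eacl.NewTargetByAccounts(astOp.Users)
}

// … unchanged: filters built from resource.Object and resource.Version (oid decode error returned as before) …

record := eacl.ConstructRecord(astOp.Action, astOp.Op, []eacl.Target{target}, filters...)
res = append(res, &record)
```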