eacl

package
v0.0.0-...-0352b5b
Published: Nov 29, 2024 License: Apache-2.0 Imports: 14 Imported by: 6

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddFormedTarget

func AddFormedTarget(r *Record, role Role, keys ...ecdsa.PublicKey)

AddFormedTarget forms a Target with the specified Role and list of ECDSA public keys and adds it to the Record.

func AddRecordTarget

func AddRecordTarget(r *Record, t *Target)

AddRecordTarget adds a single Target to the Record.

func EqualTables

func EqualTables(t1, t2 Table) bool

EqualTables compares two Tables with each other and reports whether they are equal.

func SetTargetECDSAKeys

func SetTargetECDSAKeys(t *Target, pubs ...*ecdsa.PublicKey)

SetTargetECDSAKeys converts ECDSA public keys to a binary format and stores them in Target.

func TargetECDSAKeys

func TargetECDSAKeys(t *Target) []*ecdsa.PublicKey

TargetECDSAKeys interprets binary public keys of Target as ECDSA public keys. If any key has a different format, the corresponding element will be nil.

Types

type Action

type Action uint32

Action is the action taken if a ContainerEACL record matches the request. Action is compatible with the v2 acl.Action enum.

const (
	// ActionUnknown is an Action value used to mark action as undefined.
	ActionUnknown Action = iota

	// ActionAllow is an Action value that allows access to the operation from context.
	ActionAllow

	// ActionDeny is an Action value that denies access to the operation from context.
	ActionDeny
)

func ActionFromV2

func ActionFromV2(action v2acl.Action) (a Action)

ActionFromV2 converts v2 Action enum value to Action.

func (*Action) FromString

func (a *Action) FromString(s string) bool

FromString parses Action from its string representation. It is the reverse of String().

Returns true if s was parsed successfully.

func (Action) String

func (a Action) String() string

String returns string representation of Action.

String mapping:

  • ActionAllow: ALLOW;
  • ActionDeny: DENY;
  • ActionUnknown, default: ACTION_UNSPECIFIED.

func (Action) ToV2

func (a Action) ToV2() v2acl.Action

ToV2 converts Action to v2 Action enum value.

type Filter

type Filter struct {
	// contains filtered or unexported fields
}

Filter defines the conditions under which a request header is considered matched. A matched header means that the request should be processed according to the ContainerEACL action.

Filter is compatible with v2 acl.EACLRecord.Filter message.

func NewFilter

func NewFilter() *Filter

NewFilter creates, initializes and returns blank Filter instance.

Defaults:

  • header type: HeaderTypeUnknown;
  • matcher: MatchUnknown;
  • key: "";
  • value: "".

func NewFilterFromV2

func NewFilterFromV2(filter *v2acl.HeaderFilter) *Filter

NewFilterFromV2 converts v2 acl.EACLRecord.Filter message to Filter.

func (Filter) From

func (f Filter) From() FilterHeaderType

From returns the FilterHeaderType that defines which header will be filtered.

func (Filter) Key

func (f Filter) Key() string

Key returns the key of the filtered header.

func (*Filter) Marshal

func (f *Filter) Marshal() ([]byte, error)

Marshal marshals Filter into a protobuf binary form.

func (*Filter) MarshalJSON

func (f *Filter) MarshalJSON() ([]byte, error)

MarshalJSON encodes Filter to protobuf JSON format.

func (Filter) Matcher

func (f Filter) Matcher() Match

Matcher returns filter Match type.

func (*Filter) ToV2

func (f *Filter) ToV2() *v2acl.HeaderFilter

ToV2 converts Filter to v2 acl.EACLRecord.Filter message.

Nil Filter converts to nil.

func (*Filter) Unmarshal

func (f *Filter) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Filter.

func (*Filter) UnmarshalJSON

func (f *Filter) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Filter from protobuf JSON format.

func (Filter) Value

func (f Filter) Value() string

Value returns the filtered string value.

type FilterHeaderType

type FilterHeaderType uint32

FilterHeaderType indicates the source of headers to match against. FilterHeaderType is compatible with the v2 acl.HeaderType enum.

const (
	// HeaderTypeUnknown is a FilterHeaderType value used to mark header type as undefined.
	HeaderTypeUnknown FilterHeaderType = iota

	// HeaderFromRequest is a FilterHeaderType for request X-Header.
	HeaderFromRequest

	// HeaderFromObject is a FilterHeaderType for object header.
	HeaderFromObject

	// HeaderFromService is a FilterHeaderType for service header.
	HeaderFromService
)

func FilterHeaderTypeFromV2

func FilterHeaderTypeFromV2(header v2acl.HeaderType) (h FilterHeaderType)

FilterHeaderTypeFromV2 converts v2 HeaderType enum value to FilterHeaderType.

func (*FilterHeaderType) FromString

func (h *FilterHeaderType) FromString(s string) bool

FromString parses FilterHeaderType from its string representation. It is the reverse of String().

Returns true if s was parsed successfully.

func (FilterHeaderType) String

func (h FilterHeaderType) String() string

String returns string representation of FilterHeaderType.

String mapping:

  • HeaderFromRequest: REQUEST;
  • HeaderFromObject: OBJECT;
  • HeaderTypeUnknown, default: HEADER_UNSPECIFIED.

func (FilterHeaderType) ToV2

func (h FilterHeaderType) ToV2() v2acl.HeaderType

ToV2 converts FilterHeaderType to v2 HeaderType enum value.

type Header

type Header interface {
	Key() string
	Value() string
}

Header is an interface of string key-value header.

type Match

type Match uint32

Match is a binary operation on filter name and value that checks whether a request is matched. Match is compatible with the v2 acl.MatchType enum.

const (
	// MatchUnknown is a Match value used to mark matcher as undefined.
	MatchUnknown Match = iota

	// MatchStringEqual is a Match of string equality.
	MatchStringEqual

	// MatchStringNotEqual is a Match of string inequality.
	MatchStringNotEqual
)

func MatchFromV2

func MatchFromV2(match v2acl.MatchType) (m Match)

MatchFromV2 converts v2 MatchType enum value to Match.

func (*Match) FromString

func (m *Match) FromString(s string) bool

FromString parses Match from its string representation. It is the reverse of String().

Returns true if s was parsed successfully.

func (Match) String

func (m Match) String() string

String returns string representation of Match.

String mapping:

  • MatchStringEqual: STRING_EQUAL;
  • MatchStringNotEqual: STRING_NOT_EQUAL;
  • MatchUnknown, default: MATCH_TYPE_UNSPECIFIED.

func (Match) ToV2

func (m Match) ToV2() v2acl.MatchType

ToV2 converts Match to v2 MatchType enum value.

type Operation

type Operation uint32

Operation is an object service method that a request is matched against. Operation is compatible with the v2 acl.Operation enum.

const (
	// OperationUnknown is an Operation value used to mark operation as undefined.
	OperationUnknown Operation = iota

	// OperationGet is an object get Operation.
	OperationGet

	// OperationHead is an Operation of getting the object header.
	OperationHead

	// OperationPut is an object put Operation.
	OperationPut

	// OperationDelete is an object delete Operation.
	OperationDelete

	// OperationSearch is an object search Operation.
	OperationSearch

	// OperationRange is an object payload range retrieval Operation.
	OperationRange

	// OperationRangeHash is an object payload range hashing Operation.
	OperationRangeHash
)

func OperationFromV2

func OperationFromV2(operation v2acl.Operation) (o Operation)

OperationFromV2 converts v2 Operation enum value to Operation.

func (*Operation) FromString

func (o *Operation) FromString(s string) bool

FromString parses Operation from its string representation. It is the reverse of String().

Returns true if s was parsed successfully.

func (Operation) String

func (o Operation) String() string

String returns string representation of Operation.

String mapping:

  • OperationGet: GET;
  • OperationHead: HEAD;
  • OperationPut: PUT;
  • OperationDelete: DELETE;
  • OperationSearch: SEARCH;
  • OperationRange: GETRANGE;
  • OperationRangeHash: GETRANGEHASH;
  • OperationUnknown, default: OPERATION_UNSPECIFIED.

func (Operation) ToV2

func (o Operation) ToV2() v2acl.Operation

ToV2 converts Operation to v2 Operation enum value.

type Record

type Record struct {
	// contains filtered or unexported fields
}

Record is a ContainerEACL rule that defines the ContainerEACL action, the targets for this action, the object service operation and the filters for request headers.

Record is compatible with v2 acl.EACLRecord message.

func CreateRecord

func CreateRecord(action Action, operation Operation) *Record

CreateRecord creates, initializes with parameters and returns Record instance.

func NewRecord

func NewRecord() *Record

NewRecord creates and returns blank Record instance.

Defaults:

  • action: ActionUnknown;
  • operation: OperationUnknown;
  • targets: nil;
  • filters: nil.

func NewRecordFromV2

func NewRecordFromV2(record *v2acl.Record) *Record

NewRecordFromV2 converts v2 acl.EACLRecord message to Record.

func (Record) Action

func (r Record) Action() Action

Action returns rule execution result.

func (*Record) AddFilter

func (r *Record) AddFilter(from FilterHeaderType, matcher Match, name, value string)

AddFilter adds generic filter.

func (*Record) AddObjectAttributeFilter

func (r *Record) AddObjectAttributeFilter(m Match, key, value string)

AddObjectAttributeFilter adds filter by object attribute.

func (*Record) AddObjectContainerIDFilter

func (r *Record) AddObjectContainerIDFilter(m Match, id cid.ID)

AddObjectContainerIDFilter adds filter by object container ID.

func (*Record) AddObjectCreationEpoch

func (r *Record) AddObjectCreationEpoch(m Match, epoch uint64)

AddObjectCreationEpoch adds filter by object creation epoch.

func (*Record) AddObjectHomomorphicHashFilter

func (r *Record) AddObjectHomomorphicHashFilter(m Match, h checksum.Checksum)

AddObjectHomomorphicHashFilter adds filter by object payload homomorphic hash value.

func (*Record) AddObjectIDFilter

func (r *Record) AddObjectIDFilter(m Match, id oid.ID)

AddObjectIDFilter adds filter by object ID.

func (*Record) AddObjectOwnerIDFilter

func (r *Record) AddObjectOwnerIDFilter(m Match, id user.ID)

AddObjectOwnerIDFilter adds filter by object owner ID.

func (*Record) AddObjectPayloadHashFilter

func (r *Record) AddObjectPayloadHashFilter(m Match, h checksum.Checksum)

AddObjectPayloadHashFilter adds filter by object payload hash value.

func (*Record) AddObjectPayloadLengthFilter

func (r *Record) AddObjectPayloadLengthFilter(m Match, size uint64)

AddObjectPayloadLengthFilter adds filter by object payload length.

func (*Record) AddObjectTypeFilter

func (r *Record) AddObjectTypeFilter(m Match, t object.Type)

AddObjectTypeFilter adds filter by object type.

func (*Record) AddObjectVersionFilter

func (r *Record) AddObjectVersionFilter(m Match, v *version.Version)

AddObjectVersionFilter adds filter by object version.

func (Record) Filters

func (r Record) Filters() []Filter

Filters returns the list of filters that must match for the rule to be applicable.

func (*Record) Marshal

func (r *Record) Marshal() ([]byte, error)

Marshal marshals Record into a protobuf binary form.

func (*Record) MarshalJSON

func (r *Record) MarshalJSON() ([]byte, error)

MarshalJSON encodes Record to protobuf JSON format.

func (Record) Operation

func (r Record) Operation() Operation

Operation returns FrostFS request verb to match.

func (*Record) SetAction

func (r *Record) SetAction(action Action)

SetAction sets rule execution result.

func (*Record) SetOperation

func (r *Record) SetOperation(operation Operation)

SetOperation sets FrostFS request verb to match.

func (*Record) SetTargets

func (r *Record) SetTargets(targets ...Target)

SetTargets sets list of target subjects to apply ACL rule to.

func (Record) Targets

func (r Record) Targets() []Target

Targets returns list of target subjects to apply ACL rule to.

func (*Record) ToV2

func (r *Record) ToV2() *v2acl.Record

ToV2 converts Record to v2 acl.EACLRecord message.

Nil Record converts to nil.

func (*Record) Unmarshal

func (r *Record) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Record.

func (*Record) UnmarshalJSON

func (r *Record) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Record from protobuf JSON format.

type Role

type Role uint32

Role is a group of request senders to match request. Role is compatible with v2 acl.Role enum.

const (
	// RoleUnknown is a Role value used to mark role as undefined.
	RoleUnknown Role = iota

	// RoleUser is a group of senders that contains only the key of the container owner.
	RoleUser

	// RoleSystem is a group of senders that contains keys of container nodes and
	// inner ring nodes.
	RoleSystem

	// RoleOthers is a group of senders that contains none of the above keys.
	RoleOthers
)

func RoleFromV2

func RoleFromV2(role v2acl.Role) (r Role)

RoleFromV2 converts v2 Role enum value to Role.

func (*Role) FromString

func (r *Role) FromString(s string) bool

FromString parses Role from its string representation. It is the reverse of String().

Returns true if s was parsed successfully.

func (Role) String

func (r Role) String() string

String returns string representation of Role.

String mapping:

  • RoleUser: USER;
  • RoleSystem: SYSTEM;
  • RoleOthers: OTHERS;
  • RoleUnknown, default: ROLE_UNKNOWN.

func (Role) ToV2

func (r Role) ToV2() v2acl.Role

ToV2 converts Role to v2 Role enum value.

type Table

type Table struct {
	// contains filtered or unexported fields
}

Table is a group of ContainerEACL records for a single container.

Table is compatible with v2 acl.EACLTable message.

func CreateTable

func CreateTable(cid cid.ID) *Table

CreateTable creates, initializes with parameters and returns Table instance.

func NewTable

func NewTable() *Table

NewTable creates, initializes and returns blank Table instance.

Defaults:

  • version: version.Current();
  • container ID: nil;
  • records: nil;
  • session token: nil;
  • signature: nil.

func NewTableFromV2

func NewTableFromV2(table *v2acl.Table) *Table

NewTableFromV2 converts v2 acl.EACLTable message to Table.

func (*Table) AddRecord

func (t *Table) AddRecord(r *Record)

AddRecord adds single eACL rule.

func (Table) CID

func (t Table) CID() (cID cid.ID, isSet bool)

CID returns the identifier of the container that should use the given access control rules.

func (*Table) Marshal

func (t *Table) Marshal() ([]byte, error)

Marshal marshals Table into a protobuf binary form.

func (*Table) MarshalJSON

func (t *Table) MarshalJSON() ([]byte, error)

MarshalJSON encodes Table to protobuf JSON format.

func (Table) Records

func (t Table) Records() []Record

Records returns list of extended ACL rules.

func (*Table) SetCID

func (t *Table) SetCID(cid cid.ID)

SetCID sets the identifier of the container that should use the given access control rules.

func (*Table) SetVersion

func (t *Table) SetVersion(version version.Version)

SetVersion sets version of eACL format.

func (*Table) ToV2

func (t *Table) ToV2() *v2acl.Table

ToV2 converts Table to v2 acl.EACLTable message.

Nil Table converts to nil.

func (*Table) Unmarshal

func (t *Table) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Table.

func (*Table) UnmarshalJSON

func (t *Table) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Table from protobuf JSON format.

func (Table) Version

func (t Table) Version() version.Version

Version returns version of eACL format.

type Target

type Target struct {
	// contains filtered or unexported fields
}

Target is a group of request senders matched by a ContainerEACL record. It is defined by a role enum and a set of public keys.

Target is compatible with v2 acl.EACLRecord.Target message.

func NewTarget

func NewTarget() *Target

NewTarget creates, initializes and returns blank Target instance.

Defaults:

  • role: RoleUnknown;
  • keys: nil.

func NewTargetFromV2

func NewTargetFromV2(target *v2acl.Target) *Target

NewTargetFromV2 converts v2 acl.EACLRecord.Target message to Target.

func (*Target) BinaryKeys

func (t *Target) BinaryKeys() [][]byte

BinaryKeys returns list of public keys to identify target subject in a binary format.

func (*Target) Marshal

func (t *Target) Marshal() ([]byte, error)

Marshal marshals Target into a protobuf binary form.

func (*Target) MarshalJSON

func (t *Target) MarshalJSON() ([]byte, error)

MarshalJSON encodes Target to protobuf JSON format.

func (Target) Role

func (t Target) Role() Role

Role returns target subject's role class.

func (*Target) SetBinaryKeys

func (t *Target) SetBinaryKeys(keys [][]byte)

SetBinaryKeys sets list of binary public keys to identify target subject.

func (*Target) SetRole

func (t *Target) SetRole(r Role)

SetRole sets target subject's role class.

func (*Target) ToV2

func (t *Target) ToV2() *v2acl.Target

ToV2 converts Target to v2 acl.EACLRecord.Target message.

Nil Target converts to nil.

func (*Target) Unmarshal

func (t *Target) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Target.

func (*Target) UnmarshalJSON

func (t *Target) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Target from protobuf JSON format.

type TypedHeaderSource

type TypedHeaderSource interface {
	// HeadersOfType returns the list of key-value headers
	// of particular type.
	//
	// It returns any problem encountered through the boolean
	// false value.
	HeadersOfType(FilterHeaderType) ([]Header, bool)
}

TypedHeaderSource is the interface that wraps the method for selecting headers by type.

type ValidationUnit

type ValidationUnit struct {
	// contains filtered or unexported fields
}

ValidationUnit represents a unit of check for Validator.

func (*ValidationUnit) WithContainerID

func (u *ValidationUnit) WithContainerID(v *cid.ID) *ValidationUnit

WithContainerID configures ValidationUnit to use v as request's container ID.

func (*ValidationUnit) WithEACLTable

func (u *ValidationUnit) WithEACLTable(table *Table) *ValidationUnit

WithEACLTable configures ValidationUnit to use table as the eACL table the request is checked against.

func (*ValidationUnit) WithHeaderSource

func (u *ValidationUnit) WithHeaderSource(v TypedHeaderSource) *ValidationUnit

WithHeaderSource configures ValidationUnit to use v as a source of headers.

func (*ValidationUnit) WithOperation

func (u *ValidationUnit) WithOperation(v Operation) *ValidationUnit

WithOperation configures ValidationUnit to use v as request's operation.

func (*ValidationUnit) WithRole

func (u *ValidationUnit) WithRole(v Role) *ValidationUnit

WithRole configures ValidationUnit to use v as request's role.

func (*ValidationUnit) WithSenderKey

func (u *ValidationUnit) WithSenderKey(v []byte) *ValidationUnit

WithSenderKey configures ValidationUnit to use v as the sender's public key.

type Validator

type Validator struct{}

Validator is a tool that calculates the action on a request according to the extended ACL rule table.

func NewValidator

func NewValidator() *Validator

NewValidator creates and initializes a new Validator using options.

func (*Validator) CalculateAction

func (v *Validator) CalculateAction(unit *ValidationUnit) (Action, bool)

CalculateAction calculates action on the request according to its information represented in ValidationUnit.

The action is calculated according to the application of eACL table of rules to the request.

Second return value is true iff the action was produced by a matching entry.

If no matching table entry is found or some filters are missing, ActionAllow is returned and the second return value is false.
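The evaluation CalculateAction describes, as an added, self-contained Go model written for this page (it is not the frostfs-sdk-go eacl package): records are tried in order, a record applies when its operation, one of its targets and all of its filters match, and a header source that reports a problem yields ActionAllow with a false second value, so the bool is what a caller must check. The model assumes first-match order, role-only targets (key-based targets omitted), headers as a key/value map per header type, and that an absent header makes the record not apply; hasRole, HeaderSource and the DemoTable rule are constructed names.

```go
package main

// Constructed model of the eACL evaluation this page describes; it is not the
// frostfs-sdk-go eacl package. Targets are matched by Role only (keys omitted).
type (
	Action     uint32
	Operation  uint32
	Role       uint32
	Match      uint32
	HeaderType uint32
	Filter     struct{ From HeaderType; Matcher Match; Key, Value string }
	Record     struct{ Action Action; Op Operation; Targets []Role; Filters []Filter }
	// HeaderSource stands in for TypedHeaderSource: one type's headers as a map, false on failure.
	HeaderSource func(HeaderType) (map[string]string, bool)
)

const (
	ActionUnknown, ActionAllow, ActionDeny = Action(0), Action(1), Action(2)
	OperationGet, OperationPut             = Operation(1), Operation(3)
	RoleUser, RoleOthers                   = Role(1), Role(3)
	MatchStringEqual, MatchStringNotEqual  = Match(1), Match(2)
	HeaderFromRequest, HeaderFromObject    = HeaderType(1), HeaderType(2)
)
func hasRole(targets []Role, role Role) bool {
	for _, t := range targets {
		if t == role {
			return true
		}
	}
	return false
}

// CalculateAction applies the first record whose operation, target and filters all match.
// No match, or a failing header source, yields (ActionAllow, false): only the bool says a rule decided.
func CalculateAction(recs []Record, op Operation, role Role, src HeaderSource) (Action, bool) {
next:
	for _, r := range recs {
		if r.Op != op || !hasRole(r.Targets, role) {
			continue
		}
		for _, f := range r.Filters {
			hdrs, ok := src(f.From)
			if !ok {
				return ActionAllow, false // fail-open: headers could not be obtained
			}
			v, has := hdrs[f.Key]
			if !has || !(f.Matcher == MatchStringEqual && v == f.Value || f.Matcher == MatchStringNotEqual && v != f.Value) {
				continue next // a filter failed (or its header is absent): record does not apply
			}
		}
		return r.Action, true
	}
	return ActionAllow, false
}

// DemoTable (constructed rule): OTHERS may not GET objects whose attribute Confidential equals "true".
func DemoTable() []Record {
	f := Filter{From: HeaderFromObject, Matcher: MatchStringEqual, Key: "Confidential", Value: "true"}
	return []Record{{Action: ActionDeny, Op: OperationGet, Targets: []Role{RoleOthers}, Filters: []Filter{f}}}
}
```

A caller that only looks at the Action cannot tell an explicit ALLOW from the default returned when headers were unavailable; the second value is the only signal.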
