eacl

package
v0.0.0-...-5e759bf Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 1, 2023 License: Apache-2.0 Imports: 14 Imported by: 14

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddFormedTarget 

func AddFormedTarget(r *Record, role Role, keys ...ecdsa.PublicKey)

AddFormedTarget forms Target with specified Role and list of ECDSA public keys and adds it to the Record.

func AddRecordTarget 

func AddRecordTarget(r *Record, t *Target)

AddRecordTarget adds single Target to the Record.

func EqualTables 

func EqualTables(t1, t2 Table) bool

EqualTables compares Table with each other.

func SetTargetECDSAKeys 

func SetTargetECDSAKeys(t *Target, pubs ...*ecdsa.PublicKey)

SetTargetECDSAKeys converts ECDSA public keys to a binary format and stores them in Target.

func TargetECDSAKeys 

func TargetECDSAKeys(t *Target) []*ecdsa.PublicKey

TargetECDSAKeys interprets binary public keys of Target as ECDSA public keys. If any key has a different format, the corresponding element will be nil.

Types

type Action 

type Action uint32

Action taken if ContainerEACL record matched request. Action is compatible with v2 acl.Action enum. 

const (
	// ActionUnknown is an Action value used to mark action as undefined.
	ActionUnknown Action = iota

	// ActionAllow is an Action value that allows access to the operation from context.
	ActionAllow

	// ActionDeny is an Action value that denies access to the operation from context.
	ActionDeny
)

func ActionFromV2 

func ActionFromV2(action v2acl.Action) (a Action)

ActionFromV2 converts v2 Action enum value to Action.

func (*Action) FromString 

func (a *Action) FromString(s string) bool

FromString parses Action from a string representation. It is a reverse action to String().

Returns true if s was parsed successfully.

func (Action) String 

func (a Action) String() string

String returns string representation of Action.

String mapping:

  • ActionAllow: ALLOW;
  • ActionDeny: DENY;
  • ActionUnknown, default: ACTION_UNSPECIFIED.

func (Action) ToV2 

func (a Action) ToV2() v2acl.Action

ToV2 converts Action to v2 Action enum value.

type Filter 

type Filter struct {
	// contains filtered or unexported fields
}

Filter defines check conditions if request header is matched or not. Matched header means that request should be processed according to ContainerEACL action.

Filter is compatible with v2 acl.EACLRecord.Filter message.

func NewFilter 

func NewFilter() *Filter

NewFilter creates, initializes and returns blank Filter instance.

Defaults:

  • header type: HeaderTypeUnknown;
  • matcher: MatchUnknown;
  • key: "";
  • value: "".

func NewFilterFromV2 

func NewFilterFromV2(filter *v2acl.HeaderFilter) *Filter

NewFilterFromV2 converts v2 acl.EACLRecord.Filter message to Filter.

func (Filter) From 

func (f Filter) From() FilterHeaderType

From returns FilterHeaderType that defined which header will be filtered.

func (Filter) Key 

func (f Filter) Key() string

Key returns key to the filtered header.

func (*Filter) Marshal 

func (f *Filter) Marshal() ([]byte, error)

Marshal marshals Filter into a protobuf binary form.

func (*Filter) MarshalJSON 

func (f *Filter) MarshalJSON() ([]byte, error)

MarshalJSON encodes Filter to protobuf JSON format.

func (Filter) Matcher 

func (f Filter) Matcher() Match

Matcher returns filter Match type.

func (*Filter) ToV2 

func (f *Filter) ToV2() *v2acl.HeaderFilter

ToV2 converts Filter to v2 acl.EACLRecord.Filter message.

Nil Filter converts to nil.

func (*Filter) Unmarshal 

func (f *Filter) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Filter.

func (*Filter) UnmarshalJSON 

func (f *Filter) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Filter from protobuf JSON format.

func (Filter) Value 

func (f Filter) Value() string

Value returns filtered string value.

type FilterHeaderType 

type FilterHeaderType uint32

FilterHeaderType indicates source of headers to make matches. FilterHeaderType is compatible with v2 acl.HeaderType enum. 

const (
	// HeaderTypeUnknown is a FilterHeaderType value used to mark header type as undefined.
	HeaderTypeUnknown FilterHeaderType = iota

	// HeaderFromRequest is a FilterHeaderType for request X-Header.
	HeaderFromRequest

	// HeaderFromObject is a FilterHeaderType for object header.
	HeaderFromObject

	// HeaderFromService is a FilterHeaderType for service header.
	HeaderFromService
)

func FilterHeaderTypeFromV2 

func FilterHeaderTypeFromV2(header v2acl.HeaderType) (h FilterHeaderType)

FilterHeaderTypeFromV2 converts v2 HeaderType enum value to FilterHeaderType.

func (*FilterHeaderType) FromString 

func (h *FilterHeaderType) FromString(s string) bool

FromString parses FilterHeaderType from a string representation. It is a reverse action to String().

Returns true if s was parsed successfully.

func (FilterHeaderType) String 

func (h FilterHeaderType) String() string

String returns string representation of FilterHeaderType.

String mapping:

  • HeaderFromRequest: REQUEST;
  • HeaderFromObject: OBJECT;
  • HeaderTypeUnknown, default: HEADER_UNSPECIFIED.

func (FilterHeaderType) ToV2 

func (h FilterHeaderType) ToV2() v2acl.HeaderType

ToV2 converts FilterHeaderType to v2 HeaderType enum value. 

type Header interface {
	Key() string
	Value() string
}

Header is an interface of string key-value header.

type Match 

type Match uint32

Match is binary operation on filer name and value to check if request is matched. Match is compatible with v2 acl.MatchType enum. 

const (
	// MatchUnknown is a Match value used to mark matcher as undefined.
	MatchUnknown Match = iota

	// MatchStringEqual is a Match of string equality.
	MatchStringEqual

	// MatchStringNotEqual is a Match of string inequality.
	MatchStringNotEqual
)

func MatchFromV2 

func MatchFromV2(match v2acl.MatchType) (m Match)

MatchFromV2 converts v2 MatchType enum value to Match.

func (*Match) FromString 

func (m *Match) FromString(s string) bool

FromString parses Match from a string representation. It is a reverse action to String().

Returns true if s was parsed successfully.

func (Match) String 

func (m Match) String() string

String returns string representation of Match.

String mapping:

  • MatchStringEqual: STRING_EQUAL;
  • MatchStringNotEqual: STRING_NOT_EQUAL;
  • MatchUnknown, default: MATCH_TYPE_UNSPECIFIED.

func (Match) ToV2 

func (m Match) ToV2() v2acl.MatchType

ToV2 converts Match to v2 MatchType enum value.

type Operation 

type Operation uint32

Operation is a object service method to match request. Operation is compatible with v2 acl.Operation enum. 

const (
	// OperationUnknown is an Operation value used to mark operation as undefined.
	OperationUnknown Operation = iota

	// OperationGet is an object get Operation.
	OperationGet

	// OperationHead is an Operation of getting the object header.
	OperationHead

	// OperationPut is an object put Operation.
	OperationPut

	// OperationDelete is an object delete Operation.
	OperationDelete

	// OperationSearch is an object search Operation.
	OperationSearch

	// OperationRange is an object payload range retrieval Operation.
	OperationRange

	// OperationRangeHash is an object payload range hashing Operation.
	OperationRangeHash
)

func OperationFromV2 

func OperationFromV2(operation v2acl.Operation) (o Operation)

OperationFromV2 converts v2 Operation enum value to Operation.

func (*Operation) FromString 

func (o *Operation) FromString(s string) bool

FromString parses Operation from a string representation. It is a reverse action to String().

Returns true if s was parsed successfully.

func (Operation) String 

func (o Operation) String() string

String returns string representation of Operation.

String mapping:

  • OperationGet: GET;
  • OperationHead: HEAD;
  • OperationPut: PUT;
  • OperationDelete: DELETE;
  • OperationSearch: SEARCH;
  • OperationRange: GETRANGE;
  • OperationRangeHash: GETRANGEHASH;
  • OperationUnknown, default: OPERATION_UNSPECIFIED.

func (Operation) ToV2 

func (o Operation) ToV2() v2acl.Operation

ToV2 converts Operation to v2 Operation enum value.

type Record 

type Record struct {
	// contains filtered or unexported fields
}

Record of the ContainerEACL rule, that defines ContainerEACL action, targets for this action, object service operation and filters for request headers.

Record is compatible with v2 acl.EACLRecord message.

func CreateRecord 

func CreateRecord(action Action, operation Operation) *Record

CreateRecord creates, initializes with parameters and returns Record instance.

func NewRecord 

func NewRecord() *Record

NewRecord creates and returns blank Record instance.

Defaults:

  • action: ActionUnknown;
  • operation: OperationUnknown;
  • targets: nil,
  • filters: nil.

func NewRecordFromV2 

func NewRecordFromV2(record *v2acl.Record) *Record

NewRecordFromV2 converts v2 acl.EACLRecord message to Record.

func (Record) Action 

func (r Record) Action() Action

Action returns rule execution result.

func (*Record) AddFilter 

func (r *Record) AddFilter(from FilterHeaderType, matcher Match, name, value string)

AddFilter adds generic filter.

func (*Record) AddObjectAttributeFilter 

func (r *Record) AddObjectAttributeFilter(m Match, key, value string)

AddObjectAttributeFilter adds filter by object attribute.

func (*Record) AddObjectContainerIDFilter 

func (r *Record) AddObjectContainerIDFilter(m Match, id cid.ID)

AddObjectContainerIDFilter adds filter by object container ID.

func (*Record) AddObjectCreationEpoch 

func (r *Record) AddObjectCreationEpoch(m Match, epoch uint64)

AddObjectCreationEpoch adds filter by object creation epoch.

func (*Record) AddObjectHomomorphicHashFilter 

func (r *Record) AddObjectHomomorphicHashFilter(m Match, h checksum.Checksum)

AddObjectHomomorphicHashFilter adds filter by object payload homomorphic hash value.

func (*Record) AddObjectIDFilter 

func (r *Record) AddObjectIDFilter(m Match, id oid.ID)

AddObjectIDFilter adds filter by object ID.

func (*Record) AddObjectOwnerIDFilter 

func (r *Record) AddObjectOwnerIDFilter(m Match, id *user.ID)

AddObjectOwnerIDFilter adds filter by object owner ID.

func (*Record) AddObjectPayloadHashFilter 

func (r *Record) AddObjectPayloadHashFilter(m Match, h checksum.Checksum)

AddObjectPayloadHashFilter adds filter by object payload hash value.

func (*Record) AddObjectPayloadLengthFilter 

func (r *Record) AddObjectPayloadLengthFilter(m Match, size uint64)

AddObjectPayloadLengthFilter adds filter by object payload length.

func (*Record) AddObjectTypeFilter 

func (r *Record) AddObjectTypeFilter(m Match, t object.Type)

AddObjectTypeFilter adds filter by object type.

func (*Record) AddObjectVersionFilter 

func (r *Record) AddObjectVersionFilter(m Match, v *version.Version)

AddObjectVersionFilter adds filter by object version.

func (Record) Filters 

func (r Record) Filters() []Filter

Filters returns list of filters to match and see if rule is applicable.

func (*Record) Marshal 

func (r *Record) Marshal() ([]byte, error)

Marshal marshals Record into a protobuf binary form.

func (*Record) MarshalJSON 

func (r *Record) MarshalJSON() ([]byte, error)

MarshalJSON encodes Record to protobuf JSON format.

func (Record) Operation 

func (r Record) Operation() Operation

Operation returns FrostFS request verb to match.

func (*Record) SetAction 

func (r *Record) SetAction(action Action)

SetAction sets rule execution result.

func (*Record) SetOperation 

func (r *Record) SetOperation(operation Operation)

SetOperation sets FrostFS request verb to match.

func (*Record) SetTargets 

func (r *Record) SetTargets(targets ...Target)

SetTargets sets list of target subjects to apply ACL rule to.

func (Record) Targets 

func (r Record) Targets() []Target

Targets returns list of target subjects to apply ACL rule to.

func (*Record) ToV2 

func (r *Record) ToV2() *v2acl.Record

ToV2 converts Record to v2 acl.EACLRecord message.

Nil Record converts to nil.

func (*Record) Unmarshal 

func (r *Record) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Record.

func (*Record) UnmarshalJSON 

func (r *Record) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Record from protobuf JSON format.

type Role 

type Role uint32

Role is a group of request senders to match request. Role is compatible with v2 acl.Role enum. 

const (
	// RoleUnknown is a Role value used to mark role as undefined.
	RoleUnknown Role = iota

	// RoleUser is a group of senders that contains only key of container owner.
	RoleUser

	// RoleSystem is a group of senders that contains keys of container nodes and
	// inner ring nodes.
	RoleSystem

	// RoleOthers is a group of senders that contains none of above keys.
	RoleOthers
)

func RoleFromV2 

func RoleFromV2(role v2acl.Role) (r Role)

RoleFromV2 converts v2 Role enum value to Role.

func (*Role) FromString 

func (r *Role) FromString(s string) bool

FromString parses Role from a string representation. It is a reverse action to String().

Returns true if s was parsed successfully.

func (Role) String 

func (r Role) String() string

String returns string representation of Role.

String mapping:

  • RoleUser: USER;
  • RoleSystem: SYSTEM;
  • RoleOthers: OTHERS;
  • RoleUnknown, default: ROLE_UNKNOWN.

func (Role) ToV2 

func (r Role) ToV2() v2acl.Role

ToV2 converts Role to v2 Role enum value.

type Table 

type Table struct {
	// contains filtered or unexported fields
}

Table is a group of ContainerEACL records for single container.

Table is compatible with v2 acl.EACLTable message.

func CreateTable 

func CreateTable(cid cid.ID) *Table

CreateTable creates, initializes with parameters and returns Table instance.

func NewTable 

func NewTable() *Table

NewTable creates, initializes and returns blank Table instance.

Defaults:

  • version: version.Current();
  • container ID: nil;
  • records: nil;
  • session token: nil;
  • signature: nil.

func NewTableFromV2 

func NewTableFromV2(table *v2acl.Table) *Table

NewTableFromV2 converts v2 acl.EACLTable message to Table.

func (*Table) AddRecord 

func (t *Table) AddRecord(r *Record)

AddRecord adds single eACL rule.

func (Table) CID 

func (t Table) CID() (cID cid.ID, isSet bool)

CID returns identifier of the container that should use given access control rules.

func (*Table) Marshal 

func (t *Table) Marshal() ([]byte, error)

Marshal marshals Table into a protobuf binary form.

func (*Table) MarshalJSON 

func (t *Table) MarshalJSON() ([]byte, error)

MarshalJSON encodes Table to protobuf JSON format.

func (Table) Records 

func (t Table) Records() []Record

Records returns list of extended ACL rules.

func (*Table) SetCID 

func (t *Table) SetCID(cid cid.ID)

SetCID sets identifier of the container that should use given access control rules.

func (*Table) SetVersion 

func (t *Table) SetVersion(version version.Version)

SetVersion sets version of eACL format.

func (*Table) ToV2 

func (t *Table) ToV2() *v2acl.Table

ToV2 converts Table to v2 acl.EACLTable message.

Nil Table converts to nil.

func (*Table) Unmarshal 

func (t *Table) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Table.

func (*Table) UnmarshalJSON 

func (t *Table) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Table from protobuf JSON format.

func (Table) Version 

func (t Table) Version() version.Version

Version returns version of eACL format.

type Target 

type Target struct {
	// contains filtered or unexported fields
}

Target is a group of request senders to match ContainerEACL. Defined by role enum and set of public keys.

Target is compatible with v2 acl.EACLRecord.Target message.

func NewTarget 

func NewTarget() *Target

NewTarget creates, initializes and returns blank Target instance.

Defaults:

  • role: RoleUnknown;
  • keys: nil.

func NewTargetFromV2 

func NewTargetFromV2(target *v2acl.Target) *Target

NewTargetFromV2 converts v2 acl.EACLRecord.Target message to Target.

func (*Target) BinaryKeys 

func (t *Target) BinaryKeys() [][]byte

BinaryKeys returns list of public keys to identify target subject in a binary format.

func (*Target) Marshal 

func (t *Target) Marshal() ([]byte, error)

Marshal marshals Target into a protobuf binary form.

func (*Target) MarshalJSON 

func (t *Target) MarshalJSON() ([]byte, error)

MarshalJSON encodes Target to protobuf JSON format.

func (Target) Role 

func (t Target) Role() Role

Role returns target subject's role class.

func (*Target) SetBinaryKeys 

func (t *Target) SetBinaryKeys(keys [][]byte)

SetBinaryKeys sets list of binary public keys to identify target subject.

func (*Target) SetRole 

func (t *Target) SetRole(r Role)

SetRole sets target subject's role class.

func (*Target) ToV2 

func (t *Target) ToV2() *v2acl.Target

ToV2 converts Target to v2 acl.EACLRecord.Target message.

Nil Target converts to nil.

func (*Target) Unmarshal 

func (t *Target) Unmarshal(data []byte) error

Unmarshal unmarshals protobuf binary representation of Target.

func (*Target) UnmarshalJSON 

func (t *Target) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes Target from protobuf JSON format.

type TypedHeaderSource 

type TypedHeaderSource interface {
	// HeadersOfType returns the list of key-value headers
	// of particular type.
	//
	// It returns any problem encountered through the boolean
	// false value.
	HeadersOfType(FilterHeaderType) ([]Header, bool)
}

TypedHeaderSource is the interface that wraps method for selecting typed headers by type.

type ValidationUnit 

type ValidationUnit struct {
	// contains filtered or unexported fields
}

ValidationUnit represents unit of check for Validator.

func (*ValidationUnit) WithContainerID 

func (u *ValidationUnit) WithContainerID(v *cid.ID) *ValidationUnit

WithContainerID configures ValidationUnit to use v as request's container ID.

func (*ValidationUnit) WithEACLTable 

func (u *ValidationUnit) WithEACLTable(table *Table) *ValidationUnit

WithBearerToken configures ValidationUnit to use v as request's bearer token.

func (*ValidationUnit) WithHeaderSource 

func (u *ValidationUnit) WithHeaderSource(v TypedHeaderSource) *ValidationUnit

WithHeaderSource configures ValidationUnit to use v as a source of headers.

func (*ValidationUnit) WithOperation 

func (u *ValidationUnit) WithOperation(v Operation) *ValidationUnit

WithOperation configures ValidationUnit to use v as request's operation.

func (*ValidationUnit) WithRole 

func (u *ValidationUnit) WithRole(v Role) *ValidationUnit

WithRole configures ValidationUnit to use v as request's role.

func (*ValidationUnit) WithSenderKey 

func (u *ValidationUnit) WithSenderKey(v []byte) *ValidationUnit

WithSenderKey configures ValidationUnit to use as sender's public key.

type Validator 

type Validator struct {
}

Validator is a tool that calculates the action on a request according to the extended ACL rule table.

func NewValidator 

func NewValidator() *Validator

NewValidator creates and initializes a new Validator using options.

func (*Validator) CalculateAction 

func (v *Validator) CalculateAction(unit *ValidationUnit) (Action, bool)

CalculateAction calculates action on the request according to its information represented in ValidationUnit.

The action is calculated according to the application of eACL table of rules to the request.

Second return value is true iff the action was produced by a matching entry.

If no matching table entry is found or some filters are missing, ActionAllow is returned and the second return value is false.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.