From 3aebde1b9fda02e591407fbc20d5e262ca860d4f Mon Sep 17 00:00:00 2001 From: Evgenii Baidakov Date: Mon, 10 Feb 2025 14:10:59 +0400 Subject: [PATCH] *: Fix deprecations with eacl package Signed-off-by: Evgenii Baidakov --- api/handler/acl.go | 149 ++++++++--------- api/handler/acl_test.go | 239 ++++++++++++++------------- api/handler/head_test.go | 2 +- authmate/authmate.go | 33 ++-- cmd/s3-authmate/main.go | 27 ++- creds/accessbox/bearer_token_test.go | 8 +- 6 files changed, 223 insertions(+), 235 deletions(-) diff --git a/api/handler/acl.go b/api/handler/acl.go index 98e2722d..b9bc7f1a 100644 --- a/api/handler/acl.go +++ b/api/handler/acl.go @@ -969,20 +969,22 @@ func getParentResource(parent *ast, resource *astResource) *astResource { } func astToTable(ast *ast) (*eacl.Table, error) { - table := eacl.NewTable() + var records []eacl.Record for i := len(ast.Resources) - 1; i >= 0; i-- { - records, err := formRecords(ast.Resources[i]) + recs, err := formRecords(ast.Resources[i]) if err != nil { return nil, fmt.Errorf("form records: %w", err) } - for _, rec := range records { - table.AddRecord(rec) + for _, rec := range recs { + records = append(records, *rec) } } - return table, nil + table := eacl.ConstructTable(records) + + return &table, nil } func tryServiceRecord(record eacl.Record) *ServiceRecord { @@ -1041,21 +1043,21 @@ func formRecords(resource *astResource) ([]*eacl.Record, error) { } } - record := eacl.NewRecord() - record.SetOperation(astOp.Op) - record.SetAction(astOp.Action) + record := eacl.ConstructRecord(astOp.Action, astOp.Op, []eacl.Target{}) if astOp.IsGroupGrantee() { - eacl.AddFormedTarget(record, eacl.RoleOthers) + record.SetTargets(eacl.NewTargetByRole(eacl.RoleOthers)) } else { - t := eacl.NewTarget() - // Unknown role is used, because it is ignored when accounts are set - t.SetRole(eacl.RoleUnknown) - t.SetAccounts(astOp.Users) + t := eacl.NewTargetByAccounts(astOp.Users) - record.SetTargets(*t) + record.SetTargets(t) } + + var filters []eacl.Filter if len(resource.Object) != 0 { - record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resource.Object) + filters = append( + filters, + eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, resource.Object), + ) } if len(resource.Version) != 0 { @@ -1063,9 +1065,13 @@ func formRecords(resource *astResource) ([]*eacl.Record, error) { if err := id.DecodeString(resource.Version); err != nil { return nil, fmt.Errorf("parse object version (oid): %w", err) } - record.AddObjectIDFilter(eacl.MatchStringEqual, id) + + filters = append(filters, eacl.NewFilterObjectWithID(id)) } - res = append(res, record) + + record.SetFilters(filters) + + res = append(res, &record) } return res, nil @@ -1640,7 +1646,7 @@ func contains(list []eacl.Operation, op eacl.Operation) bool { func bucketACLToTable(acp *AccessControlPolicy) (*eacl.Table, error) { var found bool - table := eacl.NewTable() + var records []eacl.Record for _, grant := range acp.AccessControlList { if !isValidGrant(grant) { @@ -1667,7 +1673,7 @@ func bucketACLToTable(acp *AccessControlPolicy) (*eacl.Table, error) { } for _, op := range permissionToOperations(grant.Permission) { - table.AddRecord(recordFromOp(op)) + records = append(records, *recordFromOp(op)) } } @@ -1678,18 +1684,20 @@ func bucketACLToTable(acp *AccessControlPolicy) (*eacl.Table, error) { if err != nil { return nil, fmt.Errorf("%w: %w", layer.ErrDecodeUserID, err) } - table.AddRecord(getAllowRecordWithUser(op, account)) + records = append(records, *getAllowRecordWithUser(op, account)) } } } for _, op := range fullOps { - table.AddRecord(getOthersRecord(op, eacl.ActionDeny)) + records = append(records, *getOthersRecord(op, eacl.ActionDeny)) } - table.AddRecord(BucketOwnerEnforcedRecord()) + records = append(records, *BucketOwnerEnforcedRecord()) + + table := eacl.ConstructTable(records) - return table, nil + return &table, nil } func isValidGrant(grant *Grant) bool { @@ -1698,43 +1706,33 @@ func isValidGrant(grant *Grant) bool { } func getAllowRecordWithUser(op eacl.Operation, acc user.ID) *eacl.Record { - record := eacl.NewRecord() - record.SetOperation(op) - record.SetAction(eacl.ActionAllow) - - t := eacl.NewTarget() - // Unknown role is used, because it is ignored when accounts are set - t.SetRole(eacl.RoleUnknown) - t.SetAccounts([]user.ID{acc}) - - record.SetTargets(*t) + record := eacl.ConstructRecord(eacl.ActionAllow, op, + []eacl.Target{eacl.NewTargetByAccounts([]user.ID{acc})}, + ) - return record + return &record } func getOthersRecord(op eacl.Operation, action eacl.Action) *eacl.Record { - record := eacl.NewRecord() - record.SetOperation(op) - record.SetAction(action) - eacl.AddFormedTarget(record, eacl.RoleOthers) - return record + record := eacl.ConstructRecord(action, op, + []eacl.Target{eacl.NewTargetByRole(eacl.RoleOthers)}, + ) + + return &record } // BucketOwnerEnforcedRecord generates special marker record for OwnerEnforced policy. func BucketOwnerEnforcedRecord() *eacl.Record { - var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut) - markerRecord.AddFilter( - eacl.HeaderFromRequest, - eacl.MatchStringNotEqual, - amzBucketOwnerField, - amzBucketOwnerEnforced, + var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut, + []eacl.Target{ + eacl.NewTargetByAccounts([]user.ID{ownerEnforcedUserID}), + }, + []eacl.Filter{ + eacl.ConstructFilter(eacl.HeaderFromRequest, amzBucketOwnerField, eacl.MatchStringNotEqual, amzBucketOwnerEnforced), + }..., ) - t := eacl.NewTarget() - t.SetAccounts([]user.ID{ownerEnforcedUserID}) - markerRecord.SetTargets(*t) - - return markerRecord + return &markerRecord } func isValidOwnerEnforced(r *http.Request) bool { @@ -1754,19 +1752,14 @@ func isValidOwnerEnforced(r *http.Request) bool { // BucketACLObjectWriterRecord generates special marker record for OwnerWriter policy. func BucketACLObjectWriterRecord() *eacl.Record { - var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut) - markerRecord.AddFilter( - eacl.HeaderFromRequest, - eacl.MatchStringNotEqual, - amzBucketOwnerField, - amzBucketOwnerObjectWriter, + var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut, + []eacl.Target{eacl.NewTargetByAccounts([]user.ID{ownerObjectWriterUserID})}, + []eacl.Filter{ + eacl.ConstructFilter(eacl.HeaderFromRequest, amzBucketOwnerField, eacl.MatchStringNotEqual, amzBucketOwnerObjectWriter), + }..., ) - t := eacl.NewTarget() - t.SetAccounts([]user.ID{ownerObjectWriterUserID}) - markerRecord.SetTargets(*t) - - return markerRecord + return &markerRecord } // IsBucketOwnerForced checks special marker record for OwnerForced policy. @@ -1795,19 +1788,14 @@ func IsBucketOwnerForced(table *eacl.Table) bool { // BucketOwnerPreferredRecord generates special marker record for OwnerPreferred policy. func BucketOwnerPreferredRecord() *eacl.Record { - var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut) - markerRecord.AddFilter( - eacl.HeaderFromRequest, - eacl.MatchStringNotEqual, - amzBucketOwnerField, - amzBucketOwnerPreferred, + var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut, + []eacl.Target{eacl.NewTargetByAccounts([]user.ID{ownerPreferredUserID})}, + []eacl.Filter{ + eacl.ConstructFilter(eacl.HeaderFromRequest, amzBucketOwnerField, eacl.MatchStringNotEqual, amzBucketOwnerPreferred), + }..., ) - t := eacl.NewTarget() - t.SetAccounts([]user.ID{ownerPreferredUserID}) - markerRecord.SetTargets(*t) - - return markerRecord + return &markerRecord } // IsBucketOwnerPreferred checks special marker record for OwnerPreferred policy. @@ -1836,19 +1824,14 @@ func IsBucketOwnerPreferred(table *eacl.Table) bool { // BucketOwnerPreferredRecord generates special marker record for OwnerPreferred policy and sets flag for bucket owner full control acl restriction. func BucketOwnerPreferredAndRestrictedRecord() *eacl.Record { - var markerRecord = eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut) - markerRecord.AddFilter( - eacl.HeaderFromObject, - eacl.MatchStringEqual, - amzBucketOwnerField, - cannedACLBucketOwnerFullControl, + var markerRecord = eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut, + []eacl.Target{eacl.NewTargetByAccounts([]user.ID{ownerPreferredAndRestrictedUserID})}, + []eacl.Filter{ + eacl.ConstructFilter(eacl.HeaderFromObject, amzBucketOwnerField, eacl.MatchStringEqual, cannedACLBucketOwnerFullControl), + }..., ) - t := eacl.NewTarget() - t.SetAccounts([]user.ID{ownerPreferredAndRestrictedUserID}) - markerRecord.SetTargets(*t) - - return markerRecord + return &markerRecord } // IsBucketOwnerPreferredAndRestricted checks special marker record and check ALC bucket owner full control flag for OwnerPreferred policy. diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go index 487d4168..edbe09c2 100644 --- a/api/handler/acl_test.go +++ b/api/handler/acl_test.go @@ -46,28 +46,23 @@ func TestTableToAst(t *testing.T) { require.NoError(t, err) table := new(eacl.Table) - record := eacl.NewRecord() - record.SetAction(eacl.ActionAllow) - record.SetOperation(eacl.OperationGet) - eacl.AddFormedTarget(record, eacl.RoleOthers) - table.AddRecord(record) - record2 := eacl.NewRecord() - record2.SetAction(eacl.ActionDeny) - record2.SetOperation(eacl.OperationPut) - - target := eacl.NewTarget() - // Unknown role is used, because it is ignored when accounts are set - target.SetRole(eacl.RoleUnknown) - target.SetAccounts([]user.ID{ - user.NewFromScriptHash(key.PublicKey().GetScriptHash()), - user.NewFromScriptHash(key2.PublicKey().GetScriptHash()), - }) - - record2.SetTargets(*target) - - record2.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, "objectName") - record2.AddObjectIDFilter(eacl.MatchStringEqual, id) - table.AddRecord(record2) + var records []eacl.Record + records = append(records, eacl.ConstructRecord(eacl.ActionAllow, eacl.OperationGet, + []eacl.Target{eacl.NewTargetByRole(eacl.RoleOthers)}, + )) + + records = append(records, eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut, + []eacl.Target{eacl.NewTargetByAccounts([]user.ID{ + user.NewFromScriptHash(key.PublicKey().GetScriptHash()), + user.NewFromScriptHash(key2.PublicKey().GetScriptHash()), + })}, + []eacl.Filter{ + eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, "objectName"), + eacl.NewFilterObjectWithID(id), + }..., + )) + + table.SetRecords(records) expectedAst := &ast{ Resources: []*astResource{ @@ -450,10 +445,6 @@ func TestOrder(t *testing.T) { key, err := keys.NewPrivateKey() require.NoError(t, err) users := []user.ID{user.NewFromScriptHash(key.GetScriptHash())} - targetUser := eacl.NewTarget() - targetUser.SetAccounts(users) - targetOther := eacl.NewTarget() - targetOther.SetRole(eacl.RoleOthers) bucketName := "bucket" objectName := "objectName" @@ -494,47 +485,52 @@ func TestOrder(t *testing.T) { }, }, } - bucketUsersGetRec := eacl.NewRecord() - bucketUsersGetRec.SetOperation(eacl.OperationGet) - bucketUsersGetRec.SetAction(eacl.ActionAllow) - bucketUsersGetRec.SetTargets(*targetUser) - bucketOtherGetRec := eacl.NewRecord() - bucketOtherGetRec.SetOperation(eacl.OperationGet) - bucketOtherGetRec.SetAction(eacl.ActionDeny) - bucketOtherGetRec.SetTargets(*targetOther) - objectUsersPutRec := eacl.NewRecord() - objectUsersPutRec.SetOperation(eacl.OperationPut) - objectUsersPutRec.SetAction(eacl.ActionAllow) - objectUsersPutRec.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, objectName) - objectUsersPutRec.SetTargets(*targetUser) - objectOtherPutRec := eacl.NewRecord() - objectOtherPutRec.SetOperation(eacl.OperationPut) - objectOtherPutRec.SetAction(eacl.ActionDeny) - objectOtherPutRec.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, objectName) - objectOtherPutRec.SetTargets(*targetOther) - - expectedEacl := eacl.NewTable() - expectedEacl.AddRecord(objectOtherPutRec) - expectedEacl.AddRecord(objectUsersPutRec) - expectedEacl.AddRecord(bucketOtherGetRec) - expectedEacl.AddRecord(bucketUsersGetRec) + + var records = []eacl.Record{ + eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationPut, + []eacl.Target{ + eacl.NewTargetByRole(eacl.RoleOthers), + }, + []eacl.Filter{ + eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, objectName), + }..., + ), + eacl.ConstructRecord(eacl.ActionAllow, eacl.OperationPut, + []eacl.Target{ + eacl.NewTargetByAccounts(users), + }, + []eacl.Filter{ + eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, objectName), + }..., + ), + eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationGet, + []eacl.Target{ + eacl.NewTargetByRole(eacl.RoleOthers), + }), + eacl.ConstructRecord(eacl.ActionAllow, eacl.OperationGet, + []eacl.Target{ + eacl.NewTargetByAccounts(users), + }), + } + + expectedEacl := eacl.ConstructTable(records) t.Run("astToTable order and vice versa", func(t *testing.T) { actualEacl, err := astToTable(expectedAst) require.NoError(t, err) - require.Equal(t, expectedEacl, actualEacl) + require.Equal(t, &expectedEacl, actualEacl) actualAst := tableToAst(actualEacl, bucketName) require.Equal(t, expectedAst, actualAst) }) t.Run("tableToAst order and vice versa", func(t *testing.T) { - actualAst := tableToAst(expectedEacl, bucketName) + actualAst := tableToAst(&expectedEacl, bucketName) require.Equal(t, expectedAst, actualAst) actualEacl, err := astToTable(actualAst) require.NoError(t, err) - require.Equal(t, expectedEacl, actualEacl) + require.Equal(t, &expectedEacl, actualEacl) }) t.Run("append a resource", func(t *testing.T) { @@ -547,11 +543,14 @@ func TestOrder(t *testing.T) { Operations: []*astOperation{{Op: eacl.OperationDelete, Action: eacl.ActionDeny}}}}, } - childRecord := eacl.NewRecord() - childRecord.SetOperation(eacl.OperationDelete) - childRecord.SetAction(eacl.ActionDeny) - childRecord.SetTargets(*targetOther) - childRecord.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, childName) + childRecord := eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationDelete, + []eacl.Target{ + eacl.NewTargetByRole(eacl.RoleOthers), + }, + []eacl.Filter{ + eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, childName), + }..., + ) mergedAst, updated := mergeAst(expectedAst, child) require.True(t, updated) @@ -559,7 +558,7 @@ func TestOrder(t *testing.T) { mergedEacl, err := astToTable(mergedAst) require.NoError(t, err) - require.Equal(t, *childRecord, mergedEacl.Records()[0]) + require.Equal(t, childRecord, mergedEacl.Records()[0]) }) } @@ -668,30 +667,23 @@ func TestAstToTable(t *testing.T) { }, } - expectedTable := eacl.NewTable() - record1 := eacl.NewRecord() - record1.SetAction(eacl.ActionAllow) - record1.SetOperation(eacl.OperationPut) - - target := eacl.NewTarget() - // Unknown role is used, because it is ignored when accounts are set - target.SetRole(eacl.RoleUnknown) - target.SetAccounts([]user.ID{user.NewFromScriptHash(key.PublicKey().GetScriptHash())}) - - record1.SetTargets(*target) - - record2 := eacl.NewRecord() - record2.SetAction(eacl.ActionDeny) - record2.SetOperation(eacl.OperationGet) - eacl.AddFormedTarget(record2, eacl.RoleOthers) - record2.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, "objectName") + records := []eacl.Record{ + eacl.ConstructRecord(eacl.ActionDeny, eacl.OperationGet, + []eacl.Target{eacl.NewTargetByRole(eacl.RoleOthers)}, + []eacl.Filter{ + eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, "objectName"), + }..., + ), + eacl.ConstructRecord(eacl.ActionAllow, eacl.OperationPut, + []eacl.Target{eacl.NewTargetByAccounts([]user.ID{user.NewFromScriptHash(key.PublicKey().GetScriptHash())})}, + ), + } - expectedTable.AddRecord(record2) - expectedTable.AddRecord(record1) + expectedTable := eacl.ConstructTable(records) actualTable, err := astToTable(ast) require.NoError(t, err) - require.Equal(t, expectedTable, actualTable) + require.Equal(t, &expectedTable, actualTable) } func TestRemoveUsers(t *testing.T) { @@ -912,22 +904,25 @@ func TestObjectWithVersionAclToTable(t *testing.T) { func allowedTableForPrivateObject(t *testing.T, key *keys.PrivateKey, resInfo *resourceInfo) *eacl.Table { var objID oid.ID - var zeroObjectID oid.ID if resInfo.Version != "" { err := objID.DecodeString(resInfo.Version) require.NoError(t, err) } - expectedTable := eacl.NewTable() + var records []eacl.Record applyFilters := func(r *eacl.Record) { + var filters []eacl.Filter + if resInfo.Object != "" { - r.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object) + filters = append(filters, eacl.NewObjectPropertyFilter(object.AttributeFilePath, eacl.MatchStringEqual, resInfo.Object)) } - if !objID.Equals(zeroObjectID) { - r.AddObjectIDFilter(eacl.MatchStringEqual, objID) + if !objID.IsZero() { + filters = append(filters, eacl.NewFilterObjectWithID(objID)) } + + r.SetFilters(filters) } // Order of these loops is important for test. @@ -936,14 +931,14 @@ func allowedTableForPrivateObject(t *testing.T, key *keys.PrivateKey, resInfo *r record := getAllowRecordWithUser(op, user.NewFromScriptHash(key.GetScriptHash())) applyFilters(record) - expectedTable.AddRecord(record) + records = append(records, *record) } for i := len(readOps) - 1; i >= 0; i-- { op := readOps[i] record := getAllowRecordWithUser(op, user.NewFromScriptHash(key.GetScriptHash())) applyFilters(record) - expectedTable.AddRecord(record) + records = append(records, *record) } for i := len(writeOps) - 1; i >= 0; i-- { @@ -951,17 +946,19 @@ func allowedTableForPrivateObject(t *testing.T, key *keys.PrivateKey, resInfo *r record := getOthersRecord(op, eacl.ActionDeny) applyFilters(record) - expectedTable.AddRecord(record) + records = append(records, *record) } for i := len(readOps) - 1; i >= 0; i-- { op := readOps[i] record := getOthersRecord(op, eacl.ActionDeny) applyFilters(record) - expectedTable.AddRecord(record) + records = append(records, *record) } - return expectedTable + expectedTable := eacl.ConstructTable(records) + + return &expectedTable } func tableFromACL(t *testing.T, acl *AccessControlPolicy, resInfo *resourceInfo) *eacl.Table { @@ -983,8 +980,8 @@ func checkTables(t *testing.T, expectedTable, actualTable *eacl.Table) { for j, target := range record.Targets() { actTarget := actRecord.Targets()[j] - expected := fmt.Sprintf("%s %v", target.Role().String(), target.BinaryKeys()) - actual := fmt.Sprintf("%s %v", actTarget.Role().String(), actTarget.BinaryKeys()) + expected := fmt.Sprintf("%s %v", target.Role().String(), target.Accounts()) + actual := fmt.Sprintf("%s %v", actTarget.Role().String(), actTarget.Accounts()) require.Equalf(t, target, actTarget, "want: '%s'\ngot: '%s'", expected, actual) } @@ -1172,24 +1169,24 @@ func TestBucketAclToTable(t *testing.T) { }}, } - expectedTable := new(eacl.Table) + var records []eacl.Record for _, op := range readOps { - expectedTable.AddRecord(getOthersRecord(op, eacl.ActionAllow)) + records = append(records, *getOthersRecord(op, eacl.ActionAllow)) } for _, op := range writeOps { - expectedTable.AddRecord(getAllowRecordWithUser(op, user.NewFromScriptHash(key2.GetScriptHash()))) + records = append(records, *getAllowRecordWithUser(op, user.NewFromScriptHash(key2.GetScriptHash()))) } for _, op := range fullOps { - expectedTable.AddRecord(getAllowRecordWithUser(op, user.NewFromScriptHash(key.GetScriptHash()))) + records = append(records, *getAllowRecordWithUser(op, user.NewFromScriptHash(key.GetScriptHash()))) } for _, op := range fullOps { - expectedTable.AddRecord(getOthersRecord(op, eacl.ActionDeny)) + records = append(records, *getOthersRecord(op, eacl.ActionDeny)) } - expectedTable.AddRecord(BucketOwnerEnforcedRecord()) + records = append(records, *BucketOwnerEnforcedRecord()) actualTable, err := bucketACLToTable(acl) require.NoError(t, err) - require.Equal(t, expectedTable.Records(), actualTable.Records()) + require.Equal(t, records, actualTable.Records()) } func TestObjectAclToAst(t *testing.T) { @@ -1567,27 +1564,31 @@ func TestEACLEncode(t *testing.T) { var othersTarget eacl.Target othersTarget.SetRole(eacl.RoleOthers) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationGet, []eacl.Target{userTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationHead, []eacl.Target{userTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationPut, []eacl.Target{userTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationDelete, []eacl.Target{userTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationSearch, []eacl.Target{userTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRange, []eacl.Target{userTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRangeHash, []eacl.Target{userTarget})) - - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationGet, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationHead, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationSearch, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRange, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRangeHash, []eacl.Target{othersTarget})) - - acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationGet, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationHead, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationPut, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationDelete, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationSearch, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationRange, []eacl.Target{othersTarget})) - acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationRangeHash, []eacl.Target{othersTarget})) + var records []eacl.Record + + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationGet, []eacl.Target{userTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationHead, []eacl.Target{userTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationPut, []eacl.Target{userTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationDelete, []eacl.Target{userTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationSearch, []eacl.Target{userTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationRange, []eacl.Target{userTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationRangeHash, []eacl.Target{userTarget})) + + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationGet, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationHead, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationSearch, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationRange, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionAllow, eacl.OperationRangeHash, []eacl.Target{othersTarget})) + + records = append(records, *generateRecord(eacl.ActionDeny, eacl.OperationGet, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionDeny, eacl.OperationHead, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionDeny, eacl.OperationPut, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionDeny, eacl.OperationDelete, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionDeny, eacl.OperationSearch, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionDeny, eacl.OperationRange, []eacl.Target{othersTarget})) + records = append(records, *generateRecord(eacl.ActionDeny, eacl.OperationRangeHash, []eacl.Target{othersTarget})) + + acl.EACL.SetRecords(records) logger, err := zap.NewProduction() require.NoError(t, err) diff --git a/api/handler/head_test.go b/api/handler/head_test.go index e630869c..263123be 100644 --- a/api/handler/head_test.go +++ b/api/handler/head_test.go @@ -97,7 +97,7 @@ func newTestAccessBox(t *testing.T, key *keys.PrivateKey) *accessbox.Box { } var btoken bearer.Token - btoken.SetEACLTable(*eacl.NewTable()) + btoken.SetEACLTable(eacl.Table{}) err = btoken.Sign(user.NewAutoIDSignerRFC6979(key.PrivateKey)) require.NoError(t, err) diff --git a/authmate/authmate.go b/authmate/authmate.go index 73f13407..9408e15e 100644 --- a/authmate/authmate.go +++ b/authmate/authmate.go @@ -322,31 +322,36 @@ func (a *Agent) ObtainSecret(ctx context.Context, options *ObtainSecretOptions) } func buildEACLTable(eaclTable []byte) (*eacl.Table, error) { - table := eacl.NewTable() + var table eacl.Table + if len(eaclTable) != 0 { - return table, table.UnmarshalJSON(eaclTable) + return &table, table.UnmarshalJSON(eaclTable) } - record := eacl.NewRecord() - record.SetOperation(eacl.OperationGet) - record.SetAction(eacl.ActionAllow) - eacl.AddFormedTarget(record, eacl.RoleOthers) - table.AddRecord(record) + var ( + records = []eacl.Record{ + eacl.ConstructRecord(eacl.ActionAllow, eacl.OperationGet, + []eacl.Target{eacl.NewTargetByRole(eacl.RoleOthers)}, + ), + } + ) for _, rec := range restrictedRecords() { - table.AddRecord(rec) + records = append(records, *rec) } - return table, nil + table.SetRecords(records) + + return &table, nil } func restrictedRecords() (records []*eacl.Record) { for op := eacl.OperationHead; op <= eacl.OperationRangeHash; op++ { - record := eacl.NewRecord() - record.SetOperation(op) - record.SetAction(eacl.ActionDeny) - eacl.AddFormedTarget(record, eacl.RoleOthers) - records = append(records, record) + record := eacl.ConstructRecord(eacl.ActionDeny, op, + []eacl.Target{eacl.NewTargetByRole(eacl.RoleOthers)}, + ) + + records = append(records, &record) } return diff --git a/cmd/s3-authmate/main.go b/cmd/s3-authmate/main.go index 7e41fb2c..917cd036 100644 --- a/cmd/s3-authmate/main.go +++ b/cmd/s3-authmate/main.go @@ -739,27 +739,24 @@ func resetBucketEACL() *cli.Command { var ( newEACLTable eacl.Table targetOwner eacl.Target + records []eacl.Record ) newEACLTable.SetCID(containerID) targetOwner.SetAccounts([]user.ID{or.BearerToken.Issuer()}) for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ { - record := eacl.NewRecord() - record.SetOperation(op) - record.SetAction(eacl.ActionAllow) - record.SetTargets(targetOwner) - - newEACLTable.AddRecord(record) + records = append(records, + eacl.ConstructRecord(eacl.ActionAllow, op, []eacl.Target{targetOwner}), + ) } for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ { - record := eacl.NewRecord() - record.SetOperation(op) - record.SetAction(eacl.ActionDeny) - eacl.AddFormedTarget(record, eacl.RoleOthers) + record := eacl.ConstructRecord(eacl.ActionDeny, op, + []eacl.Target{eacl.NewTargetByRole(eacl.RoleOthers)}, + ) - newEACLTable.AddRecord(record) + records = append(records, record) } oldEacl, err := neoFS.ContainerEACL(ctx, containerID) @@ -768,17 +765,19 @@ func resetBucketEACL() *cli.Command { } if handler.IsBucketOwnerForced(oldEacl) { - newEACLTable.AddRecord(handler.BucketOwnerEnforcedRecord()) + records = append(records, *handler.BucketOwnerEnforcedRecord()) } if handler.IsBucketOwnerPreferred(oldEacl) { - newEACLTable.AddRecord(handler.BucketOwnerPreferredRecord()) + records = append(records, *handler.BucketOwnerPreferredRecord()) } if handler.IsBucketOwnerPreferredAndRestricted(oldEacl) { - newEACLTable.AddRecord(handler.BucketOwnerPreferredAndRestrictedRecord()) + records = append(records, *handler.BucketOwnerPreferredAndRestrictedRecord()) } + newEACLTable.SetRecords(records) + if applyFlag { var tcancel context.CancelFunc ctx, tcancel = context.WithTimeout(ctx, timeoutFlag) diff --git a/creds/accessbox/bearer_token_test.go b/creds/accessbox/bearer_token_test.go index 7c5572d0..85fe4959 100644 --- a/creds/accessbox/bearer_token_test.go +++ b/creds/accessbox/bearer_token_test.go @@ -29,7 +29,7 @@ func TestTokensEncryptDecrypt(t *testing.T) { cred, err := keys.NewPrivateKey() require.NoError(t, err) - tkn.SetEACLTable(*eacl.NewTable()) + tkn.SetEACLTable(eacl.Table{}) require.NoError(t, tkn.Sign(user.NewAutoIDSignerRFC6979(sec.PrivateKey))) data, err := encrypt(cred, cred.PublicKey(), tkn.Marshal()) @@ -57,7 +57,7 @@ func TestBearerTokenInAccessBox(t *testing.T) { cred, err := keys.NewPrivateKey() require.NoError(t, err) - tkn.SetEACLTable(*eacl.NewTable()) + tkn.SetEACLTable(eacl.Table{}) require.NoError(t, tkn.Sign(user.NewAutoIDSignerRFC6979(sec.PrivateKey))) gate := NewGateData(cred.PublicKey(), &tkn) @@ -120,7 +120,7 @@ func TestAccessboxMultipleKeys(t *testing.T) { sec, err := keys.NewPrivateKey() require.NoError(t, err) - tkn.SetEACLTable(*eacl.NewTable()) + tkn.SetEACLTable(eacl.Table{}) require.NoError(t, tkn.Sign(user.NewAutoIDSignerRFC6979(sec.PrivateKey))) count := 10 @@ -161,7 +161,7 @@ func TestUnknownKey(t *testing.T) { wrongCred, err := keys.NewPrivateKey() require.NoError(t, err) - tkn.SetEACLTable(*eacl.NewTable()) + tkn.SetEACLTable(eacl.Table{}) require.NoError(t, tkn.Sign(user.NewAutoIDSigner(sec.PrivateKey))) gate := NewGateData(cred.PublicKey(), &tkn)