From 962d136e736697341d12db1b1de118fa6d738d59 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <denis@nspcc.ru>
Date: Fri, 21 Jan 2022 15:06:39 +0300
Subject: [PATCH] [#308] Correct access denied status code

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
---
 api/layer/layer.go         |  3 ++-
 api/layer/object.go        | 34 +++++++++++++++++++++++++++-------
 api/layer/system_object.go |  2 +-
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/api/layer/layer.go b/api/layer/layer.go
index 1aadd740..ffc64db9 100644
--- a/api/layer/layer.go
+++ b/api/layer/layer.go
@@ -313,7 +313,8 @@ func (n *layer) SessionOpt(ctx context.Context) pool.CallOption {
 // Get NeoFS Object by refs.Address (should be used by auth.Center).
 func (n *layer) Get(ctx context.Context, address *object.Address) (*object.Object, error) {
 	ops := new(client.GetObjectParams).WithAddress(address)
-	return n.pool.GetObject(ctx, ops, n.CallOptions(ctx)...)
+	obj, err := n.pool.GetObject(ctx, ops, n.CallOptions(ctx)...)
+	return obj, n.transformNeofsError(ctx, err)
 }
 
 // GetBucketInfo returns bucket info by name.
diff --git a/api/layer/object.go b/api/layer/object.go
index 790307e1..e2ad9a83 100644
--- a/api/layer/object.go
+++ b/api/layer/object.go
@@ -101,7 +101,9 @@ func (n *layer) objectSearch(ctx context.Context, p *findParams) ([]*object.ID,
 		opts.AddFilter(object.AttributeFileName, prefix, object.MatchCommonPrefix)
 	}
 	searchParams := new(client.SearchObjectParams).WithContainerID(p.cid).WithSearchFilters(opts)
-	return n.pool.SearchObject(ctx, searchParams, n.CallOptions(ctx)...)
+
+	ids, err := n.pool.SearchObject(ctx, searchParams, n.CallOptions(ctx)...)
+	return ids, n.transformNeofsError(ctx, err)
 }
 
 func newAddress(cid *cid.ID, oid *object.ID) *object.Address {
@@ -114,7 +116,8 @@ func newAddress(cid *cid.ID, oid *object.ID) *object.Address {
 // objectHead returns all object's headers.
 func (n *layer) objectHead(ctx context.Context, cid *cid.ID, oid *object.ID) (*object.Object, error) {
 	ops := new(client.ObjectHeaderParams).WithAddress(newAddress(cid, oid)).WithAllFields()
-	return n.pool.GetObjectHeader(ctx, ops, n.CallOptions(ctx)...)
+	obj, err := n.pool.GetObjectHeader(ctx, ops, n.CallOptions(ctx)...)
+	return obj, n.transformNeofsError(ctx, err)
 }
 
 // objectGetWithPayloadWriter and write it into provided io.Reader.
@@ -122,20 +125,23 @@ func (n *layer) objectGetWithPayloadWriter(ctx context.Context, p *getParams) (*
 	// prepare length/offset writer
 	w := newWriter(p.Writer, p.offset, p.length)
 	ops := new(client.GetObjectParams).WithAddress(newAddress(p.cid, p.oid)).WithPayloadWriter(w)
-	return n.pool.GetObject(ctx, ops, n.CallOptions(ctx)...)
+	obj, err := n.pool.GetObject(ctx, ops, n.CallOptions(ctx)...)
+	return obj, n.transformNeofsError(ctx, err)
 }
 
 // objectGet returns an object with payload in the object.
 func (n *layer) objectGet(ctx context.Context, cid *cid.ID, oid *object.ID) (*object.Object, error) {
 	ops := new(client.GetObjectParams).WithAddress(newAddress(cid, oid))
-	return n.pool.GetObject(ctx, ops, n.CallOptions(ctx)...)
+	obj, err := n.pool.GetObject(ctx, ops, n.CallOptions(ctx)...)
+	return obj, n.transformNeofsError(ctx, err)
 }
 
 // objectRange gets object range and writes it into provided io.Writer.
 func (n *layer) objectRange(ctx context.Context, p *getParams) ([]byte, error) {
 	w := newWriter(p.Writer, p.offset, p.length)
 	ops := new(client.RangeDataParams).WithAddress(newAddress(p.cid, p.oid)).WithDataWriter(w).WithRange(p.Range)
-	return n.pool.ObjectPayloadRangeData(ctx, ops, n.CallOptions(ctx)...)
+	payload, err := n.pool.ObjectPayloadRangeData(ctx, ops, n.CallOptions(ctx)...)
+	return payload, n.transformNeofsError(ctx, err)
 }
 
 // objectPut into NeoFS, took payload from io.Reader.
@@ -168,7 +174,7 @@ func (n *layer) objectPut(ctx context.Context, bkt *data.BucketInfo, p *PutObjec
 	ops := new(client.PutObjectParams).WithObject(rawObject.Object()).WithPayloadReader(r)
 	oid, err := n.pool.PutObject(ctx, ops, n.CallOptions(ctx)...)
 	if err != nil {
-		return nil, err
+		return nil, n.transformNeofsError(ctx, err)
 	}
 
 	if p.Header[VersionsDeleteMarkAttr] == DelMarkFullObject {
@@ -395,7 +401,8 @@ func (n *layer) objectDelete(ctx context.Context, cid *cid.ID, oid *object.ID) e
 	dop := new(client.DeleteObjectParams)
 	dop.WithAddress(address)
 	n.objCache.Delete(address)
-	return n.pool.DeleteObject(ctx, dop, n.CallOptions(ctx)...)
+	err := n.pool.DeleteObject(ctx, dop, n.CallOptions(ctx)...)
+	return n.transformNeofsError(ctx, err)
 }
 
 // ListObjectsV1 returns objects in a bucket for requests of Version 1.
@@ -639,3 +646,16 @@ func (n *layer) objectFromObjectsCacheOrNeoFS(ctx context.Context, cid *cid.ID,
 
 	return meta
 }
+
+func (n *layer) transformNeofsError(ctx context.Context, err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if strings.Contains(err.Error(), "access to operation") && strings.Contains(err.Error(), "is denied by") {
+		n.log.Debug("error was transformed", zap.String("request_id", api.GetRequestID(ctx)), zap.Error(err))
+		return apiErrors.GetAPIError(apiErrors.ErrAccessDenied)
+	}
+
+	return err
+}
diff --git a/api/layer/system_object.go b/api/layer/system_object.go
index d5b891e9..7bf2020b 100644
--- a/api/layer/system_object.go
+++ b/api/layer/system_object.go
@@ -107,7 +107,7 @@ func (n *layer) putSystemObjectIntoNeoFS(ctx context.Context, p *PutSystemObject
 	ops := new(client.PutObjectParams).WithObject(raw.Object()).WithPayloadReader(p.Reader)
 	oid, err := n.pool.PutObject(ctx, ops, n.CallOptions(ctx)...)
 	if err != nil {
-		return nil, err
+		return nil, n.transformNeofsError(ctx, err)
 	}
 
 	meta, err := n.objectHead(ctx, p.BktInfo.CID, oid)