services/tree: Remove eACL mentions from bearer token parsing errors

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
Evgenii Stratonikov 2024-10-09 10:55:48 +03:00
parent 323083b652
commit 04f5d1eae6
Signed by: fyrchik
SSH key fingerprint: SHA256:m/TTwCzjnRkXgnzEx9X92ccxy1CcVeinOgDb3NPWWmg


@ -15,7 +15,6 @@ import (
cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
)
@ -27,10 +26,6 @@ type message interface {
SetSignature(*Signature)
}
func eACLErr(op eacl.Operation, err error) error {
return fmt.Errorf("access to operation %s is denied by extended ACL check: %w", op, err)
}
var (
errBearerWrongContainer = errors.New("bearer token is created for another container")
errBearerSignature = errors.New("invalid bearer token signature")
@ -57,11 +52,9 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
return fmt.Errorf("can't get container %s: %w", cid, err)
}
eaclOp := eACLOp(op)
bt, err := parseBearer(rawBearer, cid, eaclOp)
bt, err := parseBearer(rawBearer, cid)
if err != nil {
return err
return fmt.Errorf("access to operation %s is denied: %w", op, err)
}
role, pubKey, err := roleAndPubKeyFromReq(cnr, req, bt)
@ -93,20 +86,20 @@ func (s *Service) isAuthorized(req message, op acl.Op) (bool, error) {
return false, nil
}
func parseBearer(rawBearer []byte, cid cidSDK.ID, eaclOp eacl.Operation) (*bearer.Token, error) {
func parseBearer(rawBearer []byte, cid cidSDK.ID) (*bearer.Token, error) {
if len(rawBearer) == 0 {
return nil, nil
}
bt := new(bearer.Token)
if err := bt.Unmarshal(rawBearer); err != nil {
return nil, eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
return nil, fmt.Errorf("invalid bearer token: %w", err)
}
if !bt.AssertContainer(cid) {
return nil, eACLErr(eaclOp, errBearerWrongContainer)
return nil, errBearerWrongContainer
}
if !bt.VerifySignature() {
return nil, eACLErr(eaclOp, errBearerSignature)
return nil, errBearerSignature
}
return bt, nil
}
@ -184,14 +177,3 @@ func roleAndPubKeyFromReq(cnr *core.Container, req message, bt *bearer.Token) (a
return role, pub, nil
}
func eACLOp(op acl.Op) eacl.Operation {
switch op {
case acl.OpObjectGet:
return eacl.OperationGet
case acl.OpObjectPut:
return eacl.OperationPut
default:
panic(fmt.Sprintf("unexpected tree service ACL operation: %s", op))
}
}
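Review bot: In `parseBearer`, `bt.AssertContainer(cid)` still runs before `bt.VerifySignature()`, so a field read from a token whose signature has not yet been checked decides which error the caller sees. Moving the `if !bt.VerifySignature() { return nil, errBearerSignature }` block directly after `Unmarshal` would keep every decision on authenticated data; the visible effect is limited to which sentinel is returned, since `verifyClient` now wraps both as `access to operation %s is denied: %w`. The function also returns `(nil, nil)` for an empty `rawBearer`, which deserves a doc comment such as `// parseBearer returns (nil, nil) when the request carries no bearer token.` so callers know to handle a nil token. `verifyClient` starts and ends outside the shown hunk.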