[#115] Make ACL classifier errors transparent for client
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
parent
ca552f53c6
commit
094248690b
2 changed files with 16 additions and 15 deletions
|
@ -86,6 +86,7 @@ type accessErr struct {
|
||||||
|
|
||||||
var (
|
var (
|
||||||
ErrMalformedRequest = errors.New("malformed request")
|
ErrMalformedRequest = errors.New("malformed request")
|
||||||
|
ErrInternal = errors.New("internal error")
|
||||||
ErrUnknownRole = errors.New("can't classify request sender")
|
ErrUnknownRole = errors.New("can't classify request sender")
|
||||||
ErrUnknownContainer = errors.New("can't fetch container info")
|
ErrUnknownContainer = errors.New("can't fetch container info")
|
||||||
)
|
)
|
||||||
|
@ -387,7 +388,11 @@ func (b Service) findRequestInfo(
|
||||||
}
|
}
|
||||||
|
|
||||||
// find request role and key
|
// find request role and key
|
||||||
role, key := b.sender.Classify(req, cid, cnr)
|
role, key, err := b.sender.Classify(req, cid, cnr)
|
||||||
|
if err != nil {
|
||||||
|
return info, err
|
||||||
|
}
|
||||||
|
|
||||||
if role == acl.RoleUnknown {
|
if role == acl.RoleUnknown {
|
||||||
return info, ErrUnknownRole
|
return info, ErrUnknownRole
|
||||||
}
|
}
|
||||||
|
|
|
@ -44,17 +44,15 @@ func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
|
||||||
func (c SenderClassifier) Classify(
|
func (c SenderClassifier) Classify(
|
||||||
req metaWithToken,
|
req metaWithToken,
|
||||||
cid *container.ID,
|
cid *container.ID,
|
||||||
cnr *container.Container) (acl.Role, []byte) {
|
cnr *container.Container) (acl.Role, []byte, error) {
|
||||||
|
|
||||||
if cid == nil {
|
if cid == nil {
|
||||||
// log there
|
return 0, nil, errors.Wrap(ErrMalformedRequest, "container id is not set")
|
||||||
return acl.RoleUnknown, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ownerID, ownerKey, err := requestOwner(req)
|
ownerID, ownerKey, err := requestOwner(req)
|
||||||
if err != nil || ownerID == nil || ownerKey == nil {
|
if err != nil {
|
||||||
// log there
|
return 0, nil, err
|
||||||
return acl.RoleUnknown, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
|
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
|
||||||
|
@ -63,27 +61,25 @@ func (c SenderClassifier) Classify(
|
||||||
|
|
||||||
// if request owner is the same as container owner, return RoleUser
|
// if request owner is the same as container owner, return RoleUser
|
||||||
if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
|
if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
|
||||||
return acl.RoleUser, ownerKeyInBytes
|
return acl.RoleUser, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// log there
|
return 0, nil, errors.Wrap(err, "can't check if request from inner ring")
|
||||||
return acl.RoleUnknown, nil
|
|
||||||
} else if isInnerRingNode {
|
} else if isInnerRingNode {
|
||||||
return acl.RoleSystem, ownerKeyInBytes
|
return acl.RoleSystem, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// log there
|
return 0, nil, errors.Wrap(err, "can't check if request from container node")
|
||||||
return acl.RoleUnknown, nil
|
|
||||||
} else if isContainerNode {
|
} else if isContainerNode {
|
||||||
return acl.RoleSystem, ownerKeyInBytes
|
return acl.RoleSystem, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// if none of above, return RoleOthers
|
// if none of above, return RoleOthers
|
||||||
return acl.RoleOthers, ownerKeyInBytes
|
return acl.RoleOthers, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
|
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
|
||||||
|
|
Loading…
Reference in a new issue