[#69] object/acl: Define access denied error
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
0f52444ae9
commit
6c3c872ee4
1 changed files with 29 additions and 12 deletions
|
@ -3,6 +3,7 @@ package acl
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
||||||
"github.com/nspcc-dev/neofs-api-go/pkg/container"
|
"github.com/nspcc-dev/neofs-api-go/pkg/container"
|
||||||
|
@ -56,11 +57,16 @@ type cfg struct {
|
||||||
next object.Service
|
next object.Service
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type accessErr struct {
|
||||||
|
requestInfo
|
||||||
|
|
||||||
|
failedCheckTyp string
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
ErrMalformedRequest = errors.New("malformed request")
|
ErrMalformedRequest = errors.New("malformed request")
|
||||||
ErrUnknownRole = errors.New("can't classify request sender")
|
ErrUnknownRole = errors.New("can't classify request sender")
|
||||||
ErrUnknownContainer = errors.New("can't fetch container info")
|
ErrUnknownContainer = errors.New("can't fetch container info")
|
||||||
ErrBasicAccessDenied = errors.New("access denied by basic acl")
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func defaultCfg() *cfg {
|
func defaultCfg() *cfg {
|
||||||
|
@ -99,7 +105,7 @@ func (b Service) Get(
|
||||||
}
|
}
|
||||||
|
|
||||||
if !basicACLCheck(reqInfo) {
|
if !basicACLCheck(reqInfo) {
|
||||||
return nil, ErrBasicAccessDenied
|
return nil, basicACLErr(reqInfo)
|
||||||
}
|
}
|
||||||
|
|
||||||
stream, err := b.next.Get(ctx, request)
|
stream, err := b.next.Get(ctx, request)
|
||||||
|
@ -139,7 +145,7 @@ func (b Service) Head(
|
||||||
}
|
}
|
||||||
|
|
||||||
if !basicACLCheck(reqInfo) {
|
if !basicACLCheck(reqInfo) {
|
||||||
return nil, ErrBasicAccessDenied
|
return nil, basicACLErr(reqInfo)
|
||||||
}
|
}
|
||||||
|
|
||||||
return b.next.Head(ctx, request)
|
return b.next.Head(ctx, request)
|
||||||
|
@ -167,7 +173,7 @@ func (b Service) Search(
|
||||||
}
|
}
|
||||||
|
|
||||||
if !basicACLCheck(reqInfo) {
|
if !basicACLCheck(reqInfo) {
|
||||||
return nil, ErrBasicAccessDenied
|
return nil, basicACLErr(reqInfo)
|
||||||
}
|
}
|
||||||
|
|
||||||
stream, err := b.next.Search(ctx, request)
|
stream, err := b.next.Search(ctx, request)
|
||||||
|
@ -194,7 +200,7 @@ func (b Service) Delete(
|
||||||
}
|
}
|
||||||
|
|
||||||
if !basicACLCheck(reqInfo) {
|
if !basicACLCheck(reqInfo) {
|
||||||
return nil, ErrBasicAccessDenied
|
return nil, basicACLErr(reqInfo)
|
||||||
}
|
}
|
||||||
|
|
||||||
return b.next.Delete(ctx, request)
|
return b.next.Delete(ctx, request)
|
||||||
|
@ -220,7 +226,7 @@ func (b Service) GetRange(
|
||||||
}
|
}
|
||||||
|
|
||||||
if !basicACLCheck(reqInfo) {
|
if !basicACLCheck(reqInfo) {
|
||||||
return nil, ErrBasicAccessDenied
|
return nil, basicACLErr(reqInfo)
|
||||||
}
|
}
|
||||||
|
|
||||||
stream, err := b.next.GetRange(ctx, request)
|
stream, err := b.next.GetRange(ctx, request)
|
||||||
|
@ -247,7 +253,7 @@ func (b Service) GetRangeHash(
|
||||||
}
|
}
|
||||||
|
|
||||||
if !basicACLCheck(reqInfo) {
|
if !basicACLCheck(reqInfo) {
|
||||||
return nil, ErrBasicAccessDenied
|
return nil, basicACLErr(reqInfo)
|
||||||
}
|
}
|
||||||
|
|
||||||
return b.next.GetRangeHash(ctx, request)
|
return b.next.GetRangeHash(ctx, request)
|
||||||
|
@ -282,7 +288,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, ownerID) {
|
if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, ownerID) {
|
||||||
return ErrBasicAccessDenied
|
return basicACLErr(reqInfo)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -312,7 +318,7 @@ func (g getStreamBasicChecker) Recv() (*object.GetResponse, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if !stickyBitCheck(g.info, ownerID) {
|
if !stickyBitCheck(g.info, ownerID) {
|
||||||
return nil, ErrBasicAccessDenied
|
return nil, basicACLErr(g.info)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -463,3 +469,14 @@ func tokenVerbToOperation(verb session.ObjectSessionVerb) acl.Operation {
|
||||||
return acl.OperationUnknown
|
return acl.OperationUnknown
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (a *accessErr) Error() string {
|
||||||
|
return fmt.Sprintf("access to operation %v is denied by %s check", a.operation, a.failedCheckTyp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func basicACLErr(info requestInfo) error {
|
||||||
|
return &accessErr{
|
||||||
|
requestInfo: info,
|
||||||
|
failedCheckTyp: "basic ACL",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue