[#1574] ape: Extend ChainRouterError

* Introduce new fields and getters for them;
* Fix `CheckAPE` in `checkerCoreImpl` at `newChainRouterError`.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Airat Arifullin 2025-02-24 19:30:05 +03:00
parent 00faa9f854
commit b83bce1435
2 changed files with 25 additions and 9 deletions


@ -104,7 +104,7 @@ func (c *checkerCoreImpl) CheckAPE(ctx context.Context, prm CheckPrm) error {
if found && status == apechain.Allow { if found && status == apechain.Allow {
return nil return nil
} }
return newChainRouterError(prm.Request.Operation(), status) return newChainRouterError(rt, prm.Request, status)
} }
// isValidBearer checks whether bearer token was correctly signed by authorized // isValidBearer checks whether bearer token was correctly signed by authorized


@ -3,31 +3,47 @@ package ape
import ( import (
"fmt" "fmt"
aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request"
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
) )
// ChainRouterError is returned when chain router validation prevents // ChainRouterError is returned when chain router validation prevents
// the APE request from being processed (no rule found, access denied, etc.). // the APE request from being processed (no rule found, access denied, etc.).
type ChainRouterError struct { type ChainRouterError struct {
operation string target policyengine.RequestTarget
request aperequest.Request
status apechain.Status status apechain.Status
} }
func (e *ChainRouterError) Error() string { func (e *ChainRouterError) Error() string {
return fmt.Sprintf("access to operation %s is denied by access policy engine: %s", e.Operation(), e.Status()) return fmt.Sprintf("access to operation %s is denied by access policy engine: %s", e.Request().Operation(), e.Status())
} }
func (e *ChainRouterError) Operation() string { func (e *ChainRouterError) Target() policyengine.RequestTarget {
return e.operation return e.target
}
func (e *ChainRouterError) Request() aperequest.Request {
return e.request
}
func (e *ChainRouterError) Resource() aperequest.Resource {
res, ok := e.request.Resource().(*aperequest.Resource)
if !ok {
return aperequest.Resource{}
}
return *res
} }
func (e *ChainRouterError) Status() apechain.Status { func (e *ChainRouterError) Status() apechain.Status {
return e.status return e.status
} }
func newChainRouterError(operation string, status apechain.Status) *ChainRouterError { func newChainRouterError(target policyengine.RequestTarget, request aperequest.Request, status apechain.Status) *ChainRouterError {
return &ChainRouterError{ return &ChainRouterError{
operation: operation, target: target,
request: request,
status: status, status: status,
} }
} }
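Review bot: `Resource()` turns a failed type assertion into an empty `aperequest.Resource{}`, so code that records or reports a denial from this error cannot tell "resource unknown" from a resource whose fields are really empty. Returning the outcome would make that explicit: `func (e *ChainRouterError) Resource() (aperequest.Resource, bool)` with `return aperequest.Resource{}, false` and `return *res, true`. The same guard also passes when the interface holds a nil `*aperequest.Resource`, in which case `*res` panics; whether that can happen depends on how the request is built, which is not visible here, but `if !ok || res == nil {` removes the doubt. The new exported getters have no doc comments. Since the error now keeps the whole request instead of only the operation string, a line such as `// Request returns the APE request that was denied; log selected fields rather than the whole value.` on `Request()` would tell callers how to treat it.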