[#1563] ape: Introduce ChainRouterError
error type
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
892542d6e3
commit
bdb1f00e2b
2 changed files with 34 additions and 9 deletions
|
@ -11,7 +11,6 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||||
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
|
@ -104,14 +103,7 @@ func (c *checkerCoreImpl) CheckAPE(prm CheckPrm) error {
|
||||||
if found && status == apechain.Allow {
|
if found && status == apechain.Allow {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
err = fmt.Errorf("access to operation %s is denied by access policy engine: %s", prm.Request.Operation(), status.String())
|
return newChainRouterError(prm.Request.Operation(), status)
|
||||||
return apeErr(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
func apeErr(err error) error {
|
|
||||||
errAccessDenied := &apistatus.ObjectAccessDenied{}
|
|
||||||
errAccessDenied.WriteReason(err.Error())
|
|
||||||
return errAccessDenied
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// isValidBearer checks whether bearer token was correctly signed by authorized
|
// isValidBearer checks whether bearer token was correctly signed by authorized
|
||||||
|
|
33
pkg/services/common/ape/error.go
Normal file
33
pkg/services/common/ape/error.go
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
package ape
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ChainRouterError is returned when chain router validation prevents
|
||||||
|
// the APE request from being processed (no rule found, access denied, etc.).
|
||||||
|
type ChainRouterError struct {
|
||||||
|
operation string
|
||||||
|
status apechain.Status
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *ChainRouterError) Error() string {
|
||||||
|
return fmt.Sprintf("access to operation %s is denied by access policy engine: %s", e.Operation(), e.Status())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *ChainRouterError) Operation() string {
|
||||||
|
return e.operation
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *ChainRouterError) Status() apechain.Status {
|
||||||
|
return e.status
|
||||||
|
}
|
||||||
|
|
||||||
|
func newChainRouterError(operation string, status apechain.Status) *ChainRouterError {
|
||||||
|
return &ChainRouterError{
|
||||||
|
operation: operation,
|
||||||
|
status: status,
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue