[#180] Return isInnerRing flag in request classifier
Signed-off-by: Alex Vanin <alexey@nspcc.ru>remotes/KirillovDenis/release/v0.21.1
Alex Vanin
Alex Vanin
parent
6f841e319d
commit
cf85fa9fab
|
|
@ -405,7 +405,7 @@ func (b Service) findRequestInfo(
|
|||
}
|
||||
|
||||
// find request role and key
|
||||
role, key, err := b.sender.Classify(req, cid, cnr)
|
||||
role, isIR, key, err := b.sender.Classify(req, cid, cnr)
|
||||
if err != nil {
|
||||
return info, err
|
||||
}
|
||||
|
|
@ -420,6 +420,7 @@ func (b Service) findRequestInfo(
|
|||
|
||||
info.basicACL = basicACLHelper(cnr.BasicACL())
|
||||
info.requestRole = role
|
||||
info.isInnerRing = isIR
|
||||
info.operation = verb
|
||||
info.owner = cnr.OwnerID()
|
||||
info.cid = cid
|
||||
|
|
|
|||
|
|
@ -46,15 +46,15 @@ func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
|
|||
func (c SenderClassifier) Classify(
|
||||
req metaWithToken,
|
||||
cid *container.ID,
|
||||
cnr *container.Container) (acl.Role, []byte, error) {
|
||||
cnr *container.Container) (role acl.Role, isIR bool, key []byte, err error) {
|
||||
|
||||
if cid == nil {
|
||||
return 0, nil, errors.Wrap(ErrMalformedRequest, "container id is not set")
|
||||
return 0, false, nil, errors.Wrap(ErrMalformedRequest, "container id is not set")
|
||||
}
|
||||
|
||||
ownerID, ownerKey, err := requestOwner(req)
|
||||
if err != nil {
|
||||
return 0, nil, err
|
||||
return 0, false, nil, err
|
||||
}
|
||||
|
||||
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
|
||||
|
|
@ -63,25 +63,25 @@ func (c SenderClassifier) Classify(
|
|||
|
||||
// if request owner is the same as container owner, return RoleUser
|
||||
if bytes.Equal(cnr.OwnerID().ToV2().GetValue(), ownerID.ToV2().GetValue()) {
|
||||
return acl.RoleUser, ownerKeyInBytes, nil
|
||||
return acl.RoleUser, false, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
||||
if err != nil {
|
||||
return 0, nil, errors.Wrap(err, "can't check if request from inner ring")
|
||||
return 0, false, nil, errors.Wrap(err, "can't check if request from inner ring")
|
||||
} else if isInnerRingNode {
|
||||
return acl.RoleSystem, ownerKeyInBytes, nil
|
||||
return acl.RoleSystem, true, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
||||
if err != nil {
|
||||
return 0, nil, errors.Wrap(err, "can't check if request from container node")
|
||||
return 0, false, nil, errors.Wrap(err, "can't check if request from container node")
|
||||
} else if isContainerNode {
|
||||
return acl.RoleSystem, ownerKeyInBytes, nil
|
||||
return acl.RoleSystem, false, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
// if none of above, return RoleOthers
|
||||
return acl.RoleOthers, ownerKeyInBytes, nil
|
||||
return acl.RoleOthers, false, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue