[#1524 ] tree: Make check APE error get wrapped to api status

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
[#1524 ] ape: Make APE checker return error without status
2024-11-27 15:57:45 +03:00 · 2024-11-27 15:57:33 +03:00
2 changed files with 12 additions and 10 deletions
--- a/pkg/services/common/ape/checker.go
+++ b/pkg/services/common/ape/checker.go
@ -11,7 +11,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
-	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
@ -104,14 +103,7 @@ func (c *checkerCoreImpl) CheckAPE(prm CheckPrm) error {
 	if found && status == apechain.Allow {
 		return nil
 	}
-	err = fmt.Errorf("access to operation %s is denied by access policy engine: %s", prm.Request.Operation(), status.String())
-	return apeErr(err)
-}
-
-func apeErr(err error) error {
-	errAccessDenied := &apistatus.ObjectAccessDenied{}
-	errAccessDenied.WriteReason(err.Error())
-	return errAccessDenied
+	return fmt.Errorf("access to operation %s is denied by access policy engine: %s", prm.Request.Operation(), status.String())
 }

 // isValidBearer checks whether bearer token was correctly signed by authorized
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@ -11,6 +11,7 @@ import (
 	core "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
@ -62,7 +63,16 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
 		return fmt.Errorf("can't get request role: %w", err)
 	}

-	return s.checkAPE(ctx, bt, cnr, cid, op, role, pubKey)
+	if err = s.checkAPE(ctx, bt, cnr, cid, op, role, pubKey); err != nil {
+		return apeErr(err)
+	}
+	return nil
+}
+
+func apeErr(err error) error {
+	errAccessDenied := &apistatus.ObjectAccessDenied{}
+	errAccessDenied.WriteReason(err.Error())
+	return errAccessDenied
 }

 // Returns true iff the operation is read-only and request was signed
Author	SHA1	Message	Date
Airat Arifullin	d831ffc695	[#1524 ] tree: Make check APE error get wrapped to api status All checks were successful Tests and linters / Run gofumpt (pull_request) Successful in 1m21s Details Tests and linters / gopls check (pull_request) Successful in 2m48s Details Tests and linters / Staticcheck (pull_request) Successful in 3m6s Details Tests and linters / Lint (pull_request) Successful in 3m54s Details Tests and linters / Tests (pull_request) Successful in 4m3s Details Tests and linters / Tests with -race (pull_request) Successful in 4m39s Details DCO action / DCO (pull_request) Successful in 2m33s Details Vulncheck / Vulncheck (pull_request) Successful in 1m27s Details Build / Build Components (pull_request) Successful in 2m24s Details Pre-commit hooks / Pre-commit (pull_request) Successful in 2m21s Details Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-11-27 15:57:45 +03:00
Airat Arifullin	fa2e46a65a	[#1524 ] ape: Make APE checker return error without status Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-11-27 15:57:33 +03:00