object: Skip APE check for certain request roles #1039

Merged
fyrchik merged 1 commit from aarifullin/frostfs-node:fix/check_ape_role into master 2024-03-12 18:05:48 +00:00

View file

@ -10,6 +10,7 @@ import (
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
) )
type checkerImpl struct { type checkerImpl struct {
@ -56,6 +57,21 @@ var errMissingOID = errors.New("object ID is not set")
// CheckAPE checks if a request or a response is permitted creating an ape request and passing // CheckAPE checks if a request or a response is permitted creating an ape request and passing
// it to chain router. // it to chain router.
func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error { func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
// APE check is ignored for some inter-node requests.
if prm.Role == nativeschema.PropertyValueContainerRoleContainer {
return nil
} else if prm.Role == nativeschema.PropertyValueContainerRoleIR {
switch prm.Method {
fyrchik marked this conversation as resolved Outdated

Can we do this check before newAPERequest call? It seems we do not use the result.

Can we do this check before `newAPERequest` call? It seems we do not use the result.

Moved this checks at the top. Also, I replaced checking prm.Role by if-else statements instead switch

Moved this checks at the top. Also, I replaced checking `prm.Role` by if-else statements instead `switch`
case nativeschema.MethodGetObject,
nativeschema.MethodHeadObject,
nativeschema.MethodSearchObject,
nativeschema.MethodRangeObject,
nativeschema.MethodHashObject:
return nil
fyrchik marked this conversation as resolved Outdated

I would rather make return nil on explicit enumeration of read methods: this way we won't accidentally allow writing something when new method is added.

I would rather make `return nil` on explicit enumeration of read methods: this way we won't accidentally allow writing something when new method is added.

Sure. Fixed

Sure. Fixed
default:
}
}
r, err := c.newAPERequest(ctx, prm) r, err := c.newAPERequest(ctx, prm)
if err != nil { if err != nil {
return fmt.Errorf("failed to create ape request: %w", err) return fmt.Errorf("failed to create ape request: %w", err)