Fix error for APE check #1524
2 changed files with 12 additions and 10 deletions
|
|
@ -11,7 +11,6 @@ import (
|
|||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
|
|
@ -104,14 +103,7 @@ func (c *checkerCoreImpl) CheckAPE(prm CheckPrm) error {
|
|||
if found && status == apechain.Allow {
|
||||
return nil
|
||||
}
|
||||
err = fmt.Errorf("access to operation %s is denied by access policy engine: %s", prm.Request.Operation(), status.String())
|
||||
return apeErr(err)
|
||||
}
|
||||
|
||||
func apeErr(err error) error {
|
||||
errAccessDenied := &apistatus.ObjectAccessDenied{}
|
||||
errAccessDenied.WriteReason(err.Error())
|
||||
return errAccessDenied
|
||||
return fmt.Errorf("access to operation %s is denied by access policy engine: %s", prm.Request.Operation(), status.String())
|
||||
|
|
||||
}
|
||||
|
||||
// isValidBearer checks whether bearer token was correctly signed by authorized
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import (
|
|||
core "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
||||
cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||
frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
|
||||
|
|
@ -62,7 +63,16 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
|
|||
return fmt.Errorf("can't get request role: %w", err)
|
||||
}
|
||||
|
||||
return s.checkAPE(ctx, bt, cnr, cid, op, role, pubKey)
|
||||
if err = s.checkAPE(ctx, bt, cnr, cid, op, role, pubKey); err != nil {
|
||||
return apeErr(err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func apeErr(err error) error {
|
||||
errAccessDenied := &apistatus.ObjectAccessDenied{}
|
||||
errAccessDenied.WriteReason(err.Error())
|
||||
return errAccessDenied
|
||||
}
|
||||
|
||||
// Returns true iff the operation is read-only and request was signed
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue
This file has not been touched by the recent refactoring.
Why change it instead of fixing what has changed there?
It seems in PR #1362 I unnecessarily moved
apeErrto common package because I was thinking rather abouttreeservice thanobjectservice. It's better if the common package just returns error without statuses and each service wraps into status on its ownLet's have a look at the ape middleware of object service. Any failure is turned to
object access deniedbytoStatusErrinvocationSo, I suppose the middleware wraps an error on its own and I don't need to check statuses within