[SUPPORT] Introduce ChainRouterError error type and wrap only these errors with ObjectAccessDenied status #1565
4 changed files with 50 additions and 1 deletions
|
|
@ -103,7 +103,7 @@ func (c *checkerCoreImpl) CheckAPE(prm CheckPrm) error {
|
|||
if found && status == apechain.Allow {
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("access to operation %s is denied by access policy engine: %s", prm.Request.Operation(), status.String())
|
||||
return newChainRouterError(prm.Request.Operation(), status)
|
||||
}
|
||||
|
||||
// isValidBearer checks whether bearer token was correctly signed by authorized
|
||||
|
|
|
|||
33
pkg/services/common/ape/error.go
Normal file
33
pkg/services/common/ape/error.go
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
package ape
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
)
|
||||
|
||||
// ChainRouterError is returned when chain router validation prevents
|
||||
// the APE request from being processed (no rule found, access denied, etc.).
|
||||
type ChainRouterError struct {
|
||||
operation string
|
||||
status apechain.Status
|
||||
}
|
||||
|
||||
func (e *ChainRouterError) Error() string {
|
||||
return fmt.Sprintf("access to operation %s is denied by access policy engine: %s", e.Operation(), e.Status())
|
||||
}
|
||||
|
||||
func (e *ChainRouterError) Operation() string {
|
||||
return e.operation
|
||||
}
|
||||
|
||||
func (e *ChainRouterError) Status() apechain.Status {
|
||||
return e.status
|
||||
}
|
||||
|
||||
func newChainRouterError(operation string, status apechain.Status) *ChainRouterError {
|
||||
return &ChainRouterError{
|
||||
operation: operation,
|
||||
status: status,
|
||||
}
|
||||
}
|
||||
|
|
@ -1,10 +1,19 @@
|
|||
package ape
|
||||
|
||||
import (
|
||||
"errors"
|
||||
|
||||
checkercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
|
||||
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
||||
)
|
||||
|
||||
func toStatusErr(err error) error {
|
||||
var chRouterErr *checkercore.ChainRouterError
|
||||
if !errors.As(err, &chRouterErr) {
|
||||
errServerInternal := &apistatus.ServerInternal{}
|
||||
apistatus.WriteInternalServerErr(errServerInternal, err)
|
||||
return errServerInternal
|
||||
}
|
||||
errAccessDenied := &apistatus.ObjectAccessDenied{}
|
||||
errAccessDenied.WriteReason("ape denied request: " + err.Error())
|
||||
return errAccessDenied
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
"fmt"
|
||||
|
||||
core "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
|
||||
checkercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
|
||||
|
|
@ -70,6 +71,12 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
|
|||
}
|
||||
|
||||
func apeErr(err error) error {
|
||||
var chRouterErr *checkercore.ChainRouterError
|
||||
if !errors.As(err, &chRouterErr) {
|
||||
errServerInternal := &apistatus.ServerInternal{}
|
||||
apistatus.WriteInternalServerErr(errServerInternal, err)
|
||||
return errServerInternal
|
||||
}
|
||||
errAccessDenied := &apistatus.ObjectAccessDenied{}
|
||||
errAccessDenied.WriteReason(err.Error())
|
||||
return errAccessDenied
|
||||
|
|
|
|||
Loading…
Reference in a new issue