Refactor ACL service #207
1 changed files with 41 additions and 29 deletions
|
@ -14,6 +14,7 @@ import (
|
|||
bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
||||
eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||
|
@ -118,8 +119,6 @@ func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner user.ID) bool {
|
|||
}
|
||||
|
||||
// CheckEACL is a main check function for extended ACL.
|
||||
//
|
||||
// nolint: funlen
|
||||
func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
||||
basicACL := reqInfo.BasicACL()
|
||||
if !basicACL.Extendable() {
|
||||
|
@ -154,6 +153,44 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
|||
return err
|
||||
}
|
||||
|
||||
hdrSrc, err := c.getHeaderSource(cnr, msg, reqInfo)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
eaclRole := getRole(reqInfo)
|
||||
|
||||
action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
|
||||
WithRole(eaclRole).
|
||||
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
|
||||
WithContainerID(&cnr).
|
||||
WithSenderKey(reqInfo.SenderKey()).
|
||||
WithHeaderSource(hdrSrc).
|
||||
WithEACLTable(&table),
|
||||
)
|
||||
|
||||
if action != eaclSDK.ActionAllow {
|
||||
return errEACLDeniedByRule
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func getRole(reqInfo v2.RequestInfo) eaclSDK.Role {
|
||||
var eaclRole eaclSDK.Role
|
||||
switch op := reqInfo.RequestRole(); op {
|
||||
default:
|
||||
eaclRole = eaclSDK.Role(op)
|
||||
case acl.RoleOwner:
|
||||
eaclRole = eaclSDK.RoleUser
|
||||
case acl.RoleInnerRing, acl.RoleContainer:
|
||||
eaclRole = eaclSDK.RoleSystem
|
||||
case acl.RoleOthers:
|
||||
eaclRole = eaclSDK.RoleOthers
|
||||
}
|
||||
return eaclRole
|
||||
}
|
||||
|
||||
func (c *Checker) getHeaderSource(cnr cid.ID, msg any, reqInfo v2.RequestInfo) (eaclSDK.TypedHeaderSource, error) {
|
||||
hdrSrcOpts := make([]eaclV2.Option, 0, 3)
|
||||
|
||||
hdrSrcOpts = append(hdrSrcOpts,
|
||||
|
@ -175,34 +212,9 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
|||
|
||||
hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...)
|
||||
if err != nil {
|
||||
return fmt.Errorf("can't parse headers: %w", err)
|
||||
return nil, fmt.Errorf("can't parse headers: %w", err)
|
||||
}
|
||||
|
||||
var eaclRole eaclSDK.Role
|
||||
switch op := reqInfo.RequestRole(); op {
|
||||
default:
|
||||
eaclRole = eaclSDK.Role(op)
|
||||
case acl.RoleOwner:
|
||||
eaclRole = eaclSDK.RoleUser
|
||||
case acl.RoleInnerRing, acl.RoleContainer:
|
||||
eaclRole = eaclSDK.RoleSystem
|
||||
case acl.RoleOthers:
|
||||
eaclRole = eaclSDK.RoleOthers
|
||||
}
|
||||
|
||||
action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
|
||||
WithRole(eaclRole).
|
||||
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
|
||||
WithContainerID(&cnr).
|
||||
WithSenderKey(reqInfo.SenderKey()).
|
||||
WithHeaderSource(hdrSrc).
|
||||
WithEACLTable(&table),
|
||||
)
|
||||
|
||||
if action != eaclSDK.ActionAllow {
|
||||
return errEACLDeniedByRule
|
||||
}
|
||||
return nil
|
||||
return hdrSrc, nil
|
||||
}
|
||||
|
||||
// isValidBearer checks whether bearer token was correctly signed by authorized
|
||||
|
|
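Review bot: The error returned by `c.validator.CalculateAction(...)` is still discarded with `action, _ :=` in the block moved into CheckEACL, so a failed evaluation is denied only because the zero-value Action presumably differs from eaclSDK.ActionAllow, and a reader cannot tell whether that fail-closed outcome is intended or accidental. Either surface it — `action, err := c.validator.CalculateAction(...)` followed by `if err != nil { return fmt.Errorf("calculating eACL action: %w", err) }` — if callers may receive an evaluation error here, or keep the current path and state it with `// error deliberately ignored: any non-Allow action, including the zero value on error, is denied below`. The two new helpers getRole and getHeaderSource carry no doc comments; in particular getRole's `default:` branch converts with a bare `eaclSDK.Role(op)` cast, which is only correct where the acl.Role and eaclSDK.Role numeric values coincide, and a one-line comment stating that assumption would help the next reader. Placing `default:` before the named cases is legal but unusual; moving it last reads more naturally. CheckEACL's beginning lies outside these hunks, so I have not checked whether an earlier error path already covers the evaluation error.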