package acl

import (
	"errors"
	"fmt"

	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
	v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
)

// errAPEChainNoSource is returned by CheckIfRequestPermitted when the rule
// chain source for the request's container cannot be obtained. The error
// reported by the chain source itself is not attached to it, so callers
// only learn that the lookup failed, not why.
var errAPEChainNoSource = errors.New("could not get ape chain source for the container")

// apeCheckerImpl evaluates object requests against the access policy engine
// (APE) rule chains of the container the request targets.
type apeCheckerImpl struct {
	// log is stored by NewAPEChecker but not read by any method in this file.
	log *logger.Logger
	// apeSrc resolves the APE chain source for a container ID.
	apeSrc container.AccessPolicyEngineChainSource
}

// NewAPEChecker builds a v2.APEChainChecker that resolves per-container rule
// chains through apeSrc. log is kept on the checker for future use.
func NewAPEChecker(log *logger.Logger, apeSrc container.AccessPolicyEngineChainSource) v2.APEChainChecker {
	checker := &apeCheckerImpl{
		log:    log,
		apeSrc: apeSrc,
	}
	return checker
}

// CheckIfRequestPermitted decides whether the request described by reqInfo
// passes the container's APE chains.
//
// It returns nil when the chain source reports an explicit Allow, and also
// when no rule matches the request at all. It returns errAPEChainNoSource if
// the chain source for the container cannot be obtained, and an
// apistatus.ObjectAccessDenied (built by apeErr) for any other status.
//
// NOTE(review): "no matching rule" is treated as permitted here. Whether
// another ACL layer still gates such requests is not visible in this file;
// confirm before relying on this checker as the sole authorisation point.
func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
	chainCache, err := c.apeSrc.GetChainSource(reqInfo.ContainerID())
	if err != nil {
		// The chain source's own error is intentionally not propagated;
		// only the sentinel reaches the caller.
		return errAPEChainNoSource
	}

	var req Request
	req.FromRequestInfo(reqInfo)

	// The empty string is passed as the second argument of IsAllowed;
	// presumably a namespace/target selector — verify against policy-engine.
	status, matched := chainCache.IsAllowed(policyengine.Ingress, "", &req)
	switch {
	case !matched:
		// No rule applies to this request: not denied by this checker.
		return nil
	case status == policyengine.Allow:
		return nil
	default:
		return apeErr(reqInfo, status)
	}
}

// accessDeniedAPEReasonFmt formats the reason text placed into the
// ObjectAccessDenied status: the operation name followed by the APE status.
const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"

// apeErr builds the ObjectAccessDenied error returned to the client when the
// APE evaluation of req yields status. The reason text includes the request
// operation and the string form of status.
func apeErr(req v2.RequestInfo, status policyengine.Status) error {
	reason := fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String())

	denied := new(apistatus.ObjectAccessDenied)
	denied.WriteReason(reason)
	return denied
}