[#372] Drop [e]ACL related code

Always consider buckets as APE compatible Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-05-28 15:50:34 +03:00 · 2024-05-28 15:50:34 +03:00 · 465eaa816a
commit 465eaa816a
parent 9241954496
19 changed files with 43 additions and 3342 deletions
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
--- a/api/handler/acl_test.go
+++ b/api/handler/acl_test.go
--- a/api/handler/copy.go
+++ b/api/handler/copy.go
@ -13,7 +13,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"go.uber.org/zap"
 )

@ -42,11 +41,10 @@ func path2BucketObject(path string) (string, string, error) {

 func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
 	var (
-		err              error
-		versionID        string
-		metadata         map[string]string
-		tagSet           map[string]string
-		sessionTokenEACL *session.Container
+		err       error
+		versionID string
+		metadata  map[string]string
+		tagSet    map[string]string

 		ctx     = r.Context()
 		reqInfo = middleware.GetReqInfo(ctx)
@ -93,20 +91,11 @@ func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	apeEnabled := dstBktInfo.APEEnabled || settings.CannedACL != ""
-	if apeEnabled && cannedACLStatus == aclStatusYes {
+	if cannedACLStatus == aclStatusYes {
 		h.logAndSendError(w, "acl not supported for this bucket", reqInfo, errors.GetAPIError(errors.ErrAccessControlListNotSupported))
 		return
 	}

-	needUpdateEACLTable := !(apeEnabled || cannedACLStatus == aclStatusNo)
-	if needUpdateEACLTable {
-		if sessionTokenEACL, err = getSessionTokenSetEACL(ctx); err != nil {
-			h.logAndSendError(w, "could not get eacl session token from a box", reqInfo, err)
-			return
-		}
-	}
-
 	extendedSrcObjInfo, err := h.obj.GetExtendedObjectInfo(ctx, srcObjPrm)
 	if err != nil {
 		h.logAndSendError(w, "could not find object", reqInfo, err)
@ -239,25 +228,6 @@ func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if needUpdateEACLTable {
-		newEaclTable, err := h.getNewEAclTable(r, dstBktInfo, dstObjInfo)
-		if err != nil {
-			h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
-			return
-		}
-
-		p := &layer.PutBucketACLParams{
-			BktInfo:      dstBktInfo,
-			EACL:         newEaclTable,
-			SessionToken: sessionTokenEACL,
-		}
-
-		if err = h.obj.PutBucketACL(ctx, p); err != nil {
-			h.logAndSendError(w, "could not put bucket acl", reqInfo, err)
-			return
-		}
-	}
-
 	if tagSet != nil {
 		tagPrm := &data.PutObjectTaggingParams{
 			ObjectVersion: &data.ObjectVersion{
--- a/api/handler/head_test.go
+++ b/api/handler/head_test.go
@ -7,12 +7,9 @@ import (

 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	s3errors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
-	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
-	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/stretchr/testify/require"
 )
@ -84,31 +81,6 @@ func headObject(t *testing.T, tc *handlerContext, bktName, objName string, heade
 	assertStatus(t, w, status)
 }

-func TestInvalidAccessThroughCache(t *testing.T) {
-	hc := prepareHandlerContext(t)
-
-	bktName, objName := "bucket-for-cache", "obj-for-cache"
-	bktInfo, _ := createBucketAndObject(hc, bktName, objName)
-	setContainerEACL(hc, bktInfo.CID)
-
-	headObject(t, hc, bktName, objName, nil, http.StatusOK)
-
-	w, r := prepareTestRequest(hc, bktName, objName, nil)
-	hc.Handler().HeadObjectHandler(w, r.WithContext(middleware.SetBox(r.Context(), &middleware.Box{AccessBox: newTestAccessBox(t, nil)})))
-	assertStatus(t, w, http.StatusForbidden)
-}
-
-func setContainerEACL(hc *handlerContext, cnrID cid.ID) {
-	table := eacl.NewTable()
-	table.SetCID(cnrID)
-	for _, op := range fullOps {
-		table.AddRecord(getOthersRecord(op, eacl.ActionDeny))
-	}
-
-	err := hc.MockedPool().SetContainerEACL(hc.Context(), *table, nil)
-	require.NoError(hc.t, err)
-}
-
 func TestHeadObject(t *testing.T) {
 	hc := prepareHandlerContextWithMinCache(t)
 	bktName, objName := "bucket", "obj"
@ -155,7 +127,7 @@ func newTestAccessBox(t *testing.T, key *keys.PrivateKey) *accessbox.Box {
 	}

 	var btoken bearer.Token
-	btoken.SetEACLTable(*eacl.NewTable())
+	btoken.SetImpersonate(true)
 	err = btoken.Sign(key.PrivateKey)
 	require.NoError(t, err)

--- a/api/handler/multipart_upload.go
+++ b/api/handler/multipart_upload.go
@ -112,14 +112,7 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 		return
 	}

-	settings, err := h.obj.GetBucketSettings(r.Context(), bktInfo)
-	if err != nil {
-		h.logAndSendError(w, "couldn't get bucket settings", reqInfo, err)
-		return
-	}
-
-	apeEnabled := bktInfo.APEEnabled || settings.CannedACL != ""
-	if apeEnabled && cannedACLStatus == aclStatusYes {
+	if cannedACLStatus == aclStatusYes {
 		h.logAndSendError(w, "acl not supported for this bucket", reqInfo, errors.GetAPIError(errors.ErrAccessControlListNotSupported))
 		return
 	}
@ -133,20 +126,6 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 		Data: &layer.UploadData{},
 	}

-	needUpdateEACLTable := !(apeEnabled || cannedACLStatus == aclStatusNo)
-	if needUpdateEACLTable {
-		key, err := h.bearerTokenIssuerKey(r.Context())
-		if err != nil {
-			h.logAndSendError(w, "couldn't get gate key", reqInfo, err, additional...)
-			return
-		}
-		if _, err = parseACLHeaders(r.Header, key); err != nil {
-			h.logAndSendError(w, "could not parse acl", reqInfo, err, additional...)
-			return
-		}
-		p.Data.ACLHeaders = formACLHeadersForMultipart(r.Header)
-	}
-
 	if len(r.Header.Get(api.AmzTagging)) > 0 {
 		p.Data.TagSet, err = parseTaggingHeader(r.Header)
 		if err != nil {
@ -196,25 +175,6 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 	}
 }

-func formACLHeadersForMultipart(header http.Header) map[string]string {
-	result := make(map[string]string)
-
-	if value := header.Get(api.AmzACL); value != "" {
-		result[api.AmzACL] = value
-	}
-	if value := header.Get(api.AmzGrantRead); value != "" {
-		result[api.AmzGrantRead] = value
-	}
-	if value := header.Get(api.AmzGrantFullControl); value != "" {
-		result[api.AmzGrantFullControl] = value
-	}
-	if value := header.Get(api.AmzGrantWrite); value != "" {
-		result[api.AmzGrantWrite] = value
-	}
-
-	return result
-}
-
 func (h *handler) UploadPartHandler(w http.ResponseWriter, r *http.Request) {
 	reqInfo := middleware.GetReqInfo(r.Context())

@ -500,33 +460,6 @@ func (h *handler) completeMultipartUpload(r *http.Request, c *layer.CompleteMult
 		}
 	}

-	if len(uploadData.ACLHeaders) != 0 {
-		sessionTokenSetEACL, err := getSessionTokenSetEACL(ctx)
-		if err != nil {
-			return nil, fmt.Errorf("couldn't get eacl token: %w", err)
-		}
-		key, err := h.bearerTokenIssuerKey(ctx)
-		if err != nil {
-			return nil, fmt.Errorf("couldn't get gate key: %w", err)
-		}
-		acl, err := parseACLHeaders(r.Header, key)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse acl: %w", err)
-		}
-
-		resInfo := &resourceInfo{
-			Bucket: objInfo.Bucket,
-			Object: objInfo.Name,
-		}
-		astObject, err := aclToAst(acl, resInfo)
-		if err != nil {
-			return nil, fmt.Errorf("could not translate acl of completed multipart upload to ast: %w", err)
-		}
-		if _, err = h.updateBucketACL(r, astObject, bktInfo, sessionTokenSetEACL); err != nil {
-			return nil, fmt.Errorf("could not update bucket acl while completing multipart upload: %w", err)
-		}
-	}
-
 	return objInfo, nil
 }

--- a/api/handler/put.go
+++ b/api/handler/put.go
@ -28,8 +28,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/retryer"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/tree"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
@ -173,10 +171,9 @@ func (p *policyCondition) UnmarshalJSON(data []byte) error {

 // keywords of predefined basic ACL values.
 const (
-	basicACLPrivate   = "private"
-	basicACLReadOnly  = "public-read"
-	basicACLPublic    = "public-read-write"
-	cannedACLAuthRead = "authenticated-read"
+	basicACLPrivate  = "private"
+	basicACLReadOnly = "public-read"
+	basicACLPublic   = "public-read-write"
 )

 type createBucketParams struct {
@ -186,12 +183,10 @@ type createBucketParams struct {

 func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 	var (
-		err              error
-		newEaclTable     *eacl.Table
-		sessionTokenEACL *session.Container
-		cannedACLStatus  = aclHeadersStatus(r)
-		ctx              = r.Context()
-		reqInfo          = middleware.GetReqInfo(ctx)
+		err             error
+		cannedACLStatus = aclHeadersStatus(r)
+		ctx             = r.Context()
+		reqInfo         = middleware.GetReqInfo(ctx)
 	)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -206,20 +201,11 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	apeEnabled := bktInfo.APEEnabled || settings.CannedACL != ""
-	if apeEnabled && cannedACLStatus == aclStatusYes {
+	if cannedACLStatus == aclStatusYes {
 		h.logAndSendError(w, "acl not supported for this bucket", reqInfo, errors.GetAPIError(errors.ErrAccessControlListNotSupported))
 		return
 	}

-	needUpdateEACLTable := !(apeEnabled || cannedACLStatus == aclStatusNo)
-	if needUpdateEACLTable {
-		if sessionTokenEACL, err = getSessionTokenSetEACL(r.Context()); err != nil {
-			h.logAndSendError(w, "could not get eacl session token from a box", reqInfo, err)
-			return
-		}
-	}
-
 	tagSet, err := parseTaggingHeader(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "could not parse tagging header", reqInfo, err)
@ -292,13 +278,6 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	objInfo := extendedObjInfo.ObjectInfo

-	if needUpdateEACLTable {
-		if newEaclTable, err = h.getNewEAclTable(r, bktInfo, objInfo); err != nil {
-			h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
-			return
-		}
-	}
-
 	if tagSet != nil {
 		tagPrm := &data.PutObjectTaggingParams{
 			ObjectVersion: &data.ObjectVersion{
@ -315,19 +294,6 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	if newEaclTable != nil {
-		p := &layer.PutBucketACLParams{
-			BktInfo:      bktInfo,
-			EACL:         newEaclTable,
-			SessionToken: sessionTokenEACL,
-		}
-
-		if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
-			h.logAndSendError(w, "could not put bucket acl", reqInfo, err)
-			return
-		}
-	}
-
 	if settings.VersioningEnabled() {
 		w.Header().Set(api.AmzVersionID, objInfo.VersionID())
 	}
@ -459,13 +425,10 @@ func formEncryptionParamsBase(r *http.Request, isCopySource bool) (enc encryptio

 func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
 	var (
-		newEaclTable     *eacl.Table
-		tagSet           map[string]string
-		sessionTokenEACL *session.Container
-		ctx              = r.Context()
-		reqInfo          = middleware.GetReqInfo(ctx)
-		metadata         = make(map[string]string)
-		cannedACLStatus  = aclHeadersStatus(r)
+		tagSet   map[string]string
+		ctx      = r.Context()
+		reqInfo  = middleware.GetReqInfo(ctx)
+		metadata = make(map[string]string)
 	)

 	policy, err := checkPostPolicy(r, reqInfo, metadata)
@ -501,20 +464,11 @@ func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	apeEnabled := bktInfo.APEEnabled || settings.CannedACL != ""
-	if apeEnabled && cannedACLStatus == aclStatusYes {
+	if acl := auth.MultipartFormValue(r, "acl"); acl != "" && acl != basicACLPrivate {
 		h.logAndSendError(w, "acl not supported for this bucket", reqInfo, errors.GetAPIError(errors.ErrAccessControlListNotSupported))
 		return
 	}

-	needUpdateEACLTable := !(apeEnabled || cannedACLStatus == aclStatusNo)
-	if needUpdateEACLTable {
-		if sessionTokenEACL, err = getSessionTokenSetEACL(ctx); err != nil {
-			h.logAndSendError(w, "could not get eacl session token from a box", reqInfo, err)
-			return
-		}
-	}
-
 	var contentReader io.Reader
 	var size uint64
 	if content, ok := r.MultipartForm.Value["file"]; ok {
@ -550,18 +504,6 @@ func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
 	}
 	objInfo := extendedObjInfo.ObjectInfo

-	if acl := auth.MultipartFormValue(r, "acl"); acl != "" {
-		r.Header.Set(api.AmzACL, acl)
-		r.Header.Set(api.AmzGrantFullControl, "")
-		r.Header.Set(api.AmzGrantWrite, "")
-		r.Header.Set(api.AmzGrantRead, "")
-
-		if newEaclTable, err = h.getNewEAclTable(r, bktInfo, objInfo); err != nil {
-			h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
-			return
-		}
-	}
-
 	if tagSet != nil {
 		tagPrm := &data.PutObjectTaggingParams{
 			ObjectVersion: &data.ObjectVersion{
@ -578,19 +520,6 @@ func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	if newEaclTable != nil {
-		p := &layer.PutBucketACLParams{
-			BktInfo:      bktInfo,
-			EACL:         newEaclTable,
-			SessionToken: sessionTokenEACL,
-		}
-
-		if err = h.obj.PutBucketACL(ctx, p); err != nil {
-			h.logAndSendError(w, "could not put bucket acl", reqInfo, err)
-			return
-		}
-	}
-
 	if settings.VersioningEnabled() {
 		w.Header().Set(api.AmzVersionID, objInfo.VersionID())
 	}
@ -716,56 +645,6 @@ func aclHeadersStatus(r *http.Request) aclStatus {
 	return aclStatusNo
 }

-func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) {
-	var newEaclTable *eacl.Table
-	key, err := h.bearerTokenIssuerKey(r.Context())
-	if err != nil {
-		return nil, fmt.Errorf("get bearer token issuer: %w", err)
-	}
-	objectACL, err := parseACLHeaders(r.Header, key)
-	if err != nil {
-		return nil, fmt.Errorf("could not parse object acl: %w", err)
-	}
-
-	resInfo := &resourceInfo{
-		Bucket:  objInfo.Bucket,
-		Object:  objInfo.Name,
-		Version: objInfo.VersionID(),
-	}
-
-	bktPolicy, err := aclToPolicy(objectACL, resInfo)
-	if err != nil {
-		return nil, fmt.Errorf("could not translate object acl to bucket policy: %w", err)
-	}
-
-	astChild, err := policyToAst(bktPolicy)
-	if err != nil {
-		return nil, fmt.Errorf("could not translate policy to ast: %w", err)
-	}
-
-	bacl, err := h.obj.GetBucketACL(r.Context(), bktInfo)
-	if err != nil {
-		return nil, fmt.Errorf("could not get bucket eacl: %w", err)
-	}
-
-	parentAst := tableToAst(bacl.EACL, objInfo.Bucket)
-	strCID := bacl.Info.CID.EncodeToString()
-
-	for _, resource := range parentAst.Resources {
-		if resource.Bucket == strCID {
-			resource.Bucket = objInfo.Bucket
-		}
-	}
-
-	if resAst, updated := mergeAst(parentAst, astChild); updated {
-		if newEaclTable, err = astToTable(resAst); err != nil {
-			return nil, fmt.Errorf("could not translate ast to table: %w", err)
-		}
-	}
-
-	return newEaclTable, nil
-}
-
 func parseTaggingHeader(header http.Header) (map[string]string, error) {
 	var tagSet map[string]string
 	if tagging := header.Get(api.AmzTagging); len(tagging) > 0 {
@ -805,8 +684,7 @@ func parseCannedACL(header http.Header) (string, error) {
 		return basicACLPrivate, nil
 	}

-	if acl == basicACLPrivate || acl == basicACLPublic ||
-		acl == cannedACLAuthRead || acl == basicACLReadOnly {
+	if acl == basicACLPrivate || acl == basicACLPublic || acl == basicACLReadOnly {
 		return acl, nil
 	}

@ -873,7 +751,6 @@ func (h *handler) createBucketHandlerPolicy(w http.ResponseWriter, r *http.Reque
 		return
 	}

-	p.APEEnabled = true
 	bktInfo, err := h.obj.CreateBucket(ctx, p)
 	if err != nil {
 		h.logAndSendError(w, "could not create bucket", reqInfo, err)
@ -990,8 +867,6 @@ func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, cn

 	switch cannedACL {
 	case basicACLPrivate:
-	case cannedACLAuthRead:
-		fallthrough
 	case basicACLReadOnly:
 		chains[0].Rules = append(chains[0].Rules, chain.Rule{
 			Status:  chain.Allow,
--- a/api/handler/util.go
+++ b/api/handler/util.go
@ -16,7 +16,6 @@ import (
 	frosterrors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"go.opentelemetry.io/otel/trace"
 	"go.uber.org/zap"
 )
@ -142,16 +141,3 @@ func parseRange(s string) (*layer.RangeParams, error) {
 		End:   values[1],
 	}, nil
 }
-
-func getSessionTokenSetEACL(ctx context.Context) (*session.Container, error) {
-	boxData, err := middleware.GetBoxData(ctx)
-	if err != nil {
-		return nil, err
-	}
-	sessionToken := boxData.Gate.SessionTokenForSetEACL()
-	if sessionToken == nil {
-		return nil, s3errors.GetAPIError(s3errors.ErrAccessDenied)
-	}
-
-	return sessionToken, nil
-}