From 00c608c05e3c6574b5258f9c63b5ed8bfca264a7 Mon Sep 17 00:00:00 2001
From: Airat Arifullin <a.arifullin@yadro.com>
Date: Wed, 27 Nov 2024 15:52:23 +0300
Subject: [PATCH] [#1524] tree: Make check APE error get wrapped to api status

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
---
 pkg/services/tree/signature.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go
index 4fd4a7e1e..80f5b3590 100644
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@@ -11,6 +11,7 @@ import (
 	core "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
@@ -62,7 +63,16 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
 		return fmt.Errorf("can't get request role: %w", err)
 	}
 
-	return s.checkAPE(ctx, bt, cnr, cid, op, role, pubKey)
+	if err = s.checkAPE(ctx, bt, cnr, cid, op, role, pubKey); err != nil {
+		return apeErr(err)
+	}
+	return nil
+}
+
+func apeErr(err error) error {
+	errAccessDenied := &apistatus.ObjectAccessDenied{}
+	errAccessDenied.WriteReason(err.Error())
+	return errAccessDenied
 }
 
 // Returns true iff the operation is read-only and request was signed