forked from TrueCloudLab/frostfs-node
[#2028] node: Do not wrap malformed request errors
After presenting request statuses on the API level, all the errors are unwrapped before sending to the caller side. It led to a losing invalid request's context. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
parent
01a226b3ec
commit
2a88b49bca
5 changed files with 22 additions and 15 deletions
|
@ -18,7 +18,8 @@ Changelog for NeoFS Node
|
|||
- `neofs-cli lock object`'s `lifetime` flag handling (#1972)
|
||||
- Do not move write-cache in read-only mode for flushing (#1906)
|
||||
- Child object collection on CLI side with a bearer token (#2000)
|
||||
- Fix concurrent map writes in `Object.Put` service
|
||||
- Fix concurrent map writes in `Object.Put` service (#2037)
|
||||
- Malformed request errors' reasons in the responses (#2028)
|
||||
|
||||
### Removed
|
||||
### Updated
|
||||
|
|
|
@ -1,18 +1,24 @@
|
|||
package v2
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
|
||||
)
|
||||
|
||||
const invalidRequestMessage = "malformed request"
|
||||
|
||||
func malformedRequestError(reason string) error {
|
||||
return fmt.Errorf("%s: %s", invalidRequestMessage, reason)
|
||||
}
|
||||
|
||||
var (
|
||||
// ErrMalformedRequest is returned when request contains
|
||||
// invalid data.
|
||||
ErrMalformedRequest = errors.New("malformed request")
|
||||
// ErrInvalidVerb is returned when session token verb doesn't include necessary operation.
|
||||
ErrInvalidVerb = errors.New("session token verb is invalid")
|
||||
errEmptyBody = malformedRequestError("empty body")
|
||||
errEmptyVerificationHeader = malformedRequestError("empty verification header")
|
||||
errEmptyBodySig = malformedRequestError("empty at body signature")
|
||||
errInvalidSessionSig = malformedRequestError("invalid session token signature")
|
||||
errInvalidSessionOwner = malformedRequestError("invalid session token owner")
|
||||
errInvalidVerb = malformedRequestError("session token verb is invalid")
|
||||
)
|
||||
|
||||
const accessDeniedACLReasonFmt = "access to operation %s is denied by basic ACL check"
|
||||
|
|
|
@ -110,7 +110,7 @@ type MetaWithToken struct {
|
|||
// according to internal meta information.
|
||||
func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
||||
if r.vheader == nil {
|
||||
return nil, nil, fmt.Errorf("%w: nil verification header", ErrMalformedRequest)
|
||||
return nil, nil, errEmptyVerificationHeader
|
||||
}
|
||||
|
||||
// if session token is presented, use it as truth source
|
||||
|
@ -122,7 +122,7 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
|||
// otherwise get original body signature
|
||||
bodySignature := originalBodySignature(r.vheader)
|
||||
if bodySignature == nil {
|
||||
return nil, nil, fmt.Errorf("%w: nil at body signature", ErrMalformedRequest)
|
||||
return nil, nil, errEmptyBodySig
|
||||
}
|
||||
|
||||
key, err := unmarshalPublicKey(bodySignature.GetKey())
|
||||
|
|
|
@ -445,7 +445,7 @@ func (b Service) GetRangeHash(
|
|||
func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
|
||||
body := request.GetBody()
|
||||
if body == nil {
|
||||
return ErrMalformedRequest
|
||||
return errEmptyBody
|
||||
}
|
||||
|
||||
part := body.GetObjectPart()
|
||||
|
@ -574,12 +574,12 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
|
|||
return info, errors.New("can't fetch current epoch")
|
||||
}
|
||||
if req.token.ExpiredAt(currentEpoch) {
|
||||
return info, fmt.Errorf("%w: token has expired (current epoch: %d)",
|
||||
ErrMalformedRequest, currentEpoch)
|
||||
return info, fmt.Errorf("%s: token has expired (current epoch: %d)",
|
||||
invalidRequestMessage, currentEpoch)
|
||||
}
|
||||
|
||||
if !assertVerb(*req.token, op) {
|
||||
return info, ErrInvalidVerb
|
||||
return info, errInvalidVerb
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -114,7 +114,7 @@ func getObjectIDFromRequestBody(body interface{ GetAddress() *refsV2.Address })
|
|||
func ownerFromToken(token *sessionSDK.Object) (*user.ID, *keys.PublicKey, error) {
|
||||
// 1. First check signature of session token.
|
||||
if !token.VerifySignature() {
|
||||
return nil, nil, fmt.Errorf("%w: invalid session token signature", ErrMalformedRequest)
|
||||
return nil, nil, errInvalidSessionSig
|
||||
}
|
||||
|
||||
// 2. Then check if session token owner issued the session token
|
||||
|
@ -131,7 +131,7 @@ func ownerFromToken(token *sessionSDK.Object) (*user.ID, *keys.PublicKey, error)
|
|||
|
||||
if !isOwnerFromKey(tokenIssuer, tokenIssuerKey) {
|
||||
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
||||
return nil, nil, fmt.Errorf("%w: invalid session token owner", ErrMalformedRequest)
|
||||
return nil, nil, errInvalidSessionOwner
|
||||
}
|
||||
|
||||
return &tokenIssuer, tokenIssuerKey, nil
|
||||
|
|
Loading…
Reference in a new issue