[#1052] object: Make ACL middleware not use acl operation

* Remove unused methods and unactual unit-test. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2025-03-12 16:49:27 +03:00 · 2025-03-12 16:49:27 +03:00 · 51f44c8f39
commit 51f44c8f39
parent afad78b44c
4 changed files with 10 additions and 144 deletions
--- a/pkg/services/object/acl/v2/errors.go
+++ b/pkg/services/object/acl/v2/errors.go
@ -16,5 +16,4 @@ var (
 	errEmptyBodySig            = malformedRequestError("empty at body signature")
 	errInvalidSessionSig       = malformedRequestError("invalid session token signature")
 	errInvalidSessionOwner     = malformedRequestError("invalid session token owner")
-	errInvalidVerb             = malformedRequestError("session token verb is invalid")
 )
--- a/pkg/services/object/acl/v2/service.go
+++ b/pkg/services/object/acl/v2/service.go
@ -15,7 +15,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/session"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 	cnrSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	sessionSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
@ -192,7 +191,7 @@ func (b Service) Get(request *objectV2.GetRequest, stream object.GetObjectStream
 		bearer:  bTok,
 	}

-	reqInfo, err := b.findRequestInfo(stream.Context(), req, cnr, acl.OpObjectGet)
+	reqInfo, err := b.findRequestInfo(stream.Context(), req, cnr)
 	if err != nil {
 		return err
 	}
@ -255,7 +254,7 @@ func (b Service) Head(
 		bearer:  bTok,
 	}

-	reqInfo, err := b.findRequestInfo(ctx, req, cnr, acl.OpObjectHead)
+	reqInfo, err := b.findRequestInfo(ctx, req, cnr)
 	if err != nil {
 		return nil, err
 	}
@ -292,7 +291,7 @@ func (b Service) Search(request *objectV2.SearchRequest, stream object.SearchStr
 		bearer:  bTok,
 	}

-	reqInfo, err := b.findRequestInfo(stream.Context(), req, id, acl.OpObjectSearch)
+	reqInfo, err := b.findRequestInfo(stream.Context(), req, id)
 	if err != nil {
 		return err
 	}
@ -337,7 +336,7 @@ func (b Service) Delete(
 		bearer:  bTok,
 	}

-	reqInfo, err := b.findRequestInfo(ctx, req, cnr, acl.OpObjectDelete)
+	reqInfo, err := b.findRequestInfo(ctx, req, cnr)
 	if err != nil {
 		return nil, err
 	}
@ -379,7 +378,7 @@ func (b Service) GetRange(request *objectV2.GetRangeRequest, stream object.GetOb
 		bearer:  bTok,
 	}

-	reqInfo, err := b.findRequestInfo(stream.Context(), req, cnr, acl.OpObjectRange)
+	reqInfo, err := b.findRequestInfo(stream.Context(), req, cnr)
 	if err != nil {
 		return err
 	}
@ -434,7 +433,7 @@ func (b Service) GetRangeHash(
 		bearer:  bTok,
 	}

-	reqInfo, err := b.findRequestInfo(ctx, req, cnr, acl.OpObjectHash)
+	reqInfo, err := b.findRequestInfo(ctx, req, cnr)
 	if err != nil {
 		return nil, err
 	}
@ -482,7 +481,7 @@ func (b Service) PutSingle(ctx context.Context, request *objectV2.PutSingleReque
 		bearer:  bTok,
 	}

-	reqInfo, err := b.findRequestInfo(ctx, req, cnr, acl.OpObjectPut)
+	reqInfo, err := b.findRequestInfo(ctx, req, cnr)
 	if err != nil {
 		return nil, err
 	}
@ -544,7 +543,7 @@ func (p putStreamBasicChecker) Send(ctx context.Context, request *objectV2.PutRe
 			bearer:  bTok,
 		}

-		reqInfo, err := p.source.findRequestInfo(ctx, req, cnr, acl.OpObjectPut)
+		reqInfo, err := p.source.findRequestInfo(ctx, req, cnr)
 		if err != nil {
 			return err
 		}
@ -628,7 +627,7 @@ func (p *patchStreamBasicChecker) Send(ctx context.Context, request *objectV2.Pa
 			bearer:  bTok,
 		}

-		reqInfo, err := p.source.findRequestInfoWithoutACLOperationAssert(ctx, req, cnr)
+		reqInfo, err := p.source.findRequestInfo(ctx, req, cnr)
 		if err != nil {
 			return err
 		}
@ -643,60 +642,7 @@ func (p patchStreamBasicChecker) CloseAndRecv(ctx context.Context) (*objectV2.Pa
 	return p.next.CloseAndRecv(ctx)
 }

-func (b Service) findRequestInfo(ctx context.Context, req MetaWithToken, idCnr cid.ID, op acl.Op) (info RequestInfo, err error) {
-	cnr, err := b.containers.Get(ctx, idCnr) // fetch actual container
-	if err != nil {
-		return info, err
-	}
-
-	if req.token != nil {
-		currentEpoch, err := b.nm.Epoch(ctx)
-		if err != nil {
-			return info, errors.New("can't fetch current epoch")
-		}
-		if req.token.ExpiredAt(currentEpoch) {
-			return info, new(apistatus.SessionTokenExpired)
-		}
-		if req.token.InvalidAt(currentEpoch) {
-			return info, fmt.Errorf("%s: token is invalid at %d epoch)",
-				invalidRequestMessage, currentEpoch)
-		}
-
-		if !assertVerb(*req.token, op) {
-			return info, errInvalidVerb
-		}
-	}
-
-	// find request role and key
-	ownerID, ownerKey, err := req.RequestOwner()
-	if err != nil {
-		return info, err
-	}
-	res, err := b.c.Classify(ctx, ownerID, ownerKey, idCnr, cnr.Value)
-	if err != nil {
-		return info, err
-	}
-
-	info.requestRole = res.Role
-	info.cnrOwner = cnr.Value.Owner()
-
-	cnrNamespace, hasNamespace := strings.CutSuffix(cnrSDK.ReadDomain(cnr.Value).Zone(), ".ns")
-	if hasNamespace {
-		info.cnrNamespace = cnrNamespace
-	}
-
-	// it is assumed that at the moment the key will be valid,
-	// otherwise the request would not pass validation
-	info.senderKey = res.Key
-
-	// add bearer token if it is present in request
-	info.bearer = req.bearer
-
-	return info, nil
-}
-
-// findRequestInfoWithoutACLOperationAssert is findRequestInfo without session token verb assert.
-func (b Service) findRequestInfoWithoutACLOperationAssert(ctx context.Context, req MetaWithToken, idCnr cid.ID) (info RequestInfo, err error) {
+func (b Service) findRequestInfo(ctx context.Context, req MetaWithToken, idCnr cid.ID) (info RequestInfo, err error) {
 	cnr, err := b.containers.Get(ctx, idCnr) // fetch actual container
 	if err != nil {
 		return info, err
--- a/pkg/services/object/acl/v2/util.go
+++ b/pkg/services/object/acl/v2/util.go
@ -10,7 +10,6 @@ import (
 	refsV2 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
 	sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/session"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	sessionSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
@ -172,35 +171,6 @@ func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool {
 	return id2.Equals(id)
 }

-// assertVerb checks that token verb corresponds to op.
-func assertVerb(tok sessionSDK.Object, op acl.Op) bool {
-	switch op {
-	case acl.OpObjectPut:
-		return tok.AssertVerb(sessionSDK.VerbObjectPut, sessionSDK.VerbObjectDelete, sessionSDK.VerbObjectPatch)
-	case acl.OpObjectDelete:
-		return tok.AssertVerb(sessionSDK.VerbObjectDelete)
-	case acl.OpObjectGet:
-		return tok.AssertVerb(sessionSDK.VerbObjectGet)
-	case acl.OpObjectHead:
-		return tok.AssertVerb(
-			sessionSDK.VerbObjectHead,
-			sessionSDK.VerbObjectGet,
-			sessionSDK.VerbObjectDelete,
-			sessionSDK.VerbObjectRange,
-			sessionSDK.VerbObjectRangeHash,
-			sessionSDK.VerbObjectPatch,
-		)
-	case acl.OpObjectSearch:
-		return tok.AssertVerb(sessionSDK.VerbObjectSearch, sessionSDK.VerbObjectDelete)
-	case acl.OpObjectRange:
-		return tok.AssertVerb(sessionSDK.VerbObjectRange, sessionSDK.VerbObjectRangeHash, sessionSDK.VerbObjectPatch)
-	case acl.OpObjectHash:
-		return tok.AssertVerb(sessionSDK.VerbObjectRangeHash)
-	}
-
-	return false
-}
-
 // assertSessionRelation checks if given token describing the FrostFS session
 // relates to the given container and optional object. Missing object
 // means that the context isn't bound to any FrostFS object in the container.
--- a/pkg/services/object/acl/v2/util_test.go
+++ b/pkg/services/object/acl/v2/util_test.go
@ -9,7 +9,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/acl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/session"
 	bearertest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer/test"
-	aclsdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
 	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 	sessionSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
@ -59,54 +58,6 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Token)
 	return metaHeader
 }

-func TestIsVerbCompatible(t *testing.T) {
-	// Source: https://nspcc.ru/upload/frostfs-spec-latest.pdf#page=28
-	table := map[aclsdk.Op][]sessionSDK.ObjectVerb{
-		aclsdk.OpObjectPut:    {sessionSDK.VerbObjectPut, sessionSDK.VerbObjectDelete},
-		aclsdk.OpObjectDelete: {sessionSDK.VerbObjectDelete},
-		aclsdk.OpObjectGet:    {sessionSDK.VerbObjectGet},
-		aclsdk.OpObjectHead: {
-			sessionSDK.VerbObjectHead,
-			sessionSDK.VerbObjectGet,
-			sessionSDK.VerbObjectDelete,
-			sessionSDK.VerbObjectRange,
-			sessionSDK.VerbObjectRangeHash,
-		},
-		aclsdk.OpObjectRange:  {sessionSDK.VerbObjectRange, sessionSDK.VerbObjectRangeHash},
-		aclsdk.OpObjectHash:   {sessionSDK.VerbObjectRangeHash},
-		aclsdk.OpObjectSearch: {sessionSDK.VerbObjectSearch, sessionSDK.VerbObjectDelete},
-	}
-
-	verbs := []sessionSDK.ObjectVerb{
-		sessionSDK.VerbObjectPut,
-		sessionSDK.VerbObjectDelete,
-		sessionSDK.VerbObjectHead,
-		sessionSDK.VerbObjectRange,
-		sessionSDK.VerbObjectRangeHash,
-		sessionSDK.VerbObjectGet,
-		sessionSDK.VerbObjectSearch,
-	}
-
-	var tok sessionSDK.Object
-
-	for op, list := range table {
-		for _, verb := range verbs {
-			var contains bool
-			for _, v := range list {
-				if v == verb {
-					contains = true
-					break
-				}
-			}
-
-			tok.ForVerb(verb)
-
-			require.Equal(t, contains, assertVerb(tok, op),
-				"%v in token, %s executing", verb, op)
-		}
-	}
-}
-
 func TestAssertSessionRelation(t *testing.T) {
 	var tok sessionSDK.Object
 	cnr := cidtest.ID()