aarifullin/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#69] object/acl: Define access denied error

Browse source 
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich 2020-10-03 10:39:02 +03:00 committed by Alex Vanin
parent 0f52444ae9
commit 6c3c872ee4
1 changed files with 29 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
pkg/services/object/acl/basic.go
View file

@ -3,6 +3,7 @@ package acl
import ( import (
"bytes" "bytes"
"context" "context"
"fmt"
acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl" acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
"github.com/nspcc-dev/neofs-api-go/pkg/container" "github.com/nspcc-dev/neofs-api-go/pkg/container"
@ -56,11 +57,16 @@ type cfg struct {
next object.Service next object.Service
} }
type accessErr struct {
requestInfo
failedCheckTyp string
}
var ( var (
ErrMalformedRequest = errors.New("malformed request") ErrMalformedRequest = errors.New("malformed request")
ErrUnknownRole = errors.New("can't classify request sender") ErrUnknownRole = errors.New("can't classify request sender")
ErrUnknownContainer = errors.New("can't fetch container info") ErrUnknownContainer = errors.New("can't fetch container info")
ErrBasicAccessDenied = errors.New("access denied by basic acl")
) )
func defaultCfg() *cfg { func defaultCfg() *cfg {
@ -99,7 +105,7 @@ func (b Service) Get(
} }
if !basicACLCheck(reqInfo) { if !basicACLCheck(reqInfo) {
return nil, ErrBasicAccessDenied return nil, basicACLErr(reqInfo)
} }
stream, err := b.next.Get(ctx, request) stream, err := b.next.Get(ctx, request)
@ -139,7 +145,7 @@ func (b Service) Head(
} }
if !basicACLCheck(reqInfo) { if !basicACLCheck(reqInfo) {
return nil, ErrBasicAccessDenied return nil, basicACLErr(reqInfo)
} }
return b.next.Head(ctx, request) return b.next.Head(ctx, request)
@ -167,7 +173,7 @@ func (b Service) Search(
} }
if !basicACLCheck(reqInfo) { if !basicACLCheck(reqInfo) {
return nil, ErrBasicAccessDenied return nil, basicACLErr(reqInfo)
} }
stream, err := b.next.Search(ctx, request) stream, err := b.next.Search(ctx, request)
@ -194,7 +200,7 @@ func (b Service) Delete(
} }
if !basicACLCheck(reqInfo) { if !basicACLCheck(reqInfo) {
return nil, ErrBasicAccessDenied return nil, basicACLErr(reqInfo)
} }
return b.next.Delete(ctx, request) return b.next.Delete(ctx, request)
@ -220,7 +226,7 @@ func (b Service) GetRange(
} }
if !basicACLCheck(reqInfo) { if !basicACLCheck(reqInfo) {
return nil, ErrBasicAccessDenied return nil, basicACLErr(reqInfo)
} }
stream, err := b.next.GetRange(ctx, request) stream, err := b.next.GetRange(ctx, request)
@ -247,7 +253,7 @@ func (b Service) GetRangeHash(
} }
if !basicACLCheck(reqInfo) { if !basicACLCheck(reqInfo) {
return nil, ErrBasicAccessDenied return nil, basicACLErr(reqInfo)
} }
return b.next.GetRangeHash(ctx, request) return b.next.GetRangeHash(ctx, request)
@ -282,7 +288,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
} }
if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, ownerID) { if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, ownerID) {
return ErrBasicAccessDenied return basicACLErr(reqInfo)
} }
} }
@ -312,7 +318,7 @@ func (g getStreamBasicChecker) Recv() (*object.GetResponse, error) {
} }
if !stickyBitCheck(g.info, ownerID) { if !stickyBitCheck(g.info, ownerID) {
return nil, ErrBasicAccessDenied return nil, basicACLErr(g.info)
} }
} }
@ -463,3 +469,14 @@ func tokenVerbToOperation(verb session.ObjectSessionVerb) acl.Operation {
return acl.OperationUnknown return acl.OperationUnknown
} }
} }
func (a *accessErr) Error() string {
return fmt.Sprintf("access to operation %v is denied by %s check", a.operation, a.failedCheckTyp)
}
func basicACLErr(info requestInfo) error {
return &accessErr{
requestInfo: info,
failedCheckTyp: "basic ACL",
}
}