From bd30e4838f8c4901105f6f819ade70e7215482e1 Mon Sep 17 00:00:00 2001
From: Airat Arifullin <a.arifullin@yadro.com>
Date: Tue, 25 Feb 2025 16:27:47 +0300
Subject: [PATCH] [#1574] container: Introduce debug logging for APE check
 failures

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
---
 cmd/frostfs-node/container.go |  2 +-
 pkg/services/container/ape.go | 35 +++++++++++++++++++++++++++--------
 2 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/cmd/frostfs-node/container.go b/cmd/frostfs-node/container.go
index 012012297..5f3f4cb36 100644
--- a/cmd/frostfs-node/container.go
+++ b/cmd/frostfs-node/container.go
@@ -56,7 +56,7 @@ func initContainerService(_ context.Context, c *cfg) {
 	)
 	service := containerService.NewSignService(
 		&c.key.PrivateKey,
-		containerService.NewAPEServer(defaultChainRouter, cnrRdr,
+		containerService.NewAPEServer(c.log, defaultChainRouter, cnrRdr,
 			newCachedIRFetcher(createInnerRingFetcher(c)), c.netMapSource, c.shared.frostfsidClient,
 			containerService.NewSplitterService(
 				c.cfgContainer.containerBatchSize, c.respSvc,
diff --git a/pkg/services/container/ape.go b/pkg/services/container/ape.go
index e1fbe3960..902c3fdf4 100644
--- a/pkg/services/container/ape.go
+++ b/pkg/services/container/ape.go
@@ -12,10 +12,13 @@ import (
 	"net"
 	"strings"
 
+	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
 	aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request"
 	containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
+	apecommon "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
 	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
@@ -31,6 +34,7 @@ import (
 	commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"go.uber.org/zap"
 	"google.golang.org/grpc/peer"
 )
 
@@ -57,6 +61,7 @@ type containers interface {
 }
 
 type apeChecker struct {
+	logger *logger.Logger
 	router policyengine.ChainRouter
 	reader containers
 	ir     ir
@@ -67,8 +72,9 @@ type apeChecker struct {
 	next Server
 }
 
-func NewAPEServer(router policyengine.ChainRouter, reader containers, ir ir, nm netmap.Source, frostFSIDClient frostfsidcore.SubjectProvider, srv Server) Server {
+func NewAPEServer(logger *logger.Logger, router policyengine.ChainRouter, reader containers, ir ir, nm netmap.Source, frostFSIDClient frostfsidcore.SubjectProvider, srv Server) Server {
 	return &apeChecker{
+		logger:          logger,
 		router:          router,
 		reader:          reader,
 		ir:              ir,
@@ -172,7 +178,10 @@ func (ac *apeChecker) List(ctx context.Context, req *container.ListRequest) (*co
 		return ac.next.List(ctx, req)
 	}
 
-	return nil, apeErr(nativeschema.MethodListContainers, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return nil, apeErr(chRouterErr)
 }
 
 func (ac *apeChecker) ListStream(req *container.ListStreamRequest, stream ListStream) error {
@@ -245,7 +254,10 @@ func (ac *apeChecker) ListStream(req *container.ListStreamRequest, stream ListSt
 		return ac.next.ListStream(req, stream)
 	}
 
-	return apeErr(nativeschema.MethodListContainers, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return apeErr(chRouterErr)
 }
 
 func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*container.PutResponse, error) {
@@ -318,7 +330,10 @@ func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*cont
 		return ac.next.Put(ctx, req)
 	}
 
-	return nil, apeErr(nativeschema.MethodPutContainer, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return nil, apeErr(chRouterErr)
 }
 
 func (ac *apeChecker) getRoleWithoutContainerID(ctx context.Context, oID *refs.OwnerID, mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader) (string, *keys.PublicKey, error) {
@@ -400,8 +415,9 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
 		reqProps,
 	)
 
+	rt := policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups)
 	s, found, err := ac.router.IsAllowed(apechain.Ingress,
-		policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups),
+		rt,
 		request)
 	if err != nil {
 		return err
@@ -411,12 +427,15 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
 		return nil
 	}
 
-	return apeErr(op, s)
+	chRouterErr := apecommon.NewChainRouterError(rt, request, s)
+	ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
+
+	return apeErr(chRouterErr)
 }
 
-func apeErr(operation string, status apechain.Status) error {
+func apeErr(err error) error {
 	errAccessDenied := &apistatus.ObjectAccessDenied{}
-	errAccessDenied.WriteReason(fmt.Sprintf("access to container operation %s is denied by access policy engine: %s", operation, status.String()))
+	errAccessDenied.WriteReason(err.Error())
 	return errAccessDenied
 }