[#207] aclsvc: Refactor EACL check

Resolve funlen linter for CheckEACL method. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-04-04 11:34:47 +03:00 · 2023-04-04 11:34:47 +03:00 · cd33a57f44
commit cd33a57f44
parent 1f1aed87be
1 changed files with 41 additions and 29 deletions
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@ -14,6 +14,7 @@ import (
 	bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
 	eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
@ -118,8 +119,6 @@ func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner user.ID) bool {
 }

 // CheckEACL is a main check function for extended ACL.
-//
-// nolint: funlen
 func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 	basicACL := reqInfo.BasicACL()
 	if !basicACL.Extendable() {
@ -154,6 +153,44 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 		return err
 	}

+	hdrSrc, err := c.getHeaderSource(cnr, msg, reqInfo)
+	if err != nil {
+		return err
+	}
+
+	eaclRole := getRole(reqInfo)
+
+	action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
+		WithRole(eaclRole).
+		WithOperation(eaclSDK.Operation(reqInfo.Operation())).
+		WithContainerID(&cnr).
+		WithSenderKey(reqInfo.SenderKey()).
+		WithHeaderSource(hdrSrc).
+		WithEACLTable(&table),
+	)
+
+	if action != eaclSDK.ActionAllow {
+		return errEACLDeniedByRule
+	}
+	return nil
+}
+
+func getRole(reqInfo v2.RequestInfo) eaclSDK.Role {
+	var eaclRole eaclSDK.Role
+	switch op := reqInfo.RequestRole(); op {
+	default:
+		eaclRole = eaclSDK.Role(op)
+	case acl.RoleOwner:
+		eaclRole = eaclSDK.RoleUser
+	case acl.RoleInnerRing, acl.RoleContainer:
+		eaclRole = eaclSDK.RoleSystem
+	case acl.RoleOthers:
+		eaclRole = eaclSDK.RoleOthers
+	}
+	return eaclRole
+}
+
+func (c *Checker) getHeaderSource(cnr cid.ID, msg any, reqInfo v2.RequestInfo) (eaclSDK.TypedHeaderSource, error) {
 	hdrSrcOpts := make([]eaclV2.Option, 0, 3)

 	hdrSrcOpts = append(hdrSrcOpts,
@ -175,34 +212,9 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {

 	hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...)
 	if err != nil {
-		return fmt.Errorf("can't parse headers: %w", err)
+		return nil, fmt.Errorf("can't parse headers: %w", err)
 	}
-
-	var eaclRole eaclSDK.Role
-	switch op := reqInfo.RequestRole(); op {
-	default:
-		eaclRole = eaclSDK.Role(op)
-	case acl.RoleOwner:
-		eaclRole = eaclSDK.RoleUser
-	case acl.RoleInnerRing, acl.RoleContainer:
-		eaclRole = eaclSDK.RoleSystem
-	case acl.RoleOthers:
-		eaclRole = eaclSDK.RoleOthers
-	}
-
-	action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
-		WithRole(eaclRole).
-		WithOperation(eaclSDK.Operation(reqInfo.Operation())).
-		WithContainerID(&cnr).
-		WithSenderKey(reqInfo.SenderKey()).
-		WithHeaderSource(hdrSrc).
-		WithEACLTable(&table),
-	)
-
-	if action != eaclSDK.ActionAllow {
-		return errEACLDeniedByRule
-	}
-	return nil
+	return hdrSrc, nil
 }

 // isValidBearer checks whether bearer token was correctly signed by authorized