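package acl

import (
	"errors"
	"fmt"

	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
	v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
)

// errAPEChainNoSource is returned when no APE chain source can be obtained
// for the request's container. It is wrapped with the underlying cause, so
// callers match it with errors.Is rather than ==.
var errAPEChainNoSource = errors.New("could not get ape chain source for the container")

// apeCheckerImpl evaluates object requests against the Access Policy Engine
// (APE) chains attached to the request's container.
type apeCheckerImpl struct {
	// log is retained for diagnostics; no visible code path writes to it.
	log    *logger.Logger
	apeSrc container.AccessPolicyEngineChainSource
}

// NewAPEChecker returns a v2.APEChainChecker that resolves the chain source
// for each request's container through apeSrc.
func NewAPEChecker(log *logger.Logger, apeSrc container.AccessPolicyEngineChainSource) v2.APEChainChecker {
	return &apeCheckerImpl{
		log:    log,
		apeSrc: apeSrc,
	}
}

// CheckIfRequestPermitted evaluates reqInfo against the ingress APE chains of
// its container.
//
// It returns nil when no rule matches the request or when the matching rule's
// status is apechain.Allow, an apistatus.ObjectAccessDenied (via apeErr) for
// any other status, errAPEChainNoSource (wrapped with the cause) when the
// chain source cannot be resolved, and the engine's error when evaluation
// itself fails.
//
// NOTE(review): a request that matches no rule is reported as permitted here;
// presumably the remaining ACL checks run in the caller — confirm there.
func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
	cnr := reqInfo.ContainerID()
	chainCache, err := c.apeSrc.GetChainSource(cnr)
	if err != nil {
		// Keep the sentinel matchable with errors.Is, but do not discard the
		// underlying cause: without it a missing chain source is undiagnosable.
		return fmt.Errorf("%w: %v", errAPEChainNoSource, err)
	}

	request := new(Request)
	request.FromRequestInfo(reqInfo)

	cnrTarget := getResource(reqInfo).Name()

	status, ruleFound, err := chainCache.IsAllowed(apechain.Ingress, policyengine.NewRequestTargetWithContainer(cnrTarget), request)
	if err != nil {
		return fmt.Errorf("evaluating ape chains: %w", err)
	}

	if !ruleFound || status == apechain.Allow {
		return nil
	}

	return apeErr(reqInfo, status)
}

// accessDeniedAPEReasonFmt is the reason attached to the access-denied status
// when an APE rule rejects a request: the operation, then the rule's status.
const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"

// apeErr builds the apistatus.ObjectAccessDenied returned to the client when
// an APE rule with the given status rejects req. The reason names the denied
// operation and the status so the client can tell an APE denial from other
// access checks.
func apeErr(req v2.RequestInfo, status apechain.Status) error {
	errAccessDenied := &apistatus.ObjectAccessDenied{}
	errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, req.Operation(), status.String()))
	return errAccessDenied
}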