From cf85fa9fabadf3b027b3758c884c2cf927785f19 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Wed, 18 Nov 2020 10:53:42 +0300 Subject: [PATCH] [#180] Return isInnerRing flag in request classifier Signed-off-by: Alex Vanin --- pkg/services/object/acl/acl.go | 3 ++- pkg/services/object/acl/classifier.go | 18 +++++++++--------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 030e80653..bee06cf63 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -405,7 +405,7 @@ func (b Service) findRequestInfo( } // find request role and key - role, key, err := b.sender.Classify(req, cid, cnr) + role, isIR, key, err := b.sender.Classify(req, cid, cnr) if err != nil { return info, err } @@ -420,6 +420,7 @@ func (b Service) findRequestInfo( info.basicACL = basicACLHelper(cnr.BasicACL()) info.requestRole = role + info.isInnerRing = isIR info.operation = verb info.owner = cnr.OwnerID() info.cid = cid diff --git a/pkg/services/object/acl/classifier.go b/pkg/services/object/acl/classifier.go index 9bc3d262e..c3013164e 100644 --- a/pkg/services/object/acl/classifier.go +++ b/pkg/services/object/acl/classifier.go @@ -46,15 +46,15 @@ func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier { func (c SenderClassifier) Classify( req metaWithToken, cid *container.ID, - cnr *container.Container) (acl.Role, []byte, error) { + cnr *container.Container) (role acl.Role, isIR bool, key []byte, err error) { if cid == nil { - return 0, nil, errors.Wrap(ErrMalformedRequest, "container id is not set") + return 0, false, nil, errors.Wrap(ErrMalformedRequest, "container id is not set") } ownerID, ownerKey, err := requestOwner(req) if err != nil { - return 0, nil, err + return 0, false, nil, err } ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey) @@ -63,25 +63,25 @@ func (c SenderClassifier) Classify( // if request owner is the same as container owner, return RoleUser if bytes.Equal(cnr.OwnerID().ToV2().GetValue(), ownerID.ToV2().GetValue()) { - return acl.RoleUser, ownerKeyInBytes, nil + return acl.RoleUser, false, ownerKeyInBytes, nil } isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes) if err != nil { - return 0, nil, errors.Wrap(err, "can't check if request from inner ring") + return 0, false, nil, errors.Wrap(err, "can't check if request from inner ring") } else if isInnerRingNode { - return acl.RoleSystem, ownerKeyInBytes, nil + return acl.RoleSystem, true, ownerKeyInBytes, nil } isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr) if err != nil { - return 0, nil, errors.Wrap(err, "can't check if request from container node") + return 0, false, nil, errors.Wrap(err, "can't check if request from container node") } else if isContainerNode { - return acl.RoleSystem, ownerKeyInBytes, nil + return acl.RoleSystem, false, ownerKeyInBytes, nil } // if none of above, return RoleOthers - return acl.RoleOthers, ownerKeyInBytes, nil + return acl.RoleOthers, false, ownerKeyInBytes, nil } func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {