forked from TrueCloudLab/frostfs-node
[#1096] eacl: Rename eacl
import aliases
Since `Validator` has been moved to SDK it is more readable to see `eaclSDK` than `acl` import. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
parent
ed156cd738
commit
202dbfb95d
2 changed files with 40 additions and 40 deletions
|
@ -20,7 +20,7 @@ import (
|
|||
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
|
||||
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
|
||||
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
||||
acl "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||
objectSDK "github.com/nspcc-dev/neofs-sdk-go/object"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/owner"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/util/signature"
|
||||
|
@ -65,10 +65,10 @@ type (
|
|||
|
||||
requestInfo struct {
|
||||
basicACL basicACLHelper
|
||||
requestRole acl.Role
|
||||
requestRole eaclSDK.Role
|
||||
isInnerRing bool
|
||||
operation acl.Operation // put, get, head, etc.
|
||||
cnrOwner *owner.ID // container owner
|
||||
operation eaclSDK.Operation // put, get, head, etc.
|
||||
cnrOwner *owner.ID // container owner
|
||||
|
||||
cid *cid.ID
|
||||
|
||||
|
@ -98,7 +98,7 @@ type cfg struct {
|
|||
type eACLCfg struct {
|
||||
eaclSource eacl.Source
|
||||
|
||||
eACL *acl.Validator
|
||||
eACL *eaclSDK.Validator
|
||||
|
||||
localStorage *engine.StorageEngine
|
||||
|
||||
|
@ -131,7 +131,7 @@ func New(opts ...Option) Service {
|
|||
opts[i](cfg)
|
||||
}
|
||||
|
||||
cfg.eACL = acl.NewValidator()
|
||||
cfg.eACL = eaclSDK.NewValidator()
|
||||
|
||||
return Service{
|
||||
cfg: cfg,
|
||||
|
@ -153,7 +153,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
|
|||
src: request,
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
|
||||
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationGet)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -201,7 +201,7 @@ func (b Service) Head(
|
|||
src: request,
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
|
||||
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationHead)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -240,7 +240,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
|
|||
src: request,
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, id, acl.OperationSearch)
|
||||
reqInfo, err := b.findRequestInfo(req, id, eaclSDK.OperationSearch)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -277,7 +277,7 @@ func (b Service) Delete(
|
|||
src: request,
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
|
||||
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationDelete)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -309,7 +309,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
|
|||
src: request,
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
|
||||
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationRange)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -347,7 +347,7 @@ func (b Service) GetRangeHash(
|
|||
src: request,
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
|
||||
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationRangeHash)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -391,7 +391,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
|
|||
src: request,
|
||||
}
|
||||
|
||||
reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
|
||||
reqInfo, err := p.source.findRequestInfo(req, cid, eaclSDK.OperationPut)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -442,7 +442,7 @@ func (g *searchStreamBasicChecker) Send(resp *object.SearchResponse) error {
|
|||
func (b Service) findRequestInfo(
|
||||
req metaWithToken,
|
||||
cid *cid.ID,
|
||||
op acl.Operation) (info requestInfo, err error) {
|
||||
op eaclSDK.Operation) (info requestInfo, err error) {
|
||||
cnr, err := b.containers.Get(cid) // fetch actual container
|
||||
if err != nil || cnr.OwnerID() == nil {
|
||||
return info, ErrUnknownContainer
|
||||
|
@ -454,7 +454,7 @@ func (b Service) findRequestInfo(
|
|||
return info, err
|
||||
}
|
||||
|
||||
if role == acl.RoleUnknown {
|
||||
if role == eaclSDK.RoleUnknown {
|
||||
return info, ErrUnknownRole
|
||||
}
|
||||
|
||||
|
@ -561,17 +561,17 @@ func getObjectOwnerFromMessage(req interface{}) (id *owner.ID, err error) {
|
|||
// main check function for basic ACL
|
||||
func basicACLCheck(info requestInfo) bool {
|
||||
// check basic ACL permissions
|
||||
var checkFn func(acl.Operation) bool
|
||||
var checkFn func(eaclSDK.Operation) bool
|
||||
|
||||
switch info.requestRole {
|
||||
case acl.RoleUser:
|
||||
case eaclSDK.RoleUser:
|
||||
checkFn = info.basicACL.UserAllowed
|
||||
case acl.RoleSystem:
|
||||
case eaclSDK.RoleSystem:
|
||||
checkFn = info.basicACL.SystemAllowed
|
||||
if info.isInnerRing {
|
||||
checkFn = info.basicACL.InnerRingAllowed
|
||||
}
|
||||
case acl.RoleOthers:
|
||||
case eaclSDK.RoleOthers:
|
||||
checkFn = info.basicACL.OthersAllowed
|
||||
default:
|
||||
// log there
|
||||
|
@ -584,7 +584,7 @@ func basicACLCheck(info requestInfo) bool {
|
|||
func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
|
||||
// According to NeoFS specification sticky bit has no effect on system nodes
|
||||
// for correct intra-container work with objects (in particular, replication).
|
||||
if info.requestRole == acl.RoleSystem {
|
||||
if info.requestRole == eaclSDK.RoleSystem {
|
||||
return true
|
||||
}
|
||||
|
||||
|
@ -612,7 +612,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
|||
}
|
||||
|
||||
var (
|
||||
table *acl.Table
|
||||
table *eaclSDK.Table
|
||||
err error
|
||||
)
|
||||
|
||||
|
@ -622,7 +622,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
|||
return errors.Is(err, container.ErrEACLNotFound)
|
||||
}
|
||||
} else {
|
||||
table = acl.NewTableFromV2(reqInfo.bearer.GetBody().GetEACL())
|
||||
table = eaclSDK.NewTableFromV2(reqInfo.bearer.GetBody().GetEACL())
|
||||
}
|
||||
|
||||
// if bearer token is not present, isValidBearer returns true
|
||||
|
@ -652,7 +652,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
|||
)
|
||||
}
|
||||
|
||||
action := cfg.eACL.CalculateAction(new(acl.ValidationUnit).
|
||||
action := cfg.eACL.CalculateAction(new(eaclSDK.ValidationUnit).
|
||||
WithRole(reqInfo.requestRole).
|
||||
WithOperation(reqInfo.operation).
|
||||
WithContainerID(reqInfo.cid).
|
||||
|
@ -663,12 +663,12 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
|||
WithEACLTable(table),
|
||||
)
|
||||
|
||||
return action == acl.ActionAllow
|
||||
return action == eaclSDK.ActionAllow
|
||||
}
|
||||
|
||||
// sourceVerbOfRequest looks for verb in session token and if it is not found,
|
||||
// returns reqVerb.
|
||||
func sourceVerbOfRequest(req metaWithToken, reqVerb acl.Operation) acl.Operation {
|
||||
func sourceVerbOfRequest(req metaWithToken, reqVerb eaclSDK.Operation) eaclSDK.Operation {
|
||||
if req.token != nil {
|
||||
switch v := req.token.GetBody().GetContext().(type) {
|
||||
case *session.ObjectSessionContext:
|
||||
|
@ -681,24 +681,24 @@ func sourceVerbOfRequest(req metaWithToken, reqVerb acl.Operation) acl.Operation
|
|||
return reqVerb
|
||||
}
|
||||
|
||||
func tokenVerbToOperation(verb session.ObjectSessionVerb) acl.Operation {
|
||||
func tokenVerbToOperation(verb session.ObjectSessionVerb) eaclSDK.Operation {
|
||||
switch verb {
|
||||
case session.ObjectVerbGet:
|
||||
return acl.OperationGet
|
||||
return eaclSDK.OperationGet
|
||||
case session.ObjectVerbPut:
|
||||
return acl.OperationPut
|
||||
return eaclSDK.OperationPut
|
||||
case session.ObjectVerbHead:
|
||||
return acl.OperationHead
|
||||
return eaclSDK.OperationHead
|
||||
case session.ObjectVerbSearch:
|
||||
return acl.OperationSearch
|
||||
return eaclSDK.OperationSearch
|
||||
case session.ObjectVerbDelete:
|
||||
return acl.OperationDelete
|
||||
return eaclSDK.OperationDelete
|
||||
case session.ObjectVerbRange:
|
||||
return acl.OperationRange
|
||||
return eaclSDK.OperationRange
|
||||
case session.ObjectVerbRangeHash:
|
||||
return acl.OperationRangeHash
|
||||
return eaclSDK.OperationRangeHash
|
||||
default:
|
||||
return acl.OperationUnknown
|
||||
return eaclSDK.OperationUnknown
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/container"
|
||||
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
||||
acl "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/netmap"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/owner"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/signature"
|
||||
|
@ -52,7 +52,7 @@ func NewSenderClassifier(l *zap.Logger, ir InnerRingFetcher, nm core.Source) Sen
|
|||
func (c SenderClassifier) Classify(
|
||||
req metaWithToken,
|
||||
cid *cid.ID,
|
||||
cnr *container.Container) (role acl.Role, isIR bool, key []byte, err error) {
|
||||
cnr *container.Container) (role eaclSDK.Role, isIR bool, key []byte, err error) {
|
||||
if cid == nil {
|
||||
return 0, false, nil, fmt.Errorf("%w: container id is not set", ErrMalformedRequest)
|
||||
}
|
||||
|
@ -68,7 +68,7 @@ func (c SenderClassifier) Classify(
|
|||
|
||||
// if request owner is the same as container owner, return RoleUser
|
||||
if ownerID.Equal(cnr.OwnerID()) {
|
||||
return acl.RoleUser, false, ownerKeyInBytes, nil
|
||||
return eaclSDK.RoleUser, false, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
||||
|
@ -77,7 +77,7 @@ func (c SenderClassifier) Classify(
|
|||
c.log.Debug("can't check if request from inner ring",
|
||||
zap.String("error", err.Error()))
|
||||
} else if isInnerRingNode {
|
||||
return acl.RoleSystem, true, ownerKeyInBytes, nil
|
||||
return eaclSDK.RoleSystem, true, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
||||
|
@ -88,11 +88,11 @@ func (c SenderClassifier) Classify(
|
|||
c.log.Debug("can't check if request from container node",
|
||||
zap.String("error", err.Error()))
|
||||
} else if isContainerNode {
|
||||
return acl.RoleSystem, false, ownerKeyInBytes, nil
|
||||
return eaclSDK.RoleSystem, false, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
// if none of above, return RoleOthers
|
||||
return acl.RoleOthers, false, ownerKeyInBytes, nil
|
||||
return eaclSDK.RoleOthers, false, ownerKeyInBytes, nil
|
||||
}
|
||||
|
||||
func requestOwner(req metaWithToken) (*owner.ID, *keys.PublicKey, error) {
|
||||
|
|
Loading…
Reference in a new issue