From eadcea8df057d6eb502161c0a2d1f202f0f843be Mon Sep 17 00:00:00 2001
From: Airat Arifullin
Date: Thu, 18 Jul 2024 13:23:17 +0300
Subject: [PATCH] [#1249] object: Remove all APE pre-checks in handlers

* Methods `Head`, `Get`, `GetRangeHash` should no longer use APE pre-checks as that leads only to incorrect rule chain processing for requests: 1. Immediate return with `NoRuleFound` may be unexpected as some `Allow` rule is actually defined but can't be matched yet as it gets no object attributes; 2. Immdediate return with `Allow` may be incorrect as some `Deny` rule is actually defined but can't bet matched yet as it gets no object attirbutes; 3. Pre-check breaks compatibility for converted EACL-tables.

Signed-off-by: Airat Arifullin
---
 pkg/services/object/ape/service.go | 43 ------------------------------
 1 file changed, 43 deletions(-)

diff --git a/pkg/services/object/ape/service.go b/pkg/services/object/ape/service.go
index 56c66002d..2adb1b736 100644
--- a/pkg/services/object/ape/service.go
+++ b/pkg/services/object/ape/service.go
@@ -134,33 +134,11 @@ func requestContext(ctx context.Context) (*objectSvc.RequestContext, error) {
 }
 
 func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectStream) error {
-	cnrID, objID, err := getAddressParamsSDK(request.GetBody().GetAddress().GetContainerID(), request.GetBody().GetAddress().GetObjectID())
-	if err != nil {
-		return toStatusErr(err)
-	}
-
 	reqCtx, err := requestContext(stream.Context())
 	if err != nil {
 		return toStatusErr(err)
 	}
 
-	err = c.apeChecker.CheckAPE(stream.Context(), Prm{
-		Namespace: reqCtx.Namespace,
-		Container: cnrID,
-		Object: objID,
-		Method: nativeschema.MethodGetObject,
-		Role: nativeSchemaRole(reqCtx.Role),
-		SenderKey: hex.EncodeToString(reqCtx.SenderKey),
-		ContainerOwner: reqCtx.ContainerOwner,
-		SoftAPECheck: reqCtx.SoftAPECheck,
-		WithoutHeaderRequest: true,
-		BearerToken: reqCtx.BearerToken,
-		XHeaders: request.GetMetaHeader().GetXHeaders(),
-	})
-	if err != nil {
-		return toStatusErr(err)
-	}
-
 	return c.next.Get(request, &getStreamBasicChecker{
 		GetObjectStream: stream,
 		apeChecker: c.apeChecker,
@@ -237,23 +215,6 @@ func (c *Service) Head(ctx context.Context, request *objectV2.HeadRequest) (*obj
 		return nil, err
 	}
 
-	err = c.apeChecker.CheckAPE(ctx, Prm{
-		Namespace: reqCtx.Namespace,
-		Container: cnrID,
-		Object: objID,
-		Method: nativeschema.MethodHeadObject,
-		Role: nativeSchemaRole(reqCtx.Role),
-		SenderKey: hex.EncodeToString(reqCtx.SenderKey),
-		ContainerOwner: reqCtx.ContainerOwner,
-		SoftAPECheck: reqCtx.SoftAPECheck,
-		WithoutHeaderRequest: true,
-		BearerToken: reqCtx.BearerToken,
-		XHeaders: request.GetMetaHeader().GetXHeaders(),
-	})
-	if err != nil {
-		return nil, toStatusErr(err)
-	}
-
 	resp, err := c.next.Head(ctx, request)
 	if err != nil {
 		return nil, err
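Review bot: In `Head`, an error from `c.next.Head(ctx, request)` is now returned before any APE decision is visible, since the removed `CheckAPE` call was the only check ahead of it in this hunk; the same applies to `c.next.GetRangeHash` in the third hunk. If the remaining check runs only on a successful response, a sender that a `Deny` rule would reject may still be able to tell an absent object from a forbidden one by the status it receives. I would document the ordering above each call, e.g. `// APE is evaluated on the response; errors from c.next are returned unchecked`, and add a test that a denied sender gets the same status for existing and missing objects. Both function bodies continue outside their hunks, so the post-check itself cannot be confirmed from here.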
@@ -417,10 +378,6 @@ func (c *Service) GetRangeHash(ctx context.Context, request *objectV2.GetRangeHa
 		XHeaders: request.GetMetaHeader().GetXHeaders(),
 	}
 
-	if err = c.apeChecker.CheckAPE(ctx, prm); err != nil {
-		return nil, toStatusErr(err)
-	}
-
 	resp, err := c.next.GetRangeHash(ctx, request)
 	if err != nil {
 		return nil, err