From 094248690b0535e5c1df7bd2b94946b6832500b6 Mon Sep 17 00:00:00 2001
From: Alex Vanin <alexey@nspcc.ru>
Date: Wed, 21 Oct 2020 20:39:14 +0300
Subject: [PATCH] [#115] Make ACL classifier errors transparent for client

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
---
 pkg/services/object/acl/acl.go        |  7 ++++++-
 pkg/services/object/acl/classifier.go | 24 ++++++++++--------------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index b5d5a679e..4a29883d3 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -86,6 +86,7 @@ type accessErr struct {
 
 var (
 	ErrMalformedRequest = errors.New("malformed request")
+	ErrInternal         = errors.New("internal error")
 	ErrUnknownRole      = errors.New("can't classify request sender")
 	ErrUnknownContainer = errors.New("can't fetch container info")
 )
@@ -387,7 +388,11 @@ func (b Service) findRequestInfo(
 	}
 
 	// find request role and key
-	role, key := b.sender.Classify(req, cid, cnr)
+	role, key, err := b.sender.Classify(req, cid, cnr)
+	if err != nil {
+		return info, err
+	}
+
 	if role == acl.RoleUnknown {
 		return info, ErrUnknownRole
 	}
diff --git a/pkg/services/object/acl/classifier.go b/pkg/services/object/acl/classifier.go
index b440033ae..444aef703 100644
--- a/pkg/services/object/acl/classifier.go
+++ b/pkg/services/object/acl/classifier.go
@@ -44,17 +44,15 @@ func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
 func (c SenderClassifier) Classify(
 	req metaWithToken,
 	cid *container.ID,
-	cnr *container.Container) (acl.Role, []byte) {
+	cnr *container.Container) (acl.Role, []byte, error) {
 
 	if cid == nil {
-		// log there
-		return acl.RoleUnknown, nil
+		return 0, nil, errors.Wrap(ErrMalformedRequest, "container id is not set")
 	}
 
 	ownerID, ownerKey, err := requestOwner(req)
-	if err != nil || ownerID == nil || ownerKey == nil {
-		// log there
-		return acl.RoleUnknown, nil
+	if err != nil {
+		return 0, nil, err
 	}
 
 	ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
@@ -63,27 +61,25 @@ func (c SenderClassifier) Classify(
 
 	// if request owner is the same as container owner, return RoleUser
 	if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
-		return acl.RoleUser, ownerKeyInBytes
+		return acl.RoleUser, ownerKeyInBytes, nil
 	}
 
 	isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
 	if err != nil {
-		// log there
-		return acl.RoleUnknown, nil
+		return 0, nil, errors.Wrap(err, "can't check if request from inner ring")
 	} else if isInnerRingNode {
-		return acl.RoleSystem, ownerKeyInBytes
+		return acl.RoleSystem, ownerKeyInBytes, nil
 	}
 
 	isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
 	if err != nil {
-		// log there
-		return acl.RoleUnknown, nil
+		return 0, nil, errors.Wrap(err, "can't check if request from container node")
 	} else if isContainerNode {
-		return acl.RoleSystem, ownerKeyInBytes
+		return acl.RoleSystem, ownerKeyInBytes, nil
 	}
 
 	// if none of above, return RoleOthers
-	return acl.RoleOthers, ownerKeyInBytes
+	return acl.RoleOthers, ownerKeyInBytes, nil
 }
 
 func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {