From b0623e69aa0000734242f1c48f8e393abc651a1c Mon Sep 17 00:00:00 2001 From: Dmitrii Stepanov Date: Tue, 4 Apr 2023 11:34:47 +0300 Subject: [PATCH] [#207] aclsvc: Refactor EACL check Resolve funlen linter for CheckEACL method. Signed-off-by: Dmitrii Stepanov --- pkg/services/object/acl/acl.go | 70 ++++++++++++++++++++-------------- 1 file changed, 41 insertions(+), 29 deletions(-) diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index a068eadb8..87d2f9c82 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -14,6 +14,7 @@ import ( bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl" + cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa" eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" @@ -118,8 +119,6 @@ func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner user.ID) bool { } // CheckEACL is a main check function for extended ACL. -// -// nolint: funlen func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error { basicACL := reqInfo.BasicACL() if !basicACL.Extendable() { @@ -154,6 +153,44 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error { return err } + hdrSrc, err := c.getHeaderSource(cnr, msg, reqInfo) + if err != nil { + return err + } + + eaclRole := getRole(reqInfo) + + action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit). + WithRole(eaclRole). + WithOperation(eaclSDK.Operation(reqInfo.Operation())). + WithContainerID(&cnr). + WithSenderKey(reqInfo.SenderKey()). + WithHeaderSource(hdrSrc). + WithEACLTable(&table), + ) + + if action != eaclSDK.ActionAllow { + return errEACLDeniedByRule + } + return nil +} + +func getRole(reqInfo v2.RequestInfo) eaclSDK.Role { + var eaclRole eaclSDK.Role + switch op := reqInfo.RequestRole(); op { + default: + eaclRole = eaclSDK.Role(op) + case acl.RoleOwner: + eaclRole = eaclSDK.RoleUser + case acl.RoleInnerRing, acl.RoleContainer: + eaclRole = eaclSDK.RoleSystem + case acl.RoleOthers: + eaclRole = eaclSDK.RoleOthers + } + return eaclRole +} + +func (c *Checker) getHeaderSource(cnr cid.ID, msg any, reqInfo v2.RequestInfo) (eaclSDK.TypedHeaderSource, error) { hdrSrcOpts := make([]eaclV2.Option, 0, 3) hdrSrcOpts = append(hdrSrcOpts, @@ -175,34 +212,9 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error { hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...) if err != nil { - return fmt.Errorf("can't parse headers: %w", err) + return nil, fmt.Errorf("can't parse headers: %w", err) } - - var eaclRole eaclSDK.Role - switch op := reqInfo.RequestRole(); op { - default: - eaclRole = eaclSDK.Role(op) - case acl.RoleOwner: - eaclRole = eaclSDK.RoleUser - case acl.RoleInnerRing, acl.RoleContainer: - eaclRole = eaclSDK.RoleSystem - case acl.RoleOthers: - eaclRole = eaclSDK.RoleOthers - } - - action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit). - WithRole(eaclRole). - WithOperation(eaclSDK.Operation(reqInfo.Operation())). - WithContainerID(&cnr). - WithSenderKey(reqInfo.SenderKey()). - WithHeaderSource(hdrSrc). - WithEACLTable(&table), - ) - - if action != eaclSDK.ActionAllow { - return errEACLDeniedByRule - } - return nil + return hdrSrc, nil } // isValidBearer checks whether bearer token was correctly signed by authorized