forked from TrueCloudLab/frostfs-node
[#207] aclsvc: Refactor EACL check
Resolve funlen linter for CheckEACL method. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
This commit is contained in:
parent
ee7468daa7
commit
b0623e69aa
1 changed files with 41 additions and 29 deletions
|
@ -14,6 +14,7 @@ import (
|
||||||
bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
||||||
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
||||||
eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||||
|
@ -118,8 +119,6 @@ func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner user.ID) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
// CheckEACL is a main check function for extended ACL.
|
// CheckEACL is a main check function for extended ACL.
|
||||||
//
|
|
||||||
// nolint: funlen
|
|
||||||
func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
||||||
basicACL := reqInfo.BasicACL()
|
basicACL := reqInfo.BasicACL()
|
||||||
if !basicACL.Extendable() {
|
if !basicACL.Extendable() {
|
||||||
|
@ -154,6 +153,44 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
hdrSrc, err := c.getHeaderSource(cnr, msg, reqInfo)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
eaclRole := getRole(reqInfo)
|
||||||
|
|
||||||
|
action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
|
||||||
|
WithRole(eaclRole).
|
||||||
|
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
|
||||||
|
WithContainerID(&cnr).
|
||||||
|
WithSenderKey(reqInfo.SenderKey()).
|
||||||
|
WithHeaderSource(hdrSrc).
|
||||||
|
WithEACLTable(&table),
|
||||||
|
)
|
||||||
|
|
||||||
|
if action != eaclSDK.ActionAllow {
|
||||||
|
return errEACLDeniedByRule
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func getRole(reqInfo v2.RequestInfo) eaclSDK.Role {
|
||||||
|
var eaclRole eaclSDK.Role
|
||||||
|
switch op := reqInfo.RequestRole(); op {
|
||||||
|
default:
|
||||||
|
eaclRole = eaclSDK.Role(op)
|
||||||
|
case acl.RoleOwner:
|
||||||
|
eaclRole = eaclSDK.RoleUser
|
||||||
|
case acl.RoleInnerRing, acl.RoleContainer:
|
||||||
|
eaclRole = eaclSDK.RoleSystem
|
||||||
|
case acl.RoleOthers:
|
||||||
|
eaclRole = eaclSDK.RoleOthers
|
||||||
|
}
|
||||||
|
return eaclRole
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Checker) getHeaderSource(cnr cid.ID, msg any, reqInfo v2.RequestInfo) (eaclSDK.TypedHeaderSource, error) {
|
||||||
hdrSrcOpts := make([]eaclV2.Option, 0, 3)
|
hdrSrcOpts := make([]eaclV2.Option, 0, 3)
|
||||||
|
|
||||||
hdrSrcOpts = append(hdrSrcOpts,
|
hdrSrcOpts = append(hdrSrcOpts,
|
||||||
|
@ -175,34 +212,9 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
||||||
|
|
||||||
hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...)
|
hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("can't parse headers: %w", err)
|
return nil, fmt.Errorf("can't parse headers: %w", err)
|
||||||
}
|
}
|
||||||
|
return hdrSrc, nil
|
||||||
var eaclRole eaclSDK.Role
|
|
||||||
switch op := reqInfo.RequestRole(); op {
|
|
||||||
default:
|
|
||||||
eaclRole = eaclSDK.Role(op)
|
|
||||||
case acl.RoleOwner:
|
|
||||||
eaclRole = eaclSDK.RoleUser
|
|
||||||
case acl.RoleInnerRing, acl.RoleContainer:
|
|
||||||
eaclRole = eaclSDK.RoleSystem
|
|
||||||
case acl.RoleOthers:
|
|
||||||
eaclRole = eaclSDK.RoleOthers
|
|
||||||
}
|
|
||||||
|
|
||||||
action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
|
|
||||||
WithRole(eaclRole).
|
|
||||||
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
|
|
||||||
WithContainerID(&cnr).
|
|
||||||
WithSenderKey(reqInfo.SenderKey()).
|
|
||||||
WithHeaderSource(hdrSrc).
|
|
||||||
WithEACLTable(&table),
|
|
||||||
)
|
|
||||||
|
|
||||||
if action != eaclSDK.ActionAllow {
|
|
||||||
return errEACLDeniedByRule
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// isValidBearer checks whether bearer token was correctly signed by authorized
|
// isValidBearer checks whether bearer token was correctly signed by authorized
|
||||||
|
|
Loading…
Reference in a new issue