[#207] aclsvc: Refactor EACL check

Resolve funlen linter for CheckEACL method.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
This commit is contained in:
Dmitrii Stepanov 2023-04-04 11:34:47 +03:00
parent ee7468daa7
commit b0623e69aa

View file

@ -14,6 +14,7 @@ import (
bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa" frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
@ -118,8 +119,6 @@ func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner user.ID) bool {
} }
// CheckEACL is a main check function for extended ACL. // CheckEACL is a main check function for extended ACL.
//
// nolint: funlen
func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error { func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
basicACL := reqInfo.BasicACL() basicACL := reqInfo.BasicACL()
if !basicACL.Extendable() { if !basicACL.Extendable() {
@ -154,6 +153,44 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
return err return err
} }
hdrSrc, err := c.getHeaderSource(cnr, msg, reqInfo)
if err != nil {
return err
}
eaclRole := getRole(reqInfo)
action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
WithRole(eaclRole).
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
WithContainerID(&cnr).
WithSenderKey(reqInfo.SenderKey()).
WithHeaderSource(hdrSrc).
WithEACLTable(&table),
)
if action != eaclSDK.ActionAllow {
return errEACLDeniedByRule
}
return nil
}
func getRole(reqInfo v2.RequestInfo) eaclSDK.Role {
var eaclRole eaclSDK.Role
switch op := reqInfo.RequestRole(); op {
default:
eaclRole = eaclSDK.Role(op)
case acl.RoleOwner:
eaclRole = eaclSDK.RoleUser
case acl.RoleInnerRing, acl.RoleContainer:
eaclRole = eaclSDK.RoleSystem
case acl.RoleOthers:
eaclRole = eaclSDK.RoleOthers
}
return eaclRole
}
func (c *Checker) getHeaderSource(cnr cid.ID, msg any, reqInfo v2.RequestInfo) (eaclSDK.TypedHeaderSource, error) {
hdrSrcOpts := make([]eaclV2.Option, 0, 3) hdrSrcOpts := make([]eaclV2.Option, 0, 3)
hdrSrcOpts = append(hdrSrcOpts, hdrSrcOpts = append(hdrSrcOpts,
@ -175,34 +212,9 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...) hdrSrc, err := eaclV2.NewMessageHeaderSource(hdrSrcOpts...)
if err != nil { if err != nil {
return fmt.Errorf("can't parse headers: %w", err) return nil, fmt.Errorf("can't parse headers: %w", err)
} }
return hdrSrc, nil
var eaclRole eaclSDK.Role
switch op := reqInfo.RequestRole(); op {
default:
eaclRole = eaclSDK.Role(op)
case acl.RoleOwner:
eaclRole = eaclSDK.RoleUser
case acl.RoleInnerRing, acl.RoleContainer:
eaclRole = eaclSDK.RoleSystem
case acl.RoleOthers:
eaclRole = eaclSDK.RoleOthers
}
action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
WithRole(eaclRole).
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
WithContainerID(&cnr).
WithSenderKey(reqInfo.SenderKey()).
WithHeaderSource(hdrSrc).
WithEACLTable(&table),
)
if action != eaclSDK.ActionAllow {
return errEACLDeniedByRule
}
return nil
} }
// isValidBearer checks whether bearer token was correctly signed by authorized // isValidBearer checks whether bearer token was correctly signed by authorized