[#1249] object: Remove all APE pre-checks in handlers

* Methods `Head`, `Get`, `GetRangeHash` should no longer use APE pre-checks
  as that leads only to incorrect rule chain processing for requests:
  1. Immediate return with `NoRuleFound` may be unexpected as some `Allow`
     rule is actually defined but can't be matched yet as it gets no object
     attributes;
  2. Immdediate return with `Allow` may be incorrect as some `Deny` rule
     is actually defined but can't bet matched yet as it gets no object
     attirbutes;
  3. Pre-check breaks compatibility for converted EACL-tables.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2024-07-18 13:23:17 +03:00 committed by Evgenii Stratonikov
parent 5e5ee545b6
commit eadcea8df0

View file

@ -134,33 +134,11 @@ func requestContext(ctx context.Context) (*objectSvc.RequestContext, error) {
} }
func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectStream) error { func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectStream) error {
cnrID, objID, err := getAddressParamsSDK(request.GetBody().GetAddress().GetContainerID(), request.GetBody().GetAddress().GetObjectID())
if err != nil {
return toStatusErr(err)
}
reqCtx, err := requestContext(stream.Context()) reqCtx, err := requestContext(stream.Context())
if err != nil { if err != nil {
return toStatusErr(err) return toStatusErr(err)
} }
err = c.apeChecker.CheckAPE(stream.Context(), Prm{
Namespace: reqCtx.Namespace,
Container: cnrID,
Object: objID,
Method: nativeschema.MethodGetObject,
Role: nativeSchemaRole(reqCtx.Role),
SenderKey: hex.EncodeToString(reqCtx.SenderKey),
ContainerOwner: reqCtx.ContainerOwner,
SoftAPECheck: reqCtx.SoftAPECheck,
WithoutHeaderRequest: true,
BearerToken: reqCtx.BearerToken,
XHeaders: request.GetMetaHeader().GetXHeaders(),
})
if err != nil {
return toStatusErr(err)
}
return c.next.Get(request, &getStreamBasicChecker{ return c.next.Get(request, &getStreamBasicChecker{
GetObjectStream: stream, GetObjectStream: stream,
apeChecker: c.apeChecker, apeChecker: c.apeChecker,
@ -237,23 +215,6 @@ func (c *Service) Head(ctx context.Context, request *objectV2.HeadRequest) (*obj
return nil, err return nil, err
} }
err = c.apeChecker.CheckAPE(ctx, Prm{
Namespace: reqCtx.Namespace,
Container: cnrID,
Object: objID,
Method: nativeschema.MethodHeadObject,
Role: nativeSchemaRole(reqCtx.Role),
SenderKey: hex.EncodeToString(reqCtx.SenderKey),
ContainerOwner: reqCtx.ContainerOwner,
SoftAPECheck: reqCtx.SoftAPECheck,
WithoutHeaderRequest: true,
BearerToken: reqCtx.BearerToken,
XHeaders: request.GetMetaHeader().GetXHeaders(),
})
if err != nil {
return nil, toStatusErr(err)
}
resp, err := c.next.Head(ctx, request) resp, err := c.next.Head(ctx, request)
if err != nil { if err != nil {
return nil, err return nil, err
@ -417,10 +378,6 @@ func (c *Service) GetRangeHash(ctx context.Context, request *objectV2.GetRangeHa
XHeaders: request.GetMetaHeader().GetXHeaders(), XHeaders: request.GetMetaHeader().GetXHeaders(),
} }
if err = c.apeChecker.CheckAPE(ctx, prm); err != nil {
return nil, toStatusErr(err)
}
resp, err := c.next.GetRangeHash(ctx, request) resp, err := c.next.GetRangeHash(ctx, request)
if err != nil { if err != nil {
return nil, err return nil, err