[#1096] eacl: Rename eacl
import aliases
Since `Validator` has been moved to the SDK, the `eaclSDK` alias is more readable than `acl` for this import. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
parent
ed156cd738
commit
202dbfb95d
2 changed files with 40 additions and 40 deletions
|
@ -20,7 +20,7 @@ import (
|
||||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
|
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
|
||||||
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
|
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
|
||||||
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
||||||
acl "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
objectSDK "github.com/nspcc-dev/neofs-sdk-go/object"
|
objectSDK "github.com/nspcc-dev/neofs-sdk-go/object"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/owner"
|
"github.com/nspcc-dev/neofs-sdk-go/owner"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/util/signature"
|
"github.com/nspcc-dev/neofs-sdk-go/util/signature"
|
||||||
|
@ -65,10 +65,10 @@ type (
|
||||||
|
|
||||||
requestInfo struct {
|
requestInfo struct {
|
||||||
basicACL basicACLHelper
|
basicACL basicACLHelper
|
||||||
requestRole acl.Role
|
requestRole eaclSDK.Role
|
||||||
isInnerRing bool
|
isInnerRing bool
|
||||||
operation acl.Operation // put, get, head, etc.
|
operation eaclSDK.Operation // put, get, head, etc.
|
||||||
cnrOwner *owner.ID // container owner
|
cnrOwner *owner.ID // container owner
|
||||||
|
|
||||||
cid *cid.ID
|
cid *cid.ID
|
||||||
|
|
||||||
|
@ -98,7 +98,7 @@ type cfg struct {
|
||||||
type eACLCfg struct {
|
type eACLCfg struct {
|
||||||
eaclSource eacl.Source
|
eaclSource eacl.Source
|
||||||
|
|
||||||
eACL *acl.Validator
|
eACL *eaclSDK.Validator
|
||||||
|
|
||||||
localStorage *engine.StorageEngine
|
localStorage *engine.StorageEngine
|
||||||
|
|
||||||
|
@ -131,7 +131,7 @@ func New(opts ...Option) Service {
|
||||||
opts[i](cfg)
|
opts[i](cfg)
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg.eACL = acl.NewValidator()
|
cfg.eACL = eaclSDK.NewValidator()
|
||||||
|
|
||||||
return Service{
|
return Service{
|
||||||
cfg: cfg,
|
cfg: cfg,
|
||||||
|
@ -153,7 +153,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
|
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationGet)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -201,7 +201,7 @@ func (b Service) Head(
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
|
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationHead)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -240,7 +240,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, id, acl.OperationSearch)
|
reqInfo, err := b.findRequestInfo(req, id, eaclSDK.OperationSearch)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -277,7 +277,7 @@ func (b Service) Delete(
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
|
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationDelete)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -309,7 +309,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
|
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationRange)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -347,7 +347,7 @@ func (b Service) GetRangeHash(
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
|
reqInfo, err := b.findRequestInfo(req, cid, eaclSDK.OperationRangeHash)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -391,7 +391,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
|
reqInfo, err := p.source.findRequestInfo(req, cid, eaclSDK.OperationPut)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -442,7 +442,7 @@ func (g *searchStreamBasicChecker) Send(resp *object.SearchResponse) error {
|
||||||
func (b Service) findRequestInfo(
|
func (b Service) findRequestInfo(
|
||||||
req metaWithToken,
|
req metaWithToken,
|
||||||
cid *cid.ID,
|
cid *cid.ID,
|
||||||
op acl.Operation) (info requestInfo, err error) {
|
op eaclSDK.Operation) (info requestInfo, err error) {
|
||||||
cnr, err := b.containers.Get(cid) // fetch actual container
|
cnr, err := b.containers.Get(cid) // fetch actual container
|
||||||
if err != nil || cnr.OwnerID() == nil {
|
if err != nil || cnr.OwnerID() == nil {
|
||||||
return info, ErrUnknownContainer
|
return info, ErrUnknownContainer
|
||||||
|
@ -454,7 +454,7 @@ func (b Service) findRequestInfo(
|
||||||
return info, err
|
return info, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if role == acl.RoleUnknown {
|
if role == eaclSDK.RoleUnknown {
|
||||||
return info, ErrUnknownRole
|
return info, ErrUnknownRole
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -561,17 +561,17 @@ func getObjectOwnerFromMessage(req interface{}) (id *owner.ID, err error) {
|
||||||
// main check function for basic ACL
|
// main check function for basic ACL
|
||||||
func basicACLCheck(info requestInfo) bool {
|
func basicACLCheck(info requestInfo) bool {
|
||||||
// check basic ACL permissions
|
// check basic ACL permissions
|
||||||
var checkFn func(acl.Operation) bool
|
var checkFn func(eaclSDK.Operation) bool
|
||||||
|
|
||||||
switch info.requestRole {
|
switch info.requestRole {
|
||||||
case acl.RoleUser:
|
case eaclSDK.RoleUser:
|
||||||
checkFn = info.basicACL.UserAllowed
|
checkFn = info.basicACL.UserAllowed
|
||||||
case acl.RoleSystem:
|
case eaclSDK.RoleSystem:
|
||||||
checkFn = info.basicACL.SystemAllowed
|
checkFn = info.basicACL.SystemAllowed
|
||||||
if info.isInnerRing {
|
if info.isInnerRing {
|
||||||
checkFn = info.basicACL.InnerRingAllowed
|
checkFn = info.basicACL.InnerRingAllowed
|
||||||
}
|
}
|
||||||
case acl.RoleOthers:
|
case eaclSDK.RoleOthers:
|
||||||
checkFn = info.basicACL.OthersAllowed
|
checkFn = info.basicACL.OthersAllowed
|
||||||
default:
|
default:
|
||||||
// log there
|
// log there
|
||||||
|
@ -584,7 +584,7 @@ func basicACLCheck(info requestInfo) bool {
|
||||||
func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
|
func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
|
||||||
// According to NeoFS specification sticky bit has no effect on system nodes
|
// According to NeoFS specification sticky bit has no effect on system nodes
|
||||||
// for correct intra-container work with objects (in particular, replication).
|
// for correct intra-container work with objects (in particular, replication).
|
||||||
if info.requestRole == acl.RoleSystem {
|
if info.requestRole == eaclSDK.RoleSystem {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -612,7 +612,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
table *acl.Table
|
table *eaclSDK.Table
|
||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -622,7 +622,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
||||||
return errors.Is(err, container.ErrEACLNotFound)
|
return errors.Is(err, container.ErrEACLNotFound)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
table = acl.NewTableFromV2(reqInfo.bearer.GetBody().GetEACL())
|
table = eaclSDK.NewTableFromV2(reqInfo.bearer.GetBody().GetEACL())
|
||||||
}
|
}
|
||||||
|
|
||||||
// if bearer token is not present, isValidBearer returns true
|
// if bearer token is not present, isValidBearer returns true
|
||||||
|
@ -652,7 +652,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
action := cfg.eACL.CalculateAction(new(acl.ValidationUnit).
|
action := cfg.eACL.CalculateAction(new(eaclSDK.ValidationUnit).
|
||||||
WithRole(reqInfo.requestRole).
|
WithRole(reqInfo.requestRole).
|
||||||
WithOperation(reqInfo.operation).
|
WithOperation(reqInfo.operation).
|
||||||
WithContainerID(reqInfo.cid).
|
WithContainerID(reqInfo.cid).
|
||||||
|
@ -663,12 +663,12 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
||||||
WithEACLTable(table),
|
WithEACLTable(table),
|
||||||
)
|
)
|
||||||
|
|
||||||
return action == acl.ActionAllow
|
return action == eaclSDK.ActionAllow
|
||||||
}
|
}
|
||||||
|
|
||||||
// sourceVerbOfRequest looks for verb in session token and if it is not found,
|
// sourceVerbOfRequest looks for verb in session token and if it is not found,
|
||||||
// returns reqVerb.
|
// returns reqVerb.
|
||||||
func sourceVerbOfRequest(req metaWithToken, reqVerb acl.Operation) acl.Operation {
|
func sourceVerbOfRequest(req metaWithToken, reqVerb eaclSDK.Operation) eaclSDK.Operation {
|
||||||
if req.token != nil {
|
if req.token != nil {
|
||||||
switch v := req.token.GetBody().GetContext().(type) {
|
switch v := req.token.GetBody().GetContext().(type) {
|
||||||
case *session.ObjectSessionContext:
|
case *session.ObjectSessionContext:
|
||||||
|
@ -681,24 +681,24 @@ func sourceVerbOfRequest(req metaWithToken, reqVerb acl.Operation) acl.Operation
|
||||||
return reqVerb
|
return reqVerb
|
||||||
}
|
}
|
||||||
|
|
||||||
func tokenVerbToOperation(verb session.ObjectSessionVerb) acl.Operation {
|
func tokenVerbToOperation(verb session.ObjectSessionVerb) eaclSDK.Operation {
|
||||||
switch verb {
|
switch verb {
|
||||||
case session.ObjectVerbGet:
|
case session.ObjectVerbGet:
|
||||||
return acl.OperationGet
|
return eaclSDK.OperationGet
|
||||||
case session.ObjectVerbPut:
|
case session.ObjectVerbPut:
|
||||||
return acl.OperationPut
|
return eaclSDK.OperationPut
|
||||||
case session.ObjectVerbHead:
|
case session.ObjectVerbHead:
|
||||||
return acl.OperationHead
|
return eaclSDK.OperationHead
|
||||||
case session.ObjectVerbSearch:
|
case session.ObjectVerbSearch:
|
||||||
return acl.OperationSearch
|
return eaclSDK.OperationSearch
|
||||||
case session.ObjectVerbDelete:
|
case session.ObjectVerbDelete:
|
||||||
return acl.OperationDelete
|
return eaclSDK.OperationDelete
|
||||||
case session.ObjectVerbRange:
|
case session.ObjectVerbRange:
|
||||||
return acl.OperationRange
|
return eaclSDK.OperationRange
|
||||||
case session.ObjectVerbRangeHash:
|
case session.ObjectVerbRangeHash:
|
||||||
return acl.OperationRangeHash
|
return eaclSDK.OperationRangeHash
|
||||||
default:
|
default:
|
||||||
return acl.OperationUnknown
|
return eaclSDK.OperationUnknown
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@ import (
|
||||||
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/container"
|
"github.com/nspcc-dev/neofs-sdk-go/container"
|
||||||
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
||||||
acl "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/netmap"
|
"github.com/nspcc-dev/neofs-sdk-go/netmap"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/owner"
|
"github.com/nspcc-dev/neofs-sdk-go/owner"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/signature"
|
"github.com/nspcc-dev/neofs-sdk-go/signature"
|
||||||
|
@ -52,7 +52,7 @@ func NewSenderClassifier(l *zap.Logger, ir InnerRingFetcher, nm core.Source) Sen
|
||||||
func (c SenderClassifier) Classify(
|
func (c SenderClassifier) Classify(
|
||||||
req metaWithToken,
|
req metaWithToken,
|
||||||
cid *cid.ID,
|
cid *cid.ID,
|
||||||
cnr *container.Container) (role acl.Role, isIR bool, key []byte, err error) {
|
cnr *container.Container) (role eaclSDK.Role, isIR bool, key []byte, err error) {
|
||||||
if cid == nil {
|
if cid == nil {
|
||||||
return 0, false, nil, fmt.Errorf("%w: container id is not set", ErrMalformedRequest)
|
return 0, false, nil, fmt.Errorf("%w: container id is not set", ErrMalformedRequest)
|
||||||
}
|
}
|
||||||
|
@ -68,7 +68,7 @@ func (c SenderClassifier) Classify(
|
||||||
|
|
||||||
// if request owner is the same as container owner, return RoleUser
|
// if request owner is the same as container owner, return RoleUser
|
||||||
if ownerID.Equal(cnr.OwnerID()) {
|
if ownerID.Equal(cnr.OwnerID()) {
|
||||||
return acl.RoleUser, false, ownerKeyInBytes, nil
|
return eaclSDK.RoleUser, false, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
||||||
|
@ -77,7 +77,7 @@ func (c SenderClassifier) Classify(
|
||||||
c.log.Debug("can't check if request from inner ring",
|
c.log.Debug("can't check if request from inner ring",
|
||||||
zap.String("error", err.Error()))
|
zap.String("error", err.Error()))
|
||||||
} else if isInnerRingNode {
|
} else if isInnerRingNode {
|
||||||
return acl.RoleSystem, true, ownerKeyInBytes, nil
|
return eaclSDK.RoleSystem, true, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
||||||
|
@ -88,11 +88,11 @@ func (c SenderClassifier) Classify(
|
||||||
c.log.Debug("can't check if request from container node",
|
c.log.Debug("can't check if request from container node",
|
||||||
zap.String("error", err.Error()))
|
zap.String("error", err.Error()))
|
||||||
} else if isContainerNode {
|
} else if isContainerNode {
|
||||||
return acl.RoleSystem, false, ownerKeyInBytes, nil
|
return eaclSDK.RoleSystem, false, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// if none of above, return RoleOthers
|
// if none of above, return RoleOthers
|
||||||
return acl.RoleOthers, false, ownerKeyInBytes, nil
|
return eaclSDK.RoleOthers, false, ownerKeyInBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func requestOwner(req metaWithToken) (*owner.ID, *keys.PublicKey, error) {
|
func requestOwner(req metaWithToken) (*owner.ID, *keys.PublicKey, error) {
|
||||||
|
|