[#488] middleware/policy: Add frostfs-to-s3 error transformation

Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com>

api/router_test.go

@@ -15,6 +15,7 @@ import (
 
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
 	s3middleware "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/metrics"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
@@ -26,6 +27,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap/zaptest"
@@ -274,6 +276,36 @@ func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
 	})
 }
 
+func TestPolicyCheckFrostfsErrors(t *testing.T) {
+	chiRouter := prepareRouter(t)
+	ns1, bktName1, objName1 := "", "bucket", "object"
+
+	createBucket(chiRouter, ns1, bktName1)
+	key, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+	chiRouter.cfg.Center.(*centerMock).key = key
+	chiRouter.cfg.MiddlewareSettings.(*middlewareSettingsMock).denyByDefault = true
+
+	ruleChain := &chain.Chain{
+		ID: chain.ID("id"),
+		Rules: []chain.Rule{{
+			Status:    chain.Allow,
+			Actions:   chain.Actions{Names: []string{"*"}},
+			Resources: chain.Resources{Names: []string{fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName1)}},
+		}},
+	}
+
+	_, _, err = chiRouter.policyChecker.MorphRuleChainStorage().AddMorphRuleChain(chain.S3, engine.UserTarget(ns1+":"+key.Address()), ruleChain)
+	require.NoError(t, err)
+
+	// check we can access 'bucket' in default namespace
+	putObject(chiRouter, ns1, bktName1, objName1, nil)
+
+	chiRouter.cfg.Center.(*centerMock).anon = true
+	chiRouter.cfg.Tagging.(*resourceTaggingMock).err = frostfs.ErrAccessDenied
+	getObjectErr(chiRouter, ns1, bktName1, objName1, apierr.ErrAccessDenied)
+}
+
 func TestDefaultBehaviorPolicyChecker(t *testing.T) {
 	chiRouter := prepareRouter(t)
 	ns, bktName := "", "bucket"
@@ -524,11 +556,10 @@ func TestResourceTagsCheck(t *testing.T) {
 
 		listObjectsV1Err(router, ns, bktName, "", "", "", apierr.ErrNoSuchBucket)
 
-		router.cfg.Tagging.(*resourceTaggingMock).noSuchBucketKey = true
+		router.cfg.Tagging.(*resourceTaggingMock).err = apierr.GetAPIError(apierr.ErrNoSuchKey)
 		createBucket(router, ns, bktName)
 		getBucketErr(router, ns, bktName, apierr.ErrNoSuchKey)
 
-		router.cfg.Tagging.(*resourceTaggingMock).noSuchObjectKey = true
 		createBucket(router, ns, bktName)
 		getObjectErr(router, ns, bktName, objName, apierr.ErrNoSuchKey)
 	})
@@ -826,8 +857,11 @@ func TestAuthenticate(t *testing.T) {
 	createBucket(chiRouter, "", "bkt-2")
 
 	chiRouter = prepareRouter(t)
-	chiRouter.cfg.Center.(*centerMock).isError = true
+	chiRouter.cfg.Center.(*centerMock).err = apierr.GetAPIError(apierr.ErrAccessDenied)
 	createBucketErr(chiRouter, "", "bkt-3", nil, apierr.ErrAccessDenied)
+
+	chiRouter.cfg.Center.(*centerMock).err = frostfs.ErrGatewayTimeout
+	createBucketErr(chiRouter, "", "bkt-3", nil, apierr.ErrGatewayTimeout)
 }
 
 func TestFrostFSIDValidation(t *testing.T) {