acl: Store filter by object ID and object name

This fix helps to store ACL for each object. Signed-off-by: Evgenii Baidakov <[email protected]>
nspcc-dev · Oct 23, 2023 · d59bff9 · d59bff9
1 parent c1a2f14
commit d59bff9
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 30 deletions.
diff --git a/api/handler/acl.go b/api/handler/acl.go
@@ -929,15 +929,15 @@ func formRecords(resource *astResource) ([]*eacl.Record, error) {
 			eacl.AddFormedTarget(record, eacl.RoleUnknown, targetKeys...)
 		}
 		if len(resource.Object) != 0 {
-			if len(resource.Version) != 0 {
-				var id oid.ID
-				if err := id.DecodeString(resource.Version); err != nil {
-					return nil, fmt.Errorf("parse object version (oid): %w", err)
-				}
-				record.AddObjectIDFilter(eacl.MatchStringEqual, id)
-			} else {
-				record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resource.Object)
+			record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resource.Object)
+		}
+
+		if len(resource.Version) != 0 {
+			var id oid.ID
+			if err := id.DecodeString(resource.Version); err != nil {
+				return nil, fmt.Errorf("parse object version (oid): %w", err)
 			}
+			record.AddObjectIDFilter(eacl.MatchStringEqual, id)
 		}
 		res = append(res, record)
 	}

diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go
@@ -881,55 +881,53 @@ func TestObjectWithVersionAclToTable(t *testing.T) {
 }
 
 func allowedTableForPrivateObject(t *testing.T, key *keys.PrivateKey, resInfo *resourceInfo) *eacl.Table {
-	var isVersion bool
 	var objID oid.ID
+	var zeroObjectID oid.ID
+
 	if resInfo.Version != "" {
-		isVersion = true
 		err := objID.DecodeString(resInfo.Version)
 		require.NoError(t, err)
 	}
 
 	expectedTable := eacl.NewTable()
 
+	applyFilters := func(r *eacl.Record) {
+		if resInfo.Object != "" {
+			r.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object)
+		}
+		if !objID.Equals(zeroObjectID) {
+			r.AddObjectIDFilter(eacl.MatchStringEqual, objID)
+		}
+	}
+
+	// Order of these loops is important for test.
 	for i := len(writeOps) - 1; i >= 0; i-- {
 		op := writeOps[i]
 		record := getAllowRecord(op, key.PublicKey())
-		if isVersion {
-			record.AddObjectIDFilter(eacl.MatchStringEqual, objID)
-		} else {
-			record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object)
-		}
+
+		applyFilters(record)
 		expectedTable.AddRecord(record)
 	}
 	for i := len(readOps) - 1; i >= 0; i-- {
 		op := readOps[i]
 		record := getAllowRecord(op, key.PublicKey())
-		if isVersion {
-			record.AddObjectIDFilter(eacl.MatchStringEqual, objID)
-		} else {
-			record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object)
-		}
+
+		applyFilters(record)
 		expectedTable.AddRecord(record)
 	}
 
 	for i := len(writeOps) - 1; i >= 0; i-- {
 		op := writeOps[i]
 		record := getOthersRecord(op, eacl.ActionDeny)
-		if isVersion {
-			record.AddObjectIDFilter(eacl.MatchStringEqual, objID)
-		} else {
-			record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object)
-		}
+
+		applyFilters(record)
 		expectedTable.AddRecord(record)
 	}
 	for i := len(readOps) - 1; i >= 0; i-- {
 		op := readOps[i]
 		record := getOthersRecord(op, eacl.ActionDeny)
-		if isVersion {
-			record.AddObjectIDFilter(eacl.MatchStringEqual, objID)
-		} else {
-			record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object)
-		}
+
+		applyFilters(record)
 		expectedTable.AddRecord(record)
 	}