From 5adf089c1dcff73e7b2dae0bd42a42d37342e6d8 Mon Sep 17 00:00:00 2001
From: Pavel Karpy
Date: Mon, 12 Sep 2022 14:28:37 +0300
Subject: [PATCH] [#1628] tree: Log unacceptable bearer attachment

Signed-off-by: Pavel Karpy
---
 pkg/services/tree/signature.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go
index 2bbf75fe14..4239a9c29f 100644
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@@ -18,6 +18,7 @@ import (
 neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 "github.com/nspcc-dev/neofs-sdk-go/eacl"
 "github.com/nspcc-dev/neofs-sdk-go/user"
+ "go.uber.org/zap"
 )

 type message interface {
@@ -68,8 +69,20 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op

 eaclOp := eACLOp(op)

+ var tableFromBearer bool
+ if len(rawBearer) != 0 {
+ if !basicACL.AllowedBearerRules(op) {
+ s.log.Debug("bearer presented but not allowed by ACL",
+ zap.String("cid", cid.EncodeToString()),
+ zap.String("op", op.String()),
+ )
+ } else {
+ tableFromBearer = true
+ }
+ }
+
 var tb eacl.Table
- if len(rawBearer) != 0 && basicACL.AllowedBearerRules(op) {
+ if tableFromBearer {
 var bt bearer.Token
 if err = bt.Unmarshal(rawBearer); err != nil {
 return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
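Review bot: The new `s.log.Debug` entry in the `!basicACL.AllowedBearerRules(op)` branch carries only `cid` and `op`, so an ignored bearer token cannot be attributed to the request that presented it. If `req` exposes a signer key or similar identifier at this point (not visible in the hunk), adding it as a further `zap` field would make the entry usable for triage. Debug level keeps this client-triggerable path from flooding the log, but a node running at a higher level records nothing when a token is dropped; a comment such as `// Debug on purpose: the bearer is client-supplied, so this branch can be hit at will` would document that trade-off. The nested `if`/`else` could also be flattened to `tableFromBearer := len(rawBearer) != 0 && basicACL.AllowedBearerRules(op)` with the log call guarded by `if len(rawBearer) != 0 && !tableFromBearer {`. The body of verifyClient starts before and continues past the hunk, so the path taken when `tableFromBearer` is false is not shown here.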