diff --git a/authmate/authmate.go b/authmate/authmate.go index 651022663..13674f6f9 100644 --- a/authmate/authmate.go +++ b/authmate/authmate.go @@ -384,20 +384,21 @@ func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) { return table, nil } -func buildContext(rules []byte) (*session.ContainerContext, error) { - sessionCtx := session.NewContainerContext() // wildcard == true on by default +func buildContext(rules []byte) ([]*session.ContainerContext, error) { + var sessionCtxs []*session.ContainerContext if len(rules) != 0 { // cast ToV2 temporary, because there is no method for unmarshalling in ContainerContext in api-go - err := sessionCtx.UnmarshalJSON(rules) + err := json.Unmarshal(rules, &sessionCtxs) if err != nil { - return nil, fmt.Errorf("failed to read rules for session token: %w", err) + return nil, fmt.Errorf("failed to unmarshal rules for session token: %w", err) } - return sessionCtx, nil + return sessionCtxs, nil } + + sessionCtx := session.NewContainerContext() sessionCtx.ForPut() - sessionCtx.ApplyTo(nil) - return sessionCtx, nil + return []*session.ContainerContext{sessionCtx}, nil } func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) { @@ -441,14 +442,18 @@ func buildSessionToken(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOpt return tok, tok.Sign(&key.PrivateKey) } -func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctx *session.ContainerContext, gatesKeys []*keys.PublicKey) ([]*session.Token, error) { - sessionTokens := make([]*session.Token, 0, len(gatesKeys)) +func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctxs []*session.ContainerContext, gatesKeys []*keys.PublicKey) ([][]*session.Token, error) { + sessionTokens := make([][]*session.Token, 0, len(gatesKeys)) for _, gateKey := range gatesKeys { - tkn, err := buildSessionToken(key, oid, lifetime, ctx, gateKey) - if err != nil { - return nil, err + tkns := make([]*session.Token, len(ctxs)) + for i, ctx := range ctxs { + tkn, err := buildSessionToken(key, oid, lifetime, ctx, gateKey) + if err != nil { + return nil, err + } + tkns[i] = tkn } - sessionTokens = append(sessionTokens, tkn) + sessionTokens = append(sessionTokens, tkns) } return sessionTokens, nil } @@ -480,7 +485,7 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci return nil, err } for i, sessionToken := range sessionTokens { - gates[i].SessionToken = sessionToken + gates[i].SessionToken = sessionToken[0] } } diff --git a/authmate/authmate_test.go b/authmate/authmate_test.go new file mode 100644 index 000000000..e32d5bb2a --- /dev/null +++ b/authmate/authmate_test.go @@ -0,0 +1,39 @@ +package authmate + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestContainerSessionRules(t *testing.T) { + jsonRules := []byte(` +[ + { + "verb": "PUT", + "wildcard": true, + "containerID": null + }, + { + "verb": "DELETE", + "wildcard": true, + "containerID": null + }, + { + "verb": "SETEACL", + "wildcard": true, + "containerID": null + } +]`) + + sessionContext, err := buildContext(jsonRules) + require.NoError(t, err) + + require.Len(t, sessionContext, 3) + require.True(t, sessionContext[0].IsForPut()) + require.Nil(t, sessionContext[0].Container()) + require.True(t, sessionContext[1].IsForDelete()) + require.Nil(t, sessionContext[1].Container()) + require.True(t, sessionContext[2].IsForSetEACL()) + require.Nil(t, sessionContext[2].Container()) +}