[#487] Remove attach of bearer token

When bucket owner is not an issuer of the bearer token

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
Angira Kekteeva 2022-06-01 21:35:20 +04:00 committed by Alex Vanin
parent 4f43aad495
commit 4767eeed8c
7 changed files with 59 additions and 65 deletions

View file

@ -164,7 +164,6 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
ObjectInfo: info,
Writer: w,
Range: params,
VersionID: p.VersionID,
}
if err = h.obj.GetObject(r.Context(), getParams); err != nil {
h.logAndSendError(w, "could not get object", reqInfo, err)

View file

@ -74,7 +74,6 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
ObjectInfo: info,
Writer: buffer,
Range: getRangeToDetectContentType(info.Size),
VersionID: reqInfo.URL.Query().Get(api.QueryVersionID),
}
if err = h.obj.GetObject(r.Context(), getParams); err != nil {
h.logAndSendError(w, "could not get object", reqInfo, err, zap.Stringer("oid", info.ID))

View file

@ -79,7 +79,6 @@ type (
Range *RangeParams
ObjectInfo *data.ObjectInfo
Writer io.Writer
VersionID string
}
// HeadObjectParams stores object head request parameters.
@ -323,11 +322,13 @@ func (n *layer) Owner(ctx context.Context) user.ID {
return ownerID
}
func (n *layer) prepareAuthParameters(ctx context.Context, prm *neofs.PrmAuth) {
func (n *layer) prepareAuthParameters(ctx context.Context, prm *neofs.PrmAuth, bktOwner user.ID) {
if bd, ok := ctx.Value(api.BoxData).(*accessbox.Box); ok && bd != nil && bd.Gate != nil {
if issuer, ok := bd.Gate.BearerToken.Issuer(); ok && bktOwner.Equals(issuer) {
prm.BearerToken = bd.Gate.BearerToken
return
}
}
prm.PrivateKey = &n.anonKey.Key.PrivateKey
}
@ -380,8 +381,7 @@ func (n *layer) ListBuckets(ctx context.Context) ([]*data.BucketInfo, error) {
func (n *layer) GetObject(ctx context.Context, p *GetObjectParams) error {
var params getParams
params.oid = p.ObjectInfo.ID
params.cid = p.ObjectInfo.CID
params.objInfo = p.ObjectInfo
if p.Range != nil {
if p.Range.Start > p.Range.End {
@ -584,7 +584,7 @@ func (n *layer) deleteObject(ctx context.Context, bkt *data.BucketInfo, settings
}
for _, id := range ids {
if err = n.objectDelete(ctx, bkt.CID, id); err != nil {
if err = n.objectDelete(ctx, bkt, id); err != nil {
obj.Error = err
return obj
}

View file

@ -209,7 +209,7 @@ func (x *multiObjectReader) Read(p []byte) (n int, err error) {
return n, io.EOF
}
x.prm.oid = x.parts[0].ID
x.prm.objInfo = x.parts[0]
x.curReader, err = x.layer.initObjectPayloadReader(x.ctx, x.prm)
if err != nil {
@ -307,8 +307,6 @@ func (n *layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipar
parts: parts,
}
r.prm.cid = p.Info.Bkt.CID
obj, err = n.PutObject(ctx, &PutObjectParams{
BktInfo: p.Info.Bkt,
Object: p.Info.Key,
@ -328,7 +326,7 @@ func (n *layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipar
if partNum == 0 {
continue
}
if err = n.objectDelete(ctx, p.Info.Bkt.CID, objInfo.ID); err != nil {
if err = n.objectDelete(ctx, p.Info.Bkt, objInfo.ID); err != nil {
n.log.Warn("could not delete upload part",
zap.Stringer("object id", objInfo.ID),
zap.Stringer("bucket id", p.Info.Bkt.CID),
@ -348,7 +346,7 @@ func (n *layer) ListMultipartUploads(ctx context.Context, p *ListMultipartUpload
f := &findParams{
attr: [2]string{UploadPartNumberAttributeName, "0"},
cid: p.Bkt.CID,
bkt: p.Bkt,
}
ids, err := n.objectSearch(ctx, f)
@ -360,7 +358,7 @@ func (n *layer) ListMultipartUploads(ctx context.Context, p *ListMultipartUpload
uniqDirs := make(map[string]struct{})
for i := range ids {
meta, err := n.objectHead(ctx, p.Bkt.CID, ids[i])
meta, err := n.objectHead(ctx, p.Bkt, ids[i])
if err != nil {
n.log.Warn("couldn't head object",
zap.Stringer("object id", &ids[i]),
@ -420,7 +418,7 @@ func (n *layer) AbortMultipartUpload(ctx context.Context, p *UploadInfoParams) e
}
for _, info := range objects {
err := n.objectDelete(ctx, info.CID, info.ID)
err := n.objectDelete(ctx, p.Bkt, info.ID)
if err != nil {
return err
}
@ -493,7 +491,7 @@ func (n *layer) getUploadParts(ctx context.Context, p *UploadInfoParams) (map[in
// and search in attributes by prefix is not supported
f := &findParams{
attr: [2]string{UploadIDAttributeName, p.UploadID},
cid: p.Bkt.CID,
bkt: p.Bkt,
}
ids, err := n.objectSearch(ctx, f)
@ -504,7 +502,7 @@ func (n *layer) getUploadParts(ctx context.Context, p *UploadInfoParams) (map[in
res := make(map[int]*data.ObjectInfo)
for i := range ids {
meta, err := n.objectHead(ctx, p.Bkt.CID, ids[i])
meta, err := n.objectHead(ctx, p.Bkt, ids[i])
if err != nil {
n.log.Warn("couldn't head a part of upload",
zap.Stringer("object id", &ids[i]),

View file

@ -27,7 +27,7 @@ import (
type (
findParams struct {
attr [2]string
cid cid.ID
bkt *data.BucketInfo
prefix string
}
@ -35,8 +35,7 @@ type (
// payload range
off, ln uint64
cid cid.ID
oid oid.ID
objInfo *data.ObjectInfo
}
// ListObjectsParamsCommon contains common parameters for ListObjectsV1 and ListObjectsV2.
@ -69,10 +68,10 @@ type (
}
)
func (n *layer) objectSearchByName(ctx context.Context, cnr cid.ID, filename string) ([]oid.ID, error) {
func (n *layer) objectSearchByName(ctx context.Context, bktInfo *data.BucketInfo, filename string) ([]oid.ID, error) {
f := &findParams{
attr: [2]string{object.AttributeFileName, filename},
cid: cnr,
bkt: bktInfo,
}
return n.objectSearch(ctx, f)
}
@ -80,12 +79,12 @@ func (n *layer) objectSearchByName(ctx context.Context, cnr cid.ID, filename str
// objectSearch returns all available objects by search params.
func (n *layer) objectSearch(ctx context.Context, p *findParams) ([]oid.ID, error) {
prm := neofs.PrmObjectSelect{
Container: p.cid,
Container: p.bkt.CID,
ExactAttribute: p.attr,
FilePrefix: p.prefix,
}
n.prepareAuthParameters(ctx, &prm.PrmAuth)
n.prepareAuthParameters(ctx, &prm.PrmAuth, p.bkt.Owner)
res, err := n.neoFS.SelectObjects(ctx, prm)
@ -100,14 +99,14 @@ func newAddress(cnr cid.ID, obj oid.ID) oid.Address {
}
// objectHead returns all object's headers.
func (n *layer) objectHead(ctx context.Context, idCnr cid.ID, idObj oid.ID) (*object.Object, error) {
func (n *layer) objectHead(ctx context.Context, bktInfo *data.BucketInfo, idObj oid.ID) (*object.Object, error) {
prm := neofs.PrmObjectRead{
Container: idCnr,
Container: bktInfo.CID,
Object: idObj,
WithHeader: true,
}
n.prepareAuthParameters(ctx, &prm.PrmAuth)
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
res, err := n.neoFS.ReadObject(ctx, prm)
if err != nil {
@ -121,13 +120,19 @@ func (n *layer) objectHead(ctx context.Context, idCnr cid.ID, idObj oid.ID) (*ob
// Zero range corresponds to full payload (panics if only offset is set).
func (n *layer) initObjectPayloadReader(ctx context.Context, p getParams) (io.Reader, error) {
prm := neofs.PrmObjectRead{
Container: p.cid,
Object: p.oid,
Container: p.objInfo.CID,
Object: p.objInfo.ID,
WithPayload: true,
PayloadRange: [2]uint64{p.off, p.ln},
}
n.prepareAuthParameters(ctx, &prm.PrmAuth)
// should be taken from cache
bktInfo, err := n.GetBucketInfo(ctx, p.objInfo.Bucket)
if err != nil {
return nil, err
}
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
res, err := n.neoFS.ReadObject(ctx, prm)
if err != nil {
@ -138,15 +143,15 @@ func (n *layer) initObjectPayloadReader(ctx context.Context, p getParams) (io.Re
}
// objectGet returns an object with payload in the object.
func (n *layer) objectGet(ctx context.Context, addr oid.Address) (*object.Object, error) {
func (n *layer) objectGet(ctx context.Context, bktInfo *data.BucketInfo, objID oid.ID) (*object.Object, error) {
prm := neofs.PrmObjectRead{
Container: addr.Container(),
Object: addr.Object(),
Container: bktInfo.CID,
Object: objID,
WithHeader: true,
WithPayload: true,
}
n.prepareAuthParameters(ctx, &prm.PrmAuth)
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
res, err := n.neoFS.ReadObject(ctx, prm)
if err != nil {
@ -198,7 +203,7 @@ func (n *layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Object
}
}
id, hash, err := n.objectPutAndHash(ctx, prm)
id, hash, err := n.objectPutAndHash(ctx, prm, p.BktInfo)
if err != nil {
return nil, err
}
@ -229,7 +234,7 @@ func (n *layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Object
n.listsCache.CleanCacheEntriesContainingObject(p.Object, p.BktInfo.CID)
for _, id := range idsToDeleteArr {
if err = n.objectDelete(ctx, p.BktInfo.CID, id); err != nil {
if err = n.objectDelete(ctx, p.BktInfo, id); err != nil {
n.log.Warn("couldn't delete object",
zap.Stringer("version id", id),
zap.Error(err))
@ -356,7 +361,7 @@ func (n *layer) headLastVersionIfNotDeleted(ctx context.Context, bkt *data.Bucke
}
func (n *layer) headVersions(ctx context.Context, bkt *data.BucketInfo, objectName string) (*objectVersions, error) {
ids, err := n.objectSearchByName(ctx, bkt.CID, objectName)
ids, err := n.objectSearchByName(ctx, bkt, objectName)
if err != nil {
return nil, err
}
@ -367,7 +372,7 @@ func (n *layer) headVersions(ctx context.Context, bkt *data.BucketInfo, objectNa
}
for i := range ids {
meta, err := n.objectHead(ctx, bkt.CID, ids[i])
meta, err := n.objectHead(ctx, bkt, ids[i])
if err != nil {
n.log.Warn("couldn't head object",
zap.Stringer("object id", &ids[i]),
@ -416,7 +421,7 @@ func (n *layer) headVersion(ctx context.Context, bkt *data.BucketInfo, p *HeadOb
return objInfoFromMeta(bkt, headInfo), nil
}
meta, err := n.objectHead(ctx, bkt.CID, id)
meta, err := n.objectHead(ctx, bkt, id)
if err != nil {
if client.IsErrObjectNotFound(err) {
return nil, apiErrors.GetAPIError(apiErrors.ErrNoSuchVersion)
@ -438,23 +443,23 @@ func (n *layer) headVersion(ctx context.Context, bkt *data.BucketInfo, p *HeadOb
}
// objectDelete puts tombstone object into neofs.
func (n *layer) objectDelete(ctx context.Context, idCnr cid.ID, idObj oid.ID) error {
func (n *layer) objectDelete(ctx context.Context, bktInfo *data.BucketInfo, idObj oid.ID) error {
prm := neofs.PrmObjectDelete{
Container: idCnr,
Container: bktInfo.CID,
Object: idObj,
}
n.prepareAuthParameters(ctx, &prm.PrmAuth)
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
n.objCache.Delete(newAddress(idCnr, idObj))
n.objCache.Delete(newAddress(bktInfo.CID, idObj))
return n.transformNeofsError(ctx, n.neoFS.DeleteObject(ctx, prm))
}
// objectPutAndHash prepare auth parameters and invoke neofs.CreateObject.
// Returns object ID and payload sha256 hash.
func (n *layer) objectPutAndHash(ctx context.Context, prm neofs.PrmObjectCreate) (*oid.ID, []byte, error) {
n.prepareAuthParameters(ctx, &prm.PrmAuth)
func (n *layer) objectPutAndHash(ctx context.Context, prm neofs.PrmObjectCreate, bktInfo *data.BucketInfo) (*oid.ID, []byte, error) {
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
hash := sha256.New()
prm.Payload = wrapReader(prm.Payload, 64*1024, func(buf []byte) {
hash.Write(buf)
@ -565,7 +570,7 @@ func (n *layer) getAllObjectsVersions(ctx context.Context, bkt *data.BucketInfo,
ids := n.listsCache.Get(cacheKey)
if ids == nil {
ids, err = n.objectSearch(ctx, &findParams{cid: bkt.CID, prefix: prefix})
ids, err = n.objectSearch(ctx, &findParams{bkt: bkt, prefix: prefix})
if err != nil {
return nil, err
}
@ -577,7 +582,7 @@ func (n *layer) getAllObjectsVersions(ctx context.Context, bkt *data.BucketInfo,
versions := make(map[string]*objectVersions, len(ids)/2)
for i := 0; i < len(ids); i++ {
obj := n.objectFromObjectsCacheOrNeoFS(ctx, bkt.CID, ids[i])
obj := n.objectFromObjectsCacheOrNeoFS(ctx, bkt, ids[i])
if obj == nil {
continue
}
@ -681,13 +686,13 @@ func (n *layer) isVersioningEnabled(ctx context.Context, bktInfo *data.BucketInf
return settings.VersioningEnabled
}
func (n *layer) objectFromObjectsCacheOrNeoFS(ctx context.Context, cnr cid.ID, obj oid.ID) *object.Object {
func (n *layer) objectFromObjectsCacheOrNeoFS(ctx context.Context, bktInfo *data.BucketInfo, obj oid.ID) *object.Object {
var (
err error
meta = n.objCache.Get(newAddress(cnr, obj))
meta = n.objCache.Get(newAddress(bktInfo.CID, obj))
)
if meta == nil {
meta, err = n.objectHead(ctx, cnr, obj)
meta, err = n.objectHead(ctx, bktInfo, obj)
if err != nil {
n.log.Warn("could not fetch object meta", zap.Error(err))
return nil

View file

@ -15,7 +15,6 @@ import (
"github.com/nspcc-dev/neofs-s3-gw/api/layer/neofs"
"github.com/nspcc-dev/neofs-s3-gw/internal/misc"
"github.com/nspcc-dev/neofs-sdk-go/object"
oid "github.com/nspcc-dev/neofs-sdk-go/object/id"
"go.uber.org/zap"
)
@ -60,7 +59,7 @@ func (n *layer) HeadSystemObject(ctx context.Context, bkt *data.BucketInfo, objN
func (n *layer) DeleteSystemObject(ctx context.Context, bktInfo *data.BucketInfo, name string) error {
f := &findParams{
attr: [2]string{objectSystemAttributeName, name},
cid: bktInfo.CID,
bkt: bktInfo,
}
ids, err := n.objectSearch(ctx, f)
if err != nil {
@ -69,7 +68,7 @@ func (n *layer) DeleteSystemObject(ctx context.Context, bktInfo *data.BucketInfo
n.systemCache.Delete(systemObjectKey(bktInfo, name))
for i := range ids {
if err = n.objectDelete(ctx, bktInfo.CID, ids[i]); err != nil {
if err = n.objectDelete(ctx, bktInfo, ids[i]); err != nil {
return err
}
}
@ -119,7 +118,7 @@ func (n *layer) putSystemObjectIntoNeoFS(ctx context.Context, p *PutSystemObject
prm.Attributes = append(prm.Attributes, [2]string{k, v})
}
id, hash, err := n.objectPutAndHash(ctx, prm)
id, hash, err := n.objectPutAndHash(ctx, prm, p.BktInfo)
if err != nil {
return nil, err
}
@ -133,7 +132,7 @@ func (n *layer) putSystemObjectIntoNeoFS(ctx context.Context, p *PutSystemObject
}
for _, id := range idsToDeleteArr {
if err = n.objectDelete(ctx, p.BktInfo.CID, id); err != nil {
if err = n.objectDelete(ctx, p.BktInfo, id); err != nil {
n.log.Warn("couldn't delete system object",
zap.Stringer("version id", id),
zap.String("name", misc.SanitizeString(p.ObjName)),
@ -169,12 +168,7 @@ func (n *layer) getSystemObjectFromNeoFS(ctx context.Context, bkt *data.BucketIn
objInfo := versions.getLast()
var addr oid.Address
addr.SetContainer(bkt.CID)
addr.SetObject(objInfo.ID)
obj, err := n.objectGet(ctx, addr)
obj, err := n.objectGet(ctx, bkt, objInfo.ID)
if err != nil {
return nil, err
}
@ -215,7 +209,7 @@ func (n *layer) getCORS(ctx context.Context, bkt *data.BucketInfo, sysName strin
func (n *layer) headSystemVersions(ctx context.Context, bkt *data.BucketInfo, sysName string) (*objectVersions, error) {
f := &findParams{
attr: [2]string{objectSystemAttributeName, sysName},
cid: bkt.CID,
bkt: bkt,
}
ids, err := n.objectSearch(ctx, f)
if err != nil {
@ -224,7 +218,7 @@ func (n *layer) headSystemVersions(ctx context.Context, bkt *data.BucketInfo, sy
versions := newObjectVersions(sysName)
for i := range ids {
meta, err := n.objectHead(ctx, bkt.CID, ids[i])
meta, err := n.objectHead(ctx, bkt, ids[i])
if err != nil {
n.log.Warn("couldn't head object",
zap.Stringer("object id", &ids[i]),

View file

@ -50,7 +50,6 @@ func (tc *testContext) getObject(objectName, versionID string, needError bool) (
err = tc.layer.GetObject(tc.ctx, &GetObjectParams{
ObjectInfo: objInfo,
Writer: content,
VersionID: versionID,
})
require.NoError(tc.t, err)