From f3df5ff633ec1004fdb480dc086529203a55dd64 Mon Sep 17 00:00:00 2001 From: Angira Kekteeva Date: Wed, 6 Apr 2022 12:27:47 +0400 Subject: [PATCH] [#395] Fix grantee in ACL Signed-off-by: Angira Kekteeva --- api/handler/acl.go | 38 +++++++++++++++++---------------- api/handler/multipart_upload.go | 4 ++-- api/handler/put.go | 10 ++++----- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/api/handler/acl.go b/api/handler/acl.go index 46198d690..b099a0856 100644 --- a/api/handler/acl.go +++ b/api/handler/acl.go @@ -3,6 +3,7 @@ package handler import ( "context" "crypto/ecdsa" + "crypto/elliptic" "encoding/hex" "encoding/json" "encoding/xml" @@ -145,30 +146,31 @@ func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) { } } -func (h *handler) gateKey(ctx context.Context) (*keys.PublicKey, error) { - gateKey := h.obj.EphemeralKey() +func (h *handler) bearerTokenIssuerKey(ctx context.Context) (*keys.PublicKey, error) { box, err := layer.GetBoxData(ctx) - if err == nil { - if box.Gate.GateKey == nil { - return nil, fmt.Errorf("gate key must not be nil") - } - gateKey = box.Gate.GateKey + if err != nil { + return nil, err } - return gateKey, nil + key, err := keys.NewPublicKeyFromBytes(box.Gate.BearerToken.Signature().Key(), elliptic.P256()) + if err != nil { + return nil, err + } + + return key, nil } func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) { reqInfo := api.GetReqInfo(r.Context()) - gateKey, err := h.gateKey(r.Context()) + key, err := h.bearerTokenIssuerKey(r.Context()) if err != nil { - h.logAndSendError(w, "couldn't get gate key", reqInfo, err) + h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err) return } list := &AccessControlPolicy{} if r.ContentLength == 0 { - list, err = parseACLHeaders(r.Header, gateKey) + list, err = parseACLHeaders(r.Header, key) if err != nil { h.logAndSendError(w, "could not parse bucket acl", reqInfo, err) return @@ -256,7 +258,7 @@ func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) { func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) { reqInfo := api.GetReqInfo(r.Context()) versionID := reqInfo.URL.Query().Get(api.QueryVersionID) - gateKey, err := h.gateKey(r.Context()) + key, err := h.bearerTokenIssuerKey(r.Context()) if err != nil { h.logAndSendError(w, "couldn't get gate key", reqInfo, err) return @@ -264,7 +266,7 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) { list := &AccessControlPolicy{} if r.ContentLength == 0 { - list, err = parseACLHeaders(r.Header, gateKey) + list, err = parseACLHeaders(r.Header, key) if err != nil { h.logAndSendError(w, "could not parse bucket acl", reqInfo, err) return @@ -375,16 +377,16 @@ func (h *handler) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request) } } -func parseACLHeaders(header http.Header, gateKey *keys.PublicKey) (*AccessControlPolicy, error) { +func parseACLHeaders(header http.Header, key *keys.PublicKey) (*AccessControlPolicy, error) { var err error acp := &AccessControlPolicy{Owner: Owner{ - ID: hex.EncodeToString(gateKey.Bytes()), - DisplayName: gateKey.Address(), + ID: hex.EncodeToString(key.Bytes()), + DisplayName: key.Address(), }} acp.AccessControlList = []*Grant{{ Grantee: &Grantee{ - ID: hex.EncodeToString(gateKey.Bytes()), - DisplayName: gateKey.Address(), + ID: hex.EncodeToString(key.Bytes()), + DisplayName: key.Address(), Type: acpCanonicalUser, }, Permission: aclFullControl, diff --git a/api/handler/multipart_upload.go b/api/handler/multipart_upload.go index 018f55efb..3f36fc931 100644 --- a/api/handler/multipart_upload.go +++ b/api/handler/multipart_upload.go @@ -127,12 +127,12 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re ) if containsACLHeaders(r) { - gateKey, err := h.gateKey(r.Context()) + key, err := h.bearerTokenIssuerKey(r.Context()) if err != nil { h.logAndSendError(w, "couldn't get gate key", reqInfo, err) return } - data.ACL, err = parseACLHeaders(r.Header, gateKey) + data.ACL, err = parseACLHeaders(r.Header, key) if err != nil { h.logAndSendError(w, "could not parse acl", reqInfo, err) return diff --git a/api/handler/put.go b/api/handler/put.go index 9ce116d20..5c8de2f4d 100644 --- a/api/handler/put.go +++ b/api/handler/put.go @@ -462,11 +462,11 @@ func containsACLHeaders(r *http.Request) bool { func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) { var newEaclTable *eacl.Table - gateKey, err := h.gateKey(r.Context()) + key, err := h.bearerTokenIssuerKey(r.Context()) if err != nil { return nil, err } - objectACL, err := parseACLHeaders(r.Header, gateKey) + objectACL, err := parseACLHeaders(r.Header, key) if err != nil { return nil, fmt.Errorf("could not parse object acl: %w", err) } @@ -552,13 +552,13 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) { return } - gateKey, err := h.gateKey(r.Context()) + key, err := h.bearerTokenIssuerKey(r.Context()) if err != nil { - h.logAndSendError(w, "couldn't get gate key", reqInfo, err) + h.logAndSendError(w, "couldn't get bearer token signature key", reqInfo, err) return } - bktACL, err := parseACLHeaders(r.Header, gateKey) + bktACL, err := parseACLHeaders(r.Header, key) if err != nil { h.logAndSendError(w, "could not parse bucket acl", reqInfo, err) return