[#395] Fix grantee in ACL

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
Angira Kekteeva 2022-04-06 12:27:47 +04:00 committed by Alex Vanin
parent ed47bc1596
commit f3df5ff633
3 changed files with 27 additions and 25 deletions


@ -3,6 +3,7 @@ package handler
import ( import (
"context" "context"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic"
"encoding/hex" "encoding/hex"
"encoding/json" "encoding/json"
"encoding/xml" "encoding/xml"
@ -145,30 +146,31 @@ func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) {
} }
} }
func (h *handler) gateKey(ctx context.Context) (*keys.PublicKey, error) { func (h *handler) bearerTokenIssuerKey(ctx context.Context) (*keys.PublicKey, error) {
gateKey := h.obj.EphemeralKey()
box, err := layer.GetBoxData(ctx) box, err := layer.GetBoxData(ctx)
if err == nil { if err != nil {
if box.Gate.GateKey == nil { return nil, err
return nil, fmt.Errorf("gate key must not be nil")
}
gateKey = box.Gate.GateKey
} }
return gateKey, nil key, err := keys.NewPublicKeyFromBytes(box.Gate.BearerToken.Signature().Key(), elliptic.P256())
if err != nil {
return nil, err
}
return key, nil
} }
func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) { func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) {
reqInfo := api.GetReqInfo(r.Context()) reqInfo := api.GetReqInfo(r.Context())
gateKey, err := h.gateKey(r.Context()) key, err := h.bearerTokenIssuerKey(r.Context())
if err != nil { if err != nil {
h.logAndSendError(w, "couldn't get gate key", reqInfo, err) h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err)
return return
} }
list := &AccessControlPolicy{} list := &AccessControlPolicy{}
if r.ContentLength == 0 { if r.ContentLength == 0 {
list, err = parseACLHeaders(r.Header, gateKey) list, err = parseACLHeaders(r.Header, key)
if err != nil { if err != nil {
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err) h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
return return
@ -256,7 +258,7 @@ func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) {
func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) { func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
reqInfo := api.GetReqInfo(r.Context()) reqInfo := api.GetReqInfo(r.Context())
versionID := reqInfo.URL.Query().Get(api.QueryVersionID) versionID := reqInfo.URL.Query().Get(api.QueryVersionID)
gateKey, err := h.gateKey(r.Context()) key, err := h.bearerTokenIssuerKey(r.Context())
if err != nil { if err != nil {
h.logAndSendError(w, "couldn't get gate key", reqInfo, err) h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
return return
@ -264,7 +266,7 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
list := &AccessControlPolicy{} list := &AccessControlPolicy{}
if r.ContentLength == 0 { if r.ContentLength == 0 {
list, err = parseACLHeaders(r.Header, gateKey) list, err = parseACLHeaders(r.Header, key)
if err != nil { if err != nil {
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err) h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
return return
@ -375,16 +377,16 @@ func (h *handler) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request)
} }
} }
func parseACLHeaders(header http.Header, gateKey *keys.PublicKey) (*AccessControlPolicy, error) { func parseACLHeaders(header http.Header, key *keys.PublicKey) (*AccessControlPolicy, error) {
var err error var err error
acp := &AccessControlPolicy{Owner: Owner{ acp := &AccessControlPolicy{Owner: Owner{
ID: hex.EncodeToString(gateKey.Bytes()), ID: hex.EncodeToString(key.Bytes()),
DisplayName: gateKey.Address(), DisplayName: key.Address(),
}} }}
acp.AccessControlList = []*Grant{{ acp.AccessControlList = []*Grant{{
Grantee: &Grantee{ Grantee: &Grantee{
ID: hex.EncodeToString(gateKey.Bytes()), ID: hex.EncodeToString(key.Bytes()),
DisplayName: gateKey.Address(), DisplayName: key.Address(),
Type: acpCanonicalUser, Type: acpCanonicalUser,
}, },
Permission: aclFullControl, Permission: aclFullControl,
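Review bot: The new bearerTokenIssuerKey dereferences `box.Gate.BearerToken.Signature().Key()` with no nil check, whereas the replaced gateKey treated a missing key as a legitimate case; if GetBoxData can return a box without a bearer token (anonymous or ephemeral-key requests, presumably), this line panics or hands a nil byte slice to NewPublicKeyFromBytes. A guard in the style of the removed one, `if box.Gate.BearerToken == nil { return nil, fmt.Errorf("bearer token must not be nil") }` (adjusted if the field is not a pointer), would keep the failure an error rather than a crash. The function also deserves a doc comment, since the key it returns becomes the ACL owner and full-control grantee in parseACLHeaders: something like `// bearerTokenIssuerKey returns the public key that signed the request's bearer token; callers use it as the ACL owner/grantee, so it relies on the token signature having been verified by the auth layer.` Separately, the error messages are now inconsistent across callers: PutBucketACLHandler says "couldn't get bearer token issuer key", PutObjectACLHandler and CreateMultipartUploadHandler still say "couldn't get gate key", and CreateBucketHandler says "couldn't get bearer token signature key"; one wording, matching the function name, would make logs easier to correlate.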


@ -127,12 +127,12 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
) )
if containsACLHeaders(r) { if containsACLHeaders(r) {
gateKey, err := h.gateKey(r.Context()) key, err := h.bearerTokenIssuerKey(r.Context())
if err != nil { if err != nil {
h.logAndSendError(w, "couldn't get gate key", reqInfo, err) h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
return return
} }
data.ACL, err = parseACLHeaders(r.Header, gateKey) data.ACL, err = parseACLHeaders(r.Header, key)
if err != nil { if err != nil {
h.logAndSendError(w, "could not parse acl", reqInfo, err) h.logAndSendError(w, "could not parse acl", reqInfo, err)
return return


@ -462,11 +462,11 @@ func containsACLHeaders(r *http.Request) bool {
func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) { func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) {
var newEaclTable *eacl.Table var newEaclTable *eacl.Table
gateKey, err := h.gateKey(r.Context()) key, err := h.bearerTokenIssuerKey(r.Context())
if err != nil { if err != nil {
return nil, err return nil, err
} }
objectACL, err := parseACLHeaders(r.Header, gateKey) objectACL, err := parseACLHeaders(r.Header, key)
if err != nil { if err != nil {
return nil, fmt.Errorf("could not parse object acl: %w", err) return nil, fmt.Errorf("could not parse object acl: %w", err)
} }
@ -552,13 +552,13 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
gateKey, err := h.gateKey(r.Context()) key, err := h.bearerTokenIssuerKey(r.Context())
if err != nil { if err != nil {
h.logAndSendError(w, "couldn't get gate key", reqInfo, err) h.logAndSendError(w, "couldn't get bearer token signature key", reqInfo, err)
return return
} }
bktACL, err := parseACLHeaders(r.Header, gateKey) bktACL, err := parseACLHeaders(r.Header, key)
if err != nil { if err != nil {
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err) h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
return return