forked from TrueCloudLab/frostfs-s3-gw
[#395] Fix grantee in ACL
Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
Angira Kekteeva
Alex Vanin
parent
ed47bc1596
commit
f3df5ff633
3 changed files with 27 additions and 25 deletions
|
|
@ -3,6 +3,7 @@ package handler
|
|||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"encoding/xml"
|
||||
|
|
@ -145,30 +146,31 @@ func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
}
|
||||
|
||||
func (h *handler) gateKey(ctx context.Context) (*keys.PublicKey, error) {
|
||||
gateKey := h.obj.EphemeralKey()
|
||||
func (h *handler) bearerTokenIssuerKey(ctx context.Context) (*keys.PublicKey, error) {
|
||||
box, err := layer.GetBoxData(ctx)
|
||||
if err == nil {
|
||||
if box.Gate.GateKey == nil {
|
||||
return nil, fmt.Errorf("gate key must not be nil")
|
||||
}
|
||||
gateKey = box.Gate.GateKey
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return gateKey, nil
|
||||
key, err := keys.NewPublicKeyFromBytes(box.Gate.BearerToken.Signature().Key(), elliptic.P256())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return key, nil
|
||||
}
|
||||
|
||||
func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||
reqInfo := api.GetReqInfo(r.Context())
|
||||
gateKey, err := h.gateKey(r.Context())
|
||||
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
||||
h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err)
|
||||
return
|
||||
}
|
||||
|
||||
list := &AccessControlPolicy{}
|
||||
if r.ContentLength == 0 {
|
||||
list, err = parseACLHeaders(r.Header, gateKey)
|
||||
list, err = parseACLHeaders(r.Header, key)
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
||||
return
|
||||
|
|
@ -256,7 +258,7 @@ func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
|||
func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||
reqInfo := api.GetReqInfo(r.Context())
|
||||
versionID := reqInfo.URL.Query().Get(api.QueryVersionID)
|
||||
gateKey, err := h.gateKey(r.Context())
|
||||
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
||||
return
|
||||
|
|
@ -264,7 +266,7 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
list := &AccessControlPolicy{}
|
||||
if r.ContentLength == 0 {
|
||||
list, err = parseACLHeaders(r.Header, gateKey)
|
||||
list, err = parseACLHeaders(r.Header, key)
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
||||
return
|
||||
|
|
@ -375,16 +377,16 @@ func (h *handler) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request)
|
|||
}
|
||||
}
|
||||
|
||||
func parseACLHeaders(header http.Header, gateKey *keys.PublicKey) (*AccessControlPolicy, error) {
|
||||
func parseACLHeaders(header http.Header, key *keys.PublicKey) (*AccessControlPolicy, error) {
|
||||
var err error
|
||||
acp := &AccessControlPolicy{Owner: Owner{
|
||||
ID: hex.EncodeToString(gateKey.Bytes()),
|
||||
DisplayName: gateKey.Address(),
|
||||
ID: hex.EncodeToString(key.Bytes()),
|
||||
DisplayName: key.Address(),
|
||||
}}
|
||||
acp.AccessControlList = []*Grant{{
|
||||
Grantee: &Grantee{
|
||||
ID: hex.EncodeToString(gateKey.Bytes()),
|
||||
DisplayName: gateKey.Address(),
|
||||
ID: hex.EncodeToString(key.Bytes()),
|
||||
DisplayName: key.Address(),
|
||||
Type: acpCanonicalUser,
|
||||
},
|
||||
Permission: aclFullControl,
|
||||
|
|
|
|||
|
|
@ -127,12 +127,12 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
|
|||
)
|
||||
|
||||
if containsACLHeaders(r) {
|
||||
gateKey, err := h.gateKey(r.Context())
|
||||
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
||||
return
|
||||
}
|
||||
data.ACL, err = parseACLHeaders(r.Header, gateKey)
|
||||
data.ACL, err = parseACLHeaders(r.Header, key)
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "could not parse acl", reqInfo, err)
|
||||
return
|
||||
|
|
|
|||
|
|
@ -462,11 +462,11 @@ func containsACLHeaders(r *http.Request) bool {
|
|||
|
||||
func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) {
|
||||
var newEaclTable *eacl.Table
|
||||
gateKey, err := h.gateKey(r.Context())
|
||||
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
objectACL, err := parseACLHeaders(r.Header, gateKey)
|
||||
objectACL, err := parseACLHeaders(r.Header, key)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not parse object acl: %w", err)
|
||||
}
|
||||
|
|
@ -552,13 +552,13 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
gateKey, err := h.gateKey(r.Context())
|
||||
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
||||
h.logAndSendError(w, "couldn't get bearer token signature key", reqInfo, err)
|
||||
return
|
||||
}
|
||||
|
||||
bktACL, err := parseACLHeaders(r.Header, gateKey)
|
||||
bktACL, err := parseACLHeaders(r.Header, key)
|
||||
if err != nil {
|
||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
||||
return
|
||||
|
|
|
|||
Loading…
Reference in a new issue