[#247] object/eacl: Use address from session token in request validation
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
dba88c79b4
commit
49131f1bc7
5 changed files with 44 additions and 37 deletions
|
@ -606,19 +606,21 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
hdrSrcOpts := make([]eaclV2.Option, 0, 2)
|
||||
hdrSrcOpts := make([]eaclV2.Option, 0, 3)
|
||||
|
||||
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithLocalObjectStorage(cfg.localStorage))
|
||||
|
||||
if req, ok := msg.(eaclV2.Request); ok {
|
||||
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
|
||||
} else {
|
||||
addr := objectSDK.NewAddress()
|
||||
addr.SetContainerID(reqInfo.cid)
|
||||
addr.SetObjectID(reqInfo.oid)
|
||||
|
||||
// TODO: Add 'WithAddress' option to config and use address from reqInfo
|
||||
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response), addr.ToV2()))
|
||||
hdrSrcOpts = append(hdrSrcOpts,
|
||||
eaclV2.WithLocalObjectStorage(cfg.localStorage),
|
||||
eaclV2.WithAddress(addr.ToV2()),
|
||||
)
|
||||
|
||||
if req, ok := msg.(eaclV2.Request); ok {
|
||||
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
|
||||
} else {
|
||||
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response)))
|
||||
}
|
||||
|
||||
action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit).
|
||||
|
|
|
@ -21,6 +21,8 @@ type cfg struct {
|
|||
storage ObjectStorage
|
||||
|
||||
msg xHeaderSource
|
||||
|
||||
addr *refs.Address
|
||||
}
|
||||
|
||||
type ObjectStorage interface {
|
||||
|
@ -81,22 +83,27 @@ func requestHeaders(msg xHeaderSource) []eacl.Header {
|
|||
}
|
||||
|
||||
func (h *headerSource) objectHeaders() ([]eacl.Header, bool) {
|
||||
var addr *objectSDK.Address
|
||||
if h.addr != nil {
|
||||
addr = objectSDK.NewAddressFromV2(h.addr)
|
||||
}
|
||||
|
||||
switch m := h.msg.(type) {
|
||||
default:
|
||||
panic(fmt.Sprintf("unexpected message type %T", h.msg))
|
||||
case *requestXHeaderSource:
|
||||
switch req := m.req.(type) {
|
||||
case *objectV2.GetRequest:
|
||||
return h.localObjectHeaders(req.GetBody().GetAddress())
|
||||
return h.localObjectHeaders(h.addr)
|
||||
case *objectV2.DeleteRequest:
|
||||
hs, _ := h.localObjectHeaders(req.GetBody().GetAddress())
|
||||
hs, _ := h.localObjectHeaders(h.addr)
|
||||
return hs, true
|
||||
case *objectV2.HeadRequest:
|
||||
return h.localObjectHeaders(req.GetBody().GetAddress())
|
||||
return h.localObjectHeaders(h.addr)
|
||||
case *objectV2.GetRangeRequest:
|
||||
return addressHeaders(objectSDK.NewAddressFromV2(req.GetBody().GetAddress())), true
|
||||
return addressHeaders(objectSDK.NewAddressFromV2(h.addr)), true
|
||||
case *objectV2.GetRangeHashRequest:
|
||||
hs, _ := h.localObjectHeaders(req.GetBody().GetAddress())
|
||||
hs, _ := h.localObjectHeaders(h.addr)
|
||||
return hs, true
|
||||
case *objectV2.PutRequest:
|
||||
if v, ok := req.GetBody().GetObjectPart().(*objectV2.PutObjectPartInit); ok {
|
||||
|
@ -104,14 +111,14 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) {
|
|||
oV2.SetObjectID(v.GetObjectID())
|
||||
oV2.SetHeader(v.GetHeader())
|
||||
|
||||
hs := headersFromObject(object.NewFromV2(oV2))
|
||||
if tok := oV2.GetHeader().GetSessionToken(); tok != nil {
|
||||
objCtx, ok := tok.GetBody().GetContext().(*session.ObjectSessionContext)
|
||||
if ok {
|
||||
hs = append(hs, addressHeaders(objectSDK.NewAddressFromV2(objCtx.GetAddress()))...)
|
||||
}
|
||||
if addr == nil {
|
||||
addr = objectSDK.NewAddress()
|
||||
addr.SetContainerID(container.NewIDFromV2(v.GetHeader().GetContainerID()))
|
||||
addr.SetObjectID(objectSDK.NewIDFromV2(v.GetObjectID()))
|
||||
}
|
||||
|
||||
hs := headersFromObject(object.NewFromV2(oV2), addr)
|
||||
|
||||
return hs, true
|
||||
}
|
||||
case *objectV2.SearchRequest:
|
||||
|
@ -123,7 +130,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) {
|
|||
case *responseXHeaderSource:
|
||||
switch resp := m.resp.(type) {
|
||||
default:
|
||||
hs, _ := h.localObjectHeaders(m.addr)
|
||||
hs, _ := h.localObjectHeaders(h.addr)
|
||||
return hs, true
|
||||
case *objectV2.GetResponse:
|
||||
if v, ok := resp.GetBody().GetObjectPart().(*objectV2.GetObjectPartInit); ok {
|
||||
|
@ -131,7 +138,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) {
|
|||
oV2.SetObjectID(v.GetObjectID())
|
||||
oV2.SetHeader(v.GetHeader())
|
||||
|
||||
return headersFromObject(object.NewFromV2(oV2)), true
|
||||
return headersFromObject(object.NewFromV2(oV2), addr), true
|
||||
}
|
||||
case *objectV2.HeadResponse:
|
||||
oV2 := new(objectV2.Object)
|
||||
|
@ -142,7 +149,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) {
|
|||
case *objectV2.ShortHeader:
|
||||
hdr = new(objectV2.Header)
|
||||
|
||||
hdr.SetContainerID(m.addr.GetContainerID())
|
||||
hdr.SetContainerID(h.addr.GetContainerID())
|
||||
hdr.SetVersion(v.GetVersion())
|
||||
hdr.SetCreationEpoch(v.GetCreationEpoch())
|
||||
hdr.SetOwnerID(v.GetOwnerID())
|
||||
|
@ -154,10 +161,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) {
|
|||
|
||||
oV2.SetHeader(hdr)
|
||||
|
||||
return append(
|
||||
headersFromObject(object.NewFromV2(oV2)),
|
||||
oidHeader(objectSDK.NewIDFromV2(m.addr.GetObjectID())),
|
||||
), true
|
||||
return headersFromObject(object.NewFromV2(oV2), addr), true
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -169,7 +173,7 @@ func (h *headerSource) localObjectHeaders(addrV2 *refs.Address) ([]eacl.Header,
|
|||
|
||||
obj, err := h.storage.Head(addr)
|
||||
if err == nil {
|
||||
return append(headersFromObject(obj), addressHeaders(addr)...), true
|
||||
return headersFromObject(obj, addr), true
|
||||
}
|
||||
|
||||
return addressHeaders(addr), false
|
||||
|
|
|
@ -39,14 +39,13 @@ func u64Value(v uint64) string {
|
|||
return strconv.FormatUint(v, 10)
|
||||
}
|
||||
|
||||
func headersFromObject(obj *object.Object) []eacl.Header {
|
||||
func headersFromObject(obj *object.Object, addr *objectSDK.Address) []eacl.Header {
|
||||
// TODO: optimize allocs
|
||||
res := make([]eacl.Header, 0)
|
||||
|
||||
for ; obj != nil; obj = obj.GetParent() {
|
||||
res = append(res,
|
||||
// container ID
|
||||
cidHeader(obj.ContainerID()),
|
||||
cidHeader(addr.ContainerID()),
|
||||
// owner ID
|
||||
&sysObjHdr{
|
||||
k: acl.FilterObjectOwnerID,
|
||||
|
@ -62,7 +61,7 @@ func headersFromObject(obj *object.Object) []eacl.Header {
|
|||
k: acl.FilterObjectPayloadLength,
|
||||
v: u64Value(obj.PayloadSize()),
|
||||
},
|
||||
oidHeader(obj.ID()),
|
||||
oidHeader(addr.ObjectID()),
|
||||
// TODO: add others fields after neofs-api#84
|
||||
)
|
||||
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
package v2
|
||||
|
||||
import (
|
||||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/engine"
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/refs"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/engine"
|
||||
)
|
||||
|
||||
func WithObjectStorage(v ObjectStorage) Option {
|
||||
|
@ -27,11 +27,16 @@ func WithServiceRequest(v Request) Option {
|
|||
}
|
||||
}
|
||||
|
||||
func WithServiceResponse(v Response, addr *refs.Address) Option {
|
||||
func WithServiceResponse(v Response) Option {
|
||||
return func(c *cfg) {
|
||||
c.msg = &responseXHeaderSource{
|
||||
resp: v,
|
||||
addr: addr,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func WithAddress(v *refs.Address) Option {
|
||||
return func(c *cfg) {
|
||||
c.addr = v
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
package v2
|
||||
|
||||
import (
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/refs"
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
||||
)
|
||||
|
||||
|
@ -15,8 +14,6 @@ type requestXHeaderSource struct {
|
|||
|
||||
type responseXHeaderSource struct {
|
||||
resp Response
|
||||
|
||||
addr *refs.Address
|
||||
}
|
||||
|
||||
func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader {
|
||||
|
|
Loading…
Reference in a new issue