From 5f86d54721a5936d1f28a54eafca02abb7033210 Mon Sep 17 00:00:00 2001
From: Evgenii Stratonikov
Date: Fri, 10 Sep 2021 11:18:04 +0300
Subject: [PATCH] [#816] object/acl: fix eACL target processing

Ignore role if public keys are present.

Signed-off-by: Evgenii Stratonikov
---
 pkg/services/object/acl/eacl/validator.go | 9 ++--
 .../object/acl/eacl/validator_test.go | 52 +++++++++++++++++++
 2 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 pkg/services/object/acl/eacl/validator_test.go

diff --git a/pkg/services/object/acl/eacl/validator.go b/pkg/services/object/acl/eacl/validator.go
index 187d49785..9ad18319e 100644
--- a/pkg/services/object/acl/eacl/validator.go
+++ b/pkg/services/object/acl/eacl/validator.go
@@ -159,10 +159,13 @@ func matchFilters(hdrSrc TypedHeaderSource, filters []*eacl.Filter) int {
 func targetMatches(unit *ValidationUnit, record *eacl.Record) bool {
 for _, target := range record.Targets() {
 // check public key match
- for _, key := range target.BinaryKeys() {
- if bytes.Equal(key, unit.key) {
- return true
+ if pubs := target.BinaryKeys(); len(pubs) != 0 {
+ for _, key := range pubs {
+ if bytes.Equal(key, unit.key) {
+ return true
+ }
 }
+ continue
 }

 // check target group match
diff --git a/pkg/services/object/acl/eacl/validator_test.go b/pkg/services/object/acl/eacl/validator_test.go
new file mode 100644
index 000000000..7add95a20
--- /dev/null
+++ b/pkg/services/object/acl/eacl/validator_test.go
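Review bot: In targetMatches (validator.go), the new branch lets a target's key list take precedence over its role, yet the only comment there is still `// check public key match`, so the rule deciding who an eACL record applies to is not written down in the function. Before this change a target whose keys did not match apparently fell through to the group check that follows; after the `continue` it is matched by key only, which for a record that denies access would narrow the set of denied requesters (the record's action is not visible in this hunk, so that part is inferred). I would state the rule at the branch, e.g. `// A target that lists public keys is matched by key only; its role is ignored.`, and repeat it in a doc comment on targetMatches. The function body continues past the end of the hunk.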
@@ -0,0 +1,52 @@
+package eacl
+
+import (
+ "math/rand"
+ "testing"
+
+ "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
+ "github.com/stretchr/testify/require"
+)
+
+func TestTargetMatches(t *testing.T) {
+ pubs := make([][]byte, 3)
+ for i := range pubs {
+ pubs[i] = make([]byte, 33)
+ pubs[i][0] = 0x02
+
+ _, err := rand.Read(pubs[i][1:])
+ require.NoError(t, err)
+ }
+
+ tgt1 := eacl.NewTarget()
+ tgt1.SetBinaryKeys(pubs[0:2])
+ tgt1.SetRole(eacl.RoleUser)
+
+ tgt2 := eacl.NewTarget()
+ tgt2.SetRole(eacl.RoleOthers)
+
+ r := eacl.NewRecord()
+ r.SetTargets(tgt1, tgt2)
+
+ u := newValidationUnit(eacl.RoleUser, pubs[0])
+ require.True(t, targetMatches(u, r))
+
+ u = newValidationUnit(eacl.RoleUser, pubs[2])
+ require.False(t, targetMatches(u, r))
+
+ u = newValidationUnit(eacl.RoleUnknown, pubs[1])
+ require.True(t, targetMatches(u, r))
+
+ u = newValidationUnit(eacl.RoleOthers, pubs[2])
+ require.True(t, targetMatches(u, r))
+
+ u = newValidationUnit(eacl.RoleSystem, pubs[2])
+ require.False(t, targetMatches(u, r))
+}
+
+func newValidationUnit(role eacl.Role, key []byte) *ValidationUnit {
+ return &ValidationUnit{
+ role: role,
+ key: key,
+ }
+}
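Review bot: The five assertions in TestTargetMatches carry no comment or failure message, so a failing `require.False` does not say which access rule broke; the second one (`eacl.RoleUser` with `pubs[2]`) is the regression case for this fix and is not marked as such. I would pass a message to each, e.g. `require.False(t, targetMatches(u, r), "role must be ignored when the target lists keys")`, or put a one-line comment above each case. A case with an empty requester key, `newValidationUnit(eacl.RoleUser, nil)`, is also absent; I would expect it to return false against this record, and pinning that keeps the key comparison from ever matching on a nil or empty key.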