[#229] acl: Allow Impersonate
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
parent
04be9415d9
commit
c04f6c5e59
2 changed files with 14 additions and 4 deletions
|
@ -125,15 +125,17 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bearerTok := reqInfo.Bearer()
|
||||||
|
impersonate := bearerTok != nil && bearerTok.Impersonate()
|
||||||
|
|
||||||
// if bearer token is not allowed, then ignore it
|
// if bearer token is not allowed, then ignore it
|
||||||
if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
|
if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
|
||||||
reqInfo.CleanBearer()
|
reqInfo.CleanBearer()
|
||||||
}
|
}
|
||||||
|
|
||||||
var table eaclSDK.Table
|
var table eaclSDK.Table
|
||||||
cnr := reqInfo.ContainerID()
|
cnr := reqInfo.ContainerID()
|
||||||
|
|
||||||
bearerTok := reqInfo.Bearer()
|
|
||||||
if bearerTok == nil {
|
if bearerTok == nil {
|
||||||
eaclInfo, err := c.eaclSrc.GetEACL(cnr)
|
eaclInfo, err := c.eaclSrc.GetEACL(cnr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -113,6 +113,10 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
||||||
return nil, nil, errEmptyVerificationHeader
|
return nil, nil, errEmptyVerificationHeader
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if r.bearer != nil && r.bearer.Impersonate() {
|
||||||
|
return unmarshalPublicKeyWithOwner(r.bearer.SigningKeyBytes())
|
||||||
|
}
|
||||||
|
|
||||||
// if session token is presented, use it as truth source
|
// if session token is presented, use it as truth source
|
||||||
if r.token != nil {
|
if r.token != nil {
|
||||||
// verify signature of session token
|
// verify signature of session token
|
||||||
|
@ -125,9 +129,13 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
||||||
return nil, nil, errEmptyBodySig
|
return nil, nil, errEmptyBodySig
|
||||||
}
|
}
|
||||||
|
|
||||||
key, err := unmarshalPublicKey(bodySignature.GetKey())
|
return unmarshalPublicKeyWithOwner(bodySignature.GetKey())
|
||||||
|
}
|
||||||
|
|
||||||
|
func unmarshalPublicKeyWithOwner(rawKey []byte) (*user.ID, *keys.PublicKey, error) {
|
||||||
|
key, err := unmarshalPublicKey(rawKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, fmt.Errorf("invalid key in body signature: %w", err)
|
return nil, nil, fmt.Errorf("invalid signature key: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
var idSender user.ID
|
var idSender user.ID
|
||||||
|
|
Loading…
Reference in a new issue