[#229] acl: Allow Impersonate
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
parent
04be9415d9
commit
c04f6c5e59
2 changed files with 14 additions and 4 deletions
|
@ -125,15 +125,17 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
bearerTok := reqInfo.Bearer()
|
||||
impersonate := bearerTok != nil && bearerTok.Impersonate()
|
||||
|
||||
// if bearer token is not allowed, then ignore it
|
||||
if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
|
||||
if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
|
||||
reqInfo.CleanBearer()
|
||||
}
|
||||
|
||||
var table eaclSDK.Table
|
||||
cnr := reqInfo.ContainerID()
|
||||
|
||||
bearerTok := reqInfo.Bearer()
|
||||
if bearerTok == nil {
|
||||
eaclInfo, err := c.eaclSrc.GetEACL(cnr)
|
||||
if err != nil {
|
||||
|
|
|
@ -113,6 +113,10 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
|||
return nil, nil, errEmptyVerificationHeader
|
||||
}
|
||||
|
||||
if r.bearer != nil && r.bearer.Impersonate() {
|
||||
return unmarshalPublicKeyWithOwner(r.bearer.SigningKeyBytes())
|
||||
}
|
||||
|
||||
// if session token is presented, use it as truth source
|
||||
if r.token != nil {
|
||||
// verify signature of session token
|
||||
|
@ -125,9 +129,13 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
|||
return nil, nil, errEmptyBodySig
|
||||
}
|
||||
|
||||
key, err := unmarshalPublicKey(bodySignature.GetKey())
|
||||
return unmarshalPublicKeyWithOwner(bodySignature.GetKey())
|
||||
}
|
||||
|
||||
func unmarshalPublicKeyWithOwner(rawKey []byte) (*user.ID, *keys.PublicKey, error) {
|
||||
key, err := unmarshalPublicKey(rawKey)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("invalid key in body signature: %w", err)
|
||||
return nil, nil, fmt.Errorf("invalid signature key: %w", err)
|
||||
}
|
||||
|
||||
var idSender user.ID
|
||||
|
|
Loading…
Reference in a new issue