frostfs-node/pkg/services/object/acl/acl.go

package acl

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"errors"
	"fmt"
	"io"

	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/local_object_storage/engine"
	eaclV2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/eacl/v2"
	v2 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/acl/v2"
	bearerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
	frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
	eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
	objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
)

// Checker implements v2.ACLChecker interfaces and provides
// ACL/eACL validation functionality.
type Checker struct {
	eaclSrc      container.EACLSource
	validator    *eaclSDK.Validator
	localStorage *engine.StorageEngine
	state        netmap.State
}

type localStorage struct {
	ls *engine.StorageEngine
}

func (s *localStorage) Head(ctx context.Context, addr oid.Address) (*objectSDK.Object, error) {
	if s.ls == nil {
		return nil, io.ErrUnexpectedEOF
	}

	return engine.Head(ctx, s.ls, addr)
}

// Various EACL check errors.
var (
	errEACLDeniedByRule         = errors.New("denied by rule")
	errBearerExpired            = errors.New("bearer token has expired")
	errBearerInvalidSignature   = errors.New("bearer token has invalid signature")
	errBearerInvalidContainerID = errors.New("bearer token was created for another container")
	errBearerNotSignedByOwner   = errors.New("bearer token is not signed by the container owner")
	errBearerInvalidOwner       = errors.New("bearer token owner differs from the request sender")
)

// NewChecker creates Checker.
// Panics if at least one of the parameter is nil.
func NewChecker(
	state netmap.State,
	eaclSrc container.EACLSource,
	validator *eaclSDK.Validator,
	localStorage *engine.StorageEngine,
) *Checker {
	return &Checker{
		eaclSrc:      eaclSrc,
		validator:    validator,
		localStorage: localStorage,
		state:        state,
	}
}

// CheckBasicACL is a main check function for basic ACL.
func (c *Checker) CheckBasicACL(info v2.RequestInfo) bool {
	// check basic ACL permissions
	return info.BasicACL().IsOpAllowed(info.Operation(), info.RequestRole())
}

// StickyBitCheck validates owner field in the request if sticky bit is enabled.
func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner user.ID) bool {
	// According to FrostFS specification sticky bit has no effect on system nodes
	// for correct intra-container work with objects (in particular, replication).
	if info.RequestRole() == acl.RoleContainer {
		return true
	}

	if !info.BasicACL().Sticky() {
		return true
	}

	if len(info.SenderKey()) == 0 {
		return false
	}

	requestSenderKey := unmarshalPublicKey(info.SenderKey())

	return isOwnerFromKey(owner, requestSenderKey)
}

// CheckEACL is a main check function for extended ACL.
func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
	basicACL := reqInfo.BasicACL()
	if !basicACL.Extendable() {
		return nil
	}

	bearerTok := reqInfo.Bearer()
	impersonate := bearerTok != nil && bearerTok.Impersonate()

	// if bearer token is not allowed, then ignore it
	if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
		reqInfo.CleanBearer()
	}

	var table eaclSDK.Table
	cnr := reqInfo.ContainerID()

	if bearerTok == nil {
		eaclInfo, err := c.eaclSrc.GetEACL(cnr)
		if err != nil {
			if client.IsErrEACLNotFound(err) {
				return nil
			}
			return err
		}

		table = *eaclInfo.Value
	} else {
		table = bearerTok.EACLTable()
	}

	// if bearer token is not present, isValidBearer returns true
	if err := isValidBearer(reqInfo, c.state); err != nil {
		return err
	}

	hdrSrc, err := c.getHeaderSource(cnr, msg, reqInfo)
	if err != nil {
		return err
	}

	eaclRole := getRole(reqInfo)

	action, _ := c.validator.CalculateAction(new(eaclSDK.ValidationUnit).
		WithRole(eaclRole).
		WithOperation(eaclSDK.Operation(reqInfo.Operation())).
		WithContainerID(&cnr).
		WithSenderKey(reqInfo.SenderKey()).
		WithHeaderSource(hdrSrc).
		WithEACLTable(&table),
	)

	if action != eaclSDK.ActionAllow {
		return errEACLDeniedByRule
	}
	return nil
}

func getRole(reqInfo v2.RequestInfo) eaclSDK.Role {
	var eaclRole eaclSDK.Role
	switch op := reqInfo.RequestRole(); op {
	default:
		eaclRole = eaclSDK.Role(op)
	case acl.RoleOwner:
		eaclRole = eaclSDK.RoleUser
	case acl.RoleInnerRing, acl.RoleContainer:
		eaclRole = eaclSDK.RoleSystem
	case acl.RoleOthers:
		eaclRole = eaclSDK.RoleOthers
	}
	return eaclRole
}

func (c *Checker) getHeaderSource(cnr cid.ID, msg any, reqInfo v2.RequestInfo) (eaclSDK.TypedHeaderSource, error) {
	var xHeaderSource eaclV2.XHeaderSource
	if req, ok := msg.(eaclV2.Request); ok {
		xHeaderSource = eaclV2.NewRequestXHeaderSource(req)
	} else {
		xHeaderSource = eaclV2.NewResponseXHeaderSource(msg.(eaclV2.Response), reqInfo.Request().(eaclV2.Request))
	}

	hdrSrc, err := eaclV2.NewMessageHeaderSource(&localStorage{ls: c.localStorage}, xHeaderSource, cnr, eaclV2.WithOID(reqInfo.ObjectID()))
	if err != nil {
		return nil, fmt.Errorf("can't parse headers: %w", err)
	}
	return hdrSrc, nil
}

// isValidBearer checks whether bearer token was correctly signed by authorized
// entity. This method might be defined on whole ACL service because it will
// require fetching current epoch to check lifetime.
func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
	ownerCnr := reqInfo.ContainerOwner()

	token := reqInfo.Bearer()

	// 0. Check if bearer token is present in reqInfo.
	if token == nil {
		return nil
	}

	// 1. First check token lifetime. Simplest verification.
	if token.InvalidAt(st.CurrentEpoch()) {
		return errBearerExpired
	}

	// 2. Then check if bearer token is signed correctly.
	if !token.VerifySignature() {
		return errBearerInvalidSignature
	}

	// 3. Then check if container is either empty or equal to the container in the request.
	cnr, isSet := token.EACLTable().CID()
	if isSet && !cnr.Equals(reqInfo.ContainerID()) {
		return errBearerInvalidContainerID
	}

	// 4. Then check if container owner signed this token.
	if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
		// TODO: #767 in this case we can issue all owner keys from frostfs.id and check once again
		return errBearerNotSignedByOwner
	}

	// 5. Then check if request sender has rights to use this token.
	var keySender frostfsecdsa.PublicKey

	err := keySender.Decode(reqInfo.SenderKey())
	if err != nil {
		return fmt.Errorf("decode sender public key: %w", err)
	}

	var usrSender user.ID
	user.IDFromKey(&usrSender, ecdsa.PublicKey(keySender))

	if !token.AssertUser(usrSender) {
		// TODO: #767 in this case we can issue all owner keys from frostfs.id and check once again
		return errBearerInvalidOwner
	}

	return nil
}

func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool {
	if key == nil {
		return false
	}

	var id2 user.ID
	user.IDFromKey(&id2, (ecdsa.PublicKey)(*key))

	return id.Equals(id2)
}

func unmarshalPublicKey(bs []byte) *keys.PublicKey {
	pub, err := keys.NewPublicKeyFromBytes(bs, elliptic.P256())
	if err != nil {
		return nil
	}
	return pub
}