forked from TrueCloudLab/frostfs-node
[#66] Use session token of object header at put ACL check
Owner of the request is stored in session token most of the times. Put request contains session token in the object body, so we have to fetch it from there. Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
Alex Vanin
Alex Vanin
parent
2ee24998ba
commit
afeebd310c
2 changed files with 60 additions and 28 deletions
|
|
@ -8,6 +8,7 @@ import (
|
|||
"github.com/nspcc-dev/neofs-api-go/pkg/container"
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/owner"
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/object"
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
||||
core "github.com/nspcc-dev/neofs-node/pkg/core/container"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
|
@ -75,7 +76,12 @@ func (b BasicChecker) Get(
|
|||
return nil, err
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(request, cid, acl.OperationGet)
|
||||
req := metaWithToken{
|
||||
vheader: request.GetVerificationHeader(),
|
||||
token: request.GetMetaHeader().GetSessionToken(),
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -110,7 +116,12 @@ func (b BasicChecker) Head(
|
|||
return nil, err
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(request, cid, acl.OperationHead)
|
||||
req := metaWithToken{
|
||||
vheader: request.GetVerificationHeader(),
|
||||
token: request.GetMetaHeader().GetSessionToken(),
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -133,7 +144,12 @@ func (b BasicChecker) Search(
|
|||
return nil, err
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(request, cid, acl.OperationSearch)
|
||||
req := metaWithToken{
|
||||
vheader: request.GetVerificationHeader(),
|
||||
token: request.GetMetaHeader().GetSessionToken(),
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -155,7 +171,12 @@ func (b BasicChecker) Delete(
|
|||
return nil, err
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(request, cid, acl.OperationDelete)
|
||||
req := metaWithToken{
|
||||
vheader: request.GetVerificationHeader(),
|
||||
token: request.GetMetaHeader().GetSessionToken(),
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -176,7 +197,12 @@ func (b BasicChecker) GetRange(
|
|||
return nil, err
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(request, cid, acl.OperationRange)
|
||||
req := metaWithToken{
|
||||
vheader: request.GetVerificationHeader(),
|
||||
token: request.GetMetaHeader().GetSessionToken(),
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -198,7 +224,12 @@ func (b BasicChecker) GetRangeHash(
|
|||
return nil, err
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(request, cid, acl.OperationRangeHash)
|
||||
req := metaWithToken{
|
||||
vheader: request.GetVerificationHeader(),
|
||||
token: request.GetMetaHeader().GetSessionToken(),
|
||||
}
|
||||
|
||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -217,23 +248,28 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
|
|||
}
|
||||
|
||||
part := body.GetObjectPart()
|
||||
if _, ok := part.(*object.PutObjectPartInit); ok {
|
||||
if part, ok := part.(*object.PutObjectPartInit); ok {
|
||||
cid, err := getContainerIDFromRequest(request)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
owner, err := getObjectOwnerFromMessage(request)
|
||||
ownerID, err := getObjectOwnerFromMessage(request)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
reqInfo, err := p.source.findRequestInfo(request, cid, acl.OperationPut)
|
||||
req := metaWithToken{
|
||||
vheader: request.GetVerificationHeader(),
|
||||
token: part.GetHeader().GetSessionToken(),
|
||||
}
|
||||
|
||||
reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, owner) {
|
||||
if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, ownerID) {
|
||||
return ErrBasicAccessDenied
|
||||
}
|
||||
}
|
||||
|
|
@ -272,7 +308,7 @@ func (g getStreamBasicChecker) Recv() (*object.GetResponse, error) {
|
|||
}
|
||||
|
||||
func (b BasicChecker) findRequestInfo(
|
||||
req RequestV2,
|
||||
req metaWithToken,
|
||||
cid *container.ID,
|
||||
op acl.Operation) (info requestInfo, err error) {
|
||||
|
||||
|
|
|
|||
|
|
@ -20,9 +20,9 @@ type (
|
|||
InnerRingKeys() ([][]byte, error)
|
||||
}
|
||||
|
||||
RequestV2 interface {
|
||||
GetMetaHeader() *session.RequestMetaHeader
|
||||
GetVerificationHeader() *session.RequestVerificationHeader
|
||||
metaWithToken struct {
|
||||
vheader *session.RequestVerificationHeader
|
||||
token *session.SessionToken
|
||||
}
|
||||
|
||||
SenderClassifier struct {
|
||||
|
|
@ -40,10 +40,11 @@ func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
|
|||
}
|
||||
|
||||
func (c SenderClassifier) Classify(
|
||||
req RequestV2,
|
||||
req metaWithToken,
|
||||
cid *container.ID,
|
||||
cnr *container.Container) acl.Role {
|
||||
if cid == nil || req == nil {
|
||||
|
||||
if cid == nil {
|
||||
// log there
|
||||
return acl.RoleUnknown
|
||||
}
|
||||
|
|
@ -83,24 +84,19 @@ func (c SenderClassifier) Classify(
|
|||
return acl.RoleOthers
|
||||
}
|
||||
|
||||
func requestOwner(req RequestV2) (*owner.ID, *ecdsa.PublicKey, error) {
|
||||
var (
|
||||
meta = req.GetMetaHeader()
|
||||
verify = req.GetVerificationHeader()
|
||||
)
|
||||
|
||||
if meta == nil || verify == nil {
|
||||
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at meta or verify header")
|
||||
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
|
||||
if req.vheader == nil {
|
||||
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil verification header")
|
||||
}
|
||||
|
||||
// if session token is presented, use it as truth source
|
||||
if token := meta.GetSessionToken(); token != nil {
|
||||
body := token.GetBody()
|
||||
if req.token != nil {
|
||||
body := req.token.GetBody()
|
||||
if body == nil {
|
||||
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at session token body")
|
||||
}
|
||||
|
||||
signature := token.GetSignature()
|
||||
signature := req.token.GetSignature()
|
||||
if signature == nil {
|
||||
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at signature")
|
||||
}
|
||||
|
|
@ -109,7 +105,7 @@ func requestOwner(req RequestV2) (*owner.ID, *ecdsa.PublicKey, error) {
|
|||
}
|
||||
|
||||
// otherwise get original body signature
|
||||
bodySignature := originalBodySignature(verify)
|
||||
bodySignature := originalBodySignature(req.vheader)
|
||||
if bodySignature == nil {
|
||||
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at body signature")
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue