[#229] services/tree: Use bearer owner as signer

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

go.mod

@@ -5,7 +5,7 @@ go 1.18
 require (
 	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
-	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204
+	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68
 	git.frostfs.info/TrueCloudLab/hrw v1.2.0
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	github.com/cheggaaa/pb v1.0.29

pkg/services/tree/signature.go

@@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 	}
 
 	var tb eacl.Table
+	signer := req.GetSignature().GetKey()
 	if tableFromBearer {
 		if bt.Impersonate() {
 			tbCore, err := s.eaclSource.GetEACL(cid)
@@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 				return handleGetEACLError(err)
 			}
 			tb = *tbCore.Value
+			signer = bt.SigningKeyBytes()
 		} else {
 			if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
 				return eACLErr(eaclOp, errBearerWrongOwner)
@@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 		tb = *tbCore.Value
 	}
 
-	return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
+	return checkEACL(tb, signer, eACLRole(role), eaclOp)
 }
 
 func handleGetEACLError(err error) error {

pkg/services/tree/signature_test.go

@@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
 	return cnt, nil
 }
 
+type dummyEACLSource map[string]*containercore.EACL
+
+func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
+	cntEACL, ok := s[id.String()]
+	if !ok {
+		return nil, errors.New("container not found")
+	}
+	return cntEACL, nil
+}
+
 func testContainer(owner user.ID) container.Container {
 	var r netmapSDK.ReplicaDescriptor
 	r.SetNumberOfObjects(1)
@@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) {
 			cnrSource: dummyContainerSource{
 				cid1.String(): cnr,
 			},
+			eaclSource: dummyEACLSource{
+				cid1.String(): &containercore.EACL{
+					Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
+				},
+			},
 		},
 	}
 
@@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) {
 			require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 		})
 
+		t.Run("impersonate", func(t *testing.T) {
+			cnr.Value.SetBasicACL(acl.PublicRWExtended)
+			var bt bearer.Token
+			bt.SetImpersonate(true)
+
+			require.NoError(t, bt.Sign(privs[1].PrivateKey))
+			req.Body.BearerToken = bt.Marshal()
+
+			require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
+			require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+		})
+
 		bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
 		require.NoError(t, bt.Sign(privs[0].PrivateKey))
 		req.Body.BearerToken = bt.Marshal()
@@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) {
 }
 
 func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
+	var b bearer.Token
+	b.SetEACLTable(*testTable(cid, forPutGet, forGet))
+
+	return b
+}
+
+func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
 	tgtGet := eaclSDK.NewTarget()
 	tgtGet.SetRole(eaclSDK.RoleUnknown)
 	tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
@@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
 
 	tb.SetCID(cid)
 
-	var b bearer.Token
+	return tb
-	b.SetEACLTable(*tb)
-
-	return b
 }