2022-02-11 12:25:05 +00:00
|
|
|
package v2
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/ecdsa"
|
|
|
|
"fmt"
|
|
|
|
|
2024-11-07 14:32:10 +00:00
|
|
|
sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/session"
|
2023-03-07 13:38:26 +00:00
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
|
|
|
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
|
|
|
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
|
|
|
sessionSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
2022-02-11 12:25:05 +00:00
|
|
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
|
|
|
)
|
|
|
|
|
|
|
|
// RequestInfo groups parsed version-independent (from SDK library)
|
|
|
|
// request information and raw API request.
|
|
|
|
type RequestInfo struct {
|
2022-06-17 13:40:51 +00:00
|
|
|
basicACL acl.Basic
|
|
|
|
requestRole acl.Role
|
|
|
|
operation acl.Op // put, get, head, etc.
|
|
|
|
cnrOwner user.ID // container owner
|
2022-02-11 12:25:05 +00:00
|
|
|
|
2023-12-27 14:18:15 +00:00
|
|
|
// cnrNamespace defined to which namespace a container is belonged.
|
|
|
|
cnrNamespace string
|
|
|
|
|
2022-05-31 17:00:41 +00:00
|
|
|
idCnr cid.ID
|
2022-02-11 12:25:05 +00:00
|
|
|
|
2022-05-24 18:47:21 +00:00
|
|
|
// optional for some request
|
|
|
|
// e.g. Put, Search
|
2022-05-31 17:00:41 +00:00
|
|
|
obj *oid.ID
|
2022-02-11 12:25:05 +00:00
|
|
|
|
|
|
|
senderKey []byte
|
|
|
|
|
2022-05-12 07:22:02 +00:00
|
|
|
bearer *bearer.Token // bearer token of request
|
2022-02-11 12:25:05 +00:00
|
|
|
|
2023-02-21 11:42:45 +00:00
|
|
|
srcRequest any
|
2022-02-11 12:25:05 +00:00
|
|
|
}
|
|
|
|
|
2022-06-17 13:40:51 +00:00
|
|
|
func (r *RequestInfo) SetBasicACL(basicACL acl.Basic) {
|
2022-02-11 12:25:05 +00:00
|
|
|
r.basicACL = basicACL
|
|
|
|
}
|
|
|
|
|
2022-06-17 13:40:51 +00:00
|
|
|
func (r *RequestInfo) SetRequestRole(requestRole acl.Role) {
|
2022-02-11 12:25:05 +00:00
|
|
|
r.requestRole = requestRole
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *RequestInfo) SetSenderKey(senderKey []byte) {
|
|
|
|
r.senderKey = senderKey
|
|
|
|
}
|
|
|
|
|
|
|
|
// Request returns raw API request.
|
2023-02-21 11:42:45 +00:00
|
|
|
func (r RequestInfo) Request() any {
|
2022-02-11 12:25:05 +00:00
|
|
|
return r.srcRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
// ContainerOwner returns owner if the container.
|
2022-05-31 17:00:41 +00:00
|
|
|
func (r RequestInfo) ContainerOwner() user.ID {
|
2022-02-11 12:25:05 +00:00
|
|
|
return r.cnrOwner
|
|
|
|
}
|
|
|
|
|
2023-12-27 14:18:15 +00:00
|
|
|
func (r RequestInfo) ContainerNamespace() string {
|
|
|
|
return r.cnrNamespace
|
|
|
|
}
|
|
|
|
|
2022-02-11 12:25:05 +00:00
|
|
|
// ObjectID return object ID.
|
2022-05-31 17:00:41 +00:00
|
|
|
func (r RequestInfo) ObjectID() *oid.ID {
|
|
|
|
return r.obj
|
2022-02-11 12:25:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// ContainerID return container ID.
|
2022-05-31 17:00:41 +00:00
|
|
|
func (r RequestInfo) ContainerID() cid.ID {
|
2022-02-11 12:25:05 +00:00
|
|
|
return r.idCnr
|
|
|
|
}
|
|
|
|
|
|
|
|
// CleanBearer forces cleaning bearer token information.
|
|
|
|
func (r *RequestInfo) CleanBearer() {
|
|
|
|
r.bearer = nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Bearer returns bearer token of the request.
|
2022-05-12 07:22:02 +00:00
|
|
|
func (r RequestInfo) Bearer() *bearer.Token {
|
2022-02-11 12:25:05 +00:00
|
|
|
return r.bearer
|
|
|
|
}
|
|
|
|
|
|
|
|
// BasicACL returns basic ACL of the container.
|
2022-06-17 13:40:51 +00:00
|
|
|
func (r RequestInfo) BasicACL() acl.Basic {
|
2022-02-11 12:25:05 +00:00
|
|
|
return r.basicACL
|
|
|
|
}
|
|
|
|
|
|
|
|
// SenderKey returns public key of the request's sender.
|
|
|
|
func (r RequestInfo) SenderKey() []byte {
|
|
|
|
return r.senderKey
|
|
|
|
}
|
|
|
|
|
|
|
|
// Operation returns request's operation.
|
2022-06-17 13:40:51 +00:00
|
|
|
func (r RequestInfo) Operation() acl.Op {
|
2022-02-11 12:25:05 +00:00
|
|
|
return r.operation
|
|
|
|
}
|
|
|
|
|
|
|
|
// RequestRole returns request sender's role.
|
2022-06-17 13:40:51 +00:00
|
|
|
func (r RequestInfo) RequestRole() acl.Role {
|
2022-02-11 12:25:05 +00:00
|
|
|
return r.requestRole
|
|
|
|
}
|
|
|
|
|
2024-02-14 11:14:07 +00:00
|
|
|
// IsSoftAPECheck states if APE should perform soft checks.
|
|
|
|
// Soft APE check allows a request if CheckAPE returns NoRuleFound for it,
|
|
|
|
// otherwise it denies the request.
|
|
|
|
func (r RequestInfo) IsSoftAPECheck() bool {
|
|
|
|
return r.BasicACL().Bits() != 0
|
|
|
|
}
|
|
|
|
|
2022-02-11 12:25:05 +00:00
|
|
|
// MetaWithToken groups session and bearer tokens,
|
|
|
|
// verification header and raw API request.
|
|
|
|
type MetaWithToken struct {
|
|
|
|
vheader *sessionV2.RequestVerificationHeader
|
2022-05-18 15:20:08 +00:00
|
|
|
token *sessionSDK.Object
|
2022-05-12 07:22:02 +00:00
|
|
|
bearer *bearer.Token
|
2023-02-21 11:42:45 +00:00
|
|
|
src any
|
2022-02-11 12:25:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// RequestOwner returns ownerID and its public key
|
|
|
|
// according to internal meta information.
|
2022-05-17 13:59:46 +00:00
|
|
|
func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
2022-02-11 12:25:05 +00:00
|
|
|
if r.vheader == nil {
|
2022-11-10 17:46:52 +00:00
|
|
|
return nil, nil, errEmptyVerificationHeader
|
2022-02-11 12:25:05 +00:00
|
|
|
}
|
|
|
|
|
2022-10-24 13:29:05 +00:00
|
|
|
if r.bearer != nil && r.bearer.Impersonate() {
|
|
|
|
return unmarshalPublicKeyWithOwner(r.bearer.SigningKeyBytes())
|
|
|
|
}
|
|
|
|
|
2022-02-11 12:25:05 +00:00
|
|
|
// if session token is presented, use it as truth source
|
|
|
|
if r.token != nil {
|
|
|
|
// verify signature of session token
|
|
|
|
return ownerFromToken(r.token)
|
|
|
|
}
|
|
|
|
|
|
|
|
// otherwise get original body signature
|
|
|
|
bodySignature := originalBodySignature(r.vheader)
|
|
|
|
if bodySignature == nil {
|
2022-11-10 17:46:52 +00:00
|
|
|
return nil, nil, errEmptyBodySig
|
2022-02-11 12:25:05 +00:00
|
|
|
}
|
|
|
|
|
2022-10-24 13:29:05 +00:00
|
|
|
return unmarshalPublicKeyWithOwner(bodySignature.GetKey())
|
|
|
|
}
|
|
|
|
|
|
|
|
func unmarshalPublicKeyWithOwner(rawKey []byte) (*user.ID, *keys.PublicKey, error) {
|
|
|
|
key, err := unmarshalPublicKey(rawKey)
|
2022-05-17 13:59:46 +00:00
|
|
|
if err != nil {
|
2022-10-24 13:29:05 +00:00
|
|
|
return nil, nil, fmt.Errorf("invalid signature key: %w", err)
|
2022-05-17 13:59:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var idSender user.ID
|
|
|
|
user.IDFromKey(&idSender, (ecdsa.PublicKey)(*key))
|
2022-02-11 12:25:05 +00:00
|
|
|
|
2022-05-17 13:59:46 +00:00
|
|
|
return &idSender, key, nil
|
2022-02-11 12:25:05 +00:00
|
|
|
}
|