forked from TrueCloudLab/frostfs-node
[#229] service/tree: Disable container owner check in tree service
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
parent
c04f6c5e59
commit
89530534a1
1 changed files with 44 additions and 24 deletions
|
|
@ -57,7 +57,23 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
return fmt.Errorf("can't get container %s: %w", cid, err)
|
return fmt.Errorf("can't get container %s: %w", cid, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
role, err := roleFromReq(cnr, req)
|
eaclOp := eACLOp(op)
|
||||||
|
|
||||||
|
var bt *bearer.Token
|
||||||
|
if len(rawBearer) > 0 {
|
||||||
|
bt = new(bearer.Token)
|
||||||
|
if err = bt.Unmarshal(rawBearer); err != nil {
|
||||||
|
return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
|
||||||
|
}
|
||||||
|
if !bt.AssertContainer(cid) {
|
||||||
|
return eACLErr(eaclOp, errBearerWrongContainer)
|
||||||
|
}
|
||||||
|
if !bt.VerifySignature() {
|
||||||
|
return eACLErr(eaclOp, errBearerSignature)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
role, err := roleFromReq(cnr, req, bt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("can't get request role: %w", err)
|
return fmt.Errorf("can't get request role: %w", err)
|
||||||
}
|
}
|
||||||
|
|
@ -72,8 +88,6 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
eaclOp := eACLOp(op)
|
|
||||||
|
|
||||||
var tableFromBearer bool
|
var tableFromBearer bool
|
||||||
if len(rawBearer) != 0 {
|
if len(rawBearer) != 0 {
|
||||||
if !basicACL.AllowedBearerRules(op) {
|
if !basicACL.AllowedBearerRules(op) {
|
||||||
|
|
@ -88,29 +102,22 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
|
|
||||||
var tb eacl.Table
|
var tb eacl.Table
|
||||||
if tableFromBearer {
|
if tableFromBearer {
|
||||||
var bt bearer.Token
|
if bt.Impersonate() {
|
||||||
if err = bt.Unmarshal(rawBearer); err != nil {
|
tbCore, err := s.eaclSource.GetEACL(cid)
|
||||||
return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
|
if err != nil {
|
||||||
|
return handleGetEACLError(err)
|
||||||
}
|
}
|
||||||
if !bearer.ResolveIssuer(bt).Equals(cnr.Value.Owner()) {
|
tb = *tbCore.Value
|
||||||
|
} else {
|
||||||
|
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
|
||||||
return eACLErr(eaclOp, errBearerWrongOwner)
|
return eACLErr(eaclOp, errBearerWrongOwner)
|
||||||
}
|
}
|
||||||
if !bt.AssertContainer(cid) {
|
|
||||||
return eACLErr(eaclOp, errBearerWrongContainer)
|
|
||||||
}
|
|
||||||
if !bt.VerifySignature() {
|
|
||||||
return eACLErr(eaclOp, errBearerSignature)
|
|
||||||
}
|
|
||||||
|
|
||||||
tb = bt.EACLTable()
|
tb = bt.EACLTable()
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
tbCore, err := s.eaclSource.GetEACL(cid)
|
tbCore, err := s.eaclSource.GetEACL(cid)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if client.IsErrEACLNotFound(err) {
|
return handleGetEACLError(err)
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return fmt.Errorf("get eACL table: %w", err)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tb = *tbCore.Value
|
tb = *tbCore.Value
|
||||||
|
|
@ -119,6 +126,14 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
|
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func handleGetEACLError(err error) error {
|
||||||
|
if client.IsErrEACLNotFound(err) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Errorf("get eACL table: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
func verifyMessage(m message) error {
|
func verifyMessage(m message) error {
|
||||||
binBody, err := m.ReadSignedData(nil)
|
binBody, err := m.ReadSignedData(nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -169,11 +184,16 @@ func SignMessage(m message, key *ecdsa.PrivateKey) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func roleFromReq(cnr *core.Container, req message) (acl.Role, error) {
|
func roleFromReq(cnr *core.Container, req message, bt *bearer.Token) (acl.Role, error) {
|
||||||
role := acl.RoleOthers
|
role := acl.RoleOthers
|
||||||
owner := cnr.Value.Owner()
|
owner := cnr.Value.Owner()
|
||||||
|
|
||||||
pub, err := keys.NewPublicKeyFromBytes(req.GetSignature().GetKey(), elliptic.P256())
|
rawKey := req.GetSignature().GetKey()
|
||||||
|
if bt != nil && bt.Impersonate() {
|
||||||
|
rawKey = bt.SigningKeyBytes()
|
||||||
|
}
|
||||||
|
|
||||||
|
pub, err := keys.NewPublicKeyFromBytes(rawKey, elliptic.P256())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return role, fmt.Errorf("invalid public key: %w", err)
|
return role, fmt.Errorf("invalid public key: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue