[#229] service/tree: Disable container owner check in tree service

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Alexey Vanin 2022-10-25 12:52:41 +03:00 committed by Denis Kirillov
parent c04f6c5e59
commit 89530534a1


@ -57,7 +57,23 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
return fmt.Errorf("can't get container %s: %w", cid, err) return fmt.Errorf("can't get container %s: %w", cid, err)
} }
role, err := roleFromReq(cnr, req) eaclOp := eACLOp(op)
var bt *bearer.Token
if len(rawBearer) > 0 {
bt = new(bearer.Token)
if err = bt.Unmarshal(rawBearer); err != nil {
return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
}
if !bt.AssertContainer(cid) {
return eACLErr(eaclOp, errBearerWrongContainer)
}
if !bt.VerifySignature() {
return eACLErr(eaclOp, errBearerSignature)
}
}
role, err := roleFromReq(cnr, req, bt)
if err != nil { if err != nil {
return fmt.Errorf("can't get request role: %w", err) return fmt.Errorf("can't get request role: %w", err)
} }
@ -72,8 +88,6 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
return nil return nil
} }
eaclOp := eACLOp(op)
var tableFromBearer bool var tableFromBearer bool
if len(rawBearer) != 0 { if len(rawBearer) != 0 {
if !basicACL.AllowedBearerRules(op) { if !basicACL.AllowedBearerRules(op) {
@ -88,29 +102,22 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
var tb eacl.Table var tb eacl.Table
if tableFromBearer { if tableFromBearer {
var bt bearer.Token if bt.Impersonate() {
if err = bt.Unmarshal(rawBearer); err != nil { tbCore, err := s.eaclSource.GetEACL(cid)
return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err)) if err != nil {
return handleGetEACLError(err)
} }
if !bearer.ResolveIssuer(bt).Equals(cnr.Value.Owner()) { tb = *tbCore.Value
} else {
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
return eACLErr(eaclOp, errBearerWrongOwner) return eACLErr(eaclOp, errBearerWrongOwner)
} }
if !bt.AssertContainer(cid) {
return eACLErr(eaclOp, errBearerWrongContainer)
}
if !bt.VerifySignature() {
return eACLErr(eaclOp, errBearerSignature)
}
tb = bt.EACLTable() tb = bt.EACLTable()
}
} else { } else {
tbCore, err := s.eaclSource.GetEACL(cid) tbCore, err := s.eaclSource.GetEACL(cid)
if err != nil { if err != nil {
if client.IsErrEACLNotFound(err) { return handleGetEACLError(err)
return nil
}
return fmt.Errorf("get eACL table: %w", err)
} }
tb = *tbCore.Value tb = *tbCore.Value
@ -119,6 +126,14 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp) return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
} }
func handleGetEACLError(err error) error {
if client.IsErrEACLNotFound(err) {
return nil
}
return fmt.Errorf("get eACL table: %w", err)
}
func verifyMessage(m message) error { func verifyMessage(m message) error {
binBody, err := m.ReadSignedData(nil) binBody, err := m.ReadSignedData(nil)
if err != nil { if err != nil {
@ -169,11 +184,16 @@ func SignMessage(m message, key *ecdsa.PrivateKey) error {
return nil return nil
} }
func roleFromReq(cnr *core.Container, req message) (acl.Role, error) { func roleFromReq(cnr *core.Container, req message, bt *bearer.Token) (acl.Role, error) {
role := acl.RoleOthers role := acl.RoleOthers
owner := cnr.Value.Owner() owner := cnr.Value.Owner()
pub, err := keys.NewPublicKeyFromBytes(req.GetSignature().GetKey(), elliptic.P256()) rawKey := req.GetSignature().GetKey()
if bt != nil && bt.Impersonate() {
rawKey = bt.SigningKeyBytes()
}
pub, err := keys.NewPublicKeyFromBytes(rawKey, elliptic.P256())
if err != nil { if err != nil {
return role, fmt.Errorf("invalid public key: %w", err) return role, fmt.Errorf("invalid public key: %w", err)
} }