From d368afffe5f5aff6f44283cae4d73b89e8fc0e14 Mon Sep 17 00:00:00 2001
From: Alex Vanin
Date: Wed, 26 May 2021 19:49:42 +0300
Subject: [PATCH] [#561] acl: Fetch bearer token from original request meta header

Request meta headers are organized in a layers, where upper layers re-sign down layers. Bearer token should be a part of original meta header and it can be omitted in upper layers. Therefore we need to traverse over linked list of meta header to the original meta header to get bearer token.

Signed-off-by: Alex Vanin
---
 pkg/services/object/acl/acl.go | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index c1b78b986..9f834206d 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -149,7 +149,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
 req := metaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: request.GetMetaHeader().GetBearerToken(),
+ bearer: originalBearerToken(request.GetMetaHeader()),
 src: request,
 }
 
@@ -197,7 +197,7 @@ func (b Service) Head(
 req := metaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: request.GetMetaHeader().GetBearerToken(),
+ bearer: originalBearerToken(request.GetMetaHeader()),
 src: request,
 }
 
@@ -236,7 +236,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
 req := metaWithToken{
 vheader: request.GetVerificationHeader(),
 token: request.GetMetaHeader().GetSessionToken(),
- bearer: request.GetMetaHeader().GetBearerToken(),
+ bearer: originalBearerToken(request.GetMetaHeader()),
 src: request,
 }
 
@@ -273,7 +273,7 @@ func (b Service) Delete(
 req := metaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: request.GetMetaHeader().GetBearerToken(),
+ bearer: originalBearerToken(request.GetMetaHeader()),
 src: request,
 }
 
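Review bot: In the Search hunk the session token is still read from the outermost layer (`token: request.GetMetaHeader().GetSessionToken()`) while the bearer token on the next line now comes from the original meta header, so the two tokens placed in `metaWithToken` can come from different layers of the same request. If session tokens, like bearer tokens, may be omitted in upper layers, a forwarded Search would be evaluated without its session token; the same origin traversal should be applied there, for example through a sibling helper called as `originalSessionToken(request.GetMetaHeader())`. The Get, Head and Delete hunks here, and the GetRange, GetRangeHash and Send hunks further down, pass `sTok`, which is derived outside the visible lines, so the same check is worth making wherever `sTok` is computed. All of these function bodies start and end outside their hunks.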
@@ -305,7 +305,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
 req := metaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: request.GetMetaHeader().GetBearerToken(),
+ bearer: originalBearerToken(request.GetMetaHeader()),
 src: request,
 }
 
@@ -343,7 +343,7 @@ func (b Service) GetRangeHash(
 req := metaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: request.GetMetaHeader().GetBearerToken(),
+ bearer: originalBearerToken(request.GetMetaHeader()),
 src: request,
 }
 
@@ -387,7 +387,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
 req := metaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: request.GetMetaHeader().GetBearerToken(),
+ bearer: originalBearerToken(request.GetMetaHeader()),
 src: request,
 }
 
@@ -771,3 +771,13 @@ func isOwnerFromKey(id *owner.ID, key *ecdsa.PublicKey) bool {
 // binary comparison is better but MarshalBinary is more expensive
 return bytes.Equal(id.ToV2().GetValue(), wallet.Bytes())
 }
+
+// originalBearerToken goes down to original request meta header and fetches
+// bearer token from there.
+func originalBearerToken(header *session.RequestMetaHeader) *bearer.BearerToken {
+ for header.GetOrigin() != nil {
+ header = header.GetOrigin()
+ }
+
+ return header.GetBearerToken()
+}
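Review bot: The doc comment on `originalBearerToken` does not state the part of its contract that matters for access control: a bearer token set in any upper (re-signed) layer is ignored and only the innermost header is consulted. The loop also takes the origin chain as delivered, and nothing in this hunk shows whether each layer's signature has been verified before the ACL check runs, so that ordering should be confirmed against the callers. I would extend the comment with something like `// Bearer tokens in upper (re-signed) layers are ignored; the request's signature chain must be verified before the result is trusted.` The helper presumably relies on `GetOrigin` and `GetBearerToken` being safe on a nil receiver, as the replaced `request.GetMetaHeader().GetBearerToken()` calls did; that is worth a word in the comment too.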