From dce5924a89dd5058bf3b1c3edf78413b7a5ffce8 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <denis@nspcc.ru>
Date: Tue, 25 Oct 2022 15:24:06 +0300
Subject: [PATCH] [#229] services/tree: Use bearer owner as signer

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
---
 go.mod                              |   2 +-
 go.sum                              | Bin 95867 -> 95867 bytes
 pkg/services/tree/signature.go      |   4 ++-
 pkg/services/tree/signature_test.go |  40 +++++++++++++++++++++++++---
 4 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 8cbb4ba3..d54770ba 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.18
 require (
 	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
-	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204
+	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68
 	git.frostfs.info/TrueCloudLab/hrw v1.2.0
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	github.com/cheggaaa/pb v1.0.29
diff --git a/go.sum b/go.sum
index a1616a7b56f41b94ec4790f75583aae0752c48d5..7b140a44d5128a359df6c36bcd6e625d924db2e7 100644
GIT binary patch
delta 171
zcmezUhV}Ow)(xrxPKG9?CI+UuDM_YD7M3QKW+`SC3K@o0xt1P2Mdd-BekBG5$-#jJ
z<{9200j?GPDUP|hY5o?u`o@{=sX2Ke`9}GZ8+bJ)^9zW1VlhfTJzp<3KLuoBNTQdQ
zzngJrMrol%Vquw)b5UApq)}x?MQT83W?s0lX+(-~d0K=|n7${_M1^KP!R>s4jJc@*
DI_EWd

delta 171
zcmezUhV}Ow)(xrxP6p<tMuuj(DF(@=DHg`&DMkh+3K@o0`GMJHZh6JpriNYtC5h#s
zL8i%Gm5~8~#-^3d7Vep5sb&HC0p8h3WuD2C8+bJ)^9zW1VlhfTJzp<3KLuoBVNz;j
zl|_`kaaxptuR&I(SEPPbWpZhRld(&nzC}f#k7-4yk-ND?Vs;?VM1^KP!R>s4jJc@*
D=36uS

diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go
index 4aacbc3b..43991296 100644
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 	}
 
 	var tb eacl.Table
+	signer := req.GetSignature().GetKey()
 	if tableFromBearer {
 		if bt.Impersonate() {
 			tbCore, err := s.eaclSource.GetEACL(cid)
@@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 				return handleGetEACLError(err)
 			}
 			tb = *tbCore.Value
+			signer = bt.SigningKeyBytes()
 		} else {
 			if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
 				return eACLErr(eaclOp, errBearerWrongOwner)
@@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 		tb = *tbCore.Value
 	}
 
-	return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
+	return checkEACL(tb, signer, eACLRole(role), eaclOp)
 }
 
 func handleGetEACLError(err error) error {
diff --git a/pkg/services/tree/signature_test.go b/pkg/services/tree/signature_test.go
index b336e60a..eaf9b8b7 100644
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
 	return cnt, nil
 }
 
+type dummyEACLSource map[string]*containercore.EACL
+
+func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
+	cntEACL, ok := s[id.String()]
+	if !ok {
+		return nil, errors.New("container not found")
+	}
+	return cntEACL, nil
+}
+
 func testContainer(owner user.ID) container.Container {
 	var r netmapSDK.ReplicaDescriptor
 	r.SetNumberOfObjects(1)
@@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) {
 			cnrSource: dummyContainerSource{
 				cid1.String(): cnr,
 			},
+			eaclSource: dummyEACLSource{
+				cid1.String(): &containercore.EACL{
+					Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
+				},
+			},
 		},
 	}
 
@@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) {
 			require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 		})
 
+		t.Run("impersonate", func(t *testing.T) {
+			cnr.Value.SetBasicACL(acl.PublicRWExtended)
+			var bt bearer.Token
+			bt.SetImpersonate(true)
+
+			require.NoError(t, bt.Sign(privs[1].PrivateKey))
+			req.Body.BearerToken = bt.Marshal()
+
+			require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
+			require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+		})
+
 		bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
 		require.NoError(t, bt.Sign(privs[0].PrivateKey))
 		req.Body.BearerToken = bt.Marshal()
@@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) {
 }
 
 func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
+	var b bearer.Token
+	b.SetEACLTable(*testTable(cid, forPutGet, forGet))
+
+	return b
+}
+
+func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
 	tgtGet := eaclSDK.NewTarget()
 	tgtGet.SetRole(eaclSDK.RoleUnknown)
 	tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
@@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
 
 	tb.SetCID(cid)
 
-	var b bearer.Token
-	b.SetEACLTable(*tb)
-
-	return b
+	return tb
 }