Allow Impersonate

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
Alexey Vanin 2022-10-24 16:29:05 +03:00 committed by Denis Kirillov
parent 3d873237d5
commit 56f12c77b9
2 changed files with 11 additions and 2 deletions

View file

@ -124,15 +124,17 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
return nil
}
bearerTok := reqInfo.Bearer()
impersonate := bearerTok != nil && bearerTok.Impersonate()
// if bearer token is not allowed, then ignore it
if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
reqInfo.CleanBearer()
}
var table eaclSDK.Table
cnr := reqInfo.ContainerID()
bearerTok := reqInfo.Bearer()
if bearerTok == nil {
eaclInfo, err := c.eaclSrc.GetEACL(cnr)
if err != nil {

View file

@ -2,6 +2,7 @@ package v2
import (
"crypto/ecdsa"
"crypto/elliptic"
"fmt"
sessionV2 "github.com/TrueCloudLab/frostfs-api-go/v2/session"
@ -113,6 +114,12 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
return nil, nil, errEmptyVerificationHeader
}
if r.bearer != nil && r.bearer.Impersonate() {
issuer := bearer.ResolveIssuer(*r.bearer)
pubKey, err := keys.NewPublicKeyFromBytes(r.bearer.SigningKeyBytes(), elliptic.P256())
return &issuer, pubKey, err
}
// if session token is presented, use it as truth source
if r.token != nil {
// verify signature of session token