forked from TrueCloudLab/frostfs-node
[#1628] tree: Skip eACL filters for tree requests
Do not call `CalculateAction` for the eACL checks since it requires object headers that are meaningless in the tree context. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
Pavel Karpy
parent
876e014b5d
commit
8d0906c6ab
1 changed files with 56 additions and 14 deletions
|
|
@ -1,6 +1,7 @@
|
||||||
package tree
|
package tree
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"crypto/elliptic"
|
"crypto/elliptic"
|
||||||
"errors"
|
"errors"
|
||||||
|
|
@ -97,20 +98,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
tb = *tbCore.Value
|
tb = *tbCore.Value
|
||||||
}
|
}
|
||||||
|
|
||||||
// The default action should be DENY.
|
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
|
||||||
action, found := eacl.NewValidator().CalculateAction(new(eacl.ValidationUnit).
|
|
||||||
WithEACLTable(&tb).
|
|
||||||
WithContainerID(&cid).
|
|
||||||
WithRole(eACLRole(role)).
|
|
||||||
WithSenderKey(req.GetSignature().GetKey()).
|
|
||||||
WithOperation(eaclOp))
|
|
||||||
if !found {
|
|
||||||
return eACLErr(eaclOp, errors.New("not found allowing rules for the request"))
|
|
||||||
} else if action != eacl.ActionAllow {
|
|
||||||
return eACLErr(eaclOp, errors.New("DENY eACL rule"))
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func verifyMessage(m message) error {
|
func verifyMessage(m message) error {
|
||||||
|
|
@ -200,3 +188,57 @@ func eACLRole(role acl.Role) eacl.Role {
|
||||||
panic(fmt.Sprintf("unexpected tree service ACL role: %s", role))
|
panic(fmt.Sprintf("unexpected tree service ACL role: %s", role))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// checkEACL searches for the eACL rules that could be applied to the request
|
||||||
|
// (a tuple of a signer key, his NeoFS role and a request operation).
|
||||||
|
// It does not filter the request by the filters of the eACL table since tree
|
||||||
|
// requests do not contain any "object" information that could be filtered and,
|
||||||
|
// therefore, filtering leads to unexpected results.
|
||||||
|
// The code was copied with the minor updates from the SDK repo:
|
||||||
|
// https://github.com/nspcc-dev/neofs-sdk-go/blob/43a57d42dd50dc60465bfd3482f7f12bcfcf3411/eacl/validator.go#L28.
|
||||||
|
func checkEACL(tb eacl.Table, signer []byte, role eacl.Role, op eacl.Operation) error {
|
||||||
|
for _, record := range tb.Records() {
|
||||||
|
// check type of operation
|
||||||
|
if record.Operation() != op {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// check target
|
||||||
|
if !targetMatches(record, role, signer) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
switch a := record.Action(); a {
|
||||||
|
case eacl.ActionAllow:
|
||||||
|
return nil
|
||||||
|
case eacl.ActionDeny:
|
||||||
|
return eACLErr(op, errors.New("DENY eACL rule"))
|
||||||
|
default:
|
||||||
|
return eACLErr(op, fmt.Errorf("unexpected action: %s", a))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return eACLErr(op, errors.New("not found allowing rules for the request"))
|
||||||
|
}
|
||||||
|
|
||||||
|
func targetMatches(rec eacl.Record, role eacl.Role, signer []byte) bool {
|
||||||
|
for _, target := range rec.Targets() {
|
||||||
|
// check public key match
|
||||||
|
if pubs := target.BinaryKeys(); len(pubs) != 0 {
|
||||||
|
for _, key := range pubs {
|
||||||
|
if bytes.Equal(key, signer) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// check target group match
|
||||||
|
if role == target.Role() {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue