From 91fef72bb6b791527de4fc5d97e3ebe50599cbf6 Mon Sep 17 00:00:00 2001
From: Alex Vanin <alexey@nspcc.ru>
Date: Tue, 22 Sep 2020 19:18:41 +0300
Subject: [PATCH] [#32] Make basic ACL check in all object request

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
---
 pkg/services/object/acl/basic.go | 111 +++++++++++++++++++++++++++++--
 1 file changed, 105 insertions(+), 6 deletions(-)

diff --git a/pkg/services/object/acl/basic.go b/pkg/services/object/acl/basic.go
index 12dcab9cf..21a73fb9a 100644
--- a/pkg/services/object/acl/basic.go
+++ b/pkg/services/object/acl/basic.go
@@ -1,6 +1,7 @@
 package acl
 
 import (
+	"bytes"
 	"context"
 
 	acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
@@ -25,7 +26,8 @@ type (
 	}
 
 	getStreamBasicChecker struct {
-		object.GetObjectStreamer
+		next object.GetObjectStreamer
+		info requestInfo
 	}
 
 	searchStreamBasicChecker struct {
@@ -40,6 +42,7 @@ type (
 		basicACL    uint32
 		requestRole acl.Role
 		operation   acl.Operation // put, get, head, etc.
+		owner       *refs.OwnerID // container owner
 	}
 )
 
@@ -47,7 +50,7 @@ var (
 	ErrMalformedRequest  = errors.New("malformed request")
 	ErrUnknownRole       = errors.New("can't classify request sender")
 	ErrUnknownContainer  = errors.New("can't fetch container info")
-	ErrBasicAccessDenied = errors.New("access denied by basic ACL")
+	ErrBasicAccessDenied = errors.New("access denied by basic acl")
 )
 
 // NewBasicChecker is a constructor for basic ACL checker of object requests.
@@ -82,7 +85,11 @@ func (b BasicChecker) Get(
 	}
 
 	stream, err := b.next.Get(ctx, request)
-	return getStreamBasicChecker{stream}, err
+
+	return getStreamBasicChecker{
+		next: stream,
+		info: reqInfo,
+	}, err
 }
 
 func (b BasicChecker) Put(ctx context.Context) (object.PutObjectStreamer, error) {
@@ -216,12 +223,17 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
 			return err
 		}
 
+		owner, err := getObjectOwnerFromMessage(request)
+		if err != nil {
+			return err
+		}
+
 		reqInfo, err := p.source.findRequestInfo(request, cid, acl.OperationPut)
 		if err != nil {
 			return err
 		}
 
-		if !basicACLCheck(reqInfo) {
+		if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, owner) {
 			return ErrBasicAccessDenied
 		}
 	}
@@ -233,6 +245,32 @@ func (p putStreamBasicChecker) CloseAndRecv() (*object.PutResponse, error) {
 	return p.next.CloseAndRecv()
 }
 
+func (g getStreamBasicChecker) Recv() (*object.GetResponse, error) {
+	resp, err := g.next.Recv()
+	if err != nil {
+		return resp, err
+	}
+
+	body := resp.GetBody()
+	if body == nil {
+		return resp, err
+	}
+
+	part := body.GetObjectPart()
+	if _, ok := part.(*object.GetObjectPartInit); ok {
+		owner, err := getObjectOwnerFromMessage(resp)
+		if err != nil {
+			return nil, err
+		}
+
+		if !stickyBitCheck(g.info, owner) {
+			return nil, ErrBasicAccessDenied
+		}
+	}
+
+	return resp, err
+}
+
 func (b BasicChecker) findRequestInfo(
 	req RequestV2,
 	cid *refs.ContainerID,
@@ -257,6 +295,7 @@ func (b BasicChecker) findRequestInfo(
 	info.basicACL = cnr.GetBasicACL()
 	info.requestRole = role
 	info.operation = op
+	info.owner = cnr.GetOwnerID()
 
 	return info, nil
 }
@@ -294,6 +333,66 @@ func getContainerIDFromRequest(req interface{}) (id *refs.ContainerID, err error
 	}
 }
 
-func basicACLCheck(info requestInfo) bool {
-	panic("implement me")
+func getObjectOwnerFromMessage(req interface{}) (id *refs.OwnerID, err error) {
+	defer func() {
+		// if there is a NPE on get body and get address
+		if r := recover(); r != nil {
+			err = ErrMalformedRequest
+		}
+	}()
+
+	switch v := req.(type) {
+	case *object.PutRequest:
+		objPart := v.GetBody().GetObjectPart()
+		if part, ok := objPart.(*object.PutObjectPartInit); ok {
+			return part.GetHeader().GetOwnerID(), nil
+		} else {
+			return nil, errors.New("can't get cid in chunk")
+		}
+	case *object.GetResponse:
+		objPart := v.GetBody().GetObjectPart()
+		if part, ok := objPart.(*object.GetObjectPartInit); ok {
+			return part.GetHeader().GetOwnerID(), nil
+		} else {
+			return nil, errors.New("can't get cid in chunk")
+		}
+	default:
+		return nil, errors.New("unsupported request type")
+	}
+
+}
+
+// main check function for basic ACL
+func basicACLCheck(info requestInfo) bool {
+	rule := basicACLHelper(info.basicACL)
+
+	// check basic ACL permissions
+	var checkFn func(acl.Operation) bool
+
+	switch info.requestRole {
+	case acl.RoleUser:
+		checkFn = rule.UserAllowed
+	case acl.RoleSystem:
+		checkFn = rule.SystemAllowed
+	case acl.RoleOthers:
+		checkFn = rule.OthersAllowed
+	default:
+		// log there
+		return false
+	}
+
+	return checkFn(info.operation)
+}
+
+func stickyBitCheck(info requestInfo, owner *refs.OwnerID) bool {
+	if owner == nil || info.owner == nil {
+		return false
+	}
+
+	rule := basicACLHelper(info.basicACL)
+	if !rule.Sticky() {
+		return true
+	}
+
+	return bytes.Equal(owner.GetValue(), info.owner.GetValue())
 }