[#285] object/eacl: Validate X-headers from the requests, not the responses
In the previous implementation of eACL service v2, the response X-headers were validated at the stage of re-checking eACL. This caused a mismatch between the records in the eACL table and the requests. Fix this behavior by checking the headers from the request, not the response. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
parent
c69f867af1
commit
2897e83fb2
4 changed files with 24 additions and 4 deletions
|
@ -77,6 +77,8 @@ type (
|
||||||
senderKey []byte
|
senderKey []byte
|
||||||
|
|
||||||
bearer *bearer.BearerToken // bearer token of request
|
bearer *bearer.BearerToken // bearer token of request
|
||||||
|
|
||||||
|
srcRequest interface{}
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -149,6 +151,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: request.GetMetaHeader().GetBearerToken(),
|
bearer: request.GetMetaHeader().GetBearerToken(),
|
||||||
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
|
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
|
||||||
|
@ -197,6 +200,7 @@ func (b Service) Head(
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: request.GetMetaHeader().GetBearerToken(),
|
bearer: request.GetMetaHeader().GetBearerToken(),
|
||||||
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
|
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
|
||||||
|
@ -235,6 +239,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: request.GetMetaHeader().GetSessionToken(),
|
token: request.GetMetaHeader().GetSessionToken(),
|
||||||
bearer: request.GetMetaHeader().GetBearerToken(),
|
bearer: request.GetMetaHeader().GetBearerToken(),
|
||||||
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch)
|
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch)
|
||||||
|
@ -272,6 +277,7 @@ func (b Service) Delete(
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: request.GetMetaHeader().GetBearerToken(),
|
bearer: request.GetMetaHeader().GetBearerToken(),
|
||||||
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
|
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
|
||||||
|
@ -303,6 +309,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: request.GetMetaHeader().GetBearerToken(),
|
bearer: request.GetMetaHeader().GetBearerToken(),
|
||||||
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
|
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
|
||||||
|
@ -341,6 +348,7 @@ func (b Service) GetRangeHash(
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: request.GetMetaHeader().GetBearerToken(),
|
bearer: request.GetMetaHeader().GetBearerToken(),
|
||||||
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
|
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
|
||||||
|
@ -384,6 +392,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: request.GetMetaHeader().GetBearerToken(),
|
bearer: request.GetMetaHeader().GetBearerToken(),
|
||||||
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
|
reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
|
||||||
|
@ -473,6 +482,8 @@ func (b Service) findRequestInfo(
|
||||||
// add bearer token if it is present in request
|
// add bearer token if it is present in request
|
||||||
info.bearer = req.bearer
|
info.bearer = req.bearer
|
||||||
|
|
||||||
|
info.srcRequest = req.src
|
||||||
|
|
||||||
return info, nil
|
return info, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -620,7 +631,12 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
||||||
if req, ok := msg.(eaclV2.Request); ok {
|
if req, ok := msg.(eaclV2.Request); ok {
|
||||||
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
|
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
|
||||||
} else {
|
} else {
|
||||||
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response)))
|
hdrSrcOpts = append(hdrSrcOpts,
|
||||||
|
eaclV2.WithServiceResponse(
|
||||||
|
msg.(eaclV2.Response),
|
||||||
|
reqInfo.srcRequest.(eaclV2.Request),
|
||||||
|
),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit).
|
action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit).
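Review bot: The new `reqInfo.srcRequest.(eaclV2.Request)` in the else branch of eACLCheck is an unchecked type assertion, so a requestInfo whose srcRequest is nil or of another type makes the response-stage eACL check panic instead of returning a decision. Every call site visible in this section sets `src: request`, but `srcRequest` here and `src` in the classifier struct are both `interface{}`, so nothing enforces that at compile time, and any construction outside these hunks is not covered. I would use the comma-ok form and fail closed, `srcReq, ok := reqInfo.srcRequest.(eaclV2.Request)` followed by `if !ok { return false }` (assuming a false result denies the operation), or declare the field as `eaclV2.Request`. eACLCheck starts before and continues past the hunk.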
|
||||||
|
|
|
@ -27,6 +27,7 @@ type (
|
||||||
vheader *session.RequestVerificationHeader
|
vheader *session.RequestVerificationHeader
|
||||||
token *session.SessionToken
|
token *session.SessionToken
|
||||||
bearer *bearer.BearerToken
|
bearer *bearer.BearerToken
|
||||||
|
src interface{}
|
||||||
}
|
}
|
||||||
|
|
||||||
SenderClassifier struct {
|
SenderClassifier struct {
|
||||||
|
|
|
@ -27,10 +27,11 @@ func WithServiceRequest(v Request) Option {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func WithServiceResponse(v Response) Option {
|
func WithServiceResponse(resp Response, req Request) Option {
|
||||||
return func(c *cfg) {
|
return func(c *cfg) {
|
||||||
c.msg = &responseXHeaderSource{
|
c.msg = &responseXHeaderSource{
|
||||||
resp: v,
|
resp: resp,
|
||||||
|
req: req,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
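Review bot: `WithServiceResponse` is exported and now takes two messages, but it has no doc comment saying which of them the X-headers come from. A reader would expect a response option to read the response's headers, while the same commit makes responseXHeaderSource read them from `req`. I would add `// WithServiceResponse sets resp as the checked message; X-headers are read from req, the request that produced resp.`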
|
||||||
|
|
|
@ -14,6 +14,8 @@ type requestXHeaderSource struct {
|
||||||
|
|
||||||
type responseXHeaderSource struct {
|
type responseXHeaderSource struct {
|
||||||
resp Response
|
resp Response
|
||||||
|
|
||||||
|
req Request
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader {
|
func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader {
|
||||||
|
@ -43,7 +45,7 @@ func (s *responseXHeaderSource) GetXHeaders() []*session.XHeader {
|
||||||
ln := 0
|
ln := 0
|
||||||
xHdrs := make([][]*session.XHeader, 0)
|
xHdrs := make([][]*session.XHeader, 0)
|
||||||
|
|
||||||
for meta := s.resp.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() {
|
for meta := s.req.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() {
|
||||||
x := meta.GetXHeaders()
|
x := meta.GetXHeaders()
|
||||||
|
|
||||||
ln += len(x)
|
ln += len(x)
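Review bot: The loop initializer now calls `s.req.GetMetaHeader()` with no guard, so a responseXHeaderSource built with a nil `req` (WithServiceResponse does not reject one) panics while collecting headers for an access decision. A guard before the loop, `if s.req == nil { return nil }`, keeps the source safe on its own. Whether an empty header list then leads to allow or deny depends on the eACL table, so failing the check in the caller before the option is built may be the safer place. A short comment on the new field, such as `// req is the request that produced resp; X-headers are taken from it`, would explain why a response source holds a request. GetXHeaders continues outside the hunk.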
|
||||||
|
|