[#816] object/acl: fix eACL target processing

Ignore role if public keys are present.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
Evgenii Stratonikov 2021-09-10 11:18:04 +03:00 committed by Alex Vanin
parent 7a13053fab
commit 5f86d54721
2 changed files with 58 additions and 3 deletions

View file

@ -159,11 +159,14 @@ func matchFilters(hdrSrc TypedHeaderSource, filters []*eacl.Filter) int {
func targetMatches(unit *ValidationUnit, record *eacl.Record) bool {
for _, target := range record.Targets() {
// check public key match
for _, key := range target.BinaryKeys() {
if pubs := target.BinaryKeys(); len(pubs) != 0 {
for _, key := range pubs {
if bytes.Equal(key, unit.key) {
return true
}
}
continue
}
// check target group match
if unit.role == target.Role() {

View file

@ -0,0 +1,52 @@
package eacl
import (
"math/rand"
"testing"
"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
"github.com/stretchr/testify/require"
)
func TestTargetMatches(t *testing.T) {
pubs := make([][]byte, 3)
for i := range pubs {
pubs[i] = make([]byte, 33)
pubs[i][0] = 0x02
_, err := rand.Read(pubs[i][1:])
require.NoError(t, err)
}
tgt1 := eacl.NewTarget()
tgt1.SetBinaryKeys(pubs[0:2])
tgt1.SetRole(eacl.RoleUser)
tgt2 := eacl.NewTarget()
tgt2.SetRole(eacl.RoleOthers)
r := eacl.NewRecord()
r.SetTargets(tgt1, tgt2)
u := newValidationUnit(eacl.RoleUser, pubs[0])
require.True(t, targetMatches(u, r))
u = newValidationUnit(eacl.RoleUser, pubs[2])
require.False(t, targetMatches(u, r))
u = newValidationUnit(eacl.RoleUnknown, pubs[1])
require.True(t, targetMatches(u, r))
u = newValidationUnit(eacl.RoleOthers, pubs[2])
require.True(t, targetMatches(u, r))
u = newValidationUnit(eacl.RoleSystem, pubs[2])
require.False(t, targetMatches(u, r))
}
func newValidationUnit(role eacl.Role, key []byte) *ValidationUnit {
return &ValidationUnit{
role: role,
key: key,
}
}