From 8654458b190175fd878b582f25caa16ab2c2081a Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Mon, 14 Dec 2020 16:50:45 +0300 Subject: [PATCH] [#247] object/eacl: Use object ID from session token context Signed-off-by: Leonard Lyubich --- pkg/services/object/acl/acl.go | 45 +++++++++++++++++++--- pkg/services/object/acl/eacl/v2/headers.go | 41 ++++++++++++-------- 2 files changed, 65 insertions(+), 21 deletions(-) diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 0f49502af..9c033623f 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -143,9 +143,11 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea return err } + sTok := request.GetMetaHeader().GetSessionToken() + req := metaWithToken{ vheader: request.GetVerificationHeader(), - token: request.GetMetaHeader().GetSessionToken(), + token: sTok, bearer: request.GetMetaHeader().GetBearerToken(), } @@ -155,6 +157,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea } reqInfo.oid = getObjectIDFromRequestBody(request.GetBody()) + useObjectIDFromSession(&reqInfo, sTok) if !basicACLCheck(reqInfo) { return basicACLErr(reqInfo) @@ -188,9 +191,11 @@ func (b Service) Head( return nil, err } + sTok := request.GetMetaHeader().GetSessionToken() + req := metaWithToken{ vheader: request.GetVerificationHeader(), - token: request.GetMetaHeader().GetSessionToken(), + token: sTok, bearer: request.GetMetaHeader().GetBearerToken(), } @@ -200,6 +205,7 @@ func (b Service) Head( } reqInfo.oid = getObjectIDFromRequestBody(request.GetBody()) + useObjectIDFromSession(&reqInfo, sTok) if !basicACLCheck(reqInfo) { return nil, basicACLErr(reqInfo) @@ -260,9 +266,11 @@ func (b Service) Delete( return nil, err } + sTok := request.GetMetaHeader().GetSessionToken() + req := metaWithToken{ vheader: request.GetVerificationHeader(), - token: request.GetMetaHeader().GetSessionToken(), + token: sTok, bearer: request.GetMetaHeader().GetBearerToken(), } @@ -272,6 +280,7 @@ func (b Service) Delete( } reqInfo.oid = getObjectIDFromRequestBody(request.GetBody()) + useObjectIDFromSession(&reqInfo, sTok) if !basicACLCheck(reqInfo) { return nil, basicACLErr(reqInfo) @@ -288,9 +297,11 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO return err } + sTok := request.GetMetaHeader().GetSessionToken() + req := metaWithToken{ vheader: request.GetVerificationHeader(), - token: request.GetMetaHeader().GetSessionToken(), + token: sTok, bearer: request.GetMetaHeader().GetBearerToken(), } @@ -300,6 +311,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO } reqInfo.oid = getObjectIDFromRequestBody(request.GetBody()) + useObjectIDFromSession(&reqInfo, sTok) if !basicACLCheck(reqInfo) { return basicACLErr(reqInfo) @@ -323,9 +335,11 @@ func (b Service) GetRangeHash( return nil, err } + sTok := request.GetMetaHeader().GetSessionToken() + req := metaWithToken{ vheader: request.GetVerificationHeader(), - token: request.GetMetaHeader().GetSessionToken(), + token: sTok, bearer: request.GetMetaHeader().GetBearerToken(), } @@ -335,6 +349,7 @@ func (b Service) GetRangeHash( } reqInfo.oid = getObjectIDFromRequestBody(request.GetBody()) + useObjectIDFromSession(&reqInfo, sTok) if !basicACLCheck(reqInfo) { return nil, basicACLErr(reqInfo) @@ -363,9 +378,11 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error { return err } + sTok := part.GetHeader().GetSessionToken() + req := metaWithToken{ vheader: request.GetVerificationHeader(), - token: part.GetHeader().GetSessionToken(), + token: sTok, bearer: request.GetMetaHeader().GetBearerToken(), } @@ -375,6 +392,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error { } reqInfo.oid = getObjectIDFromRequestBody(part) + useObjectIDFromSession(&reqInfo, sTok) if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, ownerID) { return basicACLErr(reqInfo) @@ -484,6 +502,21 @@ func getContainerIDFromRequest(req interface{}) (id *container.ID, err error) { } } +func useObjectIDFromSession(req *requestInfo, token *session.SessionToken) { + if token == nil { + return + } + + objCtx, ok := token.GetBody().GetContext().(*session.ObjectSessionContext) + if !ok { + return + } + + req.oid = objectSDK.NewIDFromV2( + objCtx.GetAddress().GetObjectID(), + ) +} + func getObjectIDFromRequestBody(body interface{}) *objectSDK.ID { switch v := body.(type) { default: diff --git a/pkg/services/object/acl/eacl/v2/headers.go b/pkg/services/object/acl/eacl/v2/headers.go index fb6c0896a..5e2a675bd 100644 --- a/pkg/services/object/acl/eacl/v2/headers.go +++ b/pkg/services/object/acl/eacl/v2/headers.go @@ -64,7 +64,7 @@ func (h *headerSource) HeadersOfType(typ eaclSDK.FilterHeaderType) ([]eacl.Heade case eaclSDK.HeaderFromRequest: return requestHeaders(h.msg), true case eaclSDK.HeaderFromObject: - return h.objectHeaders(), true + return h.objectHeaders() } } @@ -80,7 +80,7 @@ func requestHeaders(msg xHeaderSource) []eacl.Header { return res } -func (h *headerSource) objectHeaders() []eacl.Header { +func (h *headerSource) objectHeaders() ([]eacl.Header, bool) { switch m := h.msg.(type) { default: panic(fmt.Sprintf("unexpected message type %T", h.msg)) @@ -89,39 +89,50 @@ func (h *headerSource) objectHeaders() []eacl.Header { case *objectV2.GetRequest: return h.localObjectHeaders(req.GetBody().GetAddress()) case *objectV2.DeleteRequest: - return h.localObjectHeaders(req.GetBody().GetAddress()) + hs, _ := h.localObjectHeaders(req.GetBody().GetAddress()) + return hs, true case *objectV2.HeadRequest: return h.localObjectHeaders(req.GetBody().GetAddress()) case *objectV2.GetRangeRequest: - return h.localObjectHeaders(req.GetBody().GetAddress()) + hs, _ := h.localObjectHeaders(req.GetBody().GetAddress()) + return hs, true case *objectV2.GetRangeHashRequest: - return h.localObjectHeaders(req.GetBody().GetAddress()) + hs, _ := h.localObjectHeaders(req.GetBody().GetAddress()) + return hs, true case *objectV2.PutRequest: if v, ok := req.GetBody().GetObjectPart().(*objectV2.PutObjectPartInit); ok { oV2 := new(objectV2.Object) oV2.SetObjectID(v.GetObjectID()) oV2.SetHeader(v.GetHeader()) - return headersFromObject(object.NewFromV2(oV2)) + hs := headersFromObject(object.NewFromV2(oV2)) + if tok := oV2.GetHeader().GetSessionToken(); tok != nil { + objCtx, ok := tok.GetBody().GetContext().(*session.ObjectSessionContext) + if ok { + hs = append(hs, addressHeaders(objectSDK.NewAddressFromV2(objCtx.GetAddress()))...) + } + } + + return hs, true } case *objectV2.SearchRequest: return []eacl.Header{cidHeader( container.NewIDFromV2( req.GetBody().GetContainerID()), - ), - } + )}, true } case *responseXHeaderSource: switch resp := m.resp.(type) { default: - return h.localObjectHeaders(m.addr) + hs, _ := h.localObjectHeaders(m.addr) + return hs, true case *objectV2.GetResponse: if v, ok := resp.GetBody().GetObjectPart().(*objectV2.GetObjectPartInit); ok { oV2 := new(objectV2.Object) oV2.SetObjectID(v.GetObjectID()) oV2.SetHeader(v.GetHeader()) - return headersFromObject(object.NewFromV2(oV2)) + return headersFromObject(object.NewFromV2(oV2)), true } case *objectV2.HeadResponse: oV2 := new(objectV2.Object) @@ -147,22 +158,22 @@ func (h *headerSource) objectHeaders() []eacl.Header { return append( headersFromObject(object.NewFromV2(oV2)), oidHeader(objectSDK.NewIDFromV2(m.addr.GetObjectID())), - ) + ), true } } - return nil + return nil, true } -func (h *headerSource) localObjectHeaders(addrV2 *refs.Address) []eacl.Header { +func (h *headerSource) localObjectHeaders(addrV2 *refs.Address) ([]eacl.Header, bool) { addr := objectSDK.NewAddressFromV2(addrV2) obj, err := h.storage.Head(addr) if err == nil { - return headersFromObject(obj) + return append(headersFromObject(obj), addressHeaders(addr)...), true } - return addressHeaders(addr) + return addressHeaders(addr), false } func cidHeader(cid *container.ID) eacl.Header {