[#1494] services/object: Do not ignore bearer token decode errors

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
Evgenii Stratonikov 2022-06-08 11:53:15 +03:00 committed by fyrchik
parent 795d1e0789
commit bbf8b8e74d
4 changed files with 67 additions and 20 deletions


@ -118,10 +118,15 @@ func (b Service) Get(request *objectV2.GetRequest, stream object.GetObjectStream
return err return err
} }
bTok, err := originalBearerToken(request.GetMetaHeader())
if err != nil {
return err
}
req := MetaWithToken{ req := MetaWithToken{
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: originalBearerToken(request.GetMetaHeader()), bearer: bTok,
src: request, src: request,
} }
@ -172,10 +177,15 @@ func (b Service) Head(
return nil, err return nil, err
} }
bTok, err := originalBearerToken(request.GetMetaHeader())
if err != nil {
return nil, err
}
req := MetaWithToken{ req := MetaWithToken{
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: originalBearerToken(request.GetMetaHeader()), bearer: bTok,
src: request, src: request,
} }
@ -218,10 +228,15 @@ func (b Service) Search(request *objectV2.SearchRequest, stream object.SearchStr
return err return err
} }
bTok, err := originalBearerToken(request.GetMetaHeader())
if err != nil {
return err
}
req := MetaWithToken{ req := MetaWithToken{
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: originalBearerToken(request.GetMetaHeader()), bearer: bTok,
src: request, src: request,
} }
@ -261,10 +276,15 @@ func (b Service) Delete(
return nil, err return nil, err
} }
bTok, err := originalBearerToken(request.GetMetaHeader())
if err != nil {
return nil, err
}
req := MetaWithToken{ req := MetaWithToken{
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: originalBearerToken(request.GetMetaHeader()), bearer: bTok,
src: request, src: request,
} }
@ -300,10 +320,15 @@ func (b Service) GetRange(request *objectV2.GetRangeRequest, stream object.GetOb
return err return err
} }
bTok, err := originalBearerToken(request.GetMetaHeader())
if err != nil {
return err
}
req := MetaWithToken{ req := MetaWithToken{
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: originalBearerToken(request.GetMetaHeader()), bearer: bTok,
src: request, src: request,
} }
@ -344,10 +369,15 @@ func (b Service) GetRangeHash(
return nil, err return nil, err
} }
bTok, err := originalBearerToken(request.GetMetaHeader())
if err != nil {
return nil, err
}
req := MetaWithToken{ req := MetaWithToken{
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: originalBearerToken(request.GetMetaHeader()), bearer: bTok,
src: request, src: request,
} }
@ -408,10 +438,15 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
} }
} }
bTok, err := originalBearerToken(request.GetMetaHeader())
if err != nil {
return err
}
req := MetaWithToken{ req := MetaWithToken{
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: originalBearerToken(request.GetMetaHeader()), bearer: bTok,
src: request, src: request,
} }
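Review bot: The new `if err != nil { return err }` after `originalBearerToken(...)` returns the decode error with no context, and the same bare return is repeated in the Get, Head, Search, Delete, GetRange, GetRangeHash and Send hunks. The CommonPrmFromV2 change in this same commit wraps the identical failure as `fmt.Errorf("invalid bearer token: %w", err)`, so the two paths report a rejected token differently. A rejected bearer token is an authorization-relevant event, and the caller or log reader should be able to tell it apart from the other `return err` visible at the top of each hunk. Wrap it the same way, e.g. `return fmt.Errorf("invalid bearer token: %w", err)` (`return nil, fmt.Errorf(...)` in Head, Delete and GetRangeHash), assuming `fmt` is already imported in this file. All seven function bodies start and end outside their hunks.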


@ -57,20 +57,18 @@ func getContainerIDFromRequest(req interface{}) (cid.ID, error) {
// originalBearerToken goes down to original request meta header and fetches // originalBearerToken goes down to original request meta header and fetches
// bearer token from there. // bearer token from there.
func originalBearerToken(header *sessionV2.RequestMetaHeader) *bearer.Token { func originalBearerToken(header *sessionV2.RequestMetaHeader) (*bearer.Token, error) {
for header.GetOrigin() != nil { for header.GetOrigin() != nil {
header = header.GetOrigin() header = header.GetOrigin()
} }
tokV2 := header.GetBearerToken() tokV2 := header.GetBearerToken()
if tokV2 == nil { if tokV2 == nil {
return nil return nil, nil
} }
var tok bearer.Token var tok bearer.Token
tok.ReadFromV2(*tokV2) return &tok, tok.ReadFromV2(*tokV2)
return &tok
} }
// originalSessionToken goes down to original request meta header and fetches // originalSessionToken goes down to original request meta header and fetches
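Review bot: `return &tok, tok.ReadFromV2(*tokV2)` hands back a non-nil pointer to a partially decoded token together with the error. Every caller visible in this commit checks `err` first, but a later caller that does not would pass a half-read bearer token on to the access checks. Return nil on failure instead: `if err := tok.ReadFromV2(*tokV2); err != nil { return nil, err }` followed by `return &tok, nil`. The doc comment above the function still describes only the old single-value return; I would add `// It returns (nil, nil) when the original header carries no bearer token and a non-nil error when the token fails to decode.`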


@ -1,12 +1,14 @@
package v2 package v2
import ( import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"testing" "testing"
"github.com/nspcc-dev/neofs-api-go/v2/acl" "github.com/nspcc-dev/neofs-api-go/v2/acl"
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
"github.com/nspcc-dev/neofs-api-go/v2/session" "github.com/nspcc-dev/neofs-api-go/v2/session"
"github.com/nspcc-dev/neofs-sdk-go/bearer" bearertest "github.com/nspcc-dev/neofs-sdk-go/bearer/test"
"github.com/nspcc-dev/neofs-sdk-go/eacl" "github.com/nspcc-dev/neofs-sdk-go/eacl"
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session" sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test" sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
@ -15,20 +17,29 @@ import (
func TestOriginalTokens(t *testing.T) { func TestOriginalTokens(t *testing.T) {
sToken := sessiontest.ObjectSigned() sToken := sessiontest.ObjectSigned()
bTokenV2 := acltest.GenerateBearerToken(false) bToken := bearertest.Token()
var bToken bearer.Token pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
bToken.ReadFromV2(*bTokenV2) require.NoError(t, bToken.Sign(*pk))
var bTokenV2 acl.BearerToken
bToken.WriteToV2(&bTokenV2)
// This line is needed because SDK uses some custom format for
// reserved filters, so `cid.ID` is not converted to string immediately.
require.NoError(t, bToken.ReadFromV2(bTokenV2))
var sTokenV2 session.Token var sTokenV2 session.Token
sToken.WriteToV2(&sTokenV2) sToken.WriteToV2(&sTokenV2)
for i := 0; i < 10; i++ { for i := 0; i < 10; i++ {
metaHeaders := testGenerateMetaHeader(uint32(i), bTokenV2, &sTokenV2) metaHeaders := testGenerateMetaHeader(uint32(i), &bTokenV2, &sTokenV2)
res, err := originalSessionToken(metaHeaders) res, err := originalSessionToken(metaHeaders)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, sToken, res, i) require.Equal(t, sToken, res, i)
require.Equal(t, &bToken, originalBearerToken(metaHeaders), i)
bTok, err := originalBearerToken(metaHeaders)
require.NoError(t, err)
require.Equal(t, &bToken, bTok, i)
} }
} }
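Review bot: TestOriginalTokens only exercises the success path of `originalBearerToken`, so the behaviour this commit introduces (a bearer token that fails to decode is rejected) has no test. Add a case that puts a v2 bearer token which `ReadFromV2` rejects into the meta header and asserts `require.Error(t, err)` from `originalBearerToken(metaHeaders)`; which malformed token to use depends on the SDK's validation, which this page does not show. Separately, `pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` drops the error and would dereference a nil key in `bToken.Sign(*pk)` if generation failed; prefer `pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` followed by `require.NoError(t, err)`.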


@ -127,7 +127,10 @@ func CommonPrmFromV2(req interface {
if tok := meta.GetBearerToken(); tok != nil { if tok := meta.GetBearerToken(); tok != nil {
prm.bearer = new(bearer.Token) prm.bearer = new(bearer.Token)
prm.bearer.ReadFromV2(*tok) err = prm.bearer.ReadFromV2(*tok)
if err != nil {
return nil, fmt.Errorf("invalid bearer token: %w", err)
}
} }
for i := range xHdrs { for i := range xHdrs {