[#1191] object/acl: check session token verb

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
Evgenii Stratonikov 2022-02-28 15:35:10 +03:00 committed by Alex Vanin
parent 5e90d85020
commit 0bf59522f7
4 changed files with 68 additions and 10 deletions

View file

@ -13,6 +13,8 @@ var (
ErrUnknownRole = errors.New("can't classify request sender") ErrUnknownRole = errors.New("can't classify request sender")
// ErrUnknownContainer is returned when container fetching errors appeared. // ErrUnknownContainer is returned when container fetching errors appeared.
ErrUnknownContainer = errors.New("can't fetch container info") ErrUnknownContainer = errors.New("can't fetch container info")
// ErrInvalidVerb is returned when session token verb doesn't include necessary operation.
ErrInvalidVerb = errors.New("session token verb is invalid")
) )
type accessErr struct { type accessErr struct {

View file

@ -425,7 +425,10 @@ func (b Service) findRequestInfo(
} }
// find verb from token if it is present // find verb from token if it is present
verb := sourceVerbOfRequest(req, op) verb, isUnknown := sourceVerbOfRequest(req.token, op)
if !isUnknown && verb != op && !isVerbCompatible(verb, op) {
return info, ErrInvalidVerb
}
info.basicACL = cnr.BasicACL() info.basicACL = cnr.BasicACL()
info.requestRole = res.role info.requestRole = res.role

View file

@ -102,18 +102,17 @@ func getObjectOwnerFromMessage(req interface{}) (id *owner.ID, err error) {
} }
// sourceVerbOfRequest looks for verb in session token and if it is not found, // sourceVerbOfRequest looks for verb in session token and if it is not found,
// returns reqVerb. // returns reqVerb. Second return value is true if operation is unknown.
func sourceVerbOfRequest(req MetaWithToken, reqVerb eaclSDK.Operation) eaclSDK.Operation { func sourceVerbOfRequest(tok *sessionSDK.Token, reqVerb eaclSDK.Operation) (eaclSDK.Operation, bool) {
if req.token != nil { ctx, ok := tok.Context().(*sessionSDK.ObjectContext)
switch v := req.token.Context().(type) { if ok {
case *sessionSDK.ObjectContext: op := tokenVerbToOperation(ctx)
return tokenVerbToOperation(v) if op != eaclSDK.OperationUnknown {
default: return op, false
// do nothing, return request verb
} }
} }
return reqVerb return reqVerb, true
} }
func useObjectIDFromSession(req *RequestInfo, token *sessionSDK.Token) { func useObjectIDFromSession(req *RequestInfo, token *sessionSDK.Token) {
@ -195,3 +194,18 @@ func isOwnerFromKey(id *owner.ID, key *keys.PublicKey) bool {
return id.Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key))) return id.Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key)))
} }
// isVerbCompatible checks that tokenVerb operation can create auxiliary op operation.
func isVerbCompatible(tokenVerb, op eaclSDK.Operation) bool {
switch tokenVerb {
case eaclSDK.OperationGet:
return op == eaclSDK.OperationGet || op == eaclSDK.OperationHead
case eaclSDK.OperationDelete:
return op == eaclSDK.OperationPut || op == eaclSDK.OperationHead ||
op == eaclSDK.OperationSearch
case eaclSDK.OperationRange, eaclSDK.OperationRangeHash:
return op == eaclSDK.OperationRange || op == eaclSDK.OperationHead
default:
return tokenVerb == op
}
}

View file

@ -7,6 +7,7 @@ import (
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test" acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
"github.com/nspcc-dev/neofs-api-go/v2/session" "github.com/nspcc-dev/neofs-api-go/v2/session"
sessiontest "github.com/nspcc-dev/neofs-api-go/v2/session/test" sessiontest "github.com/nspcc-dev/neofs-api-go/v2/session/test"
"github.com/nspcc-dev/neofs-sdk-go/eacl"
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session" sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token" bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -36,3 +37,41 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Session
return metaHeader return metaHeader
} }
func TestIsVerbCompatible(t *testing.T) {
// Source: https://nspcc.ru/upload/neofs-spec-latest.pdf#page=28
table := map[eacl.Operation][]eacl.Operation{
eacl.OperationPut: {eacl.OperationPut},
eacl.OperationDelete: {eacl.OperationPut, eacl.OperationHead, eacl.OperationSearch},
eacl.OperationHead: {eacl.OperationHead},
eacl.OperationRange: {eacl.OperationRange, eacl.OperationHead},
eacl.OperationRangeHash: {eacl.OperationRange, eacl.OperationHead},
eacl.OperationGet: {eacl.OperationGet, eacl.OperationHead},
eacl.OperationSearch: {eacl.OperationSearch},
}
ops := []eacl.Operation{
eacl.OperationPut,
eacl.OperationDelete,
eacl.OperationHead,
eacl.OperationRange,
eacl.OperationRangeHash,
eacl.OperationGet,
eacl.OperationSearch,
}
for _, opToken := range ops {
for _, op := range ops {
var contains bool
for _, o := range table[opToken] {
if o == op {
contains = true
break
}
}
require.Equal(t, contains, isVerbCompatible(opToken, op),
"%s in token, %s executing", opToken, op)
}
}
}