From 56f12c77b9f93eedd29913ce14d09aa331d598bf Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Mon, 24 Oct 2022 16:29:05 +0300 Subject: [PATCH] Allow Impersonate Signed-off-by: Alex Vanin --- pkg/services/object/acl/acl.go | 6 ++++-- pkg/services/object/acl/v2/request.go | 7 +++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 78e972eae..354c5d92d 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -124,15 +124,17 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error { return nil } + bearerTok := reqInfo.Bearer() + impersonate := bearerTok != nil && bearerTok.Impersonate() + // if bearer token is not allowed, then ignore it - if !basicACL.AllowedBearerRules(reqInfo.Operation()) { + if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) { reqInfo.CleanBearer() } var table eaclSDK.Table cnr := reqInfo.ContainerID() - bearerTok := reqInfo.Bearer() if bearerTok == nil { eaclInfo, err := c.eaclSrc.GetEACL(cnr) if err != nil { diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go index 2a708c3f5..4aa115cb5 100644 --- a/pkg/services/object/acl/v2/request.go +++ b/pkg/services/object/acl/v2/request.go @@ -2,6 +2,7 @@ package v2 import ( "crypto/ecdsa" + "crypto/elliptic" "fmt" sessionV2 "github.com/TrueCloudLab/frostfs-api-go/v2/session" @@ -113,6 +114,12 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) { return nil, nil, errEmptyVerificationHeader } + if r.bearer != nil && r.bearer.Impersonate() { + issuer := bearer.ResolveIssuer(*r.bearer) + pubKey, err := keys.NewPublicKeyFromBytes(r.bearer.SigningKeyBytes(), elliptic.P256()) + return &issuer, pubKey, err + } + // if session token is presented, use it as truth source if r.token != nil { // verify signature of session token