Allow Impersonate

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
2022-10-24 16:29:05 +03:00 · 2022-10-24 16:29:05 +03:00 · 56f12c77b9
commit 56f12c77b9
parent 3d873237d5
2 changed files with 11 additions and 2 deletions
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@ -124,15 +124,17 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
 		return nil
 	}

+	bearerTok := reqInfo.Bearer()
+	impersonate := bearerTok != nil && bearerTok.Impersonate()
+
 	// if bearer token is not allowed, then ignore it
-	if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
+	if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
 		reqInfo.CleanBearer()
 	}

 	var table eaclSDK.Table
 	cnr := reqInfo.ContainerID()

-	bearerTok := reqInfo.Bearer()
 	if bearerTok == nil {
 		eaclInfo, err := c.eaclSrc.GetEACL(cnr)
 		if err != nil {
--- a/pkg/services/object/acl/v2/request.go
+++ b/pkg/services/object/acl/v2/request.go
@ -2,6 +2,7 @@ package v2

 import (
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"fmt"

 	sessionV2 "github.com/TrueCloudLab/frostfs-api-go/v2/session"
@ -113,6 +114,12 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
 		return nil, nil, errEmptyVerificationHeader
 	}

+	if r.bearer != nil && r.bearer.Impersonate() {
+		issuer := bearer.ResolveIssuer(*r.bearer)
+		pubKey, err := keys.NewPublicKeyFromBytes(r.bearer.SigningKeyBytes(), elliptic.P256())
+		return &issuer, pubKey, err
+	}
+
 	// if session token is presented, use it as truth source
 	if r.token != nil {
 		// verify signature of session token