[#229] acl: Allow Impersonate

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
Alexey Vanin 2022-10-24 16:29:05 +03:00 committed by Denis Kirillov
parent 04be9415d9
commit c04f6c5e59
2 changed files with 14 additions and 4 deletions

View file

@ -125,15 +125,17 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
return nil return nil
} }
bearerTok := reqInfo.Bearer()
impersonate := bearerTok != nil && bearerTok.Impersonate()
// if bearer token is not allowed, then ignore it // if bearer token is not allowed, then ignore it
if !basicACL.AllowedBearerRules(reqInfo.Operation()) { if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
reqInfo.CleanBearer() reqInfo.CleanBearer()
} }
var table eaclSDK.Table var table eaclSDK.Table
cnr := reqInfo.ContainerID() cnr := reqInfo.ContainerID()
bearerTok := reqInfo.Bearer()
if bearerTok == nil { if bearerTok == nil {
eaclInfo, err := c.eaclSrc.GetEACL(cnr) eaclInfo, err := c.eaclSrc.GetEACL(cnr)
if err != nil { if err != nil {

View file

@ -113,6 +113,10 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
return nil, nil, errEmptyVerificationHeader return nil, nil, errEmptyVerificationHeader
} }
if r.bearer != nil && r.bearer.Impersonate() {
return unmarshalPublicKeyWithOwner(r.bearer.SigningKeyBytes())
}
// if session token is presented, use it as truth source // if session token is presented, use it as truth source
if r.token != nil { if r.token != nil {
// verify signature of session token // verify signature of session token
@ -125,9 +129,13 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
return nil, nil, errEmptyBodySig return nil, nil, errEmptyBodySig
} }
key, err := unmarshalPublicKey(bodySignature.GetKey()) return unmarshalPublicKeyWithOwner(bodySignature.GetKey())
}
func unmarshalPublicKeyWithOwner(rawKey []byte) (*user.ID, *keys.PublicKey, error) {
key, err := unmarshalPublicKey(rawKey)
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("invalid key in body signature: %w", err) return nil, nil, fmt.Errorf("invalid signature key: %w", err)
} }
var idSender user.ID var idSender user.ID