[#395] Fix grantee in ACL
Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
parent
ed47bc1596
commit
f3df5ff633
3 changed files with 27 additions and 25 deletions
|
@ -3,6 +3,7 @@ package handler
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"encoding/xml"
|
"encoding/xml"
|
||||||
|
@ -145,30 +146,31 @@ func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *handler) gateKey(ctx context.Context) (*keys.PublicKey, error) {
|
func (h *handler) bearerTokenIssuerKey(ctx context.Context) (*keys.PublicKey, error) {
|
||||||
gateKey := h.obj.EphemeralKey()
|
|
||||||
box, err := layer.GetBoxData(ctx)
|
box, err := layer.GetBoxData(ctx)
|
||||||
if err == nil {
|
if err != nil {
|
||||||
if box.Gate.GateKey == nil {
|
return nil, err
|
||||||
return nil, fmt.Errorf("gate key must not be nil")
|
|
||||||
}
|
|
||||||
gateKey = box.Gate.GateKey
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return gateKey, nil
|
key, err := keys.NewPublicKeyFromBytes(box.Gate.BearerToken.Signature().Key(), elliptic.P256())
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return key, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) {
|
func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
reqInfo := api.GetReqInfo(r.Context())
|
reqInfo := api.GetReqInfo(r.Context())
|
||||||
gateKey, err := h.gateKey(r.Context())
|
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
list := &AccessControlPolicy{}
|
list := &AccessControlPolicy{}
|
||||||
if r.ContentLength == 0 {
|
if r.ContentLength == 0 {
|
||||||
list, err = parseACLHeaders(r.Header, gateKey)
|
list, err = parseACLHeaders(r.Header, key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
||||||
return
|
return
|
||||||
|
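Review bot: The new bearerTokenIssuerKey dereferences `box.Gate.BearerToken.Signature()` right after the GetBoxData error check, while the old body guarded `box.Gate.GateKey == nil` before using it; unless GetBoxData is known to always populate a non-nil Gate and BearerToken (not visible here), a request whose box carries no bearer token will panic in the handler rather than fail cleanly. A guard such as `if box.Gate == nil || box.Gate.BearerToken == nil {` / `return nil, fmt.Errorf("bearer token must not be nil")` / `}` placed before the keys.NewPublicKeyFromBytes call keeps the failure an error response (fmt was already used in the removed lines, so presumably still imported). The hunk also drops the old fallback to `h.obj.EphemeralKey()` when no box is present, so such requests now fail with whatever GetBoxData returns; that seems intended given the commit's purpose, but the returned error could name the missing token explicitly. PutBucketACLHandler continues past the end of this hunk.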
@ -256,7 +258,7 @@ func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
reqInfo := api.GetReqInfo(r.Context())
|
reqInfo := api.GetReqInfo(r.Context())
|
||||||
versionID := reqInfo.URL.Query().Get(api.QueryVersionID)
|
versionID := reqInfo.URL.Query().Get(api.QueryVersionID)
|
||||||
gateKey, err := h.gateKey(r.Context())
|
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
||||||
return
|
return
|
||||||
|
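Review bot: The error text in PutObjectACLHandler still says `"couldn't get gate key"` after the call was switched to bearerTokenIssuerKey, so the log line no longer describes what failed; the same stale message remains in the CreateMultipartUploadHandler hunk, while PutBucketACLHandler says "bearer token issuer key" and CreateBucketHandler says "bearer token signature key". One wording for all four call sites, e.g. `h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err)`, would keep the logs searchable. PutObjectACLHandler continues past the end of this hunk.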
@ -264,7 +266,7 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
list := &AccessControlPolicy{}
|
list := &AccessControlPolicy{}
|
||||||
if r.ContentLength == 0 {
|
if r.ContentLength == 0 {
|
||||||
list, err = parseACLHeaders(r.Header, gateKey)
|
list, err = parseACLHeaders(r.Header, key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
||||||
return
|
return
|
||||||
|
@ -375,16 +377,16 @@ func (h *handler) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseACLHeaders(header http.Header, gateKey *keys.PublicKey) (*AccessControlPolicy, error) {
|
func parseACLHeaders(header http.Header, key *keys.PublicKey) (*AccessControlPolicy, error) {
|
||||||
var err error
|
var err error
|
||||||
acp := &AccessControlPolicy{Owner: Owner{
|
acp := &AccessControlPolicy{Owner: Owner{
|
||||||
ID: hex.EncodeToString(gateKey.Bytes()),
|
ID: hex.EncodeToString(key.Bytes()),
|
||||||
DisplayName: gateKey.Address(),
|
DisplayName: key.Address(),
|
||||||
}}
|
}}
|
||||||
acp.AccessControlList = []*Grant{{
|
acp.AccessControlList = []*Grant{{
|
||||||
Grantee: &Grantee{
|
Grantee: &Grantee{
|
||||||
ID: hex.EncodeToString(gateKey.Bytes()),
|
ID: hex.EncodeToString(key.Bytes()),
|
||||||
DisplayName: gateKey.Address(),
|
DisplayName: key.Address(),
|
||||||
Type: acpCanonicalUser,
|
Type: acpCanonicalUser,
|
||||||
},
|
},
|
||||||
Permission: aclFullControl,
|
Permission: aclFullControl,
|
||||||
|
|
|
@ -127,12 +127,12 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
|
||||||
)
|
)
|
||||||
|
|
||||||
if containsACLHeaders(r) {
|
if containsACLHeaders(r) {
|
||||||
gateKey, err := h.gateKey(r.Context())
|
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
data.ACL, err = parseACLHeaders(r.Header, gateKey)
|
data.ACL, err = parseACLHeaders(r.Header, key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "could not parse acl", reqInfo, err)
|
h.logAndSendError(w, "could not parse acl", reqInfo, err)
|
||||||
return
|
return
|
||||||
|
|
|
@ -462,11 +462,11 @@ func containsACLHeaders(r *http.Request) bool {
|
||||||
|
|
||||||
func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) {
|
func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) {
|
||||||
var newEaclTable *eacl.Table
|
var newEaclTable *eacl.Table
|
||||||
gateKey, err := h.gateKey(r.Context())
|
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
objectACL, err := parseACLHeaders(r.Header, gateKey)
|
objectACL, err := parseACLHeaders(r.Header, key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not parse object acl: %w", err)
|
return nil, fmt.Errorf("could not parse object acl: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -552,13 +552,13 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
gateKey, err := h.gateKey(r.Context())
|
key, err := h.bearerTokenIssuerKey(r.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
|
h.logAndSendError(w, "couldn't get bearer token signature key", reqInfo, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
bktACL, err := parseACLHeaders(r.Header, gateKey)
|
bktACL, err := parseACLHeaders(r.Header, key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
||||||
return
|
return
|
||||||
|
|