[#285] object/eacl: Validate X-headers from the requests, not the responses

In previous implementation of eACL service v2 the response X-headers were validated at the stage of re-checking eACL. This provoked a mismatch of records in the eACL table with requests. Fix this behavior by checking the headers from the request, not the response. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2020-12-28 18:59:42 +03:00 · 2020-12-28 18:59:42 +03:00 · 2897e83fb2
commit 2897e83fb2
parent c69f867af1
4 changed files with 24 additions and 4 deletions
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@ -77,6 +77,8 @@ type (
 		senderKey []byte

 		bearer *bearer.BearerToken // bearer token of request
+
+		srcRequest interface{}
 	}
 )

@ -149,6 +151,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
 		bearer:  request.GetMetaHeader().GetBearerToken(),
+		src:     request,
 	}

 	reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
@ -197,6 +200,7 @@ func (b Service) Head(
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
 		bearer:  request.GetMetaHeader().GetBearerToken(),
+		src:     request,
 	}

 	reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
@ -235,6 +239,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
 		vheader: request.GetVerificationHeader(),
 		token:   request.GetMetaHeader().GetSessionToken(),
 		bearer:  request.GetMetaHeader().GetBearerToken(),
+		src:     request,
 	}

 	reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch)
@ -272,6 +277,7 @@ func (b Service) Delete(
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
 		bearer:  request.GetMetaHeader().GetBearerToken(),
+		src:     request,
 	}

 	reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
@ -303,6 +309,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
 		bearer:  request.GetMetaHeader().GetBearerToken(),
+		src:     request,
 	}

 	reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
@ -341,6 +348,7 @@ func (b Service) GetRangeHash(
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
 		bearer:  request.GetMetaHeader().GetBearerToken(),
+		src:     request,
 	}

 	reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
@ -384,6 +392,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
 			vheader: request.GetVerificationHeader(),
 			token:   sTok,
 			bearer:  request.GetMetaHeader().GetBearerToken(),
+			src:     request,
 		}

 		reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
@ -473,6 +482,8 @@ func (b Service) findRequestInfo(
 	// add bearer token if it is present in request
 	info.bearer = req.bearer

+	info.srcRequest = req.src
+
 	return info, nil
 }

@ -620,7 +631,12 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
 	if req, ok := msg.(eaclV2.Request); ok {
 		hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
 	} else {
-		hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response)))
+		hdrSrcOpts = append(hdrSrcOpts,
+			eaclV2.WithServiceResponse(
+				msg.(eaclV2.Response),
+				reqInfo.srcRequest.(eaclV2.Request),
+			),
+		)
 	}

 	action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit).
--- a/pkg/services/object/acl/classifier.go
+++ b/pkg/services/object/acl/classifier.go
@ -27,6 +27,7 @@ type (
 		vheader *session.RequestVerificationHeader
 		token   *session.SessionToken
 		bearer  *bearer.BearerToken
+		src     interface{}
 	}

 	SenderClassifier struct {
--- a/pkg/services/object/acl/eacl/v2/opts.go
+++ b/pkg/services/object/acl/eacl/v2/opts.go
@ -27,10 +27,11 @@ func WithServiceRequest(v Request) Option {
 	}
 }

-func WithServiceResponse(v Response) Option {
+func WithServiceResponse(resp Response, req Request) Option {
 	return func(c *cfg) {
 		c.msg = &responseXHeaderSource{
-			resp: v,
+			resp: resp,
+			req:  req,
 		}
 	}
 }
--- a/pkg/services/object/acl/eacl/v2/xheader.go
+++ b/pkg/services/object/acl/eacl/v2/xheader.go
@ -14,6 +14,8 @@ type requestXHeaderSource struct {

 type responseXHeaderSource struct {
 	resp Response
+
+	req Request
 }

 func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader {
@ -43,7 +45,7 @@ func (s *responseXHeaderSource) GetXHeaders() []*session.XHeader {
 	ln := 0
 	xHdrs := make([][]*session.XHeader, 0)

-	for meta := s.resp.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() {
+	for meta := s.req.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() {
 		x := meta.GetXHeaders()

 		ln += len(x)