From 2897e83fb2355bd2c1026ae080545b5bc0e05a9c Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Mon, 28 Dec 2020 18:59:42 +0300 Subject: [PATCH] [#285] object/eacl: Validate X-headers from the requests, not the responses In previous implementation of eACL service v2 the response X-headers were validated at the stage of re-checking eACL. This provoked a mismatch of records in the eACL table with requests. Fix this behavior by checking the headers from the request, not the response. Signed-off-by: Leonard Lyubich
---
 pkg/services/object/acl/acl.go | 18 +++++++++++++++++- pkg/services/object/acl/classifier.go | 1 + pkg/services/object/acl/eacl/v2/opts.go | 5 +++-- pkg/services/object/acl/eacl/v2/xheader.go | 4 +++- 4 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index f4de5bad4..a1156710a 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -77,6 +77,8 @@ type (
 senderKey []byte
 bearer *bearer.BearerToken // bearer token of request
+
+ srcRequest interface{}
 }
 )
@@ -149,6 +151,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
 vheader: request.GetVerificationHeader(),
 token: sTok,
 bearer: request.GetMetaHeader().GetBearerToken(),
+ src: request,
 }
 reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
@@ -197,6 +200,7 @@ func (b Service) Head(
 vheader: request.GetVerificationHeader(),
 token: sTok,
 bearer: request.GetMetaHeader().GetBearerToken(),
+ src: request,
 }
 reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
@@ -235,6 +239,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
 vheader: request.GetVerificationHeader(),
 token: request.GetMetaHeader().GetSessionToken(),
 bearer: request.GetMetaHeader().GetBearerToken(),
+ src: request,
 }
 reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch)
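Review bot: The new `srcRequest` field in the `@@ -77,6 +77,8 @@` hunk is declared as `interface{}` with no comment, while its neighbour `bearer` carries one, so nothing at the declaration says what it holds or which interface it must satisfy. eACLCheck later asserts it to `eaclV2.Request`, so the constraint exists but is visible only at the use site. Add a comment such as `srcRequest interface{} // original request; its X-headers are used when a response is checked against eACL`, and give the `src` field added in classifier.go the same kind of comment. Declaring both fields as `eaclV2.Request` would move the check to compile time, provided every request type passed in the Get/Head/Search and later hunks implements that interface, which cannot be confirmed from the lines shown. The struct definition starts outside the hunk.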
@@ -272,6 +277,7 @@ func (b Service) Delete(
 vheader: request.GetVerificationHeader(),
 token: sTok,
 bearer: request.GetMetaHeader().GetBearerToken(),
+ src: request,
 }
 reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
@@ -303,6 +309,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
 vheader: request.GetVerificationHeader(),
 token: sTok,
 bearer: request.GetMetaHeader().GetBearerToken(),
+ src: request,
 }
 reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
@@ -341,6 +348,7 @@ func (b Service) GetRangeHash(
 vheader: request.GetVerificationHeader(),
 token: sTok,
 bearer: request.GetMetaHeader().GetBearerToken(),
+ src: request,
 }
 reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
@@ -384,6 +392,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
 vheader: request.GetVerificationHeader(),
 token: sTok,
 bearer: request.GetMetaHeader().GetBearerToken(),
+ src: request,
 }
 reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
@@ -473,6 +482,8 @@ func (b Service) findRequestInfo(
 // add bearer token if it is present in request
 info.bearer = req.bearer
+ info.srcRequest = req.src
+
 return info, nil
 }
@@ -620,7 +631,12 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
 if req, ok := msg.(eaclV2.Request); ok {
 hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
 } else {
- hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response)))
+ hdrSrcOpts = append(hdrSrcOpts,
+ eaclV2.WithServiceResponse(
+ msg.(eaclV2.Response),
+ reqInfo.srcRequest.(eaclV2.Request),
+ ),
+ )
 }
 action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit).
diff --git a/pkg/services/object/acl/classifier.go b/pkg/services/object/acl/classifier.go
index 6528461af..e08ce1c9a 100644
--- a/pkg/services/object/acl/classifier.go
+++ b/pkg/services/object/acl/classifier.go
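Review bot: `reqInfo.srcRequest.(eaclV2.Request)` in the eACLCheck hunk of acl.go is an unchecked assertion on an `interface{}` field, so a nil `srcRequest` or a request type that does not implement `eaclV2.Request` panics in the middle of an access-control decision instead of yielding one. The hunks in this patch set `src: request` at seven call sites, but any construction site outside the diff that leaves `src` unset would reach this line; the neighbouring `msg.(eaclV2.Response)` has the same shape. Use the comma-ok form for both and return a denial when either fails, assuming a false result from eACLCheck denies the operation, as its bool return suggests. eACLCheck begins and ends outside the hunk.

```go
	} else {
		resp, ok := msg.(eaclV2.Response)
		if !ok {
			// neither a request nor a response: refuse rather than panic
			return false
		}

		srcReq, ok := reqInfo.srcRequest.(eaclV2.Request)
		if !ok {
			// no usable source request to take X-headers from: fail closed
			return false
		}

		hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(resp, srcReq))
	}
	// … unchanged: CalculateAction call …
```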
@@ -27,6 +27,7 @@ type (
 vheader *session.RequestVerificationHeader
 token *session.SessionToken
 bearer *bearer.BearerToken
+ src interface{}
 }
 SenderClassifier struct {
diff --git a/pkg/services/object/acl/eacl/v2/opts.go b/pkg/services/object/acl/eacl/v2/opts.go
index 42e9b8597..c8d32eb66 100644
--- a/pkg/services/object/acl/eacl/v2/opts.go
+++ b/pkg/services/object/acl/eacl/v2/opts.go
@@ -27,10 +27,11 @@ func WithServiceRequest(v Request) Option {
 }
 }
-func WithServiceResponse(v Response) Option {
+func WithServiceResponse(resp Response, req Request) Option {
 return func(c *cfg) {
 c.msg = &responseXHeaderSource{
- resp: v,
+ resp: resp,
+ req: req,
 }
 }
 }
diff --git a/pkg/services/object/acl/eacl/v2/xheader.go b/pkg/services/object/acl/eacl/v2/xheader.go
index 642c94a76..a0874b42e 100644
--- a/pkg/services/object/acl/eacl/v2/xheader.go
+++ b/pkg/services/object/acl/eacl/v2/xheader.go
@@ -14,6 +14,8 @@ type requestXHeaderSource struct {
 type responseXHeaderSource struct {
 resp Response
+
+ req Request
 }
 func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader {
@@ -43,7 +45,7 @@ func (s *responseXHeaderSource) GetXHeaders() []*session.XHeader {
 ln := 0
 xHdrs := make([][]*session.XHeader, 0)
- for meta := s.resp.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() {
+ for meta := s.req.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() {
 x := meta.GetXHeaders()
 ln += len(x)
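Review bot: The exported `WithServiceResponse` in opts.go changes its signature and gains a `req` parameter without a doc comment, so the contract for the new argument is unstated. `responseXHeaderSource.GetXHeaders` calls `s.req.GetMetaHeader()` on whatever is stored here, so a nil `req` would panic while a response is being checked against eACL. Document the requirement on the function, for example `// WithServiceResponse sets the response under check and the request whose X-headers are matched against eACL records; req must not be nil.` Any out-of-tree caller of the old one-argument form will stop compiling, which is worth a line in the commit message.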
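Review bot: After the switch to `s.req.GetMetaHeader()` in the `@@ -43,7 +45,7 @@` hunk of xheader.go, the loop no longer reads `s.resp` in the lines shown, yet the type is still called responseXHeaderSource and neither field is commented, so a reader cannot tell which message supplies the headers. Add field comments in the struct hunk above, e.g. `resp Response // message being checked` and `req Request // source of the X-headers used for eACL matching`. A short comment above the loop should also say that every level of the request's `GetOrigin()` chain contributes headers, since these are presumably values chosen by the sender and eACL records keyed on them rely on the request having been verified earlier. GetXHeaders continues outside the hunk, so whether `resp` is still used further down cannot be seen here.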