[#285] object/eacl: Validate X-headers from the requests, not the responses

In the previous implementation of the eACL service v2, the response X-headers were
validated at the eACL re-check stage. This caused a mismatch between the
records in the eACL table and the requests. Fix this behavior by checking the
headers from the request, not the response.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Leonard Lyubich 2020-12-28 18:59:42 +03:00 committed by Alex Vanin
parent c69f867af1
commit 2897e83fb2
4 changed files with 24 additions and 4 deletions


@ -77,6 +77,8 @@ type (
senderKey []byte senderKey []byte
bearer *bearer.BearerToken // bearer token of request bearer *bearer.BearerToken // bearer token of request
srcRequest interface{}
} }
) )
@ -149,6 +151,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(), bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
} }
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet) reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
@ -197,6 +200,7 @@ func (b Service) Head(
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(), bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
} }
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead) reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
@ -235,6 +239,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: request.GetMetaHeader().GetSessionToken(), token: request.GetMetaHeader().GetSessionToken(),
bearer: request.GetMetaHeader().GetBearerToken(), bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
} }
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch) reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch)
@ -272,6 +277,7 @@ func (b Service) Delete(
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(), bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
} }
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete) reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
@ -303,6 +309,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(), bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
} }
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange) reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
@ -341,6 +348,7 @@ func (b Service) GetRangeHash(
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(), bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
} }
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash) reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
@ -384,6 +392,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
vheader: request.GetVerificationHeader(), vheader: request.GetVerificationHeader(),
token: sTok, token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(), bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
} }
reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut) reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
@ -473,6 +482,8 @@ func (b Service) findRequestInfo(
// add bearer token if it is present in request // add bearer token if it is present in request
info.bearer = req.bearer info.bearer = req.bearer
info.srcRequest = req.src
return info, nil return info, nil
} }
@ -620,7 +631,12 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
if req, ok := msg.(eaclV2.Request); ok { if req, ok := msg.(eaclV2.Request); ok {
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req)) hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
} else { } else {
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response))) hdrSrcOpts = append(hdrSrcOpts,
eaclV2.WithServiceResponse(
msg.(eaclV2.Response),
reqInfo.srcRequest.(eaclV2.Request),
),
)
} }
action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit). action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit).
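Review bot: The new `reqInfo.srcRequest.(eaclV2.Request)` assertion in the response branch is unchecked, so a requestInfo whose srcRequest is nil or holds another type panics inside the eACL check instead of denying the operation. Every caller visible in this commit populates `src`, but the field is an untyped `interface{}` and nothing enforces the contract, so a comma-ok guard is cheap insurance; assuming the bool returned by eACLCheck reports whether the operation is permitted, the failure should be closed. The pre-existing `msg.(eaclV2.Response)` assertion on the same line has the same shape and could take the same treatment. eACLCheck continues past the end of this hunk.
```go
	} else {
		srcReq, ok := reqInfo.srcRequest.(eaclV2.Request)
		if !ok {
			// fail closed: X-headers cannot be matched against the eACL table
			// without the request that produced this response
			return false
		}
		hdrSrcOpts = append(hdrSrcOpts,
			eaclV2.WithServiceResponse(msg.(eaclV2.Response), srcReq),
		)
	}
	// … unchanged: CalculateAction call and the rest of eACLCheck …
```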


@ -27,6 +27,7 @@ type (
vheader *session.RequestVerificationHeader vheader *session.RequestVerificationHeader
token *session.SessionToken token *session.SessionToken
bearer *bearer.BearerToken bearer *bearer.BearerToken
src interface{}
} }
SenderClassifier struct { SenderClassifier struct {
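Review bot: The new `src interface{}` field carries no comment, and its type does not say what the rest of this commit expects of it: eACLCheck later asserts the value to `eaclV2.Request` and the response-side X-header source reads its meta header. A reader of this struct alone cannot see that requirement, so I would annotate the field, e.g. `src interface{} // originating service request; must implement eaclV2.Request for the response-side eACL check`. If the package can import the v2 eACL package without a cycle, typing the field as `eaclV2.Request` would make the assertion unnecessary. The enclosing type declaration starts above this hunk.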


@ -27,10 +27,11 @@ func WithServiceRequest(v Request) Option {
} }
} }
func WithServiceResponse(v Response) Option { func WithServiceResponse(resp Response, req Request) Option {
return func(c *cfg) { return func(c *cfg) {
c.msg = &responseXHeaderSource{ c.msg = &responseXHeaderSource{
resp: v, resp: resp,
req: req,
} }
} }
} }
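Review bot: `WithServiceResponse` is exported and its signature changed, but it has no doc comment stating what `req` must be in relation to `resp`; I would add `// WithServiceResponse returns an Option whose X-header source is req, the request that produced resp.` The option also accepts a nil `req` without complaint, and the `responseXHeaderSource.GetXHeaders` change in this commit now calls `s.req.GetMetaHeader()`, so a nil interface here surfaces as a panic at check time rather than a clear error at construction; if callers can guarantee non-nil, the doc comment should say so. Whether `resp` is still read anywhere after this change is not visible in the hunks shown.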


@ -14,6 +14,8 @@ type requestXHeaderSource struct {
type responseXHeaderSource struct { type responseXHeaderSource struct {
resp Response resp Response
req Request
} }
func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader { func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader {
@ -43,7 +45,7 @@ func (s *responseXHeaderSource) GetXHeaders() []*session.XHeader {
ln := 0 ln := 0
xHdrs := make([][]*session.XHeader, 0) xHdrs := make([][]*session.XHeader, 0)
for meta := s.resp.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() { for meta := s.req.GetMetaHeader(); meta != nil; meta = meta.GetOrigin() {
x := meta.GetXHeaders() x := meta.GetXHeaders()
ln += len(x) ln += len(x)