From 49131f1bc71674756bed88bd12fc2c0c64613f8c Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Tue, 15 Dec 2020 12:06:04 +0300 Subject: [PATCH] [#247] object/eacl: Use address from session token in request validation Signed-off-by: Leonard Lyubich --- pkg/services/object/acl/acl.go | 18 +++++----- pkg/services/object/acl/eacl/v2/headers.go | 42 ++++++++++++---------- pkg/services/object/acl/eacl/v2/object.go | 7 ++-- pkg/services/object/acl/eacl/v2/opts.go | 11 ++++-- pkg/services/object/acl/eacl/v2/xheader.go | 3 -- 5 files changed, 44 insertions(+), 37 deletions(-) diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 9c033623f..f4de5bad4 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -606,19 +606,21 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool { return false } - hdrSrcOpts := make([]eaclV2.Option, 0, 2) + hdrSrcOpts := make([]eaclV2.Option, 0, 3) - hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithLocalObjectStorage(cfg.localStorage)) + addr := objectSDK.NewAddress() + addr.SetContainerID(reqInfo.cid) + addr.SetObjectID(reqInfo.oid) + + hdrSrcOpts = append(hdrSrcOpts, + eaclV2.WithLocalObjectStorage(cfg.localStorage), + eaclV2.WithAddress(addr.ToV2()), + ) if req, ok := msg.(eaclV2.Request); ok { hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req)) } else { - addr := objectSDK.NewAddress() - addr.SetContainerID(reqInfo.cid) - addr.SetObjectID(reqInfo.oid) - - // TODO: Add 'WithAddress' option to config and use address from reqInfo - hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response), addr.ToV2())) + hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response))) } action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit). diff --git a/pkg/services/object/acl/eacl/v2/headers.go b/pkg/services/object/acl/eacl/v2/headers.go index 2d7cf0359..d1deb6e6b 100644 --- a/pkg/services/object/acl/eacl/v2/headers.go 
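Review bot: The address handed to `eaclV2.WithAddress` is rebuilt from `reqInfo.cid`/`reqInfo.oid` for every message, so header resolution in the eACL check no longer consults the address carried in the request body; if `reqInfo` is filled from the session token, as the subject line says, the check is only sound when an earlier step has already verified that the body address and the token address agree, and that verification is not visible in this hunk. For request types that carry no object ID the `oid` is presumably empty, which deserves a comment on the new lines, e.g. `// addr is the address being authorized (container + object from reqInfo); the object ID may be empty for requests without one`. The rewritten `else` branch still asserts `msg.(eaclV2.Response)` without an ok check; `resp, ok := msg.(eaclV2.Response); if !ok { return false }` turns an unexpected message type into a denial instead of a panic. eACLCheck starts and ends outside the hunk.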
+++ b/pkg/services/object/acl/eacl/v2/headers.go @@ -21,6 +21,8 @@ type cfg struct { storage ObjectStorage msg xHeaderSource + + addr *refs.Address } type ObjectStorage interface { @@ -81,22 +83,27 @@ func requestHeaders(msg xHeaderSource) []eacl.Header { } func (h *headerSource) objectHeaders() ([]eacl.Header, bool) { + var addr *objectSDK.Address + if h.addr != nil { + addr = objectSDK.NewAddressFromV2(h.addr) + } + switch m := h.msg.(type) { default: panic(fmt.Sprintf("unexpected message type %T", h.msg)) case *requestXHeaderSource: switch req := m.req.(type) { case *objectV2.GetRequest: - return h.localObjectHeaders(req.GetBody().GetAddress()) + return h.localObjectHeaders(h.addr) case *objectV2.DeleteRequest: - hs, _ := h.localObjectHeaders(req.GetBody().GetAddress()) + hs, _ := h.localObjectHeaders(h.addr) return hs, true case *objectV2.HeadRequest: - return h.localObjectHeaders(req.GetBody().GetAddress()) + return h.localObjectHeaders(h.addr) case *objectV2.GetRangeRequest: - return addressHeaders(objectSDK.NewAddressFromV2(req.GetBody().GetAddress())), true + return addressHeaders(objectSDK.NewAddressFromV2(h.addr)), true case *objectV2.GetRangeHashRequest: - hs, _ := h.localObjectHeaders(req.GetBody().GetAddress()) + hs, _ := h.localObjectHeaders(h.addr) return hs, true case *objectV2.PutRequest: if v, ok := req.GetBody().GetObjectPart().(*objectV2.PutObjectPartInit); ok { 
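Review bot: The new `addr` field on `cfg` has no comment saying how it relates to `msg`, and since it is set through an option it can legitimately be nil. Suggest `// addr is the object address the eACL check is evaluated against; set with WithAddress.` so the nil case is at least visible to whoever reads the struct.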
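Review bot: The nil-guarded `addr` computed at the top of objectHeaders is not used by the Get, Delete, Head and GetRangeHash cases, which pass the raw `h.addr`, and the GetRange case converts it a second time with `objectSDK.NewAddressFromV2(h.addr)`; because `WithAddress` is optional, a headerSource built without it hands a nil `*refs.Address` to localObjectHeaders, and whether the SDK conversion tolerates nil cannot be told from here. Suggest `return addressHeaders(addr), true` in the GetRange case and an explicit `if h.addr == nil { return nil, false }` before the switch so a missing address is a refused check rather than a deep nil dereference. objectHeaders continues past the end of the hunk.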
@@ -104,14 +111,14 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) { oV2.SetObjectID(v.GetObjectID()) oV2.SetHeader(v.GetHeader()) - hs := headersFromObject(object.NewFromV2(oV2)) - if tok := oV2.GetHeader().GetSessionToken(); tok != nil { - objCtx, ok := tok.GetBody().GetContext().(*session.ObjectSessionContext) - if ok { - hs = append(hs, addressHeaders(objectSDK.NewAddressFromV2(objCtx.GetAddress()))...) - } + if addr == nil { + addr = objectSDK.NewAddress() + addr.SetContainerID(container.NewIDFromV2(v.GetHeader().GetContainerID())) + addr.SetObjectID(objectSDK.NewIDFromV2(v.GetObjectID())) } + hs := headersFromObject(object.NewFromV2(oV2), addr) + return hs, true } case *objectV2.SearchRequest: @@ -123,7 +130,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) { case *responseXHeaderSource: switch resp := m.resp.(type) { default: - hs, _ := h.localObjectHeaders(m.addr) + hs, _ := h.localObjectHeaders(h.addr) return hs, true case *objectV2.GetResponse: if v, ok := resp.GetBody().GetObjectPart().(*objectV2.GetObjectPartInit); ok { @@ -131,7 +138,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) { oV2.SetObjectID(v.GetObjectID()) oV2.SetHeader(v.GetHeader()) - return headersFromObject(object.NewFromV2(oV2)), true + return headersFromObject(object.NewFromV2(oV2), addr), true } case *objectV2.HeadResponse: oV2 := new(objectV2.Object) @@ -142,7 +149,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) { case *objectV2.ShortHeader: hdr = new(objectV2.Header) - hdr.SetContainerID(m.addr.GetContainerID()) + hdr.SetContainerID(h.addr.GetContainerID()) hdr.SetVersion(v.GetVersion()) hdr.SetCreationEpoch(v.GetCreationEpoch()) hdr.SetOwnerID(v.GetOwnerID()) 
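Review bot: `headersFromObject(object.NewFromV2(oV2), addr)` in the GetResponse case can receive a nil `addr`: the fallback that builds an address from the object header exists only in the PutRequest case of the previous hunk, while `addr` stays nil whenever `h.addr` is nil, and headersFromObject dereferences it. The HeadResponse return in the following hunk (@@ -154) has the same gap, and the ShortHeader branch in @@ -142 reads `h.addr.GetContainerID()` directly. Either lift the Put fallback into a small helper that all three paths call, or reject a nil address once before the type switch. objectHeaders continues past the end of the hunk.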
@@ -154,10 +161,7 @@ func (h *headerSource) objectHeaders() ([]eacl.Header, bool) { oV2.SetHeader(hdr) - return append( - headersFromObject(object.NewFromV2(oV2)), - oidHeader(objectSDK.NewIDFromV2(m.addr.GetObjectID())), - ), true + return headersFromObject(object.NewFromV2(oV2), addr), true } } @@ -169,7 +173,7 @@ func (h *headerSource) localObjectHeaders(addrV2 *refs.Address) ([]eacl.Header, obj, err := h.storage.Head(addr) if err == nil { - return append(headersFromObject(obj), addressHeaders(addr)...), true + return headersFromObject(obj, addr), true } return addressHeaders(addr), false diff --git a/pkg/services/object/acl/eacl/v2/object.go b/pkg/services/object/acl/eacl/v2/object.go index 22d5816a0..eb0b4a4b2 100644 --- a/pkg/services/object/acl/eacl/v2/object.go +++ b/pkg/services/object/acl/eacl/v2/object.go @@ -39,14 +39,13 @@ func u64Value(v uint64) string { return strconv.FormatUint(v, 10) } -func headersFromObject(obj *object.Object) []eacl.Header { +func headersFromObject(obj *object.Object, addr *objectSDK.Address) []eacl.Header { // TODO: optimize allocs res := make([]eacl.Header, 0) for ; obj != nil; obj = obj.GetParent() { res = append(res, - // container ID - cidHeader(obj.ContainerID()), + cidHeader(addr.ContainerID()), // owner ID &sysObjHdr{ k: acl.FilterObjectOwnerID, @@ -62,7 +61,7 @@ func headersFromObject(obj *object.Object) []eacl.Header { k: acl.FilterObjectPayloadLength, v: u64Value(obj.PayloadSize()), }, - oidHeader(obj.ID()), + oidHeader(addr.ObjectID()), // TODO: add others fields after neofs-api#84 ) diff --git a/pkg/services/object/acl/eacl/v2/opts.go b/pkg/services/object/acl/eacl/v2/opts.go index 571744a10..42e9b8597 100644 --- a/pkg/services/object/acl/eacl/v2/opts.go +++ b/pkg/services/object/acl/eacl/v2/opts.go 
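Review bot: With `cidHeader(addr.ContainerID())` and, in the next hunk (@@ -62), `oidHeader(addr.ObjectID())` placed inside the `for ; obj != nil; obj = obj.GetParent()` loop, every parent in the chain now reports the requested address instead of its own IDs, so an eACL rule that filters on object ID can no longer tell a parent from the child and the same two headers are appended once per iteration. If that is the intended semantics, record it: `// cid/oid come from the requested address rather than obj, so every parent carries the child's address`; otherwise emit the address headers once outside the loop and keep `obj.ID()` per object. `addr` is also dereferenced with no nil check, and at least the GetResponse and HeadResponse paths in headers.go can pass nil. headersFromObject continues past the end of the hunk.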
@@ -1,8 +1,8 @@ package v2 import ( - "github.com/nspcc-dev/neofs-node/pkg/local_object_storage/engine" "github.com/nspcc-dev/neofs-api-go/v2/refs" + "github.com/nspcc-dev/neofs-node/pkg/local_object_storage/engine" ) func WithObjectStorage(v ObjectStorage) Option { @@ -27,11 +27,16 @@ func WithServiceRequest(v Request) Option { } } -func WithServiceResponse(v Response, addr *refs.Address) Option { +func WithServiceResponse(v Response) Option { return func(c *cfg) { c.msg = &responseXHeaderSource{ resp: v, - addr: addr, } } } + +func WithAddress(v *refs.Address) Option { + return func(c *cfg) { + c.addr = v + } +} diff --git a/pkg/services/object/acl/eacl/v2/xheader.go b/pkg/services/object/acl/eacl/v2/xheader.go index b01545dd6..642c94a76 100644 --- a/pkg/services/object/acl/eacl/v2/xheader.go +++ b/pkg/services/object/acl/eacl/v2/xheader.go @@ -1,7 +1,6 @@ package v2 import ( - "github.com/nspcc-dev/neofs-api-go/v2/refs" "github.com/nspcc-dev/neofs-api-go/v2/session" ) @@ -15,8 +14,6 @@ type requestXHeaderSource struct { type responseXHeaderSource struct { resp Response - - addr *refs.Address } func (s *requestXHeaderSource) GetXHeaders() []*session.XHeader {
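Review bot: `WithAddress` is exported but has no doc comment, and nothing states that the header source now depends on it: `cfg.addr` is read unguarded in headers.go, so a caller that omits the option reaches the lookups with a nil address. Suggest `// WithAddress sets the object address used to resolve object headers during eACL evaluation; callers are expected to supply it.` above the function, and a short note on `WithServiceResponse` that the address parameter it used to take is now provided through WithAddress.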