From 801999c577d052f0b09f3d1e8f3e8f6170595b7d Mon Sep 17 00:00:00 2001
From: Alex Vanin
Date: Fri, 2 Oct 2020 14:40:09 +0300
Subject: [PATCH] [#66] Impersonate object service verb from session token

Signed-off-by: Alex Vanin
---
 pkg/services/object/acl/basic.go | 42 +++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/pkg/services/object/acl/basic.go b/pkg/services/object/acl/basic.go
index 0ccfff7f01..4cebeaff19 100644
--- a/pkg/services/object/acl/basic.go
+++ b/pkg/services/object/acl/basic.go
@@ -324,9 +324,13 @@ func (b BasicChecker) findRequestInfo(
 		return info, ErrUnknownRole
 	}
 
+	// find verb from token if it is present
+	verb := sourceVerbOfRequest(req, op)
+	// todo: check verb sanity, if it was generated correctly. Do we need it ?
+
 	info.basicACL = cnr.GetBasicACL()
 	info.requestRole = role
-	info.operation = op
+	info.operation = verb
 	info.owner = owner.NewIDFromV2(cnr.GetOwnerID())
 
 	return info, nil
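Review bot: `info.operation = verb` lets the session token's verb replace the operation the request actually performs, so when the token names a different verb than `op` the basic ACL decision is presumably made against the token's verb rather than the request's, and the `// todo` line acknowledges that this check is missing. If the token is not trusted to agree with the request, the fail-closed option is to compare the two and reject a mismatch before assigning, e.g. `if verb != op { return info, ErrTokenVerbMismatch }` with a new sentinel error (name constructed here), which also covers the `acl.OperationUnknown` that `sourceVerbOfRequest` can produce for an unrecognised token verb. If the override is intentional for the session-token flow, the comment should state that instead of leaving the todo. findRequestInfo begins outside the hunk, so how info.operation is consumed downstream is not visible here.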
@@ -414,3 +418,39 @@ func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
 
 	return bytes.Equal(owner.ToV2().GetValue(), info.owner.ToV2().GetValue())
 }
+
+// sourceVerbOfRequest looks for verb in session token and if it is not found,
+// returns reqVerb.
+func sourceVerbOfRequest(req metaWithToken, reqVerb acl.Operation) acl.Operation {
+	if req.token != nil {
+		switch v := req.token.GetBody().GetContext().(type) {
+		case *session.ObjectSessionContext:
+			return tokenVerbToOperation(v.GetVerb())
+		default:
+			// do nothing, return request verb
+		}
+	}
+
+	return reqVerb
+}
+
+func tokenVerbToOperation(verb session.ObjectSessionVerb) acl.Operation {
+	switch verb {
+	case session.ObjectVerbGet:
+		return acl.OperationGet
+	case session.ObjectVerbPut:
+		return acl.OperationPut
+	case session.ObjectVerbHead:
+		return acl.OperationHead
+	case session.ObjectVerbSearch:
+		return acl.OperationSearch
+	case session.ObjectVerbDelete:
+		return acl.OperationDelete
+	case session.ObjectVerbRange:
+		return acl.OperationRange
+	case session.ObjectVerbRangeHash:
+		return acl.OperationRangeHash
+	default:
+		return acl.OperationUnknown
+	}
+}
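Review bot: The doc comment on `sourceVerbOfRequest` promises `reqVerb` whenever the token verb "is not found", but a token whose object context carries a verb that `tokenVerbToOperation` does not map returns `acl.OperationUnknown` instead, so the comment and the code disagree on that path. Since returning `acl.OperationUnknown` is the fail-closed choice, I would keep the code and fix the comment: `// sourceVerbOfRequest returns the operation named by the object session context of req's token; a token without such a context yields reqVerb, and an unrecognised token verb yields acl.OperationUnknown.` The `default:` branch holding only a comment in the type switch can be dropped, since a type switch with no matching case simply falls through to `return reqVerb`. Whether `req.token.GetBody()` and `GetContext()` tolerate a nil body is not visible in this hunk; if they are not nil-safe getters the chain needs a guard.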