diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 87d2f9c82b..351b4ad3bc 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -125,15 +125,17 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error { return nil } + bearerTok := reqInfo.Bearer() + impersonate := bearerTok != nil && bearerTok.Impersonate() + // if bearer token is not allowed, then ignore it - if !basicACL.AllowedBearerRules(reqInfo.Operation()) { + if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) { reqInfo.CleanBearer() } var table eaclSDK.Table cnr := reqInfo.ContainerID() - bearerTok := reqInfo.Bearer() if bearerTok == nil { eaclInfo, err := c.eaclSrc.GetEACL(cnr) if err != nil { diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go index 0cf734d7ab..6757689690 100644 --- a/pkg/services/object/acl/v2/request.go +++ b/pkg/services/object/acl/v2/request.go @@ -113,6 +113,10 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) { return nil, nil, errEmptyVerificationHeader } + if r.bearer != nil && r.bearer.Impersonate() { + return unmarshalPublicKeyWithOwner(r.bearer.SigningKeyBytes()) + } + // if session token is presented, use it as truth source if r.token != nil { // verify signature of session token @@ -125,9 +129,13 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) { return nil, nil, errEmptyBodySig } - key, err := unmarshalPublicKey(bodySignature.GetKey()) + return unmarshalPublicKeyWithOwner(bodySignature.GetKey()) +} + +func unmarshalPublicKeyWithOwner(rawKey []byte) (*user.ID, *keys.PublicKey, error) { + key, err := unmarshalPublicKey(rawKey) if err != nil { - return nil, nil, fmt.Errorf("invalid key in body signature: %w", err) + return nil, nil, fmt.Errorf("invalid signature key: %w", err) } var idSender user.ID