From d368afffe5f5aff6f44283cae4d73b89e8fc0e14 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Wed, 26 May 2021 19:49:42 +0300 Subject: [PATCH] [#561] acl: Fetch bearer token from original request meta header Request meta headers are organized in a layers, where upper layers re-sign down layers. Bearer token should be a part of original meta header and it can be omitted in upper layers. Therefore we need to traverse over linked list of meta header to the original meta header to get bearer token. Signed-off-by: Alex Vanin --- pkg/services/object/acl/acl.go | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index c1b78b9867..9f834206dc 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -149,7 +149,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea req := metaWithToken{ vheader: request.GetVerificationHeader(), token: sTok, - bearer: request.GetMetaHeader().GetBearerToken(), + bearer: originalBearerToken(request.GetMetaHeader()), src: request, } @@ -197,7 +197,7 @@ func (b Service) Head( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: sTok, - bearer: request.GetMetaHeader().GetBearerToken(), + bearer: originalBearerToken(request.GetMetaHeader()), src: request, } @@ -236,7 +236,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt req := metaWithToken{ vheader: request.GetVerificationHeader(), token: request.GetMetaHeader().GetSessionToken(), - bearer: request.GetMetaHeader().GetBearerToken(), + bearer: originalBearerToken(request.GetMetaHeader()), src: request, } @@ -273,7 +273,7 @@ func (b Service) Delete( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: sTok, - bearer: request.GetMetaHeader().GetBearerToken(), + bearer: originalBearerToken(request.GetMetaHeader()), src: request, } @@ -305,7 +305,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO req := metaWithToken{ vheader: request.GetVerificationHeader(), token: sTok, - bearer: request.GetMetaHeader().GetBearerToken(), + bearer: originalBearerToken(request.GetMetaHeader()), src: request, } @@ -343,7 +343,7 @@ func (b Service) GetRangeHash( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: sTok, - bearer: request.GetMetaHeader().GetBearerToken(), + bearer: originalBearerToken(request.GetMetaHeader()), src: request, } @@ -387,7 +387,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error { req := metaWithToken{ vheader: request.GetVerificationHeader(), token: sTok, - bearer: request.GetMetaHeader().GetBearerToken(), + bearer: originalBearerToken(request.GetMetaHeader()), src: request, } @@ -771,3 +771,13 @@ func isOwnerFromKey(id *owner.ID, key *ecdsa.PublicKey) bool { // binary comparison is better but MarshalBinary is more expensive return bytes.Equal(id.ToV2().GetValue(), wallet.Bytes()) } + +// originalBearerToken goes down to original request meta header and fetches +// bearer token from there. +func originalBearerToken(header *session.RequestMetaHeader) *bearer.BearerToken { + for header.GetOrigin() != nil { + header = header.GetOrigin() + } + + return header.GetBearerToken() +}