[#66] Impersonate object service verb from session token

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
2020-10-02 14:40:09 +03:00 · 2020-10-02 14:40:09 +03:00 · 801999c577
commit 801999c577
parent afeebd310c
1 changed files with 41 additions and 1 deletions
--- a/pkg/services/object/acl/basic.go
+++ b/pkg/services/object/acl/basic.go
@ -324,9 +324,13 @@ func (b BasicChecker) findRequestInfo(
 		return info, ErrUnknownRole
 	}

+	// find verb from token if it is present
+	verb := sourceVerbOfRequest(req, op)
+	// todo: check verb sanity, if it was generated correctly. Do we need it ?
+
 	info.basicACL = cnr.GetBasicACL()
 	info.requestRole = role
-	info.operation = op
+	info.operation = verb
 	info.owner = owner.NewIDFromV2(cnr.GetOwnerID())

 	return info, nil
@ -414,3 +418,39 @@ func stickyBitCheck(info requestInfo, owner *owner.ID) bool {

 	return bytes.Equal(owner.ToV2().GetValue(), info.owner.ToV2().GetValue())
 }
+
+// sourceVerbOfRequest looks for verb in session token and if it is not found,
+// returns reqVerb.
+func sourceVerbOfRequest(req metaWithToken, reqVerb acl.Operation) acl.Operation {
+	if req.token != nil {
+		switch v := req.token.GetBody().GetContext().(type) {
+		case *session.ObjectSessionContext:
+			return tokenVerbToOperation(v.GetVerb())
+		default:
+			// do nothing, return request verb
+		}
+	}
+
+	return reqVerb
+}
+
+func tokenVerbToOperation(verb session.ObjectSessionVerb) acl.Operation {
+	switch verb {
+	case session.ObjectVerbGet:
+		return acl.OperationGet
+	case session.ObjectVerbPut:
+		return acl.OperationPut
+	case session.ObjectVerbHead:
+		return acl.OperationHead
+	case session.ObjectVerbSearch:
+		return acl.OperationSearch
+	case session.ObjectVerbDelete:
+		return acl.OperationDelete
+	case session.ObjectVerbRange:
+		return acl.OperationRange
+	case session.ObjectVerbRangeHash:
+		return acl.OperationRangeHash
+	default:
+		return acl.OperationUnknown
+	}
+}