[] object/eacl: Use object ID from session token context

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Leonard Lyubich 2020-12-14 16:50:45 +03:00 committed by Leonard Lyubich
parent 168dcbdccd
commit 8654458b19
2 changed files with 65 additions and 21 deletions
pkg/services/object/acl


@ -143,9 +143,11 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
return err
}
sTok := request.GetMetaHeader().GetSessionToken()
req := metaWithToken{
vheader: request.GetVerificationHeader(),
token: request.GetMetaHeader().GetSessionToken(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
}
@ -155,6 +157,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
}
reqInfo.oid = getObjectIDFromRequestBody(request.GetBody())
useObjectIDFromSession(&reqInfo, sTok)
if !basicACLCheck(reqInfo) {
return basicACLErr(reqInfo)
@ -188,9 +191,11 @@ func (b Service) Head(
return nil, err
}
sTok := request.GetMetaHeader().GetSessionToken()
req := metaWithToken{
vheader: request.GetVerificationHeader(),
token: request.GetMetaHeader().GetSessionToken(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
}
@ -200,6 +205,7 @@ func (b Service) Head(
}
reqInfo.oid = getObjectIDFromRequestBody(request.GetBody())
useObjectIDFromSession(&reqInfo, sTok)
if !basicACLCheck(reqInfo) {
return nil, basicACLErr(reqInfo)
@ -260,9 +266,11 @@ func (b Service) Delete(
return nil, err
}
sTok := request.GetMetaHeader().GetSessionToken()
req := metaWithToken{
vheader: request.GetVerificationHeader(),
token: request.GetMetaHeader().GetSessionToken(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
}
@ -272,6 +280,7 @@ func (b Service) Delete(
}
reqInfo.oid = getObjectIDFromRequestBody(request.GetBody())
useObjectIDFromSession(&reqInfo, sTok)
if !basicACLCheck(reqInfo) {
return nil, basicACLErr(reqInfo)
@ -288,9 +297,11 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
return err
}
sTok := request.GetMetaHeader().GetSessionToken()
req := metaWithToken{
vheader: request.GetVerificationHeader(),
token: request.GetMetaHeader().GetSessionToken(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
}
@ -300,6 +311,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
}
reqInfo.oid = getObjectIDFromRequestBody(request.GetBody())
useObjectIDFromSession(&reqInfo, sTok)
if !basicACLCheck(reqInfo) {
return basicACLErr(reqInfo)
@ -323,9 +335,11 @@ func (b Service) GetRangeHash(
return nil, err
}
sTok := request.GetMetaHeader().GetSessionToken()
req := metaWithToken{
vheader: request.GetVerificationHeader(),
token: request.GetMetaHeader().GetSessionToken(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
}
@ -335,6 +349,7 @@ func (b Service) GetRangeHash(
}
reqInfo.oid = getObjectIDFromRequestBody(request.GetBody())
useObjectIDFromSession(&reqInfo, sTok)
if !basicACLCheck(reqInfo) {
return nil, basicACLErr(reqInfo)
@ -363,9 +378,11 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
return err
}
sTok := part.GetHeader().GetSessionToken()
req := metaWithToken{
vheader: request.GetVerificationHeader(),
token: part.GetHeader().GetSessionToken(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
}
@ -375,6 +392,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
}
reqInfo.oid = getObjectIDFromRequestBody(part)
useObjectIDFromSession(&reqInfo, sTok)
if !basicACLCheck(reqInfo) || !stickyBitCheck(reqInfo, ownerID) {
return basicACLErr(reqInfo)
@ -484,6 +502,21 @@ func getContainerIDFromRequest(req interface{}) (id *container.ID, err error) {
}
}
func useObjectIDFromSession(req *requestInfo, token *session.SessionToken) {
if token == nil {
return
}
objCtx, ok := token.GetBody().GetContext().(*session.ObjectSessionContext)
if !ok {
return
}
req.oid = objectSDK.NewIDFromV2(
objCtx.GetAddress().GetObjectID(),
)
}
func getObjectIDFromRequestBody(body interface{}) *objectSDK.ID {
switch v := body.(type) {
default:
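Review bot: `useObjectIDFromSession` overwrites `reqInfo.oid` with the ID from the session token's object context without comparing it to the ID already taken from the request body, so in all six handlers the ACL decision can be made for a different object than the one the request addresses. Nothing visible in these hunks shows that a later stage rejects such a mismatch, or that the token has been verified before this point, so both should be confirmed. The address inside the context is also not checked for being unset; consider guarding the assignment, `if id := objCtx.GetAddress().GetObjectID(); id != nil { req.oid = objectSDK.NewIDFromV2(id) }`, and returning an error from the handler when both IDs are present and differ. The helper also deserves a doc comment stating which ID takes precedence, for example `// useObjectIDFromSession replaces req.oid with the object ID bound to the session token, if the token carries an object context.`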


@ -64,7 +64,7 @@ func (h *headerSource) HeadersOfType(typ eaclSDK.FilterHeaderType) ([]eacl.Heade
case eaclSDK.HeaderFromRequest:
return requestHeaders(h.msg), true
case eaclSDK.HeaderFromObject:
return h.objectHeaders(), true
return h.objectHeaders()
}
}
@ -80,7 +80,7 @@ func requestHeaders(msg xHeaderSource) []eacl.Header {
return res
}
func (h *headerSource) objectHeaders() []eacl.Header {
func (h *headerSource) objectHeaders() ([]eacl.Header, bool) {
switch m := h.msg.(type) {
default:
panic(fmt.Sprintf("unexpected message type %T", h.msg))
@ -89,39 +89,50 @@ func (h *headerSource) objectHeaders() []eacl.Header {
case *objectV2.GetRequest:
return h.localObjectHeaders(req.GetBody().GetAddress())
case *objectV2.DeleteRequest:
return h.localObjectHeaders(req.GetBody().GetAddress())
hs, _ := h.localObjectHeaders(req.GetBody().GetAddress())
return hs, true
case *objectV2.HeadRequest:
return h.localObjectHeaders(req.GetBody().GetAddress())
case *objectV2.GetRangeRequest:
return h.localObjectHeaders(req.GetBody().GetAddress())
hs, _ := h.localObjectHeaders(req.GetBody().GetAddress())
return hs, true
case *objectV2.GetRangeHashRequest:
return h.localObjectHeaders(req.GetBody().GetAddress())
hs, _ := h.localObjectHeaders(req.GetBody().GetAddress())
return hs, true
case *objectV2.PutRequest:
if v, ok := req.GetBody().GetObjectPart().(*objectV2.PutObjectPartInit); ok {
oV2 := new(objectV2.Object)
oV2.SetObjectID(v.GetObjectID())
oV2.SetHeader(v.GetHeader())
return headersFromObject(object.NewFromV2(oV2))
hs := headersFromObject(object.NewFromV2(oV2))
if tok := oV2.GetHeader().GetSessionToken(); tok != nil {
objCtx, ok := tok.GetBody().GetContext().(*session.ObjectSessionContext)
if ok {
hs = append(hs, addressHeaders(objectSDK.NewAddressFromV2(objCtx.GetAddress()))...)
}
}
return hs, true
}
case *objectV2.SearchRequest:
return []eacl.Header{cidHeader(
container.NewIDFromV2(
req.GetBody().GetContainerID()),
),
}
)}, true
}
case *responseXHeaderSource:
switch resp := m.resp.(type) {
default:
return h.localObjectHeaders(m.addr)
hs, _ := h.localObjectHeaders(m.addr)
return hs, true
case *objectV2.GetResponse:
if v, ok := resp.GetBody().GetObjectPart().(*objectV2.GetObjectPartInit); ok {
oV2 := new(objectV2.Object)
oV2.SetObjectID(v.GetObjectID())
oV2.SetHeader(v.GetHeader())
return headersFromObject(object.NewFromV2(oV2))
return headersFromObject(object.NewFromV2(oV2)), true
}
case *objectV2.HeadResponse:
oV2 := new(objectV2.Object)
@ -147,22 +158,22 @@ func (h *headerSource) objectHeaders() []eacl.Header {
return append(
headersFromObject(object.NewFromV2(oV2)),
oidHeader(objectSDK.NewIDFromV2(m.addr.GetObjectID())),
)
), true
}
}
return nil
return nil, true
}
func (h *headerSource) localObjectHeaders(addrV2 *refs.Address) []eacl.Header {
func (h *headerSource) localObjectHeaders(addrV2 *refs.Address) ([]eacl.Header, bool) {
addr := objectSDK.NewAddressFromV2(addrV2)
obj, err := h.storage.Head(addr)
if err == nil {
return headersFromObject(obj)
return append(headersFromObject(obj), addressHeaders(addr)...), true
}
return addressHeaders(addr)
return addressHeaders(addr), false
}
func cidHeader(cid *container.ID) eacl.Header {
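Review bot: The Delete, GetRange, GetRangeHash and default response branches of `objectHeaders` discard the boolean returned by `localObjectHeaders` (`hs, _ := ...` followed by `return hs, true`), while the Get and Head branches pass it through. When `h.storage.Head` fails, those branches hand the eACL validator only the address headers and still report `true`; if `false` is meant to signal that object headers could not be obtained (its meaning is not visible on this page), rules that filter on object attributes would be evaluated against an incomplete set without the caller knowing. If this is deliberate, say so in a comment on each branch, e.g. `// no response carries the header for this verb, so validate with the address headers only`; otherwise propagate the flag with `return h.localObjectHeaders(req.GetBody().GetAddress())`. The inner `objCtx, ok :=` in the Put branch also shadows the outer `ok` and could be renamed for readability.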