forked from TrueCloudLab/frostfs-s3-gw
[#487] Remove attach of bearer token
When bucket owner is not an issuer of the bearer token Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
parent
4f43aad495
commit
4767eeed8c
7 changed files with 59 additions and 65 deletions
|
@ -164,7 +164,6 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|||
ObjectInfo: info,
|
||||
Writer: w,
|
||||
Range: params,
|
||||
VersionID: p.VersionID,
|
||||
}
|
||||
if err = h.obj.GetObject(r.Context(), getParams); err != nil {
|
||||
h.logAndSendError(w, "could not get object", reqInfo, err)
|
||||
|
|
|
@ -74,7 +74,6 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|||
ObjectInfo: info,
|
||||
Writer: buffer,
|
||||
Range: getRangeToDetectContentType(info.Size),
|
||||
VersionID: reqInfo.URL.Query().Get(api.QueryVersionID),
|
||||
}
|
||||
if err = h.obj.GetObject(r.Context(), getParams); err != nil {
|
||||
h.logAndSendError(w, "could not get object", reqInfo, err, zap.Stringer("oid", info.ID))
|
||||
|
|
|
@ -79,7 +79,6 @@ type (
|
|||
Range *RangeParams
|
||||
ObjectInfo *data.ObjectInfo
|
||||
Writer io.Writer
|
||||
VersionID string
|
||||
}
|
||||
|
||||
// HeadObjectParams stores object head request parameters.
|
||||
|
@ -323,11 +322,13 @@ func (n *layer) Owner(ctx context.Context) user.ID {
|
|||
return ownerID
|
||||
}
|
||||
|
||||
func (n *layer) prepareAuthParameters(ctx context.Context, prm *neofs.PrmAuth) {
|
||||
func (n *layer) prepareAuthParameters(ctx context.Context, prm *neofs.PrmAuth, bktOwner user.ID) {
|
||||
if bd, ok := ctx.Value(api.BoxData).(*accessbox.Box); ok && bd != nil && bd.Gate != nil {
|
||||
if issuer, ok := bd.Gate.BearerToken.Issuer(); ok && bktOwner.Equals(issuer) {
|
||||
prm.BearerToken = bd.Gate.BearerToken
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
prm.PrivateKey = &n.anonKey.Key.PrivateKey
|
||||
}
|
||||
|
@ -380,8 +381,7 @@ func (n *layer) ListBuckets(ctx context.Context) ([]*data.BucketInfo, error) {
|
|||
func (n *layer) GetObject(ctx context.Context, p *GetObjectParams) error {
|
||||
var params getParams
|
||||
|
||||
params.oid = p.ObjectInfo.ID
|
||||
params.cid = p.ObjectInfo.CID
|
||||
params.objInfo = p.ObjectInfo
|
||||
|
||||
if p.Range != nil {
|
||||
if p.Range.Start > p.Range.End {
|
||||
|
@ -584,7 +584,7 @@ func (n *layer) deleteObject(ctx context.Context, bkt *data.BucketInfo, settings
|
|||
}
|
||||
|
||||
for _, id := range ids {
|
||||
if err = n.objectDelete(ctx, bkt.CID, id); err != nil {
|
||||
if err = n.objectDelete(ctx, bkt, id); err != nil {
|
||||
obj.Error = err
|
||||
return obj
|
||||
}
|
||||
|
|
|
@ -209,7 +209,7 @@ func (x *multiObjectReader) Read(p []byte) (n int, err error) {
|
|||
return n, io.EOF
|
||||
}
|
||||
|
||||
x.prm.oid = x.parts[0].ID
|
||||
x.prm.objInfo = x.parts[0]
|
||||
|
||||
x.curReader, err = x.layer.initObjectPayloadReader(x.ctx, x.prm)
|
||||
if err != nil {
|
||||
|
@ -307,8 +307,6 @@ func (n *layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipar
|
|||
parts: parts,
|
||||
}
|
||||
|
||||
r.prm.cid = p.Info.Bkt.CID
|
||||
|
||||
obj, err = n.PutObject(ctx, &PutObjectParams{
|
||||
BktInfo: p.Info.Bkt,
|
||||
Object: p.Info.Key,
|
||||
|
@ -328,7 +326,7 @@ func (n *layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipar
|
|||
if partNum == 0 {
|
||||
continue
|
||||
}
|
||||
if err = n.objectDelete(ctx, p.Info.Bkt.CID, objInfo.ID); err != nil {
|
||||
if err = n.objectDelete(ctx, p.Info.Bkt, objInfo.ID); err != nil {
|
||||
n.log.Warn("could not delete upload part",
|
||||
zap.Stringer("object id", objInfo.ID),
|
||||
zap.Stringer("bucket id", p.Info.Bkt.CID),
|
||||
|
@ -348,7 +346,7 @@ func (n *layer) ListMultipartUploads(ctx context.Context, p *ListMultipartUpload
|
|||
|
||||
f := &findParams{
|
||||
attr: [2]string{UploadPartNumberAttributeName, "0"},
|
||||
cid: p.Bkt.CID,
|
||||
bkt: p.Bkt,
|
||||
}
|
||||
|
||||
ids, err := n.objectSearch(ctx, f)
|
||||
|
@ -360,7 +358,7 @@ func (n *layer) ListMultipartUploads(ctx context.Context, p *ListMultipartUpload
|
|||
uniqDirs := make(map[string]struct{})
|
||||
|
||||
for i := range ids {
|
||||
meta, err := n.objectHead(ctx, p.Bkt.CID, ids[i])
|
||||
meta, err := n.objectHead(ctx, p.Bkt, ids[i])
|
||||
if err != nil {
|
||||
n.log.Warn("couldn't head object",
|
||||
zap.Stringer("object id", &ids[i]),
|
||||
|
@ -420,7 +418,7 @@ func (n *layer) AbortMultipartUpload(ctx context.Context, p *UploadInfoParams) e
|
|||
}
|
||||
|
||||
for _, info := range objects {
|
||||
err := n.objectDelete(ctx, info.CID, info.ID)
|
||||
err := n.objectDelete(ctx, p.Bkt, info.ID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -493,7 +491,7 @@ func (n *layer) getUploadParts(ctx context.Context, p *UploadInfoParams) (map[in
|
|||
// and search in attributes by prefix is not supported
|
||||
f := &findParams{
|
||||
attr: [2]string{UploadIDAttributeName, p.UploadID},
|
||||
cid: p.Bkt.CID,
|
||||
bkt: p.Bkt,
|
||||
}
|
||||
|
||||
ids, err := n.objectSearch(ctx, f)
|
||||
|
@ -504,7 +502,7 @@ func (n *layer) getUploadParts(ctx context.Context, p *UploadInfoParams) (map[in
|
|||
res := make(map[int]*data.ObjectInfo)
|
||||
|
||||
for i := range ids {
|
||||
meta, err := n.objectHead(ctx, p.Bkt.CID, ids[i])
|
||||
meta, err := n.objectHead(ctx, p.Bkt, ids[i])
|
||||
if err != nil {
|
||||
n.log.Warn("couldn't head a part of upload",
|
||||
zap.Stringer("object id", &ids[i]),
|
||||
|
|
|
@ -27,7 +27,7 @@ import (
|
|||
type (
|
||||
findParams struct {
|
||||
attr [2]string
|
||||
cid cid.ID
|
||||
bkt *data.BucketInfo
|
||||
prefix string
|
||||
}
|
||||
|
||||
|
@ -35,8 +35,7 @@ type (
|
|||
// payload range
|
||||
off, ln uint64
|
||||
|
||||
cid cid.ID
|
||||
oid oid.ID
|
||||
objInfo *data.ObjectInfo
|
||||
}
|
||||
|
||||
// ListObjectsParamsCommon contains common parameters for ListObjectsV1 and ListObjectsV2.
|
||||
|
@ -69,10 +68,10 @@ type (
|
|||
}
|
||||
)
|
||||
|
||||
func (n *layer) objectSearchByName(ctx context.Context, cnr cid.ID, filename string) ([]oid.ID, error) {
|
||||
func (n *layer) objectSearchByName(ctx context.Context, bktInfo *data.BucketInfo, filename string) ([]oid.ID, error) {
|
||||
f := &findParams{
|
||||
attr: [2]string{object.AttributeFileName, filename},
|
||||
cid: cnr,
|
||||
bkt: bktInfo,
|
||||
}
|
||||
return n.objectSearch(ctx, f)
|
||||
}
|
||||
|
@ -80,12 +79,12 @@ func (n *layer) objectSearchByName(ctx context.Context, cnr cid.ID, filename str
|
|||
// objectSearch returns all available objects by search params.
|
||||
func (n *layer) objectSearch(ctx context.Context, p *findParams) ([]oid.ID, error) {
|
||||
prm := neofs.PrmObjectSelect{
|
||||
Container: p.cid,
|
||||
Container: p.bkt.CID,
|
||||
ExactAttribute: p.attr,
|
||||
FilePrefix: p.prefix,
|
||||
}
|
||||
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth)
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth, p.bkt.Owner)
|
||||
|
||||
res, err := n.neoFS.SelectObjects(ctx, prm)
|
||||
|
||||
|
@ -100,14 +99,14 @@ func newAddress(cnr cid.ID, obj oid.ID) oid.Address {
|
|||
}
|
||||
|
||||
// objectHead returns all object's headers.
|
||||
func (n *layer) objectHead(ctx context.Context, idCnr cid.ID, idObj oid.ID) (*object.Object, error) {
|
||||
func (n *layer) objectHead(ctx context.Context, bktInfo *data.BucketInfo, idObj oid.ID) (*object.Object, error) {
|
||||
prm := neofs.PrmObjectRead{
|
||||
Container: idCnr,
|
||||
Container: bktInfo.CID,
|
||||
Object: idObj,
|
||||
WithHeader: true,
|
||||
}
|
||||
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth)
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
|
||||
|
||||
res, err := n.neoFS.ReadObject(ctx, prm)
|
||||
if err != nil {
|
||||
|
@ -121,13 +120,19 @@ func (n *layer) objectHead(ctx context.Context, idCnr cid.ID, idObj oid.ID) (*ob
|
|||
// Zero range corresponds to full payload (panics if only offset is set).
|
||||
func (n *layer) initObjectPayloadReader(ctx context.Context, p getParams) (io.Reader, error) {
|
||||
prm := neofs.PrmObjectRead{
|
||||
Container: p.cid,
|
||||
Object: p.oid,
|
||||
Container: p.objInfo.CID,
|
||||
Object: p.objInfo.ID,
|
||||
WithPayload: true,
|
||||
PayloadRange: [2]uint64{p.off, p.ln},
|
||||
}
|
||||
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth)
|
||||
// should be taken from cache
|
||||
bktInfo, err := n.GetBucketInfo(ctx, p.objInfo.Bucket)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
|
||||
|
||||
res, err := n.neoFS.ReadObject(ctx, prm)
|
||||
if err != nil {
|
||||
|
@ -138,15 +143,15 @@ func (n *layer) initObjectPayloadReader(ctx context.Context, p getParams) (io.Re
|
|||
}
|
||||
|
||||
// objectGet returns an object with payload in the object.
|
||||
func (n *layer) objectGet(ctx context.Context, addr oid.Address) (*object.Object, error) {
|
||||
func (n *layer) objectGet(ctx context.Context, bktInfo *data.BucketInfo, objID oid.ID) (*object.Object, error) {
|
||||
prm := neofs.PrmObjectRead{
|
||||
Container: addr.Container(),
|
||||
Object: addr.Object(),
|
||||
Container: bktInfo.CID,
|
||||
Object: objID,
|
||||
WithHeader: true,
|
||||
WithPayload: true,
|
||||
}
|
||||
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth)
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
|
||||
|
||||
res, err := n.neoFS.ReadObject(ctx, prm)
|
||||
if err != nil {
|
||||
|
@ -198,7 +203,7 @@ func (n *layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Object
|
|||
}
|
||||
}
|
||||
|
||||
id, hash, err := n.objectPutAndHash(ctx, prm)
|
||||
id, hash, err := n.objectPutAndHash(ctx, prm, p.BktInfo)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -229,7 +234,7 @@ func (n *layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Object
|
|||
n.listsCache.CleanCacheEntriesContainingObject(p.Object, p.BktInfo.CID)
|
||||
|
||||
for _, id := range idsToDeleteArr {
|
||||
if err = n.objectDelete(ctx, p.BktInfo.CID, id); err != nil {
|
||||
if err = n.objectDelete(ctx, p.BktInfo, id); err != nil {
|
||||
n.log.Warn("couldn't delete object",
|
||||
zap.Stringer("version id", id),
|
||||
zap.Error(err))
|
||||
|
@ -356,7 +361,7 @@ func (n *layer) headLastVersionIfNotDeleted(ctx context.Context, bkt *data.Bucke
|
|||
}
|
||||
|
||||
func (n *layer) headVersions(ctx context.Context, bkt *data.BucketInfo, objectName string) (*objectVersions, error) {
|
||||
ids, err := n.objectSearchByName(ctx, bkt.CID, objectName)
|
||||
ids, err := n.objectSearchByName(ctx, bkt, objectName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -367,7 +372,7 @@ func (n *layer) headVersions(ctx context.Context, bkt *data.BucketInfo, objectNa
|
|||
}
|
||||
|
||||
for i := range ids {
|
||||
meta, err := n.objectHead(ctx, bkt.CID, ids[i])
|
||||
meta, err := n.objectHead(ctx, bkt, ids[i])
|
||||
if err != nil {
|
||||
n.log.Warn("couldn't head object",
|
||||
zap.Stringer("object id", &ids[i]),
|
||||
|
@ -416,7 +421,7 @@ func (n *layer) headVersion(ctx context.Context, bkt *data.BucketInfo, p *HeadOb
|
|||
return objInfoFromMeta(bkt, headInfo), nil
|
||||
}
|
||||
|
||||
meta, err := n.objectHead(ctx, bkt.CID, id)
|
||||
meta, err := n.objectHead(ctx, bkt, id)
|
||||
if err != nil {
|
||||
if client.IsErrObjectNotFound(err) {
|
||||
return nil, apiErrors.GetAPIError(apiErrors.ErrNoSuchVersion)
|
||||
|
@ -438,23 +443,23 @@ func (n *layer) headVersion(ctx context.Context, bkt *data.BucketInfo, p *HeadOb
|
|||
}
|
||||
|
||||
// objectDelete puts tombstone object into neofs.
|
||||
func (n *layer) objectDelete(ctx context.Context, idCnr cid.ID, idObj oid.ID) error {
|
||||
func (n *layer) objectDelete(ctx context.Context, bktInfo *data.BucketInfo, idObj oid.ID) error {
|
||||
prm := neofs.PrmObjectDelete{
|
||||
Container: idCnr,
|
||||
Container: bktInfo.CID,
|
||||
Object: idObj,
|
||||
}
|
||||
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth)
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
|
||||
|
||||
n.objCache.Delete(newAddress(idCnr, idObj))
|
||||
n.objCache.Delete(newAddress(bktInfo.CID, idObj))
|
||||
|
||||
return n.transformNeofsError(ctx, n.neoFS.DeleteObject(ctx, prm))
|
||||
}
|
||||
|
||||
// objectPutAndHash prepare auth parameters and invoke neofs.CreateObject.
|
||||
// Returns object ID and payload sha256 hash.
|
||||
func (n *layer) objectPutAndHash(ctx context.Context, prm neofs.PrmObjectCreate) (*oid.ID, []byte, error) {
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth)
|
||||
func (n *layer) objectPutAndHash(ctx context.Context, prm neofs.PrmObjectCreate, bktInfo *data.BucketInfo) (*oid.ID, []byte, error) {
|
||||
n.prepareAuthParameters(ctx, &prm.PrmAuth, bktInfo.Owner)
|
||||
hash := sha256.New()
|
||||
prm.Payload = wrapReader(prm.Payload, 64*1024, func(buf []byte) {
|
||||
hash.Write(buf)
|
||||
|
@ -565,7 +570,7 @@ func (n *layer) getAllObjectsVersions(ctx context.Context, bkt *data.BucketInfo,
|
|||
ids := n.listsCache.Get(cacheKey)
|
||||
|
||||
if ids == nil {
|
||||
ids, err = n.objectSearch(ctx, &findParams{cid: bkt.CID, prefix: prefix})
|
||||
ids, err = n.objectSearch(ctx, &findParams{bkt: bkt, prefix: prefix})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -577,7 +582,7 @@ func (n *layer) getAllObjectsVersions(ctx context.Context, bkt *data.BucketInfo,
|
|||
versions := make(map[string]*objectVersions, len(ids)/2)
|
||||
|
||||
for i := 0; i < len(ids); i++ {
|
||||
obj := n.objectFromObjectsCacheOrNeoFS(ctx, bkt.CID, ids[i])
|
||||
obj := n.objectFromObjectsCacheOrNeoFS(ctx, bkt, ids[i])
|
||||
if obj == nil {
|
||||
continue
|
||||
}
|
||||
|
@ -681,13 +686,13 @@ func (n *layer) isVersioningEnabled(ctx context.Context, bktInfo *data.BucketInf
|
|||
return settings.VersioningEnabled
|
||||
}
|
||||
|
||||
func (n *layer) objectFromObjectsCacheOrNeoFS(ctx context.Context, cnr cid.ID, obj oid.ID) *object.Object {
|
||||
func (n *layer) objectFromObjectsCacheOrNeoFS(ctx context.Context, bktInfo *data.BucketInfo, obj oid.ID) *object.Object {
|
||||
var (
|
||||
err error
|
||||
meta = n.objCache.Get(newAddress(cnr, obj))
|
||||
meta = n.objCache.Get(newAddress(bktInfo.CID, obj))
|
||||
)
|
||||
if meta == nil {
|
||||
meta, err = n.objectHead(ctx, cnr, obj)
|
||||
meta, err = n.objectHead(ctx, bktInfo, obj)
|
||||
if err != nil {
|
||||
n.log.Warn("could not fetch object meta", zap.Error(err))
|
||||
return nil
|
||||
|
|
|
@ -15,7 +15,6 @@ import (
|
|||
"github.com/nspcc-dev/neofs-s3-gw/api/layer/neofs"
|
||||
"github.com/nspcc-dev/neofs-s3-gw/internal/misc"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/object"
|
||||
oid "github.com/nspcc-dev/neofs-sdk-go/object/id"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
|
@ -60,7 +59,7 @@ func (n *layer) HeadSystemObject(ctx context.Context, bkt *data.BucketInfo, objN
|
|||
func (n *layer) DeleteSystemObject(ctx context.Context, bktInfo *data.BucketInfo, name string) error {
|
||||
f := &findParams{
|
||||
attr: [2]string{objectSystemAttributeName, name},
|
||||
cid: bktInfo.CID,
|
||||
bkt: bktInfo,
|
||||
}
|
||||
ids, err := n.objectSearch(ctx, f)
|
||||
if err != nil {
|
||||
|
@ -69,7 +68,7 @@ func (n *layer) DeleteSystemObject(ctx context.Context, bktInfo *data.BucketInfo
|
|||
|
||||
n.systemCache.Delete(systemObjectKey(bktInfo, name))
|
||||
for i := range ids {
|
||||
if err = n.objectDelete(ctx, bktInfo.CID, ids[i]); err != nil {
|
||||
if err = n.objectDelete(ctx, bktInfo, ids[i]); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
@ -119,7 +118,7 @@ func (n *layer) putSystemObjectIntoNeoFS(ctx context.Context, p *PutSystemObject
|
|||
prm.Attributes = append(prm.Attributes, [2]string{k, v})
|
||||
}
|
||||
|
||||
id, hash, err := n.objectPutAndHash(ctx, prm)
|
||||
id, hash, err := n.objectPutAndHash(ctx, prm, p.BktInfo)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -133,7 +132,7 @@ func (n *layer) putSystemObjectIntoNeoFS(ctx context.Context, p *PutSystemObject
|
|||
}
|
||||
|
||||
for _, id := range idsToDeleteArr {
|
||||
if err = n.objectDelete(ctx, p.BktInfo.CID, id); err != nil {
|
||||
if err = n.objectDelete(ctx, p.BktInfo, id); err != nil {
|
||||
n.log.Warn("couldn't delete system object",
|
||||
zap.Stringer("version id", id),
|
||||
zap.String("name", misc.SanitizeString(p.ObjName)),
|
||||
|
@ -169,12 +168,7 @@ func (n *layer) getSystemObjectFromNeoFS(ctx context.Context, bkt *data.BucketIn
|
|||
|
||||
objInfo := versions.getLast()
|
||||
|
||||
var addr oid.Address
|
||||
|
||||
addr.SetContainer(bkt.CID)
|
||||
addr.SetObject(objInfo.ID)
|
||||
|
||||
obj, err := n.objectGet(ctx, addr)
|
||||
obj, err := n.objectGet(ctx, bkt, objInfo.ID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -215,7 +209,7 @@ func (n *layer) getCORS(ctx context.Context, bkt *data.BucketInfo, sysName strin
|
|||
func (n *layer) headSystemVersions(ctx context.Context, bkt *data.BucketInfo, sysName string) (*objectVersions, error) {
|
||||
f := &findParams{
|
||||
attr: [2]string{objectSystemAttributeName, sysName},
|
||||
cid: bkt.CID,
|
||||
bkt: bkt,
|
||||
}
|
||||
ids, err := n.objectSearch(ctx, f)
|
||||
if err != nil {
|
||||
|
@ -224,7 +218,7 @@ func (n *layer) headSystemVersions(ctx context.Context, bkt *data.BucketInfo, sy
|
|||
|
||||
versions := newObjectVersions(sysName)
|
||||
for i := range ids {
|
||||
meta, err := n.objectHead(ctx, bkt.CID, ids[i])
|
||||
meta, err := n.objectHead(ctx, bkt, ids[i])
|
||||
if err != nil {
|
||||
n.log.Warn("couldn't head object",
|
||||
zap.Stringer("object id", &ids[i]),
|
||||
|
|
|
@ -50,7 +50,6 @@ func (tc *testContext) getObject(objectName, versionID string, needError bool) (
|
|||
err = tc.layer.GetObject(tc.ctx, &GetObjectParams{
|
||||
ObjectInfo: objInfo,
|
||||
Writer: content,
|
||||
VersionID: versionID,
|
||||
})
|
||||
require.NoError(tc.t, err)
|
||||
|
||||
|
|
Loading…
Reference in a new issue