[#285] object/eacl: Validate X-headers from the requests, not the responses

In the previous implementation of eACL service v2, the response X-headers were
validated at the stage of re-checking eACL. This caused a mismatch between
records in the eACL table and requests. Fix this behavior by checking the
headers from the request, not the response.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Leonard Lyubich 2020-12-28 18:59:42 +03:00 committed by Alex Vanin
parent c69f867af1
commit 2897e83fb2
4 changed files with 24 additions and 4 deletions


@ -77,6 +77,8 @@ type (
senderKey []byte
bearer *bearer.BearerToken // bearer token of request
srcRequest interface{}
}
)
@ -149,6 +151,7 @@ func (b Service) Get(request *object.GetRequest, stream objectSvc.GetObjectStrea
vheader: request.GetVerificationHeader(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
}
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet)
@ -197,6 +200,7 @@ func (b Service) Head(
vheader: request.GetVerificationHeader(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
}
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead)
@ -235,6 +239,7 @@ func (b Service) Search(request *object.SearchRequest, stream objectSvc.SearchSt
vheader: request.GetVerificationHeader(),
token: request.GetMetaHeader().GetSessionToken(),
bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
}
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch)
@ -272,6 +277,7 @@ func (b Service) Delete(
vheader: request.GetVerificationHeader(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
}
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete)
@ -303,6 +309,7 @@ func (b Service) GetRange(request *object.GetRangeRequest, stream objectSvc.GetO
vheader: request.GetVerificationHeader(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
}
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange)
@ -341,6 +348,7 @@ func (b Service) GetRangeHash(
vheader: request.GetVerificationHeader(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
}
reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash)
@ -384,6 +392,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
vheader: request.GetVerificationHeader(),
token: sTok,
bearer: request.GetMetaHeader().GetBearerToken(),
src: request,
}
reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut)
@ -473,6 +482,8 @@ func (b Service) findRequestInfo(
// add bearer token if it is present in request
info.bearer = req.bearer
info.srcRequest = req.src
return info, nil
}
@ -620,7 +631,12 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
if req, ok := msg.(eaclV2.Request); ok {
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceRequest(req))
} else {
hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithServiceResponse(msg.(eaclV2.Response)))
hdrSrcOpts = append(hdrSrcOpts,
eaclV2.WithServiceResponse(
msg.(eaclV2.Response),
reqInfo.srcRequest.(eaclV2.Request),
),
)
}
action := cfg.eACL.CalculateAction(new(eacl.ValidationUnit).
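Review bot: The new `reqInfo.srcRequest.(eaclV2.Request)` assertion in the response branch of eACLCheck is unchecked, and `srcRequest` is declared as `interface{}`, so a requestInfo built without `src` (nil) or with a value that does not implement eaclV2.Request would panic inside the access-control path instead of producing a decision. All seven call sites shown here do set `src: request`, but nothing in the type enforces that for future callers. An authorization check should fail closed rather than crash: use the comma-ok form, `srcReq, ok := reqInfo.srcRequest.(eaclV2.Request)`, followed by `if !ok { return false }` (assuming false means deny, which the bool return suggests but the hunk does not show), and pass `srcReq` to `WithServiceResponse`. Declaring the field as `eaclV2.Request` instead of `interface{}` would move the check to compile time, if the request types satisfy that interface. The body of eACLCheck continues outside the hunk.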