[#175] Use gate owner as object owner

This is required because node check session token owner TrueCloudLab/frostfs-node#528 For client cut TrueCloudLab/frostfs-sdk-go#114 such owner will be gate owner Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2023-08-03 15:08:22 +03:00 · 2023-08-03 15:08:22 +03:00 · 18878b66d3
commit 18878b66d3
parent 46eae4a356
22 changed files with 122 additions and 84 deletions
--- a/api/layer/frostfs_mock.go
+++ b/api/layer/frostfs_mock.go
@ -23,6 +23,7 @@ import (
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )

 type TestFrostFS struct {
@ -34,15 +35,17 @@ type TestFrostFS struct {
 	containers      map[string]*container.Container
 	eaclTables      map[string]*eacl.Table
 	currentEpoch    uint64
+	key             *keys.PrivateKey
 }

-func NewTestFrostFS() *TestFrostFS {
+func NewTestFrostFS(key *keys.PrivateKey) *TestFrostFS {
 	return &TestFrostFS{
 		objects:         make(map[string]*object.Object),
 		objectErrors:    make(map[string]error),
 		objectPutErrors: make(map[string]error),
 		containers:      make(map[string]*container.Container),
 		eaclTables:      make(map[string]*eacl.Table),
+		key:             key,
 	}
 }

@ -178,8 +181,8 @@ func (t *TestFrostFS) ReadObject(ctx context.Context, prm PrmObjectRead) (*Objec
 	}

 	if obj, ok := t.objects[sAddr]; ok {
-		owner := getOwner(ctx)
-		if !obj.OwnerID().Equals(owner) && !t.isPublicRead(prm.Container) {
+		owner := getBearerOwner(ctx)
+		if !t.checkAccess(prm.Container, owner, eacl.OperationGet) {
 			return nil, ErrAccessDenied
 		}

@ -227,13 +230,16 @@ func (t *TestFrostFS) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
 		attrs = append(attrs, *a)
 	}

+	var owner user.ID
+	user.IDFromKey(&owner, t.key.PrivateKey.PublicKey)
+
 	obj := object.New()
 	obj.SetContainerID(prm.Container)
 	obj.SetID(id)
 	obj.SetPayloadSize(prm.PayloadSize)
 	obj.SetAttributes(attrs...)
 	obj.SetCreationEpoch(t.currentEpoch)
-	obj.SetOwnerID(&prm.Creator)
+	obj.SetOwnerID(&owner)
 	t.currentEpoch++

 	if len(prm.Locks) > 0 {
@ -271,9 +277,9 @@ func (t *TestFrostFS) DeleteObject(ctx context.Context, prm PrmObjectDelete) err
 		return err
 	}

-	if obj, ok := t.objects[addr.EncodeToString()]; ok {
-		owner := getOwner(ctx)
-		if !obj.OwnerID().Equals(owner) {
+	if _, ok := t.objects[addr.EncodeToString()]; ok {
+		owner := getBearerOwner(ctx)
+		if !t.checkAccess(prm.Container, owner, eacl.OperationDelete) {
 			return ErrAccessDenied
 		}

@ -325,26 +331,42 @@ func (t *TestFrostFS) ContainerEACL(_ context.Context, cnrID cid.ID) (*eacl.Tabl
 	return table, nil
 }

-func (t *TestFrostFS) isPublicRead(cnrID cid.ID) bool {
-	table, ok := t.eaclTables[cnrID.EncodeToString()]
+func (t *TestFrostFS) checkAccess(cnrID cid.ID, owner user.ID, op eacl.Operation) bool {
+	cnr, ok := t.containers[cnrID.EncodeToString()]
 	if !ok {
 		return false
 	}

+	if !cnr.BasicACL().Extendable() {
+		return cnr.Owner().Equals(owner)
+	}
+
+	table, ok := t.eaclTables[cnrID.EncodeToString()]
+	if !ok {
+		return true
+	}
+
 	for _, rec := range table.Records() {
-		if rec.Operation() == eacl.OperationGet && len(rec.Filters()) == 0 {
+		if rec.Operation() == op && len(rec.Filters()) == 0 {
 			for _, trgt := range rec.Targets() {
 				if trgt.Role() == eacl.RoleOthers {
 					return rec.Action() == eacl.ActionAllow
 				}
+				var targetOwner user.ID
+				for _, pk := range eacl.TargetECDSAKeys(&trgt) {
+					user.IDFromKey(&targetOwner, *pk)
+					if targetOwner.Equals(owner) {
+						return rec.Action() == eacl.ActionAllow
+					}
+				}
 			}
 		}
 	}

-	return false
+	return true
 }

-func getOwner(ctx context.Context) user.ID {
+func getBearerOwner(ctx context.Context) user.ID {
 	if bd, ok := ctx.Value(middleware.BoxData).(*accessbox.Box); ok && bd != nil && bd.Gate != nil && bd.Gate.BearerToken != nil {
 		return bearer.ResolveIssuer(*bd.Gate.BearerToken)
 	}