[#81] Use impersonate bearer token

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2022-10-25 12:30:18 +03:00 · 2022-10-25 12:30:18 +03:00 · b366e75366
commit b366e75366
parent e487ee5b7d
6 changed files with 39 additions and 11 deletions
--- a/cmd/s3-authmate/main.go
+++ b/cmd/s3-authmate/main.go
@ -56,6 +56,7 @@ var (
 	accountAddressFlag       string
 	peerAddressFlag          string
 	eaclRulesFlag            string
+	disableImpersonateFlag   bool
 	gateWalletPathFlag       string
 	gateAccountAddressFlag   string
 	accessKeyIDFlag          string
@ -207,10 +208,16 @@ func issueSecret() *cli.Command {
 			},
 			&cli.StringFlag{
 				Name:        "bearer-rules",
-				Usage:       "rules for bearer token (filepath or a plain json string are allowed)",
+				Usage:       "rules for bearer token (filepath or a plain json string are allowed, can be used only with --disable-impersonate)",
 				Required:    false,
 				Destination: &eaclRulesFlag,
 			},
+			&cli.BoolFlag{
+				Name:        "disable-impersonate",
+				Usage:       "mark token as not impersonate to don't consider token signer as request owner (must be provided to use --bearer-rules flag)",
+				Required:    false,
+				Destination: &disableImpersonateFlag,
+			},
 			&cli.StringSliceFlag{
 				Name:        "gate-public-key",
 				Usage:       "public 256r1 key of a gate (use flags repeatedly for multiple gates)",
@ -345,6 +352,10 @@ It will be ceil rounded to the nearest amount of epoch.`,
 				return cli.Exit(fmt.Sprintf("couldn't parse container policy: %s", err.Error()), 6)
 			}

+			if !disableImpersonateFlag && eaclRulesFlag != "" {
+				return cli.Exit("--bearer-rules flag can be used only with --disable-impersonate", 6)
+			}
+
 			bearerRules, err := getJSONRules(eaclRulesFlag)
 			if err != nil {
 				return cli.Exit(fmt.Sprintf("couldn't parse 'bearer-rules' flag: %s", err.Error()), 7)
@ -364,6 +375,7 @@ It will be ceil rounded to the nearest amount of epoch.`,
 				FrostFSKey:            key,
 				GatesPublicKeys:       gatesPublicKeys,
 				EACLRules:             bearerRules,
+				Impersonate:           !disableImpersonateFlag,
 				SessionTokenRules:     sessionRules,
 				SkipSessionRules:      skipSessionRules,
 				ContainerPolicies:     policies,