forked from TrueCloudLab/frostfs-node
[#1191] object/acl: check session token verb
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
parent
5e90d85020
commit
0bf59522f7
4 changed files with 68 additions and 10 deletions
|
@ -13,6 +13,8 @@ var (
|
||||||
ErrUnknownRole = errors.New("can't classify request sender")
|
ErrUnknownRole = errors.New("can't classify request sender")
|
||||||
// ErrUnknownContainer is returned when container fetching errors appeared.
|
// ErrUnknownContainer is returned when container fetching errors appeared.
|
||||||
ErrUnknownContainer = errors.New("can't fetch container info")
|
ErrUnknownContainer = errors.New("can't fetch container info")
|
||||||
|
// ErrInvalidVerb is returned when session token verb doesn't include necessary operation.
|
||||||
|
ErrInvalidVerb = errors.New("session token verb is invalid")
|
||||||
)
|
)
|
||||||
|
|
||||||
type accessErr struct {
|
type accessErr struct {
|
||||||
|
|
|
@ -425,7 +425,10 @@ func (b Service) findRequestInfo(
|
||||||
}
|
}
|
||||||
|
|
||||||
// find verb from token if it is present
|
// find verb from token if it is present
|
||||||
verb := sourceVerbOfRequest(req, op)
|
verb, isUnknown := sourceVerbOfRequest(req.token, op)
|
||||||
|
if !isUnknown && verb != op && !isVerbCompatible(verb, op) {
|
||||||
|
return info, ErrInvalidVerb
|
||||||
|
}
|
||||||
|
|
||||||
info.basicACL = cnr.BasicACL()
|
info.basicACL = cnr.BasicACL()
|
||||||
info.requestRole = res.role
|
info.requestRole = res.role
|
||||||
|
|
|
@ -102,18 +102,17 @@ func getObjectOwnerFromMessage(req interface{}) (id *owner.ID, err error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// sourceVerbOfRequest looks for verb in session token and if it is not found,
|
// sourceVerbOfRequest looks for verb in session token and if it is not found,
|
||||||
// returns reqVerb.
|
// returns reqVerb. Second return value is true if operation is unknown.
|
||||||
func sourceVerbOfRequest(req MetaWithToken, reqVerb eaclSDK.Operation) eaclSDK.Operation {
|
func sourceVerbOfRequest(tok *sessionSDK.Token, reqVerb eaclSDK.Operation) (eaclSDK.Operation, bool) {
|
||||||
if req.token != nil {
|
ctx, ok := tok.Context().(*sessionSDK.ObjectContext)
|
||||||
switch v := req.token.Context().(type) {
|
if ok {
|
||||||
case *sessionSDK.ObjectContext:
|
op := tokenVerbToOperation(ctx)
|
||||||
return tokenVerbToOperation(v)
|
if op != eaclSDK.OperationUnknown {
|
||||||
default:
|
return op, false
|
||||||
// do nothing, return request verb
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return reqVerb
|
return reqVerb, true
|
||||||
}
|
}
|
||||||
|
|
||||||
func useObjectIDFromSession(req *RequestInfo, token *sessionSDK.Token) {
|
func useObjectIDFromSession(req *RequestInfo, token *sessionSDK.Token) {
|
||||||
|
@ -195,3 +194,18 @@ func isOwnerFromKey(id *owner.ID, key *keys.PublicKey) bool {
|
||||||
|
|
||||||
return id.Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key)))
|
return id.Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key)))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// isVerbCompatible checks that tokenVerb operation can create auxiliary op operation.
|
||||||
|
func isVerbCompatible(tokenVerb, op eaclSDK.Operation) bool {
|
||||||
|
switch tokenVerb {
|
||||||
|
case eaclSDK.OperationGet:
|
||||||
|
return op == eaclSDK.OperationGet || op == eaclSDK.OperationHead
|
||||||
|
case eaclSDK.OperationDelete:
|
||||||
|
return op == eaclSDK.OperationPut || op == eaclSDK.OperationHead ||
|
||||||
|
op == eaclSDK.OperationSearch
|
||||||
|
case eaclSDK.OperationRange, eaclSDK.OperationRangeHash:
|
||||||
|
return op == eaclSDK.OperationRange || op == eaclSDK.OperationHead
|
||||||
|
default:
|
||||||
|
return tokenVerb == op
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -7,6 +7,7 @@ import (
|
||||||
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
|
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
|
||||||
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
||||||
sessiontest "github.com/nspcc-dev/neofs-api-go/v2/session/test"
|
sessiontest "github.com/nspcc-dev/neofs-api-go/v2/session/test"
|
||||||
|
"github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
|
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
|
||||||
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token"
|
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
@ -36,3 +37,41 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Session
|
||||||
|
|
||||||
return metaHeader
|
return metaHeader
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestIsVerbCompatible(t *testing.T) {
|
||||||
|
// Source: https://nspcc.ru/upload/neofs-spec-latest.pdf#page=28
|
||||||
|
table := map[eacl.Operation][]eacl.Operation{
|
||||||
|
eacl.OperationPut: {eacl.OperationPut},
|
||||||
|
eacl.OperationDelete: {eacl.OperationPut, eacl.OperationHead, eacl.OperationSearch},
|
||||||
|
eacl.OperationHead: {eacl.OperationHead},
|
||||||
|
eacl.OperationRange: {eacl.OperationRange, eacl.OperationHead},
|
||||||
|
eacl.OperationRangeHash: {eacl.OperationRange, eacl.OperationHead},
|
||||||
|
eacl.OperationGet: {eacl.OperationGet, eacl.OperationHead},
|
||||||
|
eacl.OperationSearch: {eacl.OperationSearch},
|
||||||
|
}
|
||||||
|
|
||||||
|
ops := []eacl.Operation{
|
||||||
|
eacl.OperationPut,
|
||||||
|
eacl.OperationDelete,
|
||||||
|
eacl.OperationHead,
|
||||||
|
eacl.OperationRange,
|
||||||
|
eacl.OperationRangeHash,
|
||||||
|
eacl.OperationGet,
|
||||||
|
eacl.OperationSearch,
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, opToken := range ops {
|
||||||
|
for _, op := range ops {
|
||||||
|
var contains bool
|
||||||
|
for _, o := range table[opToken] {
|
||||||
|
if o == op {
|
||||||
|
contains = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
require.Equal(t, contains, isVerbCompatible(opToken, op),
|
||||||
|
"%s in token, %s executing", opToken, op)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue