object/put: Process session token of the original request in ACL checks

Previously, when checking write access to an object, the storage node used only the session token from the last request sent. In case of a chain of more than one request, the original session token was ignored. As a result, it did not allow to correctly interpret on whose behalf the action was performed. In particular, in private containers, gateways were deprived of the right to write data on behalf of the user. From now storage node always processes the session token from the original request. Signed-off-by: Leonard Lyubich <[email protected]>
nspcc-dev · Jul 26, 2023 · 6287bc9 · 6287bc9
1 parent f751d71
commit 6287bc9
Showing 1 changed file with 4 additions and 10 deletions.
diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
@@ -480,16 +480,10 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
 			}
 		}
 
-		var sTok *sessionSDK.Object
-
-		if tokV2 := request.GetMetaHeader().GetSessionToken(); tokV2 != nil {
-			sTok = new(sessionSDK.Object)
-
-			err = sTok.ReadFromV2(*tokV2)
-			if err != nil {
-				return fmt.Errorf("invalid session token: %w", err)
-			}
-
+		sTok, err := originalSessionToken(request.GetMetaHeader())
+		if err != nil {
+			return err
+		} else if sTok != nil {
 			if sTok.AssertVerb(sessionSDK.VerbObjectDelete) {
 				// if session relates to object's removal, we don't check
 				// relation of the tombstone to the session here since user