acl: Check the account alongside the public key
Signed-off-by: Evgenii Baidakov <[email protected]>
smallhive committed Jul 4, 2024
1 parent 5ef73c8 commit 70ca640
Showing 7 changed files with 28 additions and 14 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ Changelog for NeoFS Node

### Added
- Indexes inspection command to neofs-lens (#2882)
- Check the account alongside the public key in ACL (#2883)

### Fixed
- Control service's Drop call does not clean metabase (#2822)
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ require (
github.com/nspcc-dev/neo-go v0.106.2
github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4
github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6
github.com/nspcc-dev/tzhash v1.8.0
github.com/olekukonko/tablewriter v0.0.5
github.com/panjf2000/ants/v2 v2.9.0
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -136,8 +136,8 @@ github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4 h1:ar
github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4/go.mod h1:7Tm1NKEoUVVIUlkVwFrPh7GG5+Lmta2m7EGr4oVpBd8=
github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2 h1:VT9/vs92xth7c2PIxiGt1NIK77VK2kjSFqLMWmMY/pc=
github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2/go.mod h1:5nBFjgF2/SNpEty5oZzfTLck3YCSHLgnL4Tlv2xo54c=
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12 h1:mdxtlSU2I4oVZ/7AXTLKyz8uUPbDWikZw4DM8gvrddA=
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6 h1:6Z61E1NqyxjnUKzaSQqZWmP67TZ2GB5WLgozBtTS7j8=
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
github.com/nspcc-dev/rfc6979 v0.2.1 h1:8wWxkamHWFmO790GsewSoKUSJjVnL1fmdRpokU/RgRM=
github.com/nspcc-dev/rfc6979 v0.2.1/go.mod h1:Tk7h5kyUWkhjyO3zUgFFhy1v2vQv3BvQEntakdtqrWc=
github.com/nspcc-dev/tzhash v1.8.0 h1:pJvzME2mZzP/h5rcy/Wb6amT9FJBFeKbJ3HEnWEeUpY=
Expand Down
1 change: 1 addition & 0 deletions pkg/services/object/acl/acl.go
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,7 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
WithContainerID(&cnr).
WithSenderKey(reqInfo.SenderKey()).
WithAccount(reqInfo.SenderAccount()).

WithHeaderSource(hdrSrc).
WithEACLTable(&table),
)
Expand Down
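Review bot: The added `WithAccount(reqInfo.SenderAccount())` forwards whatever `senderAccount` holds, which is nil for any RequestInfo that was not populated through findRequestInfo, and this commit changes no test file, so neither the set nor the unset case is exercised. Whether the SDK validator treats a nil account as "no account-keyed record matches" (fail-closed) or as a wildcard cannot be told from this page; a CheckEACL test with an account-keyed eACL record, run once with the sender account set and once with it nil, would pin the intended behavior. CheckEACL's body starts and ends outside the hunk.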
25 changes: 15 additions & 10 deletions pkg/services/object/acl/v2/classifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,9 @@ type senderClassifier struct {
}

type classifyResult struct {
role acl.Role
key []byte
role acl.Role
key []byte
account []byte
}

func (c senderClassifier) classify(
Expand All @@ -36,8 +37,9 @@ func (c senderClassifier) classify(
// if request owner is the same as container owner, return RoleUser
if ownerID.Equals(cnr.Owner()) {
return &classifyResult{
role: acl.RoleOwner,
key: ownerKey,
role: acl.RoleOwner,
key: ownerKey,
account: ownerID.WalletBytes(),

}, nil
}

Expand All @@ -48,8 +50,9 @@ func (c senderClassifier) classify(
zap.String("error", err.Error()))
} else if isInnerRingNode {
return &classifyResult{
role: acl.RoleInnerRing,
key: ownerKey,
role: acl.RoleInnerRing,
key: ownerKey,
account: ownerID.WalletBytes(),

}, nil
}

Expand All @@ -62,15 +65,17 @@ func (c senderClassifier) classify(
zap.String("error", err.Error()))
} else if isContainerNode {
return &classifyResult{
role: acl.RoleContainer,
key: ownerKey,
role: acl.RoleContainer,
key: ownerKey,
account: ownerID.WalletBytes(),

}, nil
}

// if none of above, return RoleOthers
return &classifyResult{
role: acl.RoleOthers,
key: ownerKey,
role: acl.RoleOthers,
key: ownerKey,
account: ownerID.WalletBytes(),

}, nil
}

Expand Down
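Review bot: `ownerID.WalletBytes()` is evaluated separately in each of the four return branches, so every role gets the same value; computing `account := ownerID.WalletBytes()` once before the first branch and writing `account: account` in each literal makes that invariant explicit and shortens the diff. The new `account` field of classifyResult also carries no comment; `// account is the sender's user ID in wallet byte form (ownerID.WalletBytes()), later passed to the eACL validator via WithAccount` would document what it holds. Since eACL decisions now key on this value, it is worth confirming that `ownerID` is derived from the verified request signature (or the bearer-authorized owner) rather than from an unauthenticated request field; that derivation is outside the hunk. classify's signature and the beginning of its body are outside the hunk as well.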
8 changes: 7 additions & 1 deletion pkg/services/object/acl/v2/request.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,8 @@ type RequestInfo struct {
// e.g. Put, Search
obj *oid.ID

senderKey []byte
senderKey []byte
senderAccount []byte

bearer *bearer.Token // bearer token of request

Expand Down Expand Up @@ -88,6 +89,11 @@ func (r RequestInfo) SenderKey() []byte {
return r.senderKey
}

// SenderAccount returns account of the request's sender.
func (r RequestInfo) SenderAccount() []byte {
return r.senderAccount

}

// Operation returns request's operation.
func (r RequestInfo) Operation() acl.Op {
return r.operation
Expand Down
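Review bot: `SenderAccount` returns the internal `senderAccount` slice without copying, exactly as `SenderKey` does, so a caller that mutates the result would change the account seen by later ACL checks on the same RequestInfo; the doc comment should state this and the nil case, e.g. `// SenderAccount returns the account (wallet bytes) of the request's sender, or nil if it was not set. The returned slice is shared and must not be modified.`. The new struct field has no trailing comment while neighbouring fields such as `bearer` do; `senderAccount []byte // sender's user ID in wallet byte form` would keep the file's style.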
1 change: 1 addition & 0 deletions pkg/services/object/acl/v2/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -628,6 +628,7 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
// it is assumed that at the moment the key will be valid,
// otherwise the request would not pass validation
info.senderKey = res.key
info.senderAccount = res.account


// add bearer token if it is present in request
info.bearer = req.bearer
Expand Down
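Review bot: The comment above the assignment justifies storing `res.key` without re-validation, but the new `info.senderAccount = res.account` line is covered by that reasoning only if the account is produced from the same validated identity as the key; extending it to `// it is assumed that at the moment the key (and the account classified with it) will be valid,` makes the assumption cover both fields. findRequestInfo's body starts and ends outside the hunk.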

0 comments on commit 70ca640

Please sign in to comment.