From 72f55417d11b9d3d34febe8c9c3e7b2e2d2cfd1f Mon Sep 17 00:00:00 2001
From: Evgenii Baidakov
Date: Thu, 4 Jul 2024 14:17:41 +0400
Subject: [PATCH] acl: Check the account alongside the public key

Signed-off-by: Evgenii Baidakov
---
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/services/object/acl/acl.go | 1 +
 pkg/services/object/acl/v2/classifier.go | 25 ++++++++++++++----------
 pkg/services/object/acl/v2/request.go | 8 +++++++-
 pkg/services/object/acl/v2/service.go | 1 +
 6 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/go.mod b/go.mod
index b1df1f40c6..91c2ca4012 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/nspcc-dev/neo-go v0.106.2
 github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4
 github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2
- github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12
+ github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6
 github.com/nspcc-dev/tzhash v1.8.0
 github.com/olekukonko/tablewriter v0.0.5
 github.com/panjf2000/ants/v2 v2.9.0
diff --git a/go.sum b/go.sum
index 68088f680e..57ac3d903a 100644
--- a/go.sum
+++ b/go.sum
@@ -136,8 +136,8 @@ github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4 h1:ar
 github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4/go.mod h1:7Tm1NKEoUVVIUlkVwFrPh7GG5+Lmta2m7EGr4oVpBd8=
 github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2 h1:VT9/vs92xth7c2PIxiGt1NIK77VK2kjSFqLMWmMY/pc=
 github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2/go.mod h1:5nBFjgF2/SNpEty5oZzfTLck3YCSHLgnL4Tlv2xo54c=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12 h1:mdxtlSU2I4oVZ/7AXTLKyz8uUPbDWikZw4DM8gvrddA=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6 h1:6Z61E1NqyxjnUKzaSQqZWmP67TZ2GB5WLgozBtTS7j8=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
 github.com/nspcc-dev/rfc6979 v0.2.1 h1:8wWxkamHWFmO790GsewSoKUSJjVnL1fmdRpokU/RgRM=
 github.com/nspcc-dev/rfc6979 v0.2.1/go.mod h1:Tk7h5kyUWkhjyO3zUgFFhy1v2vQv3BvQEntakdtqrWc=
 github.com/nspcc-dev/tzhash v1.8.0 h1:pJvzME2mZzP/h5rcy/Wb6amT9FJBFeKbJ3HEnWEeUpY=
diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index 423f7360ac..fa66737b6a 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -199,6 +199,7 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 WithOperation(eaclSDK.Operation(reqInfo.Operation())).
 WithContainerID(&cnr).
 WithSenderKey(reqInfo.SenderKey()).
+ WithAccount(reqInfo.SenderAccount()).
 WithHeaderSource(hdrSrc).
 WithEACLTable(&table),
 )
diff --git a/pkg/services/object/acl/v2/classifier.go b/pkg/services/object/acl/v2/classifier.go
index d4901a3903..12b0355a9a 100644
--- a/pkg/services/object/acl/v2/classifier.go
+++ b/pkg/services/object/acl/v2/classifier.go
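Review bot: `WithAccount(reqInfo.SenderAccount())` forwards whatever `senderAccount` holds, and a RequestInfo built on a path that never sets it passes a nil slice into the eACL validation unit; how the SDK matches an account-scoped rule against an empty account is not visible in this hunk. A test asserting that an eACL rule keyed on an account does not match a request whose SenderAccount() is nil would pin that down, since a permissive default here would widen access rather than narrow it. CheckEACL's body starts and ends outside the hunk.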
@@ -18,8 +18,9 @@ type senderClassifier struct {
 }

 type classifyResult struct {
- role acl.Role
- key []byte
+ role acl.Role
+ key []byte
+ account []byte
 }

 func (c senderClassifier) classify(
@@ -36,8 +37,9 @@ func (c senderClassifier) classify(
 // if request owner is the same as container owner, return RoleUser
 if ownerID.Equals(cnr.Owner()) {
 return &classifyResult{
- role: acl.RoleOwner,
- key: ownerKey,
+ role: acl.RoleOwner,
+ key: ownerKey,
+ account: ownerID.WalletBytes(),
 }, nil
 }

@@ -48,8 +50,9 @@ func (c senderClassifier) classify(
 zap.String("error", err.Error()))
 } else if isInnerRingNode {
 return &classifyResult{
- role: acl.RoleInnerRing,
- key: ownerKey,
+ role: acl.RoleInnerRing,
+ key: ownerKey,
+ account: ownerID.WalletBytes(),
 }, nil
 }

@@ -62,15 +65,17 @@ func (c senderClassifier) classify(
 zap.String("error", err.Error()))
 } else if isContainerNode {
 return &classifyResult{
- role: acl.RoleContainer,
- key: ownerKey,
+ role: acl.RoleContainer,
+ key: ownerKey,
+ account: ownerID.WalletBytes(),
 }, nil
 }

 // if none of above, return RoleOthers
 return &classifyResult{
- role: acl.RoleOthers,
- key: ownerKey,
+ role: acl.RoleOthers,
+ key: ownerKey,
+ account: ownerID.WalletBytes(),
 }, nil
 }
diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go
index 16985a83e6..bf9041ee73 100644
--- a/pkg/services/object/acl/v2/request.go
+++ b/pkg/services/object/acl/v2/request.go
@@ -29,7 +29,8 @@ type RequestInfo struct {
 // e.g. Put, Search
 obj *oid.ID

- senderKey []byte
+ senderKey []byte
+ senderAccount []byte

 bearer *bearer.Token // bearer token of request

@@ -88,6 +89,11 @@ func (r RequestInfo) SenderKey() []byte {
 return r.senderKey
 }

+// SenderAccount returns account of the request's sender.
+func (r RequestInfo) SenderAccount() []byte {
+ return r.senderAccount
+}
+
 // Operation returns request's operation.
 func (r RequestInfo) Operation() acl.Op {
 return r.operation
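Review bot: `ownerID.WalletBytes()` is evaluated separately in each of the four return literals of classify (the -36 hunk here and the -48 and -62 hunks below), although `ownerID` does not change between them; computing it once, `account := ownerID.WalletBytes()` after ownerID is resolved, and writing `account: account,` in the literals keeps the four branches from drifting if the derivation ever changes. The new classifyResult field is also undocumented; `account []byte // wallet-encoded account of the request owner, as returned by ownerID.WalletBytes()` would tell a reader what bytes eACL matching will later see. Where ownerID itself is obtained is above the hunk, and since the account now drives eACL decisions it matters that it comes from the same verified identity as ownerKey rather than from an unauthenticated request field; that is worth stating at the point ownerID is produced. classify starts and ends outside the hunks shown.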
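Review bot: The doc comment on the new `SenderAccount` getter does not say what the returned bytes are or that they may be absent; `// SenderAccount returns the sender's account in the wallet encoding stored by the classifier (ownerID.WalletBytes()), or nil if the request info carries no account.` would match what is actually stored. Like SenderKey it returns the internal slice without copying, so callers share RequestInfo's backing array; that is consistent with the existing getter but worth a mention in the comment if caller-side mutation is not intended.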
diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
index 2ed3ef880c..c8a34cd581 100644
--- a/pkg/services/object/acl/v2/service.go
+++ b/pkg/services/object/acl/v2/service.go
@@ -628,6 +628,7 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
 // it is assumed that at the moment the key will be valid,
 // otherwise the request would not pass validation
 info.senderKey = res.key
+ info.senderAccount = res.account

 // add bearer token if it is present in request
 info.bearer = req.bearer
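Review bot: `info.senderAccount = res.account` sits directly under a comment that justifies trusting `res.key` because the request has already passed validation, but nothing in the hunk states on what basis `res.account` is trusted, and it now feeds eACL account matching in CheckEACL. If the account is derived from the same identity the validated signature proves (ownerID in the classifier, produced outside this hunk), extend the comment to say so, e.g. `// the account is derived from the same verified owner identity as the key`; if it can instead come from an unauthenticated request field, that is a gap to close before account-scoped rules are relied on. findRequestInfo starts and ends outside the hunk.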