object/put: Process session token of the original request in ACL checks

Previously, when checking write access to an object, the storage node used only the session token from the last request sent. In case of a chain of more than one request, the original session token was ignored. As a result, it did not allow to correctly interpret on whose behalf the action was performed. In particular, in private containers, gateways were deprived of the right to write data on behalf of the user. From now storage node always processes the session token from the original request. Signed-off-by: Leonard Lyubich <[email protected]>
nspcc-dev · Jul 28, 2023 · cf3d615 · cf3d615
1 parent 14ad097
commit cf3d615
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ Changelog for NeoFS Node
 - Concurrent morph cache misses (#1248)
 - Double voting for validators on IR startup (#2365)
 - Skip unexpected notary events on notary request parsing step (#2315)
+- Session inactivity on object PUT request relay (#2460)
 
 ### Removed
 - Deprecated `morph.rpc_endpoint` SN and `morph.endpoint.client` IR config sections (#2400)

diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
@@ -479,16 +479,12 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
 			}
 		}
 
-		var sTok *sessionSDK.Object
-
-		if tokV2 := request.GetMetaHeader().GetSessionToken(); tokV2 != nil {
-			sTok = new(sessionSDK.Object)
-
-			err = sTok.ReadFromV2(*tokV2)
-			if err != nil {
-				return fmt.Errorf("invalid session token: %w", err)
-			}
+		sTok, err := originalSessionToken(request.GetMetaHeader())
+		if err != nil {
+			return err
+		}
 
+		if sTok != nil {
 			if sTok.AssertVerb(sessionSDK.VerbObjectDelete) {
 				// if session relates to object's removal, we don't check
 				// relation of the tombstone to the session here since user