Poc/impersonate

cmd/frostfs-cli/internal/client/sdk.go

@@ -48,7 +48,7 @@ func GetSDKClient(cmd *cobra.Command, key *ecdsa.PrivateKey, addr network.Addres
 	)
 
 	prmInit.SetDefaultPrivateKey(*key)
-	prmInit.ResolveNeoFSFailures()
+	prmInit.ResolveFrostFSFailures()
 	prmDial.SetServerURI(addr.URIAddr())
 	if timeout := viper.GetDuration(commonflags.Timeout); timeout > 0 {
 		// In CLI we can only set a timeout for the whole operation.

go.mod

@@ -39,10 +39,15 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 )
 
+replace (
+	github.com/TrueCloudLab/frostfs-api-go/v2 v2.0.0-20221212144048-1351b6656d68 => github.com/KirillovDenis/frostfs-api-go/v2 v2.11.2-0.20230221082308-ac00938fa447
+	github.com/TrueCloudLab/frostfs-sdk-go v0.0.0-20221214065929-4c779423f556 => github.com/KirillovDenis/frostfs-sdk-go v0.0.0-20230221122223-9424a67fb108
+)
+
 require (
 	github.com/TrueCloudLab/frostfs-crypto v0.5.0 // indirect
 	github.com/TrueCloudLab/rfc6979 v0.3.0 // indirect
-	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12 // indirect
 	github.com/benbjohnson/clock v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
@@ -54,7 +59,7 @@ require (
 	github.com/golang/snappy v0.0.3 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gorilla/websocket v1.4.2 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/golang-lru v0.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/holiman/uint256 v1.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
@@ -89,8 +94,9 @@ require (
 	github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 // indirect
 	github.com/twmb/murmur3 v1.1.5 // indirect
 	github.com/urfave/cli v1.22.5 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/crypto v0.4.0 // indirect
+	golang.org/x/exp v0.0.0-20221227203929-1b447090c38c // indirect
 	golang.org/x/net v0.4.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.3.0 // indirect

go.sum

@@ -42,14 +42,14 @@ github.com/CityOfZion/neo-go v0.62.1-pre.0.20191114145240-e740fbe708f8/go.mod h1
 github.com/CityOfZion/neo-go v0.70.1-pre.0.20191209120015-fccb0085941e/go.mod h1:0enZl0az8xA6PVkwzEOwPWVJGqlt/GO4hA4kmQ5Xzig=
 github.com/CityOfZion/neo-go v0.70.1-pre.0.20191212173117-32ac01130d4c/go.mod h1:JtlHfeqLywZLswKIKFnAp+yzezY4Dji9qlfQKB2OD/I=
 github.com/CityOfZion/neo-go v0.71.1-pre.0.20200129171427-f773ec69fb84/go.mod h1:FLI526IrRWHmcsO+mHsCbj64pJZhwQFTLJZu+A4PGOA=
-github.com/TrueCloudLab/frostfs-api-go/v2 v2.0.0-20221212144048-1351b6656d68 h1:mwZr15qCuIcWojIOmH6LILPohbWIkknZe9vhBRapmfQ=
-github.com/TrueCloudLab/frostfs-api-go/v2 v2.0.0-20221212144048-1351b6656d68/go.mod h1:u3P6aL/NpAIY5IFRsJhmV+61Q3pJ3BkLENqySkf5zZQ=
+github.com/KirillovDenis/frostfs-api-go/v2 v2.11.2-0.20230221082308-ac00938fa447 h1:8PH1Wdzdk96XwMQheflK9uS9lsSDtLaE9Wfr1sBq+Ng=
+github.com/KirillovDenis/frostfs-api-go/v2 v2.11.2-0.20230221082308-ac00938fa447/go.mod h1:u3P6aL/NpAIY5IFRsJhmV+61Q3pJ3BkLENqySkf5zZQ=
+github.com/KirillovDenis/frostfs-sdk-go v0.0.0-20230221122223-9424a67fb108 h1:EbH3LgjwB+XuaICaWnK/ZnecSzfGSUBlwJ+kT4uOq68=
+github.com/KirillovDenis/frostfs-sdk-go v0.0.0-20230221122223-9424a67fb108/go.mod h1:kEJuY2GhRZ3MFBwZvTLMlA2D5mrjjoB+g/Q2Lz1dwyQ=
 github.com/TrueCloudLab/frostfs-contract v0.0.0-20221213081248-6c805c1b4e42 h1:P/gisZxTzJ9R3tuYDaQWe0tY6m1Zea3gzdPpNYK+NP4=
 github.com/TrueCloudLab/frostfs-contract v0.0.0-20221213081248-6c805c1b4e42/go.mod h1:qmf648elr+FWBZH3hqND8KVrXMnqu/e0z48k+sX8C2s=
 github.com/TrueCloudLab/frostfs-crypto v0.5.0 h1:ZoLjixSkQv3j1EwZ1WJzMEJY2NR+9nO4Pd8WSyM/RRI=
 github.com/TrueCloudLab/frostfs-crypto v0.5.0/go.mod h1:775MUewpH8AWpXrimAG2NYWOXB6lpKOI5kqgu+eI5zs=
-github.com/TrueCloudLab/frostfs-sdk-go v0.0.0-20221214065929-4c779423f556 h1:Cc1jjYxKPfyw7TIJh3Bje7m8DOSn2dx+2zmr0yusWGw=
-github.com/TrueCloudLab/frostfs-sdk-go v0.0.0-20221214065929-4c779423f556/go.mod h1:4ZiG4jNLzrqeJbmZUrPI7wDZhQVPaf0zEIWa/eBsqBg=
 github.com/TrueCloudLab/hrw v1.1.0 h1:2U69PpUX1UtMWgh/RAg6D8mQW+/WsxbLNE+19EUhLhY=
 github.com/TrueCloudLab/hrw v1.1.0/go.mod h1:Pzi8Hy3qx12cew+ajVxgbtDVM4sRG9/gJnJLcL/yRyY=
 github.com/TrueCloudLab/rfc6979 v0.3.0 h1:0SYMAfQWh/TjnofqYQHy+s3rmQ5gi0fvOaDbqd60/Ic=
@@ -70,8 +70,8 @@ github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6/go.mod h1:SGn
 github.com/alicebob/miniredis v2.5.0+incompatible/go.mod h1:8HZjEj4yU0dwhYHky+DxYx+6BMjkBbe5ONFIF1MXffk=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210521073959-f0d4d129b7f1/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
-github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=
-github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12 h1:npHgfD4Tl2WJS3AJaMUi5ynGDPUBfkg3U3fCzDyXZ+4=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -241,8 +241,9 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
+github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/golang-lru/v2 v2.0.1 h1:5pv5N1lT1fjLg2VQ5KWc7kmucp2x/kvFOnxuVTqZ6x4=
 github.com/hashicorp/golang-lru/v2 v2.0.1/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
@@ -511,8 +512,8 @@ go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=
-go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
+go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
+go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
@@ -544,6 +545,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20221227203929-1b447090c38c h1:Govq2W3bnHJimHT2ium65kXcI7ZzTniZHcFATnLJM0Q=
+golang.org/x/exp v0.0.0-20221227203929-1b447090c38c/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -568,7 +571,7 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
+golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -776,7 +779,7 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
+golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

pkg/services/object/acl/acl.go

@@ -124,15 +124,17 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
 		return nil
 	}
 
+	bearerTok := reqInfo.Bearer()
+	impersonate := bearerTok != nil && bearerTok.Impersonate()
+
 	// if bearer token is not allowed, then ignore it
-	if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
+	if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
 		reqInfo.CleanBearer()
 	}
 
 	var table eaclSDK.Table
 	cnr := reqInfo.ContainerID()
 
-	bearerTok := reqInfo.Bearer()
 	if bearerTok == nil {
 		eaclInfo, err := c.eaclSrc.GetEACL(cnr)
 		if err != nil {

pkg/services/object/acl/v2/request.go

@@ -2,6 +2,7 @@ package v2
 
 import (
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"fmt"
 
 	sessionV2 "github.com/TrueCloudLab/frostfs-api-go/v2/session"
@@ -113,6 +114,12 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
 		return nil, nil, errEmptyVerificationHeader
 	}
 
+	if r.bearer != nil && r.bearer.Impersonate() {
+		issuer := bearer.ResolveIssuer(*r.bearer)
+		pubKey, err := keys.NewPublicKeyFromBytes(r.bearer.SigningKeyBytes(), elliptic.P256())
+		return &issuer, pubKey, err
+	}
+
 	// if session token is presented, use it as truth source
 	if r.token != nil {
 		// verify signature of session token

pkg/services/tree/signature.go

@@ -56,7 +56,23 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 		return fmt.Errorf("can't get container %s: %w", cid, err)
 	}
 
-	role, err := roleFromReq(cnr, req)
+	eaclOp := eACLOp(op)
+
+	var bt *bearer.Token
+	if len(rawBearer) > 0 {
+		bt = new(bearer.Token)
+		if err = bt.Unmarshal(rawBearer); err != nil {
+			return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
+		}
+		if !bt.VerifySignature() {
+			return eACLErr(eaclOp, errBearerSignature)
+		}
+		if !bt.AssertContainer(cid) {
+			return eACLErr(eaclOp, errBearerWrongContainer)
+		}
+	}
+
+	role, err := roleFromReq(cnr, req, bt)
 	if err != nil {
 		return fmt.Errorf("can't get request role: %w", err)
 	}
@@ -71,8 +87,6 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 		return nil
 	}
 
-	eaclOp := eACLOp(op)
-
 	var tableFromBearer bool
 	if len(rawBearer) != 0 {
 		if !basicACL.AllowedBearerRules(op) {
@@ -86,22 +100,25 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 	}
 
 	var tb eacl.Table
+	signer := req.GetSignature().GetKey()
 	if tableFromBearer {
-		var bt bearer.Token
-		if err = bt.Unmarshal(rawBearer); err != nil {
-			return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
-		}
-		if !bearer.ResolveIssuer(bt).Equals(cnr.Value.Owner()) {
-			return eACLErr(eaclOp, errBearerWrongOwner)
-		}
-		if !bt.AssertContainer(cid) {
-			return eACLErr(eaclOp, errBearerWrongContainer)
-		}
-		if !bt.VerifySignature() {
-			return eACLErr(eaclOp, errBearerSignature)
-		}
+		if bt.Impersonate() {
+			tbCore, err := s.eaclSource.GetEACL(cid)
+			if err != nil {
+				if client.IsErrEACLNotFound(err) {
+					return nil
+				}
 
-		tb = bt.EACLTable()
+				return fmt.Errorf("get eACL table: %w", err)
+			}
+			tb = *tbCore.Value
+			signer = bt.SigningKeyBytes()
+		} else {
+			if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
+				return eACLErr(eaclOp, errBearerWrongOwner)
+			}
+			tb = bt.EACLTable()
+		}
 	} else {
 		tbCore, err := s.eaclSource.GetEACL(cid)
 		if err != nil {
@@ -115,7 +132,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 		tb = *tbCore.Value
 	}
 
-	return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
+	return checkEACL(tb, signer, eACLRole(role), eaclOp)
 }
 
 func verifyMessage(m message) error {
@@ -168,7 +185,7 @@ func SignMessage(m message, key *ecdsa.PrivateKey) error {
 	return nil
 }
 
-func roleFromReq(cnr *core.Container, req message) (acl.Role, error) {
+func roleFromReq(cnr *core.Container, req message, bt *bearer.Token) (acl.Role, error) {
 	role := acl.RoleOthers
 	owner := cnr.Value.Owner()
 
@@ -177,6 +194,13 @@ func roleFromReq(cnr *core.Container, req message) (acl.Role, error) {
 		return role, fmt.Errorf("invalid public key: %w", err)
 	}
 
+	if bt != nil && bt.Impersonate() {
+		pub, err = keys.NewPublicKeyFromBytes(bt.SigningKeyBytes(), elliptic.P256())
+		if err != nil {
+			return role, fmt.Errorf("invalid public key: %w", err)
+		}
+	}
+
 	var reqSigner user.ID
 	user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*pub))