fix: fix verify permission bug

bnb-chain · Mar 20, 2023 · e7a1fb7 · e7a1fb7
1 parent e2168ab
commit e7a1fb7
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 5 deletions.
diff --git a/go.mod b/go.mod
@@ -23,6 +23,7 @@ require (
 	github.com/bytedance/gopkg v0.0.0-20221122125632-68358b8ecec6
 	github.com/cloudflare/cfssl v1.6.3
 	github.com/cosmos/cosmos-sdk v0.46.7
+	github.com/cosmos/gogoproto v1.4.6
 	github.com/ethereum/go-ethereum v1.10.19
 	github.com/forbole/juno/v4 v4.0.0-00010101000000-000000000000
 	github.com/gin-gonic/gin v1.8.2
@@ -69,7 +70,6 @@ require (
 	github.com/cosmos/btcutil v1.0.5 // indirect
 	github.com/cosmos/cosmos-proto v1.0.0-beta.1 // indirect
 	github.com/cosmos/go-bip39 v1.0.0 // indirect
-	github.com/cosmos/gogoproto v1.4.6 // indirect
 	github.com/cosmos/gorocksdb v1.2.0 // indirect
 	github.com/cosmos/iavl v0.19.4 // indirect
 	github.com/cosmos/ibc-go/v5 v5.2.0 // indirect

diff --git a/pkg/greenfield/query_service.go b/pkg/greenfield/query_service.go
@@ -154,6 +154,7 @@ func (greenfield *Greenfield) VerifyGetObjectPermission(ctx context.Context, acc
 		Operator:   account,
 		BucketName: bucket,
 		ObjectName: object,
+		ActionType: permissiontypes.ACTION_GET_OBJECT,
 	})
 	if err != nil {
 		log.Errorw("failed to verify get object permission", "account", account, "error", err)
@@ -164,3 +165,22 @@ func (greenfield *Greenfield) VerifyGetObjectPermission(ctx context.Context, acc
 	}
 	return false, err
 }
+
+// VerifyPutObjectPermission verify put object permission.
+func (greenfield *Greenfield) VerifyPutObjectPermission(ctx context.Context, account, bucket, object string) (bool, error) {
+	client := greenfield.getCurrentClient().GnfdCompositeClient()
+	resp, err := client.VerifyPermission(ctx, &storagetypes.QueryVerifyPermissionRequest{
+		Operator:   account,
+		BucketName: bucket,
+		ObjectName: object,
+		ActionType: permissiontypes.ACTION_CREATE_OBJECT,
+	})
+	if err != nil {
+		log.Errorw("failed to verify put object permission", "account", account, "error", err)
+		return false, err
+	}
+	if resp.GetEffect() == permissiontypes.EFFECT_ALLOW {
+		return true, err
+	}
+	return false, err
+}
diff --git a/service/gateway/request_util.go b/service/gateway/request_util.go
@@ -259,10 +259,10 @@ func (g *Gateway) checkAuthorization(reqContext *requestContext, addr sdk.AccAdd
 				"object_status", reqContext.objectInfo.GetObjectStatus())
 			return errors.ErrCheckObjectCreated
 		}
-		if reqContext.objectInfo.GetOwner() != addr.String() {
-			log.Errorw("failed to auth due to account is not equal to object owner",
-				"object_owner", reqContext.objectInfo.GetOwner(),
-				"request_address", addr.String())
+		if isAllow, err := g.chain.VerifyPutObjectPermission(context.Background(), addr.String(),
+			reqContext.bucketName, reqContext.objectName); !isAllow || err != nil {
+			log.Errorw("failed to auth due to verify permission",
+				"is_allow", isAllow, "error", err)
 			return errors.ErrNoPermission
 		}
 		if reqContext.bucketInfo.GetPrimarySpAddress() != g.config.SpOperatorAddress {