From 0504c3e0c6ff57fce505ac2174bc73f3fb6b9e13 Mon Sep 17 00:00:00 2001
From: Evgenii Stratonikov
Date: Tue, 29 Mar 2022 14:46:37 +0300
Subject: [PATCH] [#1266] object/acl: Check bearer token container ID

If the container ID is not nil and not equal to the container ID in the request, consider bearer token invalid. See also nspcc-dev/neofs-api#207.

Signed-off-by: Evgenii Stratonikov
---
 pkg/services/object/acl/acl.go | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index 69458527a..370c250ed 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -60,11 +60,12 @@ type Checker struct {
 
 // Various EACL check errors.
 var (
-	errEACLDeniedByRule = errors.New("denied by rule")
-	errBearerExpired = errors.New("bearer token has expired")
-	errBearerInvalidSignature = errors.New("bearer token has invalid signature")
-	errBearerNotSignedByOwner = errors.New("bearer token is not signed by the container owner")
-	errBearerInvalidOwner = errors.New("bearer token owner differs from the request sender")
+	errEACLDeniedByRule = errors.New("denied by rule")
+	errBearerExpired = errors.New("bearer token has expired")
+	errBearerInvalidSignature = errors.New("bearer token has invalid signature")
+	errBearerInvalidContainerID = errors.New("bearer token was created for another container")
+	errBearerNotSignedByOwner = errors.New("bearer token is not signed by the container owner")
+	errBearerInvalidOwner = errors.New("bearer token owner differs from the request sender")
 )
 
 // NewChecker creates Checker.
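Review bot: The new sentinel errBearerInvalidContainerID declared in this hunk is only returned by the container-ID check added to isValidBearer in the second hunk, and the diffstat shows the patch touches only acl.go, so neither the rejection path (token bound to a different container) nor the pass-through path (no container ID set, any container accepted) is covered by a test. A table test for isValidBearer that presents a token carrying one container ID against a request for another and asserts `errors.Is(err, errBearerInvalidContainerID)`, plus a case with no container ID set that still reaches the owner-signature step, would pin the behavior. The comment on the new step, `// 3. Then check if container is either empty or equal to the container in the request.`, should make the wildcard explicit, e.g. `// 3. A token without a container ID is valid for any container; one with a container ID must match the request's.`, since an unset ID widening a token's scope is easy to misread as an oversight. Whether reqInfo.ContainerID() can itself be unset and how Equals treats that case is not visible in this patch.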
@@ -225,13 +226,19 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
 		return errBearerInvalidSignature
 	}
 
-	// 3. Then check if container owner signed this token.
+	// 3. Then check if container is either empty or equal to the container in the request.
+	cnr, isSet := token.EACLTable().CID()
+	if isSet && !cnr.Equals(reqInfo.ContainerID()) {
+		return errBearerInvalidContainerID
+	}
+
+	// 4. Then check if container owner signed this token.
 	if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
 		// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
 		return errBearerNotSignedByOwner
 	}
 
-	// 4. Then check if request sender has rights to use this token.
+	// 5. Then check if request sender has rights to use this token.
 	var keySender neofsecdsa.PublicKey
 	err := keySender.Decode(reqInfo.SenderKey())