[#1266] object/acl: Check bearer token container ID
If the container ID is not nil and not equal to the container ID in the request, consider the bearer token invalid. See also nspcc-dev/neofs-api#207. Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
parent
3a2c025843
commit
0504c3e0c6
1 changed files with 14 additions and 7 deletions
|
@ -60,11 +60,12 @@ type Checker struct {
|
||||||
|
|
||||||
// Various EACL check errors.
|
// Various EACL check errors.
|
||||||
var (
|
var (
|
||||||
errEACLDeniedByRule = errors.New("denied by rule")
|
errEACLDeniedByRule = errors.New("denied by rule")
|
||||||
errBearerExpired = errors.New("bearer token has expired")
|
errBearerExpired = errors.New("bearer token has expired")
|
||||||
errBearerInvalidSignature = errors.New("bearer token has invalid signature")
|
errBearerInvalidSignature = errors.New("bearer token has invalid signature")
|
||||||
errBearerNotSignedByOwner = errors.New("bearer token is not signed by the container owner")
|
errBearerInvalidContainerID = errors.New("bearer token was created for another container")
|
||||||
errBearerInvalidOwner = errors.New("bearer token owner differs from the request sender")
|
errBearerNotSignedByOwner = errors.New("bearer token is not signed by the container owner")
|
||||||
|
errBearerInvalidOwner = errors.New("bearer token owner differs from the request sender")
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewChecker creates Checker.
|
// NewChecker creates Checker.
|
||||||
|
@ -225,13 +226,19 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
|
||||||
return errBearerInvalidSignature
|
return errBearerInvalidSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Then check if container owner signed this token.
|
// 3. Then check if container is either empty or equal to the container in the request.
|
||||||
|
cnr, isSet := token.EACLTable().CID()
|
||||||
|
if isSet && !cnr.Equals(reqInfo.ContainerID()) {
|
||||||
|
return errBearerInvalidContainerID
|
||||||
|
}
|
||||||
|
|
||||||
|
// 4. Then check if container owner signed this token.
|
||||||
if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
|
if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
|
||||||
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
||||||
return errBearerNotSignedByOwner
|
return errBearerNotSignedByOwner
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4. Then check if request sender has rights to use this token.
|
// 5. Then check if request sender has rights to use this token.
|
||||||
var keySender neofsecdsa.PublicKey
|
var keySender neofsecdsa.PublicKey
|
||||||
|
|
||||||
err := keySender.Decode(reqInfo.SenderKey())
|
err := keySender.Decode(reqInfo.SenderKey())
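Review bot: The new rejection path in isValidBearer (`return errBearerInvalidContainerID` behind the `isSet && !cnr.Equals(...)` guard) has no accompanying test — the diffstat shows a single changed file, so neither the mismatch case nor the accept-when-unset case is pinned. The unset case deserves an explicit comment, since a token that carries no container ID now passes this step for every container and is bounded only by the issuer check in step 4; I would extend the step-3 comment to `// 3. A token with no container ID is accepted for any container; otherwise it must name the request's container.` Whether `reqInfo.ContainerID()` can itself be unset for some request types is not visible in this hunk, and if it can, the `Equals` comparison against an unset request ID should be checked as well. isValidBearer starts and ends outside the hunk.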
|
||||||
|
|