[#1266] object/acl: Check bearer token container ID

If the container ID is not nil and not equal to the container ID in the
request, consider bearer token invalid.

See also nspcc-dev/neofs-api#207.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
Evgenii Stratonikov 2022-03-29 14:46:37 +03:00 committed by fyrchik
parent 3a2c025843
commit 0504c3e0c6

View file

@ -60,11 +60,12 @@ type Checker struct {
// Various EACL check errors. // Various EACL check errors.
var ( var (
errEACLDeniedByRule = errors.New("denied by rule") errEACLDeniedByRule = errors.New("denied by rule")
errBearerExpired = errors.New("bearer token has expired") errBearerExpired = errors.New("bearer token has expired")
errBearerInvalidSignature = errors.New("bearer token has invalid signature") errBearerInvalidSignature = errors.New("bearer token has invalid signature")
errBearerNotSignedByOwner = errors.New("bearer token is not signed by the container owner") errBearerInvalidContainerID = errors.New("bearer token was created for another container")
errBearerInvalidOwner = errors.New("bearer token owner differs from the request sender") errBearerNotSignedByOwner = errors.New("bearer token is not signed by the container owner")
errBearerInvalidOwner = errors.New("bearer token owner differs from the request sender")
) )
// NewChecker creates Checker. // NewChecker creates Checker.
@ -225,13 +226,19 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
return errBearerInvalidSignature return errBearerInvalidSignature
} }
// 3. Then check if container owner signed this token. // 3. Then check if container is either empty or equal to the container in the request.
cnr, isSet := token.EACLTable().CID()
if isSet && !cnr.Equals(reqInfo.ContainerID()) {
return errBearerInvalidContainerID
}
// 4. Then check if container owner signed this token.
if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) { if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again // TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
return errBearerNotSignedByOwner return errBearerNotSignedByOwner
} }
// 4. Then check if request sender has rights to use this token. // 5. Then check if request sender has rights to use this token.
var keySender neofsecdsa.PublicKey var keySender neofsecdsa.PublicKey
err := keySender.Decode(reqInfo.SenderKey()) err := keySender.Decode(reqInfo.SenderKey())