[#899] containerSvc: Fix invalid session token type

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Dmitrii Stepanov 2024-01-10 18:37:54 +03:00
parent 79bebe4a68
commit 5c0a736a25
2 changed files with 11 additions and 9 deletions


@ -35,6 +35,8 @@ var (
errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner")
errEmptyBodySignature = errors.New("malformed request: empty body signature")
errMissingOwnerID = errors.New("malformed request: missing owner ID")
undefinedContainerID = cid.ID{}
)
type ir interface {
@ -196,7 +198,7 @@ func (ac *apeChecker) getRoleWithoutContainerID(oID *refs.OwnerID, mh *session.R
return "", nil, err
}
actor, pk, err := ac.getActorAndPublicKey(mh, vh, cid.ID{})
actor, pk, err := ac.getActorAndPublicKey(mh, vh, undefinedContainerID)
if err != nil {
return "", nil, err
}
@ -403,7 +405,7 @@ func (ac *apeChecker) getActorAndPKFromSignature(vh *session.RequestVerification
return &userID, key, nil
}
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Object, error) {
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Container, error) {
for mh.GetOrigin() != nil {
mh = mh.GetOrigin()
}
@ -412,7 +414,7 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
return nil, nil
}
var tok sessionSDK.Object
var tok sessionSDK.Container
err := tok.ReadFromV2(*st)
if err != nil {
return nil, fmt.Errorf("invalid session token: %w", err)
@ -421,8 +423,8 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
return &tok, nil
}
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Object, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
if !st.AssertContainer(cnrID) {
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Container, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
if cnrID != undefinedContainerID && !st.AppliedTo(cnrID) {
return nil, nil, errSessionContainerMissmatch
}
if !st.VerifySignature() {
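Review bot: The new guard in getActorAndPKFromSessionToken, `cnrID != undefinedContainerID && !st.AppliedTo(cnrID)`, skips the container-binding check whenever the caller passes the zero ID. A session token restricted to one container with `ApplyOnlyTo` therefore appears to be accepted on the getRoleWithoutContainerID path too, which is wider than the token's issuer asked for. If that is intended because such requests carry no container ID, say so on the condition, e.g. `// zero cnrID: request has no container ID, so the token's container binding cannot be matched here`; otherwise reject tokens bound to a specific container on that path. No verb check on the container session token is visible in these hunks, but the function body continues past the hunk, so that may be handled below. `undefinedContainerID` is also a mutable package-level var grouped with the error sentinels, and a one-line comment naming it as the "no container in request" sentinel would keep it from being reassigned or misread.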


@ -253,8 +253,8 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
sessionPK, err := keys.NewPrivateKey()
require.NoError(t, err)
sToken := sessiontest.ObjectSigned()
sToken.BindContainer(contID)
sToken := sessiontest.ContainerSigned()
sToken.ApplyOnlyTo(contID)
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
var sTokenV2 session.Token
sToken.WriteToV2(&sTokenV2)
@ -325,8 +325,8 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
sessionPK, err := keys.NewPrivateKey()
require.NoError(t, err)
sToken := sessiontest.ObjectSigned()
sToken.BindContainer(cid.ID{})
sToken := sessiontest.ContainerSigned()
sToken.ApplyOnlyTo(cid.ID{})
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
var sTokenV2 session.Token
sToken.WriteToV2(&sTokenV2)
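Review bot: These hunks only swap the token type, so nothing in them exercises the new branch that skips `AppliedTo` when the request has no container ID. In testDenyPutContainerForOthersSessionToken, `sToken.ApplyOnlyTo(cid.ID{})` binds the token to the zero ID, which coincides with the `undefinedContainerID` sentinel, so the test cannot tell "token bound to another container" from "token not bound". Consider a case where the token is bound to a real container ID and presented on a container-less request, and one where the bound ID differs from the request's container and `errSessionContainerMissmatch` is expected. Both test functions start and end outside the hunks shown, so such cases may already exist elsewhere in the file.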