[#1689] ape: Fix validation for overrides in bearer

* APE-overrides are optional for bearer. So, it should validate only set override; * Bearer can set overrides for containers, not only the one container - validation expects for any target type for set override. Basically, APE-overrides for all container must be set for namespace target; * Add unit-test cases to check bearer token validation. Change-Id: I6b8e19eb73d24f8cd8799bf99b6c551287da67d9 Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2025-04-28 20:10:09 +03:00 · 2025-04-28 20:10:09 +03:00 · 64b46746e4
commit 64b46746e4
parent 8e2f919df0
2 changed files with 78 additions and 15 deletions
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@ -235,6 +235,48 @@ func TestMessageSign(t *testing.T) {
 			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 		})

+		t.Run("omit override within bt", func(t *testing.T) {
+			t.Run("personated", func(t *testing.T) {
+				bt := testBearerTokenNoOverride()
+				require.NoError(t, bt.Sign(privs[0].PrivateKey))
+				req.Body.BearerToken = bt.Marshal()
+
+				require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
+				require.ErrorContains(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut), "expected for override")
+			})
+
+			t.Run("impersonated", func(t *testing.T) {
+				bt := testBearerTokenNoOverride()
+				bt.SetImpersonate(true)
+				require.NoError(t, bt.Sign(privs[0].PrivateKey))
+				req.Body.BearerToken = bt.Marshal()
+
+				require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
+				require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			})
+		})
+
+		t.Run("invalid override within bearer token", func(t *testing.T) {
+			t.Run("personated", func(t *testing.T) {
+				bt := testBearerTokenCorruptOverride(privs[1].PublicKey(), privs[2].PublicKey())
+				require.NoError(t, bt.Sign(privs[0].PrivateKey))
+				req.Body.BearerToken = bt.Marshal()
+
+				require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
+				require.ErrorContains(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut), "invalid cid")
+			})
+
+			t.Run("impersonated", func(t *testing.T) {
+				bt := testBearerTokenCorruptOverride(privs[1].PublicKey(), privs[2].PublicKey())
+				bt.SetImpersonate(true)
+				require.NoError(t, bt.Sign(privs[0].PrivateKey))
+				req.Body.BearerToken = bt.Marshal()
+
+				require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
+				require.ErrorContains(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut), "invalid cid")
+			})
+		})
+
 		t.Run("impersonate", func(t *testing.T) {
 			cnr.Value.SetBasicACL(acl.PublicRWExtended)
 			var bt bearer.Token
@ -311,6 +353,25 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
 	return b
 }

+func testBearerTokenCorruptOverride(forPutGet, forGet *keys.PublicKey) bearer.Token {
+	var b bearer.Token
+	b.SetExp(currentEpoch + 1)
+	b.SetAPEOverride(bearer.APEOverride{
+		Target: ape.ChainTarget{
+			TargetType: ape.TargetTypeContainer,
+		},
+		Chains: []ape.Chain{{Raw: testChain(forPutGet, forGet).Bytes()}},
+	})
+
+	return b
+}
+
+func testBearerTokenNoOverride() bearer.Token {
+	var b bearer.Token
+	b.SetExp(currentEpoch + 1)
+	return b
+}
+
 func testChain(forPutGet, forGet *keys.PublicKey) *chain.Chain {
 	ruleGet := chain.Rule{
 		Status:    chain.Allow,