[#1689] ape: Fix bearer token validation

* Request's sender is set to the token's issuer's public key if
  it's impersonated. Thus, token's user assertion must be fixed;
* Add unit-test: check impersonated token but set user with `ForUser`.

Change-Id: I5e299947761e237b1b4b339cf2d1278ef518239d
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2025-05-05 16:33:07 +03:00
parent 6cedfbc17a
commit a5f76a609d
2 changed files with 34 additions and 2 deletions

@ -157,8 +157,16 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
if !token.AssertUser(usrSender) {
return errBearerInvalidOwner
// Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's
// public key, but not the actual sender.
if !token.Impersonate() {
if !token.AssertUser(usrSender) {
return errBearerInvalidOwner
}
} else {
if !bearer.ResolveIssuer(*token).Equals(usrSender) {
return errBearerInvalidOwner
}
}
return nil
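Review bot: both branches of the new `if !token.Impersonate()` block return the same `errBearerInvalidOwner`, so an impersonated token whose issuer does not match the sender key is indistinguishable in logs and tests from a plain `ForUser` mismatch; consider a dedicated error (for example `errBearerInvalidIssuer`) for the `bearer.ResolveIssuer(*token).Equals(usrSender)` failure. The comment above the block is also hard to read ("the sender is set to the token's issuer's public key, but not the actual sender"); rephrase to something like "for an impersonated token the request sender is the issuer's public key, not the actual requester's", and state explicitly that `AssertUser` (the `ForUser` target) is intentionally skipped for impersonated tokens, since that is the behaviour the added unit test for an impersonated token with `ForUser` set depends on.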