TrueCloudLab/frostfs-node
20
1
Fork 28
Code Issues 107 Pull requests 4 Projects Releases 2 Packages 4 Activity Actions

[#1689] ape: Fix bearer token validation
All checks were successful
Vulncheck / Vulncheck (push) Successful in 1m12s
Details
Pre-commit hooks / Pre-commit (push) Successful in 1m32s
Details
Build / Build Components (push) Successful in 1m47s
Details
Tests and linters / Lint (push) Successful in 3m25s
Details
Tests and linters / Run gofumpt (push) Successful in 3m18s
Details
Tests and linters / Tests (push) Successful in 3m26s
Details
Tests and linters / Staticcheck (push) Successful in 3m28s
Details
Tests and linters / Tests with -race (push) Successful in 3m50s
Details
Tests and linters / gopls check (push) Successful in 3m54s
Details
OCI image / Build container images (push) Successful in 4m6s
Details

Browse source 
* Request's sender is set to the token's issuer's public key if
  it's impersonated. Thus, token's user assertion must be fixed;
* Add unit-test: check impersonated token but set user with `ForUser`.

Change-Id: I5e299947761e237b1b4b339cf2d1278ef518239d
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2025-05-05 16:33:07 +03:00
parent 6cedfbc17a
commit a5f76a609d
2 changed files with 34 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
pkg/services/common/ape/checker.go
View file

@ -157,9 +157,17 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
// Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's
// public key, but not the actual sender.
if !token.Impersonate() {
if !token.AssertUser(usrSender) {
return errBearerInvalidOwner
}
} else {
if !bearer.ResolveIssuer(*token).Equals(usrSender) {
return errBearerInvalidOwner
}
}
return nil
}

24
pkg/services/tree/signature_test.go
View file

@ -297,6 +297,30 @@ func TestMessageSign(t *testing.T) {
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
})
t.Run("impersonate, but target user is still set", func(t *testing.T) {
var bt bearer.Token
bt.SetExp(10)
bt.SetImpersonate(true)
var reqSigner user.ID
user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*privs[1].PublicKey()))
bt.ForUser(reqSigner)
bt.SetAPEOverride(bearer.APEOverride{
Target: ape.ChainTarget{
TargetType: ape.TargetTypeContainer,
Name: cid1.EncodeToString(),
},
Chains: []ape.Chain{},
})
require.NoError(t, bt.Sign(privs[0].PrivateKey))
req.Body.BearerToken = bt.Marshal()
require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
})
t.Run("impersonate but invalid signer", func(t *testing.T) {
var bt bearer.Token
bt.SetExp(10)