[#1218] tree: Fix bearer token validation
All checks were successful
DCO action / DCO (pull_request) Successful in 2m47s
Vulncheck / Vulncheck (pull_request) Successful in 3m37s
Build / Build Components (1.21) (pull_request) Successful in 8m56s
Build / Build Components (1.22) (pull_request) Successful in 8m50s
Tests and linters / gopls check (pull_request) Successful in 10m12s
Tests and linters / Lint (pull_request) Successful in 11m52s
Pre-commit hooks / Pre-commit (pull_request) Successful in 13m34s
Tests and linters / Tests with -race (pull_request) Successful in 14m1s
Tests and linters / Tests (1.21) (pull_request) Successful in 14m40s
Tests and linters / Tests (1.22) (pull_request) Successful in 14m39s
Tests and linters / Staticcheck (pull_request) Successful in 14m28s

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2024-07-02 13:10:32 +03:00
parent 1db4b0e020
commit b02370a789

View file

@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
return nil return nil
} }
// 1. First check token lifetime. Simplest verification. // First check token lifetime. Simplest verification.
if token.InvalidAt(st.CurrentEpoch()) { if token.InvalidAt(st.CurrentEpoch()) {
return errBearerExpired return errBearerExpired
} }
// 2. Then check if bearer token is signed correctly. // Then check if bearer token is signed correctly.
if !token.VerifySignature() { if !token.VerifySignature() {
return errBearerInvalidSignature return errBearerInvalidSignature
} }
// 3. Then check if container is either empty or equal to the container in the request. // Check for ape overrides defined in the bearer token.
apeOverride := token.APEOverride() apeOverride := token.APEOverride()
if apeOverride.Target.TargetType != ape.TargetTypeContainer { if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
return errInvalidTargetType return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
} }
// Then check if container is either empty or equal to the container in the request.
var targetCnr cid.ID var targetCnr cid.ID
err := targetCnr.DecodeString(apeOverride.Target.Name) err := targetCnr.DecodeString(apeOverride.Target.Name)
if err != nil { if err != nil {
@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
return errBearerInvalidContainerID return errBearerInvalidContainerID
} }
// 4. Then check if container owner signed this token. // Then check if container owner signed this token.
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) { if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
return errBearerNotSignedByOwner return errBearerNotSignedByOwner
} }
// 5. Then check if request sender has rights to use this token. // Then check if request sender has rights to use this token.
var usrSender user.ID var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey)) user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))