[#1721] object: Make CheckAPE always validate bearer token
All checks were successful
Vulncheck / Vulncheck (push) Successful in 1m13s
Pre-commit hooks / Pre-commit (push) Successful in 1m42s
Build / Build Components (push) Successful in 1m53s
Tests and linters / gopls check (push) Successful in 3m39s
Tests and linters / Run gofumpt (push) Successful in 3m49s
Tests and linters / Tests (push) Successful in 3m54s
Tests and linters / Staticcheck (push) Successful in 4m8s
Tests and linters / Lint (push) Successful in 4m16s
OCI image / Build container images (push) Successful in 5m0s
Tests and linters / Tests with -race (push) Successful in 5m18s
All checks were successful
Vulncheck / Vulncheck (push) Successful in 1m13s
Pre-commit hooks / Pre-commit (push) Successful in 1m42s
Build / Build Components (push) Successful in 1m53s
Tests and linters / gopls check (push) Successful in 3m39s
Tests and linters / Run gofumpt (push) Successful in 3m49s
Tests and linters / Tests (push) Successful in 3m54s
Tests and linters / Staticcheck (push) Successful in 4m8s
Tests and linters / Lint (push) Successful in 4m16s
OCI image / Build container images (push) Successful in 5m0s
Tests and linters / Tests with -race (push) Successful in 5m18s
* The bearer token must always be validated, regardless of whether it has been impersonated; * Fix unit-tests for tree service which check verification with bearer token. Close #1721 Change-Id: I5f715c498ae10b2e758244e60b8f21849328a04f Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
6bdbe6a18b
commit
b0f39dca16
2 changed files with 35 additions and 5 deletions
|
|
@ -73,14 +73,18 @@ func New(localOverrideStorage policyengine.LocalOverrideStorage, morphChainStora
|
|||
// CheckAPE performs the common policy-engine check logic on a prepared request.
|
||||
func (c *checkerCoreImpl) CheckAPE(ctx context.Context, prm CheckPrm) error {
|
||||
var cr policyengine.ChainRouter
|
||||
if prm.BearerToken != nil && !prm.BearerToken.Impersonate() {
|
||||
if prm.BearerToken != nil {
|
||||
var err error
|
||||
if err = isValidBearer(prm.BearerToken, prm.ContainerOwner, prm.Container, prm.PublicKey, c.State); err != nil {
|
||||
return fmt.Errorf("bearer validation error: %w", err)
|
||||
}
|
||||
cr, err = router.BearerChainFeedRouter(c.LocalOverrideStorage, c.MorphChainStorage, prm.BearerToken.APEOverride())
|
||||
if err != nil {
|
||||
return fmt.Errorf("create chain router error: %w", err)
|
||||
if prm.BearerToken.Impersonate() {
|
||||
cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)
|
||||
} else {
|
||||
cr, err = router.BearerChainFeedRouter(c.LocalOverrideStorage, c.MorphChainStorage, prm.BearerToken.APEOverride())
|
||||
if err != nil {
|
||||
return fmt.Errorf("create chain router error: %w", err)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue