TrueCloudLab/frostfs-node
20
1
Fork 28
Code Issues 106 Pull requests 4 Projects Releases 2 Packages 4 Activity Actions

[#1721] object: Make CheckAPE always validate bearer token
All checks were successful
Vulncheck / Vulncheck (push) Successful in 1m13s
Details
Pre-commit hooks / Pre-commit (push) Successful in 1m42s
Details
Build / Build Components (push) Successful in 1m53s
Details
Tests and linters / gopls check (push) Successful in 3m39s
Details
Tests and linters / Run gofumpt (push) Successful in 3m49s
Details
Tests and linters / Tests (push) Successful in 3m54s
Details
Tests and linters / Staticcheck (push) Successful in 4m8s
Details
Tests and linters / Lint (push) Successful in 4m16s
Details
OCI image / Build container images (push) Successful in 5m0s
Details
Tests and linters / Tests with -race (push) Successful in 5m18s
Details

Browse source 
* The bearer token must always be validated, regardless of whether it has been impersonated;
* Fix unit-tests for tree service which check verification with bearer token.

Close #1721

Change-Id: I5f715c498ae10b2e758244e60b8f21849328a04f
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2025-04-22 18:14:00 +03:00
parent 6bdbe6a18b
commit b0f39dca16
2 changed files with 35 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
pkg/services/common/ape/checker.go
View file

@ -73,14 +73,18 @@ func New(localOverrideStorage policyengine.LocalOverrideStorage, morphChainStora
// CheckAPE performs the common policy-engine check logic on a prepared request. // CheckAPE performs the common policy-engine check logic on a prepared request.
func (c *checkerCoreImpl) CheckAPE(ctx context.Context, prm CheckPrm) error { func (c *checkerCoreImpl) CheckAPE(ctx context.Context, prm CheckPrm) error {
var cr policyengine.ChainRouter var cr policyengine.ChainRouter
if prm.BearerToken != nil && !prm.BearerToken.Impersonate() { if prm.BearerToken != nil {
var err error var err error
if err = isValidBearer(prm.BearerToken, prm.ContainerOwner, prm.Container, prm.PublicKey, c.State); err != nil { if err = isValidBearer(prm.BearerToken, prm.ContainerOwner, prm.Container, prm.PublicKey, c.State); err != nil {
return fmt.Errorf("bearer validation error: %w", err) return fmt.Errorf("bearer validation error: %w", err)
} }
cr, err = router.BearerChainFeedRouter(c.LocalOverrideStorage, c.MorphChainStorage, prm.BearerToken.APEOverride()) if prm.BearerToken.Impersonate() {
if err != nil { cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)
return fmt.Errorf("create chain router error: %w", err) } else {
cr, err = router.BearerChainFeedRouter(c.LocalOverrideStorage, c.MorphChainStorage, prm.BearerToken.APEOverride())
if err != nil {
return fmt.Errorf("create chain router error: %w", err)
}
} }
} else { } else {
cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage) cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)

28
pkg/services/tree/signature_test.go
View file

@ -238,14 +238,40 @@ func TestMessageSign(t *testing.T) {
t.Run("impersonate", func(t *testing.T) { t.Run("impersonate", func(t *testing.T) {
cnr.Value.SetBasicACL(acl.PublicRWExtended) cnr.Value.SetBasicACL(acl.PublicRWExtended)
var bt bearer.Token var bt bearer.Token
bt.SetExp(10)
bt.SetImpersonate(true) bt.SetImpersonate(true)
bt.SetAPEOverride(bearer.APEOverride{
Target: ape.ChainTarget{
TargetType: ape.TargetTypeContainer,
Name: cid1.EncodeToString(),
},
Chains: []ape.Chain{},
})
require.NoError(t, bt.Sign(privs[0].PrivateKey))
req.Body.BearerToken = bt.Marshal()
require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
})
t.Run("impersonate but invalid signer", func(t *testing.T) {
var bt bearer.Token
bt.SetExp(10)
bt.SetImpersonate(true)
bt.SetAPEOverride(bearer.APEOverride{
Target: ape.ChainTarget{
TargetType: ape.TargetTypeContainer,
Name: cid1.EncodeToString(),
},
Chains: []ape.Chain{},
})
require.NoError(t, bt.Sign(privs[1].PrivateKey)) require.NoError(t, bt.Sign(privs[1].PrivateKey))
req.Body.BearerToken = bt.Marshal() req.Body.BearerToken = bt.Marshal()
require.NoError(t, SignMessage(req, &privs[0].PrivateKey)) require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut)) require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet)) require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
}) })
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey()) bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())