[#1721] object: Make CheckAPE always validate bearer token

* The bearer token must always be validated, regardless of whether it has been impersonated; * Fix unit-tests for tree service which check verification with bearer token. Close #1721 Change-Id: I5f715c498ae10b2e758244e60b8f21849328a04f Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2025-04-22 18:14:00 +03:00 · 2025-04-22 18:14:00 +03:00 · b0f39dca16
commit b0f39dca16
parent 6bdbe6a18b
2 changed files with 35 additions and 5 deletions
--- a/pkg/services/common/ape/checker.go
+++ b/pkg/services/common/ape/checker.go
@ -73,15 +73,19 @@ func New(localOverrideStorage policyengine.LocalOverrideStorage, morphChainStora
 // CheckAPE performs the common policy-engine check logic on a prepared request.
 func (c *checkerCoreImpl) CheckAPE(ctx context.Context, prm CheckPrm) error {
 	var cr policyengine.ChainRouter
-	if prm.BearerToken != nil && !prm.BearerToken.Impersonate() {
+	if prm.BearerToken != nil {
 		var err error
 		if err = isValidBearer(prm.BearerToken, prm.ContainerOwner, prm.Container, prm.PublicKey, c.State); err != nil {
 			return fmt.Errorf("bearer validation error: %w", err)
 		}
+		if prm.BearerToken.Impersonate() {
+			cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)
+		} else {
 			cr, err = router.BearerChainFeedRouter(c.LocalOverrideStorage, c.MorphChainStorage, prm.BearerToken.APEOverride())
 			if err != nil {
 				return fmt.Errorf("create chain router error: %w", err)
 			}
+		}
 	} else {
 		cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)
 	}
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@ -238,14 +238,40 @@ func TestMessageSign(t *testing.T) {
 		t.Run("impersonate", func(t *testing.T) {
 			cnr.Value.SetBasicACL(acl.PublicRWExtended)
 			var bt bearer.Token
+			bt.SetExp(10)
 			bt.SetImpersonate(true)
+			bt.SetAPEOverride(bearer.APEOverride{
+				Target: ape.ChainTarget{
+					TargetType: ape.TargetTypeContainer,
+					Name:       cid1.EncodeToString(),
+				},
+				Chains: []ape.Chain{},
+			})
+			require.NoError(t, bt.Sign(privs[0].PrivateKey))
+			req.Body.BearerToken = bt.Marshal()

+			require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+		})
+
+		t.Run("impersonate but invalid signer", func(t *testing.T) {
+			var bt bearer.Token
+			bt.SetExp(10)
+			bt.SetImpersonate(true)
+			bt.SetAPEOverride(bearer.APEOverride{
+				Target: ape.ChainTarget{
+					TargetType: ape.TargetTypeContainer,
+					Name:       cid1.EncodeToString(),
+				},
+				Chains: []ape.Chain{},
+			})
 			require.NoError(t, bt.Sign(privs[1].PrivateKey))
 			req.Body.BearerToken = bt.Marshal()

 			require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
 			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
-			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+			require.Error(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})

 		bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())