From bbf8b8e74dada4d0911fef1f6c0a3f8405276514 Mon Sep 17 00:00:00 2001
From: Evgenii Stratonikov
Date: Wed, 8 Jun 2022 11:53:15 +0300
Subject: [PATCH] [#1494] services/object: Do not ignore bearer token decode errors
Signed-off-by: Evgenii Stratonikov
---
 pkg/services/object/acl/v2/service.go | 49 +++++++++++++++++++++----
 pkg/services/object/acl/v2/util.go | 8 ++--
 pkg/services/object/acl/v2/util_test.go | 25 +++++++++----
 pkg/services/object/util/prm.go | 5 ++-
 4 files changed, 67 insertions(+), 20 deletions(-)
diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
index 55756f147..4c9b4f223 100644
--- a/pkg/services/object/acl/v2/service.go
+++ b/pkg/services/object/acl/v2/service.go
@@ -118,10 +118,15 @@ func (b Service) Get(request *objectV2.GetRequest, stream object.GetObjectStream
 return err
 }
 
+ bTok, err := originalBearerToken(request.GetMetaHeader())
+ if err != nil {
+ return err
+ }
+
 req := MetaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: originalBearerToken(request.GetMetaHeader()),
+ bearer: bTok,
 src: request,
 }
 
@@ -172,10 +177,15 @@ func (b Service) Head(
 return nil, err
 }
 
+ bTok, err := originalBearerToken(request.GetMetaHeader())
+ if err != nil {
+ return nil, err
+ }
+
 req := MetaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: originalBearerToken(request.GetMetaHeader()),
+ bearer: bTok,
 src: request,
 }
 
@@ -218,10 +228,15 @@ func (b Service) Search(request *objectV2.SearchRequest, stream object.SearchStr
 return err
 }
 
+ bTok, err := originalBearerToken(request.GetMetaHeader())
+ if err != nil {
+ return err
+ }
+
 req := MetaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: originalBearerToken(request.GetMetaHeader()),
+ bearer: bTok,
 src: request,
 }
 
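Review bot: The decode error from `originalBearerToken` is returned bare at the new `if err != nil` in Get (and in the identical blocks added to Head, Search, Delete, GetRange, GetRangeHash and the Put stream checker), while the prm.go hunk of this same commit wraps the equivalent failure as `fmt.Errorf("invalid bearer token: %w", err)`; here a caller cannot distinguish a malformed bearer token from the session-token failure returned two lines above. Wrapping consistently, `return fmt.Errorf("invalid bearer token: %w", err)`, keeps diagnostics uniform across both paths, assuming `fmt` is already imported in service.go (the import block is outside the hunk). The seven copies of the fetch-check-build sequence are also a candidate for one helper that builds the MetaWithToken and returns the error, so that a future handler cannot accidentally drop the check. The enclosing Get method starts and ends outside the hunk.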
@@ -261,10 +276,15 @@ func (b Service) Delete(
 return nil, err
 }
 
+ bTok, err := originalBearerToken(request.GetMetaHeader())
+ if err != nil {
+ return nil, err
+ }
+
 req := MetaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: originalBearerToken(request.GetMetaHeader()),
+ bearer: bTok,
 src: request,
 }
 
@@ -300,10 +320,15 @@ func (b Service) GetRange(request *objectV2.GetRangeRequest, stream object.GetOb
 return err
 }
 
+ bTok, err := originalBearerToken(request.GetMetaHeader())
+ if err != nil {
+ return err
+ }
+
 req := MetaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: originalBearerToken(request.GetMetaHeader()),
+ bearer: bTok,
 src: request,
 }
 
@@ -344,10 +369,15 @@ func (b Service) GetRangeHash(
 return nil, err
 }
 
+ bTok, err := originalBearerToken(request.GetMetaHeader())
+ if err != nil {
+ return nil, err
+ }
+
 req := MetaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: originalBearerToken(request.GetMetaHeader()),
+ bearer: bTok,
 src: request,
 }
 
@@ -408,10 +438,15 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
 }
 }
 
+ bTok, err := originalBearerToken(request.GetMetaHeader())
+ if err != nil {
+ return err
+ }
+
 req := MetaWithToken{
 vheader: request.GetVerificationHeader(),
 token: sTok,
- bearer: originalBearerToken(request.GetMetaHeader()),
+ bearer: bTok,
 src: request,
 }
 
diff --git a/pkg/services/object/acl/v2/util.go b/pkg/services/object/acl/v2/util.go
index 31d047e42..706ede4e5 100644
--- a/pkg/services/object/acl/v2/util.go
+++ b/pkg/services/object/acl/v2/util.go
@@ -57,20 +57,18 @@ func getContainerIDFromRequest(req interface{}) (cid.ID, error) {
 
 // originalBearerToken goes down to original request meta header and fetches
 // bearer token from there.
-func originalBearerToken(header *sessionV2.RequestMetaHeader) *bearer.Token {
+func originalBearerToken(header *sessionV2.RequestMetaHeader) (*bearer.Token, error) {
 for header.GetOrigin() != nil {
 header = header.GetOrigin()
 }
 
 tokV2 := header.GetBearerToken()
 if tokV2 == nil {
- return nil
+ return nil, nil
 }
 
 var tok bearer.Token
- tok.ReadFromV2(*tokV2)
-
- return &tok
+ return &tok, tok.ReadFromV2(*tokV2)
 }
 
 // originalSessionToken goes down to original request meta header and fetches
diff --git a/pkg/services/object/acl/v2/util_test.go b/pkg/services/object/acl/v2/util_test.go
index 2ad72e2be..15321d8b8 100644
--- a/pkg/services/object/acl/v2/util_test.go
+++ b/pkg/services/object/acl/v2/util_test.go
@@ -1,12 +1,14 @@
 package v2
 
 import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
 "testing"
 
 "github.com/nspcc-dev/neofs-api-go/v2/acl"
- acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
 "github.com/nspcc-dev/neofs-api-go/v2/session"
- "github.com/nspcc-dev/neofs-sdk-go/bearer"
+ bearertest "github.com/nspcc-dev/neofs-sdk-go/bearer/test"
 "github.com/nspcc-dev/neofs-sdk-go/eacl"
 sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
 sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
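Review bot: `return &tok, tok.ReadFromV2(*tokV2)` hands back a partially decoded token together with the error, so any caller that looks at the token before the error acts on a half-filled bearer token; return nil on failure instead: `if err := tok.ReadFromV2(*tokV2); err != nil { return nil, err }` followed by `return &tok, nil`. The doc comment above the changed signature still describes only the lookup and should state the new contract, for example `// It returns (nil, nil) when no bearer token is attached and a non-nil error when the attached token fails to decode.` The callers in service.go visible in this patch do check the error first, so the change is defensive rather than a live bug.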
@@ -15,20 +17,29 @@ import (
 
 func TestOriginalTokens(t *testing.T) {
 sToken := sessiontest.ObjectSigned()
- bTokenV2 := acltest.GenerateBearerToken(false)
+ bToken := bearertest.Token()
 
- var bToken bearer.Token
- bToken.ReadFromV2(*bTokenV2)
+ pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ require.NoError(t, bToken.Sign(*pk))
+
+ var bTokenV2 acl.BearerToken
+ bToken.WriteToV2(&bTokenV2)
+ // This line is needed because SDK uses some custom format for
+ // reserved filters, so `cid.ID` is not converted to string immediately.
+ require.NoError(t, bToken.ReadFromV2(bTokenV2))
 
 var sTokenV2 session.Token
 sToken.WriteToV2(&sTokenV2)
 
 for i := 0; i < 10; i++ {
- metaHeaders := testGenerateMetaHeader(uint32(i), bTokenV2, &sTokenV2)
+ metaHeaders := testGenerateMetaHeader(uint32(i), &bTokenV2, &sTokenV2)
 res, err := originalSessionToken(metaHeaders)
 require.NoError(t, err)
 require.Equal(t, sToken, res, i)
- require.Equal(t, &bToken, originalBearerToken(metaHeaders), i)
+
+ bTok, err := originalBearerToken(metaHeaders)
+ require.NoError(t, err)
+ require.Equal(t, &bToken, bTok, i)
 }
 }
 
diff --git a/pkg/services/object/util/prm.go b/pkg/services/object/util/prm.go
index 9b577c4d4..80dd84b01 100644
--- a/pkg/services/object/util/prm.go
+++ b/pkg/services/object/util/prm.go
@@ -127,7 +127,10 @@ func CommonPrmFromV2(req interface {
 
 if tok := meta.GetBearerToken(); tok != nil {
 prm.bearer = new(bearer.Token)
- prm.bearer.ReadFromV2(*tok)
+ err = prm.bearer.ReadFromV2(*tok)
+ if err != nil {
+ return nil, fmt.Errorf("invalid bearer token: %w", err)
+ }
 }
 
 for i := range xHdrs {
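Review bot: The test still exercises only a well-formed, signed token, so the behaviour this commit introduces, a decode failure surfacing as an error from `originalBearerToken`, has no coverage; add a case that places a deliberately malformed `acl.BearerToken` (whatever shape `ReadFromV2` rejects, e.g. an empty body or a mangled signature produced after `WriteToV2`) into the meta header and asserts `require.Error(t, err)` together with `require.Nil(t, bTok)`. The new `pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` discards the key-generation error, and a nil `pk` would then panic at `*pk` with an unhelpful message; prefer `pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` followed by `require.NoError(t, err)`. The two-line comment before the re-read would serve better as a why-comment on the round trip itself, e.g. `// Round-trip through V2 so the in-memory token equals what originalBearerToken decodes.`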
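Review bot: `err = prm.bearer.ReadFromV2(*tok)` assigns to an `err` declared somewhere earlier in CommonPrmFromV2 (the function starts and ends outside the hunk), so the check silently depends on that outer variable; scoping it to the statement, `if err := prm.bearer.ReadFromV2(*tok); err != nil {`, removes the dependency and any risk of a later shadowing mistake. `prm.bearer` is also left pointing at a partially decoded token on the error path; this is harmless because `nil` is returned, but a one-line comment such as `// prm is discarded on error, so the half-filled bearer token is never observed.` would make that deliberate. Whether `fmt` is already imported in prm.go cannot be seen from the hunk.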