[#1494] services/object: Do not ignore bearer token decode errors
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
parent
795d1e0789
commit
bbf8b8e74d
4 changed files with 67 additions and 20 deletions
|
@ -118,10 +118,15 @@ func (b Service) Get(request *objectV2.GetRequest, stream object.GetObjectStream
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bTok, err := originalBearerToken(request.GetMetaHeader())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
req := MetaWithToken{
|
req := MetaWithToken{
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: originalBearerToken(request.GetMetaHeader()),
|
bearer: bTok,
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -172,10 +177,15 @@ func (b Service) Head(
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bTok, err := originalBearerToken(request.GetMetaHeader())
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
req := MetaWithToken{
|
req := MetaWithToken{
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: originalBearerToken(request.GetMetaHeader()),
|
bearer: bTok,
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -218,10 +228,15 @@ func (b Service) Search(request *objectV2.SearchRequest, stream object.SearchStr
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bTok, err := originalBearerToken(request.GetMetaHeader())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
req := MetaWithToken{
|
req := MetaWithToken{
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: originalBearerToken(request.GetMetaHeader()),
|
bearer: bTok,
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -261,10 +276,15 @@ func (b Service) Delete(
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bTok, err := originalBearerToken(request.GetMetaHeader())
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
req := MetaWithToken{
|
req := MetaWithToken{
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: originalBearerToken(request.GetMetaHeader()),
|
bearer: bTok,
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -300,10 +320,15 @@ func (b Service) GetRange(request *objectV2.GetRangeRequest, stream object.GetOb
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bTok, err := originalBearerToken(request.GetMetaHeader())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
req := MetaWithToken{
|
req := MetaWithToken{
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: originalBearerToken(request.GetMetaHeader()),
|
bearer: bTok,
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -344,10 +369,15 @@ func (b Service) GetRangeHash(
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bTok, err := originalBearerToken(request.GetMetaHeader())
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
req := MetaWithToken{
|
req := MetaWithToken{
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: originalBearerToken(request.GetMetaHeader()),
|
bearer: bTok,
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -408,10 +438,15 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bTok, err := originalBearerToken(request.GetMetaHeader())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
req := MetaWithToken{
|
req := MetaWithToken{
|
||||||
vheader: request.GetVerificationHeader(),
|
vheader: request.GetVerificationHeader(),
|
||||||
token: sTok,
|
token: sTok,
|
||||||
bearer: originalBearerToken(request.GetMetaHeader()),
|
bearer: bTok,
|
||||||
src: request,
|
src: request,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
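Review bot: The added `if err != nil { return err }` after `originalBearerToken` passes the decode error up with no context, and the same five lines are pasted into Get, Head, Search, Delete, GetRange, GetRangeHash and putStreamBasicChecker.Send. CommonPrmFromV2 in this same commit reports the identical failure as `invalid bearer token: %w`, so a rejected request reads differently depending on which path caught the bad token. I would return `fmt.Errorf("invalid bearer token: %w", err)` at these sites (provided `fmt` is available in this file), or wrap once inside `originalBearerToken` so all seven callers agree. Each handler body starts and ends outside its hunk, so how `err` is mapped to a response status is not visible here.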
@ -57,20 +57,18 @@ func getContainerIDFromRequest(req interface{}) (cid.ID, error) {
|
||||||
|
|
||||||
// originalBearerToken goes down to original request meta header and fetches
|
// originalBearerToken goes down to original request meta header and fetches
|
||||||
// bearer token from there.
|
// bearer token from there.
|
||||||
func originalBearerToken(header *sessionV2.RequestMetaHeader) *bearer.Token {
|
func originalBearerToken(header *sessionV2.RequestMetaHeader) (*bearer.Token, error) {
|
||||||
for header.GetOrigin() != nil {
|
for header.GetOrigin() != nil {
|
||||||
header = header.GetOrigin()
|
header = header.GetOrigin()
|
||||||
}
|
}
|
||||||
|
|
||||||
tokV2 := header.GetBearerToken()
|
tokV2 := header.GetBearerToken()
|
||||||
if tokV2 == nil {
|
if tokV2 == nil {
|
||||||
return nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var tok bearer.Token
|
var tok bearer.Token
|
||||||
tok.ReadFromV2(*tokV2)
|
return &tok, tok.ReadFromV2(*tokV2)
|
||||||
|
|
||||||
return &tok
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// originalSessionToken goes down to original request meta header and fetches
|
// originalSessionToken goes down to original request meta header and fetches
|
||||||
|
|
|
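Review bot: `return &tok, tok.ReadFromV2(*tokV2)` returns a non-nil `*bearer.Token` together with the error, so a caller that drops or mishandles the error is left holding a possibly half-decoded token that still looks usable in an access check. Decode first and return nil on failure: `if err := tok.ReadFromV2(*tokV2); err != nil { return nil, err }` followed by `return &tok, nil`. The doc comment was not updated for the new signature; it should state both outcomes, e.g. `// It returns nil, nil when the original header carries no bearer token, and an error when the token cannot be decoded.`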
@ -1,12 +1,14 @@
|
||||||
package v2
|
package v2
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"crypto/rand"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/v2/acl"
|
"github.com/nspcc-dev/neofs-api-go/v2/acl"
|
||||||
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/bearer"
|
bearertest "github.com/nspcc-dev/neofs-sdk-go/bearer/test"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/eacl"
|
"github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
|
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
|
||||||
sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
|
sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
|
||||||
|
@ -15,20 +17,29 @@ import (
|
||||||
|
|
||||||
func TestOriginalTokens(t *testing.T) {
|
func TestOriginalTokens(t *testing.T) {
|
||||||
sToken := sessiontest.ObjectSigned()
|
sToken := sessiontest.ObjectSigned()
|
||||||
bTokenV2 := acltest.GenerateBearerToken(false)
|
bToken := bearertest.Token()
|
||||||
|
|
||||||
var bToken bearer.Token
|
pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
bToken.ReadFromV2(*bTokenV2)
|
require.NoError(t, bToken.Sign(*pk))
|
||||||
|
|
||||||
|
var bTokenV2 acl.BearerToken
|
||||||
|
bToken.WriteToV2(&bTokenV2)
|
||||||
|
// This line is needed because SDK uses some custom format for
|
||||||
|
// reserved filters, so `cid.ID` is not converted to string immediately.
|
||||||
|
require.NoError(t, bToken.ReadFromV2(bTokenV2))
|
||||||
|
|
||||||
var sTokenV2 session.Token
|
var sTokenV2 session.Token
|
||||||
sToken.WriteToV2(&sTokenV2)
|
sToken.WriteToV2(&sTokenV2)
|
||||||
|
|
||||||
for i := 0; i < 10; i++ {
|
for i := 0; i < 10; i++ {
|
||||||
metaHeaders := testGenerateMetaHeader(uint32(i), bTokenV2, &sTokenV2)
|
metaHeaders := testGenerateMetaHeader(uint32(i), &bTokenV2, &sTokenV2)
|
||||||
res, err := originalSessionToken(metaHeaders)
|
res, err := originalSessionToken(metaHeaders)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, sToken, res, i)
|
require.Equal(t, sToken, res, i)
|
||||||
require.Equal(t, &bToken, originalBearerToken(metaHeaders), i)
|
|
||||||
|
bTok, err := originalBearerToken(metaHeaders)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, &bToken, bTok, i)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
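Review bot: TestOriginalTokens still covers only the success path, so nothing pins the behaviour this commit introduces: no case hands `originalBearerToken` a bearer token that `ReadFromV2` rejects and asserts a non-nil error. A second case built from a deliberately malformed `acl.BearerToken` and checked with `require.Error(t, err)` would close that gap; which fields make a token malformed depends on the SDK's `ReadFromV2` checks, which are not shown here. Separately, `pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` discards the error; `pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` followed by `require.NoError(t, err)` keeps a key-generation failure from surfacing as a nil dereference in `bToken.Sign(*pk)`.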
@ -127,7 +127,10 @@ func CommonPrmFromV2(req interface {
|
||||||
|
|
||||||
if tok := meta.GetBearerToken(); tok != nil {
|
if tok := meta.GetBearerToken(); tok != nil {
|
||||||
prm.bearer = new(bearer.Token)
|
prm.bearer = new(bearer.Token)
|
||||||
prm.bearer.ReadFromV2(*tok)
|
err = prm.bearer.ReadFromV2(*tok)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("invalid bearer token: %w", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for i := range xHdrs {
|
for i := range xHdrs {
|
||||||
|
|