Revert "[#1689] ape: Fix bearer token validation"

This reverts commit a5f76a609d. The fix won't cover a case when an issuer does not own the container but he's still able to create an impersonated bearer token - validation shouldn't reject this request. Thus, we just need to pass all verification checks if token is impersonated. Change-Id: Ifd73b3666ec4736d7258eedf1cf3dae969b4162a Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2025-05-12 15:53:52 +03:00 · 2025-05-12 15:53:52 +03:00 · bf638cce67
commit bf638cce67
parent ab18ce0f20
2 changed files with 2 additions and 34 deletions
--- a/pkg/services/common/ape/checker.go
+++ b/pkg/services/common/ape/checker.go
@ -157,16 +157,8 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 	var usrSender user.ID
 	user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))

-	// Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's
-	// public key, but not the actual sender.
-	if !token.Impersonate() {
-		if !token.AssertUser(usrSender) {
-			return errBearerInvalidOwner
-		}
-	} else {
-		if !bearer.ResolveIssuer(*token).Equals(usrSender) {
-			return errBearerInvalidOwner
-		}
+	if !token.AssertUser(usrSender) {
+		return errBearerInvalidOwner
 	}

 	return nil
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@ -297,30 +297,6 @@ func TestMessageSign(t *testing.T) {
 			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})

-		t.Run("impersonate, but target user is still set", func(t *testing.T) {
-			var bt bearer.Token
-			bt.SetExp(10)
-			bt.SetImpersonate(true)
-
-			var reqSigner user.ID
-			user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*privs[1].PublicKey()))
-
-			bt.ForUser(reqSigner)
-			bt.SetAPEOverride(bearer.APEOverride{
-				Target: ape.ChainTarget{
-					TargetType: ape.TargetTypeContainer,
-					Name:       cid1.EncodeToString(),
-				},
-				Chains: []ape.Chain{},
-			})
-			require.NoError(t, bt.Sign(privs[0].PrivateKey))
-			req.Body.BearerToken = bt.Marshal()
-
-			require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
-			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
-			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
-		})
-
 		t.Run("impersonate but invalid signer", func(t *testing.T) {
 			var bt bearer.Token
 			bt.SetExp(10)