diff --git a/pkg/services/common/ape/checker.go b/pkg/services/common/ape/checker.go index eb6263320..fcd3efa44 100644 --- a/pkg/services/common/ape/checker.go +++ b/pkg/services/common/ape/checker.go @@ -157,16 +157,8 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe var usrSender user.ID user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey)) - // Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's - // public key, but not the actual sender. - if !token.Impersonate() { - if !token.AssertUser(usrSender) { - return errBearerInvalidOwner - } - } else { - if !bearer.ResolveIssuer(*token).Equals(usrSender) { - return errBearerInvalidOwner - } + if !token.AssertUser(usrSender) { + return errBearerInvalidOwner } return nil diff --git a/pkg/services/tree/signature_test.go b/pkg/services/tree/signature_test.go index 8815c227f..13a5c1395 100644 --- a/pkg/services/tree/signature_test.go +++ b/pkg/services/tree/signature_test.go @@ -297,30 +297,6 @@ func TestMessageSign(t *testing.T) { require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet)) }) - t.Run("impersonate, but target user is still set", func(t *testing.T) { - var bt bearer.Token - bt.SetExp(10) - bt.SetImpersonate(true) - - var reqSigner user.ID - user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*privs[1].PublicKey())) - - bt.ForUser(reqSigner) - bt.SetAPEOverride(bearer.APEOverride{ - Target: ape.ChainTarget{ - TargetType: ape.TargetTypeContainer, - Name: cid1.EncodeToString(), - }, - Chains: []ape.Chain{}, - }) - require.NoError(t, bt.Sign(privs[0].PrivateKey)) - req.Body.BearerToken = bt.Marshal() - - require.NoError(t, SignMessage(req, &privs[1].PrivateKey)) - require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut)) - require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet)) - }) - t.Run("impersonate but invalid signer", func(t *testing.T) { var bt bearer.Token bt.SetExp(10)