TrueCloudLab/frostfs-node
20
1
Fork 28
Code Issues 108 Pull requests 4 Projects Releases 2 Packages 4 Activity Actions

Revert "[#1689] ape: Fix bearer token validation"

Browse source 
This reverts commit a5f76a609d.

The fix won't cover a case when an issuer does not own the container
but he's still able to create an impersonated bearer token - validation
shouldn't reject this request. Thus, we just need to pass all verification checks
if token is impersonated.

Change-Id: Ifd73b3666ec4736d7258eedf1cf3dae969b4162a
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2025-05-12 15:53:52 +03:00
parent ab18ce0f20
commit bf638cce67
2 changed files with 2 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

8
pkg/services/common/ape/checker.go
View file

@ -157,17 +157,9 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
var usrSender user.ID var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey)) user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
// Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's
// public key, but not the actual sender.
if !token.Impersonate() {
if !token.AssertUser(usrSender) { if !token.AssertUser(usrSender) {
return errBearerInvalidOwner return errBearerInvalidOwner
} }
} else {
if !bearer.ResolveIssuer(*token).Equals(usrSender) {
return errBearerInvalidOwner
}
}
return nil return nil
} }

24
pkg/services/tree/signature_test.go
View file

@ -297,30 +297,6 @@ func TestMessageSign(t *testing.T) {
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet)) require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
}) })
t.Run("impersonate, but target user is still set", func(t *testing.T) {
var bt bearer.Token
bt.SetExp(10)
bt.SetImpersonate(true)
var reqSigner user.ID
user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*privs[1].PublicKey()))
bt.ForUser(reqSigner)
bt.SetAPEOverride(bearer.APEOverride{
Target: ape.ChainTarget{
TargetType: ape.TargetTypeContainer,
Name: cid1.EncodeToString(),
},
Chains: []ape.Chain{},
})
require.NoError(t, bt.Sign(privs[0].PrivateKey))
req.Body.BearerToken = bt.Marshal()
require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
})
t.Run("impersonate but invalid signer", func(t *testing.T) { t.Run("impersonate but invalid signer", func(t *testing.T) {
var bt bearer.Token var bt bearer.Token
bt.SetExp(10) bt.SetExp(10)