From ff1912aa2a009fbc857e88b99538df79adf5827d Mon Sep 17 00:00:00 2001 From: Evgenii Stratonikov Date: Tue, 29 Mar 2022 14:38:01 +0300 Subject: [PATCH] services/acl: check session token expiration epoch Signed-off-by: Evgenii Stratonikov --- pkg/services/object/acl/v2/service.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go index eb2511ea..cba1d3e8 100644 --- a/pkg/services/object/acl/v2/service.go +++ b/pkg/services/object/acl/v2/service.go @@ -417,6 +417,17 @@ func (b Service) findRequestInfo( return info, errors.New("missing owner in container descriptor") } + if req.token != nil && req.token.Exp() != 0 { + currentEpoch, err := b.nm.Epoch() + if err != nil { + return info, errors.New("can't fetch current epoch") + } + if req.token.Exp() < currentEpoch { + return info, fmt.Errorf("%w: token has expired (current epoch: %d, expired at %d)", + ErrMalformedRequest, currentEpoch, req.token.Exp()) + } + } + // find request role and key res, err := b.c.classify(req, cid, cnr) if err != nil {