TrueCloudLab/frostfs-node
20
1
Fork 27
Code Issues 97 Pull requests 3 Projects Releases 1 Activity Actions

Compare commits

merge into: TrueCloudLab:master
Branches Tags
TrueCloudLab:master
TrueCloudLab:support/v0.42
TrueCloudLab:support/v0.38
TrueCloudLab:support/v0.37
TrueCloudLab:support/v0.36
TrueCloudLab:support/v0.34
TrueCloudLab:support/v0.30
TrueCloudLab:support/v0.27
aarifullin:feat/refactor_ape_cli
aarifullin:fix/cnt_svc_ape_target
aarifullin:feat/dual_service_support
aarifullin:fix/adm_local_actor
aarifullin:fix/bump_sdk_go
aarifullin:poc/dual_service_support
aarifullin:fix/patch/sign
aarifullin:fix/tree_remove_ape
aarifullin:fix/check_ape_cnr_owner
aarifullin:fix/check_ape_ns
aarifullin:fix/patch_refactor
aarifullin:fix/patch/5
aarifullin:feat/ape/object_tree_refactor
aarifullin:fix/target_put
aarifullin:feat/patch/refactor/1
aarifullin:fix/apemanager/audit
aarifullin:fix/patch/3
aarifullin:feat/patch/1
aarifullin:fix/adm_ape
aarifullin:fix/wsreader_hang
aarifullin:fix/wsconn_invalid
aarifullin:fix/audit_logreq
aarifullin:fix/ape_attr
aarifullin:fix/cli_parse
aarifullin:fix/1229-sessiontok_exp
aarifullin:feat/bt_router
aarifullin:fix/bt_get
aarifullin:feat/groupids_target
aarifullin:feat/cli_eaclconv
aarifullin:feat/treesvc_verbs
aarifullin:feat/cli_bearer
aarifullin:fix/aperule_parser
aarifullin:feat/ec_search
aarifullin:feat/apemanager_refactor
aarifullin:feat/beartoken_ape
aarifullin:feat/ape_sourceip
aarifullin:feat/ape_manager
aarifullin:feat/ec_userobj
aarifullin:feat/improve_ape_parsing
aarifullin:master
aarifullin:feat/ape_fill_group_id
aarifullin:feat/ape_fill_groupid
aarifullin:fix/policy_engine_list_iterator
aarifullin:feat/ape_user_claim_tag
aarifullin:fix/tree_svc_ape
aarifullin:fix/1061_morph-cache-ttl
aarifullin:feat/validate_create_cnr_ec
aarifullin:fix/object_ape_ignore_tombstone
aarifullin:fix/object_ape_cnr_owner
aarifullin:fix/revert_async_notary_deposit
aarifullin:fix/status_ape_errors
aarifullin:fix/check_ape_role
aarifullin:fix/963-control_svc_iface_down
aarifullin:fix/ape_read_withot_wallet
aarifullin:fix/1012-ape_msg
aarifullin:fix/898_removed-true
aarifullin:fix/strict_ape_checks
aarifullin:feat/cli_parse_json
aarifullin:feat/cli_parse_json_any
aarifullin:feat/cli-ape
aarifullin:fix/chainbase_chain_decoding
aarifullin:fix/object_svc_req_ctx
aarifullin:fix/934-invalid_ape_request
aarifullin:fix/rpc-actor-guard
aarifullin:feature/ape_errors
aarifullin:fix/915-ape_get_object_bug
aarifullin:fix/control-svc-root-ns
aarifullin:feature/872-object_svc_ape
aarifullin:feature/851-use_policy_contract
aarifullin:fix/dont_convert_cid_to_native_fmt
aarifullin:feature/851-policy_contract
aarifullin:fix/dont_convert_cid_to_native_format
aarifullin:feature/804_override_storage
aarifullin:feature/chain_control_api
aarifullin:development/frostfs-adm-policy
aarifullin:feature/chain_id_add_rule
aarifullin:feature/rebase_updated_ape
aarifullin:feature/prm_init_prm_dial
aarifullin:fix/bforest_tree_drop
aarifullin:fix/object_head_eacl
aarifullin:feature/ape_rules_impl
aarifullin:feature/prm_balance_get
aarifullin:feature/121-client/object_put_single
aarifullin:fix/subscriber_ch_sizes
aarifullin:fix/unsubcribe-all
aarifullin:fix/OBJECT-4461_unsubcribe
aarifullin:aarifullin/debug/2
aarifullin:aarifullin/example/subscriber
aarifullin:feature/667-cache_unittest_logs
aarifullin:feature/121-client/prm_announce
aarifullin:feature/121-client/delete
aarifullin:feature/561-init_count
aarifullin:feature/121-client/object_read
aarifullin:fix/574-cnt_ever_existed
aarifullin:feature/121-client/set_eacl
aarifullin:fix/574-tree_del_info
aarifullin:feature/121-client/eacl
aarifullin:feature/121-client/container_delete
aarifullin:fix/sdk_types_usage
aarifullin:feature/5177-get_op_log_meta
aarifullin:fix/eacl_errors
aarifullin:feature/121-client/container_put
aarifullin:fix/119-update_modules
aarifullin:feature/refactor_sdk_api_types
aarifullin:feature/390-tree_cli
aarifullin:feature/390-tree_cli-backup
aarifullin:aarifullin/refactor/1
aarifullin:fix/113-list_name_flag
aarifullin:fix/197-correct_delete_status
aarifullin:feature/371-morph_cache_metr
aarifullin:feature/325-policer_off
aarifullin:feature/19-list_mul_cursor
aarifullin:feature/166-batch_tree_apply
aarifullin:fix/118-unit_test
aarifullin:feature/blobstor_concurrent_tests
aarifullin:feature/113-get_cnr_by_name
aarifullin:fix/use_uber_atomic
aarifullin:fix/116-generated_extra_files
aarifullin:feature/116-engine_constructor
aarifullin:feature/166-sync_tree
aarifullin:bug/use_uber_sync
aarifullin:feature/180-factor_out_panics
aarifullin:fix/86-fix_unittests
aarifullin:refactor/86-move_test_utils
aarifullin:fyrchik/simplify-services
aarifullin:carpawell/upd/neo-go-subs
aarifullin:KirillovDenis/poc/impersonate
aarifullin:carpawell/optional-profiles
aarifullin:carpawell/fix/multiple-cache-update-requests-FROST
aarifullin:support/v0.34
aarifullin:neofs-adm-fix-update
aarifullin:support/v0.30
aarifullin:experimental
aarifullin:neofs-adm-notary-disabled
aarifullin:support/v0.27
TrueCloudLab:v0.44.0-rc.12
TrueCloudLab:v0.44.0-rc.11
TrueCloudLab:v0.42.16
TrueCloudLab:v0.44.0-rc.10
TrueCloudLab:v0.44.0-rc.9
TrueCloudLab:v0.44.0-rc.8
TrueCloudLab:v0.44.0-rc.7
TrueCloudLab:v0.44.0-rc.6
TrueCloudLab:v0.44.0-rc.5
TrueCloudLab:v0.44.0-rc.4
TrueCloudLab:v0.44.0-rc.3
TrueCloudLab:v0.44.0-rc.2
TrueCloudLab:v0.44.0-rc.1
TrueCloudLab:v0.43.2
TrueCloudLab:v0.43.1
TrueCloudLab:v0.43.0
TrueCloudLab:v0.42.15
TrueCloudLab:v0.42.14
TrueCloudLab:v0.42.13
TrueCloudLab:v0.42.12
TrueCloudLab:v0.42.11
TrueCloudLab:v0.42.10
TrueCloudLab:v0.42.9
TrueCloudLab:v0.42.8
TrueCloudLab:v0.42.7
TrueCloudLab:v0.42.6
TrueCloudLab:v0.42.5
TrueCloudLab:v0.42.4
TrueCloudLab:v0.42.3
TrueCloudLab:v0.42.2
TrueCloudLab:v0.42.1
TrueCloudLab:v0.42.0
TrueCloudLab:v0.42.0-rc.9
TrueCloudLab:v0.42.0-rc.8
TrueCloudLab:v0.42.0-rc.7
TrueCloudLab:v0.38.9
TrueCloudLab:v0.42.0-rc.6
TrueCloudLab:v0.42.0-rc.5
TrueCloudLab:v0.42.0-rc.4
TrueCloudLab:v0.42.0-rc.3
TrueCloudLab:v0.42.0-rc.2
TrueCloudLab:v0.42.0-rc.1
TrueCloudLab:v0.38.8
TrueCloudLab:v0.41.0
TrueCloudLab:v0.38.7
TrueCloudLab:v0.40.0
TrueCloudLab:v0.39.0
TrueCloudLab:v0.38.6
TrueCloudLab:v0.38.5
TrueCloudLab:v0.38.4
TrueCloudLab:v0.38.3
TrueCloudLab:v0.38.2
TrueCloudLab:v0.38.1
TrueCloudLab:v0.38.0
TrueCloudLab:v0.38.0-rc.2
TrueCloudLab:v0.38.0-rc.1
TrueCloudLab:v0.37.0
TrueCloudLab:v0.37.0-rc.1
TrueCloudLab:v0.36.0
TrueCloudLab:v0.34.0
TrueCloudLab:v0.22.1
TrueCloudLab:v0.22.0
TrueCloudLab:v0.21.1
TrueCloudLab:v0.21.0
TrueCloudLab:v0.20.0
TrueCloudLab:v0.19.0
TrueCloudLab:v0.18.0
TrueCloudLab:v0.17.0
TrueCloudLab:v0.16.0
TrueCloudLab:v0.15.0
TrueCloudLab:v0.14.3
TrueCloudLab:v0.14.2
TrueCloudLab:v0.14.1
TrueCloudLab:v0.14.0
TrueCloudLab:v0.14.0-rc.1
TrueCloudLab:v0.13.2
TrueCloudLab:v0.13.1
TrueCloudLab:v0.13.0
TrueCloudLab:v0.13.0-rc.1
TrueCloudLab:v0.12.1
TrueCloudLab:v0.12.0
TrueCloudLab:v0.12.0-rc3
TrueCloudLab:v0.12.0-rc2
TrueCloudLab:v0.12.0-rc1
TrueCloudLab:v0.11.0
TrueCloudLab:v0.10.0
aarifullin:v0.22.1
aarifullin:v0.22.0
aarifullin:v0.21.1
aarifullin:v0.21.0
aarifullin:v0.20.0
aarifullin:v0.19.0
aarifullin:v0.18.0
aarifullin:v0.17.0
aarifullin:v0.16.0
aarifullin:v0.15.0
aarifullin:v0.14.3
aarifullin:v0.14.2
aarifullin:v0.14.1
aarifullin:v0.14.0
aarifullin:v0.14.0-rc.1
aarifullin:v0.13.2
aarifullin:v0.13.1
aarifullin:v0.13.0
aarifullin:v0.13.0-rc.1
aarifullin:v0.12.1
aarifullin:v0.12.0
aarifullin:v0.12.0-rc3
aarifullin:v0.12.0-rc2
aarifullin:v0.12.0-rc1
aarifullin:v0.11.0
aarifullin:v0.10.0
...
pull from: aarifullin:fix/bt_get
Branches Tags
aarifullin:feat/refactor_ape_cli
aarifullin:fix/cnt_svc_ape_target
aarifullin:feat/dual_service_support
aarifullin:fix/adm_local_actor
aarifullin:fix/bump_sdk_go
aarifullin:poc/dual_service_support
aarifullin:fix/patch/sign
aarifullin:fix/tree_remove_ape
aarifullin:fix/check_ape_cnr_owner
aarifullin:fix/check_ape_ns
aarifullin:fix/patch_refactor
aarifullin:fix/patch/5
aarifullin:feat/ape/object_tree_refactor
aarifullin:fix/target_put
aarifullin:feat/patch/refactor/1
aarifullin:fix/apemanager/audit
aarifullin:fix/patch/3
aarifullin:feat/patch/1
aarifullin:fix/adm_ape
aarifullin:fix/wsreader_hang
aarifullin:fix/wsconn_invalid
aarifullin:fix/audit_logreq
aarifullin:fix/ape_attr
aarifullin:fix/cli_parse
aarifullin:fix/1229-sessiontok_exp
aarifullin:feat/bt_router
aarifullin:fix/bt_get
aarifullin:feat/groupids_target
aarifullin:feat/cli_eaclconv
aarifullin:feat/treesvc_verbs
aarifullin:feat/cli_bearer
aarifullin:fix/aperule_parser
aarifullin:feat/ec_search
aarifullin:feat/apemanager_refactor
aarifullin:feat/beartoken_ape
aarifullin:feat/ape_sourceip
aarifullin:feat/ape_manager
aarifullin:feat/ec_userobj
aarifullin:feat/improve_ape_parsing
aarifullin:master
aarifullin:feat/ape_fill_group_id
aarifullin:feat/ape_fill_groupid
aarifullin:fix/policy_engine_list_iterator
aarifullin:feat/ape_user_claim_tag
aarifullin:fix/tree_svc_ape
aarifullin:fix/1061_morph-cache-ttl
aarifullin:feat/validate_create_cnr_ec
aarifullin:fix/object_ape_ignore_tombstone
aarifullin:fix/object_ape_cnr_owner
aarifullin:fix/revert_async_notary_deposit
aarifullin:fix/status_ape_errors
aarifullin:fix/check_ape_role
aarifullin:fix/963-control_svc_iface_down
aarifullin:fix/ape_read_withot_wallet
aarifullin:fix/1012-ape_msg
aarifullin:fix/898_removed-true
aarifullin:fix/strict_ape_checks
aarifullin:feat/cli_parse_json
aarifullin:feat/cli_parse_json_any
aarifullin:feat/cli-ape
aarifullin:fix/chainbase_chain_decoding
aarifullin:fix/object_svc_req_ctx
aarifullin:fix/934-invalid_ape_request
aarifullin:fix/rpc-actor-guard
aarifullin:feature/ape_errors
aarifullin:fix/915-ape_get_object_bug
aarifullin:fix/control-svc-root-ns
aarifullin:feature/872-object_svc_ape
aarifullin:feature/851-use_policy_contract
aarifullin:fix/dont_convert_cid_to_native_fmt
aarifullin:feature/851-policy_contract
aarifullin:fix/dont_convert_cid_to_native_format
aarifullin:feature/804_override_storage
aarifullin:feature/chain_control_api
aarifullin:development/frostfs-adm-policy
aarifullin:feature/chain_id_add_rule
aarifullin:feature/rebase_updated_ape
aarifullin:feature/prm_init_prm_dial
aarifullin:fix/bforest_tree_drop
aarifullin:fix/object_head_eacl
aarifullin:feature/ape_rules_impl
aarifullin:feature/prm_balance_get
aarifullin:feature/121-client/object_put_single
aarifullin:fix/subscriber_ch_sizes
aarifullin:fix/unsubcribe-all
aarifullin:fix/OBJECT-4461_unsubcribe
aarifullin:aarifullin/debug/2
aarifullin:aarifullin/example/subscriber
aarifullin:feature/667-cache_unittest_logs
aarifullin:feature/121-client/prm_announce
aarifullin:feature/121-client/delete
aarifullin:feature/561-init_count
aarifullin:feature/121-client/object_read
aarifullin:fix/574-cnt_ever_existed
aarifullin:feature/121-client/set_eacl
aarifullin:fix/574-tree_del_info
aarifullin:feature/121-client/eacl
aarifullin:feature/121-client/container_delete
aarifullin:fix/sdk_types_usage
aarifullin:feature/5177-get_op_log_meta
aarifullin:fix/eacl_errors
aarifullin:feature/121-client/container_put
aarifullin:fix/119-update_modules
aarifullin:feature/refactor_sdk_api_types
aarifullin:feature/390-tree_cli
aarifullin:feature/390-tree_cli-backup
aarifullin:aarifullin/refactor/1
aarifullin:fix/113-list_name_flag
aarifullin:fix/197-correct_delete_status
aarifullin:feature/371-morph_cache_metr
aarifullin:feature/325-policer_off
aarifullin:feature/19-list_mul_cursor
aarifullin:feature/166-batch_tree_apply
aarifullin:fix/118-unit_test
aarifullin:feature/blobstor_concurrent_tests
aarifullin:feature/113-get_cnr_by_name
aarifullin:fix/use_uber_atomic
aarifullin:fix/116-generated_extra_files
aarifullin:feature/116-engine_constructor
aarifullin:feature/166-sync_tree
aarifullin:bug/use_uber_sync
aarifullin:feature/180-factor_out_panics
aarifullin:fix/86-fix_unittests
aarifullin:refactor/86-move_test_utils
aarifullin:fyrchik/simplify-services
aarifullin:carpawell/upd/neo-go-subs
aarifullin:KirillovDenis/poc/impersonate
aarifullin:carpawell/optional-profiles
aarifullin:carpawell/fix/multiple-cache-update-requests-FROST
aarifullin:support/v0.34
aarifullin:neofs-adm-fix-update
aarifullin:support/v0.30
aarifullin:experimental
aarifullin:neofs-adm-notary-disabled
aarifullin:support/v0.27
TrueCloudLab:master
TrueCloudLab:support/v0.42
TrueCloudLab:support/v0.38
TrueCloudLab:support/v0.37
TrueCloudLab:support/v0.36
TrueCloudLab:support/v0.34
TrueCloudLab:support/v0.30
TrueCloudLab:support/v0.27
aarifullin:v0.22.1
aarifullin:v0.22.0
aarifullin:v0.21.1
aarifullin:v0.21.0
aarifullin:v0.20.0
aarifullin:v0.19.0
aarifullin:v0.18.0
aarifullin:v0.17.0
aarifullin:v0.16.0
aarifullin:v0.15.0
aarifullin:v0.14.3
aarifullin:v0.14.2
aarifullin:v0.14.1
aarifullin:v0.14.0
aarifullin:v0.14.0-rc.1
aarifullin:v0.13.2
aarifullin:v0.13.1
aarifullin:v0.13.0
aarifullin:v0.13.0-rc.1
aarifullin:v0.12.1
aarifullin:v0.12.0
aarifullin:v0.12.0-rc3
aarifullin:v0.12.0-rc2
aarifullin:v0.12.0-rc1
aarifullin:v0.11.0
aarifullin:v0.10.0
TrueCloudLab:v0.44.0-rc.12
TrueCloudLab:v0.44.0-rc.11
TrueCloudLab:v0.42.16
TrueCloudLab:v0.44.0-rc.10
TrueCloudLab:v0.44.0-rc.9
TrueCloudLab:v0.44.0-rc.8
TrueCloudLab:v0.44.0-rc.7
TrueCloudLab:v0.44.0-rc.6
TrueCloudLab:v0.44.0-rc.5
TrueCloudLab:v0.44.0-rc.4
TrueCloudLab:v0.44.0-rc.3
TrueCloudLab:v0.44.0-rc.2
TrueCloudLab:v0.44.0-rc.1
TrueCloudLab:v0.43.2
TrueCloudLab:v0.43.1
TrueCloudLab:v0.43.0
TrueCloudLab:v0.42.15
TrueCloudLab:v0.42.14
TrueCloudLab:v0.42.13
TrueCloudLab:v0.42.12
TrueCloudLab:v0.42.11
TrueCloudLab:v0.42.10
TrueCloudLab:v0.42.9
TrueCloudLab:v0.42.8
TrueCloudLab:v0.42.7
TrueCloudLab:v0.42.6
TrueCloudLab:v0.42.5
TrueCloudLab:v0.42.4
TrueCloudLab:v0.42.3
TrueCloudLab:v0.42.2
TrueCloudLab:v0.42.1
TrueCloudLab:v0.42.0
TrueCloudLab:v0.42.0-rc.9
TrueCloudLab:v0.42.0-rc.8
TrueCloudLab:v0.42.0-rc.7
TrueCloudLab:v0.38.9
TrueCloudLab:v0.42.0-rc.6
TrueCloudLab:v0.42.0-rc.5
TrueCloudLab:v0.42.0-rc.4
TrueCloudLab:v0.42.0-rc.3
TrueCloudLab:v0.42.0-rc.2
TrueCloudLab:v0.42.0-rc.1
TrueCloudLab:v0.38.8
TrueCloudLab:v0.41.0
TrueCloudLab:v0.38.7
TrueCloudLab:v0.40.0
TrueCloudLab:v0.39.0
TrueCloudLab:v0.38.6
TrueCloudLab:v0.38.5
TrueCloudLab:v0.38.4
TrueCloudLab:v0.38.3
TrueCloudLab:v0.38.2
TrueCloudLab:v0.38.1
TrueCloudLab:v0.38.0
TrueCloudLab:v0.38.0-rc.2
TrueCloudLab:v0.38.0-rc.1
TrueCloudLab:v0.37.0
TrueCloudLab:v0.37.0-rc.1
TrueCloudLab:v0.36.0
TrueCloudLab:v0.34.0
TrueCloudLab:v0.22.1
TrueCloudLab:v0.22.0
TrueCloudLab:v0.21.1
TrueCloudLab:v0.21.0
TrueCloudLab:v0.20.0
TrueCloudLab:v0.19.0
TrueCloudLab:v0.18.0
TrueCloudLab:v0.17.0
TrueCloudLab:v0.16.0
TrueCloudLab:v0.15.0
TrueCloudLab:v0.14.3
TrueCloudLab:v0.14.2
TrueCloudLab:v0.14.1
TrueCloudLab:v0.14.0
TrueCloudLab:v0.14.0-rc.1
TrueCloudLab:v0.13.2
TrueCloudLab:v0.13.1
TrueCloudLab:v0.13.0
TrueCloudLab:v0.13.0-rc.1
TrueCloudLab:v0.12.1
TrueCloudLab:v0.12.0
TrueCloudLab:v0.12.0-rc3
TrueCloudLab:v0.12.0-rc2
TrueCloudLab:v0.12.0-rc1
TrueCloudLab:v0.11.0
TrueCloudLab:v0.10.0

3 commits
master ... fix/bt_get

Author SHA1 Message Date
Airat Arifullin
b02370a789 [#1218] tree: Fix bearer token validation
All checks were successful
DCO action / DCO (pull_request) Successful in 2m47s
Details
Vulncheck / Vulncheck (pull_request) Successful in 3m37s
Details
Build / Build Components (1.21) (pull_request) Successful in 8m56s
Details
Build / Build Components (1.22) (pull_request) Successful in 8m50s
Details
Tests and linters / gopls check (pull_request) Successful in 10m12s
Details
Tests and linters / Lint (pull_request) Successful in 11m52s
Details
Pre-commit hooks / Pre-commit (pull_request) Successful in 13m34s
Details
Tests and linters / Tests with -race (pull_request) Successful in 14m1s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 14m40s
Details
Tests and linters / Tests (1.22) (pull_request) Successful in 14m39s
Details
Tests and linters / Staticcheck (pull_request) Successful in 14m28s
Details 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-02 14:40:27 +03:00
Airat Arifullin
1db4b0e020 [#1218] object: Fix bearer token validation 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-02 14:39:43 +03:00
Airat Arifullin
a59694e9f3 [#1218] object: Pass container owner for backward get method check 
* `getStreamBasicChecker` must define `containerOwner` for backward checks,
  otherwise bearer token cannot be validated for the token issuer.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-02 13:13:41 +03:00
3 changed files with 17 additions and 14 deletions
Show stats Expand all files Collapse all files

15
pkg/services/object/ape/checker.go
View file

@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
return nil
}
// 1. First check token lifetime. Simplest verification.
// First check token lifetime. Simplest verification.
if token.InvalidAt(st.CurrentEpoch()) {
return errBearerExpired
}
// 2. Then check if bearer token is signed correctly.
// Then check if bearer token is signed correctly.
if !token.VerifySignature() {
return errBearerInvalidSignature
}
// 3. Then check if container is either empty or equal to the container in the request.
// Check for ape overrides defined in the bearer token.
apeOverride := token.APEOverride()
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
return errInvalidTargetType
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
}
// Then check if container is either empty or equal to the container in the request.
var targetCnr cid.ID
err := targetCnr.DecodeString(apeOverride.Target.Name)
if err != nil {
@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
return errBearerInvalidContainerID
}
// 4. Then check if container owner signed this token.
// Then check if container owner signed this token.
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
return errBearerNotSignedByOwner
}
// 5. Then check if request sender has rights to use this token.
// Then check if request sender has rights to use this token.
var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))

1
pkg/services/object/ape/service.go
View file

@ -164,6 +164,7 @@ func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectSt
apeChecker: c.apeChecker,
namespace: reqCtx.Namespace,
senderKey: reqCtx.SenderKey,
containerOwner: reqCtx.ContainerOwner,
role: nativeSchemaRole(reqCtx.Role),
softAPECheck: reqCtx.SoftAPECheck,
bearerToken: reqCtx.BearerToken,

15
pkg/services/tree/ape.go
View file

@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
return nil
}
// 1. First check token lifetime. Simplest verification.
// First check token lifetime. Simplest verification.
if token.InvalidAt(st.CurrentEpoch()) {
return errBearerExpired
}
// 2. Then check if bearer token is signed correctly.
// Then check if bearer token is signed correctly.
if !token.VerifySignature() {
return errBearerInvalidSignature
}
// 3. Then check if container is either empty or equal to the container in the request.
// Check for ape overrides defined in the bearer token.
apeOverride := token.APEOverride()
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
return errInvalidTargetType
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
}
// Then check if container is either empty or equal to the container in the request.
var targetCnr cid.ID
err := targetCnr.DecodeString(apeOverride.Target.Name)
if err != nil {
@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
return errBearerInvalidContainerID
}
// 4. Then check if container owner signed this token.
// Then check if container owner signed this token.
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
return errBearerNotSignedByOwner
}
// 5. Then check if request sender has rights to use this token.
// Then check if request sender has rights to use this token.
var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))