From a59694e9f3397fd5d3fa6a72e4abc5779166d220 Mon Sep 17 00:00:00 2001
From: Airat Arifullin
Date: Tue, 2 Jul 2024 13:02:26 +0300
Subject: [PATCH 1/3] [#1218] object: Pass container owner for backward get method check

* `getStreamBasicChecker` must define `containerOwner` for backward checks, otherwise bearer token cannot be validated for the token issuer.

Signed-off-by: Airat Arifullin
---
 pkg/services/object/ape/service.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/services/object/ape/service.go b/pkg/services/object/ape/service.go
index 609b117d0..853c3b80d 100644
--- a/pkg/services/object/ape/service.go
+++ b/pkg/services/object/ape/service.go
@@ -164,6 +164,7 @@ func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectSt
 apeChecker: c.apeChecker,
 namespace: reqCtx.Namespace,
 senderKey: reqCtx.SenderKey,
+ containerOwner: reqCtx.ContainerOwner,
 role: nativeSchemaRole(reqCtx.Role),
 softAPECheck: reqCtx.SoftAPECheck,
 bearerToken: reqCtx.BearerToken,
--
2.45.2

From 1db4b0e020879d5dfe8d461dc40d057814a50b17 Mon Sep 17 00:00:00 2001
From: Airat Arifullin
Date: Tue, 2 Jul 2024 13:08:59 +0300
Subject: [PATCH 2/3] [#1218] object: Fix bearer token validation

Signed-off-by: Airat Arifullin
---
 pkg/services/object/ape/checker.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/pkg/services/object/ape/checker.go b/pkg/services/object/ape/checker.go
index ee12d7b97..7541ad116 100644
--- a/pkg/services/object/ape/checker.go
+++ b/pkg/services/object/ape/checker.go
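Review bot: `containerOwner: reqCtx.ContainerOwner,` is presumably the value that reaches isValidBearer as `ownerCnr` and is compared with `bearer.ResolveIssuer(*token)`, so a zero ContainerOwner makes every bearer-token Get fail the issuer check rather than bypass it; the literal is correct, but nothing in the commit pins that the field stays populated. A regression test issuing a Get with a bearer token signed by the container owner would keep the field from being dropped again, and any other request path that builds the same checker (not visible here) should be checked for the same omission. A why-comment on the new line would also help: `containerOwner: reqCtx.ContainerOwner, // compared against the bearer issuer in isValidBearer`. The enclosing Get method starts and ends outside the hunk.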
@@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
 return nil
 }
- // 1. First check token lifetime. Simplest verification.
+ // First check token lifetime. Simplest verification.
 if token.InvalidAt(st.CurrentEpoch()) {
 return errBearerExpired
 }
- // 2. Then check if bearer token is signed correctly.
+ // Then check if bearer token is signed correctly.
 if !token.VerifySignature() {
 return errBearerInvalidSignature
 }
- // 3. Then check if container is either empty or equal to the container in the request.
+ // Check for ape overrides defined in the bearer token.
 apeOverride := token.APEOverride()
- if apeOverride.Target.TargetType != ape.TargetTypeContainer {
- return errInvalidTargetType
+ if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
+ return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
 }
+ // Then check if container is either empty or equal to the container in the request.
 var targetCnr cid.ID
 err := targetCnr.DecodeString(apeOverride.Target.Name)
 if err != nil {
@@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
 return errBearerInvalidContainerID
 }
- // 4. Then check if container owner signed this token.
+ // Then check if container owner signed this token.
 if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
 return errBearerNotSignedByOwner
 }
- // 5. Then check if request sender has rights to use this token.
+ // Then check if request sender has rights to use this token.
 var usrSender user.ID
 user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
--
2.45.2

From b02370a789146f621aecea7721dc5a6f37396627 Mon Sep 17 00:00:00 2001
From: Airat Arifullin
Date: Tue, 2 Jul 2024 13:10:32 +0300
Subject: [PATCH 3/3] [#1218] tree: Fix bearer token validation
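Review bot: The new guard `if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer` skips the target-type check for a chain-less override, but `targetCnr.DecodeString(apeOverride.Target.Name)` on the following lines still runs unconditionally, so an override with no chains and an empty target name would presumably hit the decode error path (its body is outside the hunk) and be rejected anyway; please confirm that is the intended outcome, or skip the container check together with the type check when `Chains` is empty, and add a test for a chain-less bearer token to pin whichever it is. The reason the type check is relaxed is not recorded in the code; a comment above the guard such as `// An override without chains grants nothing, so its target is not validated here.` would explain it to the next reader. The identical change appears in pkg/services/tree/ape.go in the third patch. isValidBearer starts and ends outside the hunk.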
Signed-off-by: Airat Arifullin
---
 pkg/services/tree/ape.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go
index 116adf5db..a6202d1a3 100644
--- a/pkg/services/tree/ape.go
+++ b/pkg/services/tree/ape.go
@@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 return nil
 }
- // 1. First check token lifetime. Simplest verification.
+ // First check token lifetime. Simplest verification.
 if token.InvalidAt(st.CurrentEpoch()) {
 return errBearerExpired
 }
- // 2. Then check if bearer token is signed correctly.
+ // Then check if bearer token is signed correctly.
 if !token.VerifySignature() {
 return errBearerInvalidSignature
 }
- // 3. Then check if container is either empty or equal to the container in the request.
+ // Check for ape overrides defined in the bearer token.
 apeOverride := token.APEOverride()
- if apeOverride.Target.TargetType != ape.TargetTypeContainer {
- return errInvalidTargetType
+ if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
+ return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
 }
+ // Then check if container is either empty or equal to the container in the request.
 var targetCnr cid.ID
 err := targetCnr.DecodeString(apeOverride.Target.Name)
 if err != nil {
@@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 return errBearerInvalidContainerID
 }
- // 4. Then check if container owner signed this token.
+ // Then check if container owner signed this token.
 if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
 return errBearerNotSignedByOwner
 }
- // 5. Then check if request sender has rights to use this token.
+ // Then check if request sender has rights to use this token.
 var usrSender user.ID
 user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
--
2.45.2
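Review bot: This isValidBearer in pkg/services/tree/ape.go is a line-for-line copy of the one in pkg/services/object/ape/checker.go, and the same guard had to be rewritten in both in lockstep; a bearer-token validation routine duplicated across two services is exactly where a later fix lands in one copy and not the other. Consider moving the shared sequence (lifetime, signature, override target, issuer, sender) into one helper both services call, so a single test suite covers both. The note on the checker.go hunk about the unconditional `targetCnr.DecodeString(apeOverride.Target.Name)` after the relaxed guard applies here unchanged. isValidBearer starts and ends outside the hunk.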