Pass container owner for backward get method APE-check #1218

Merged
fyrchik merged 3 commits from aarifullin/frostfs-node:fix/bt_get into master 2024-07-03 07:22:19 +00:00
Showing only changes of commit 1db4b0e020 - Show all commits

View file

@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
return nil
}
// 1. First check token lifetime. Simplest verification.
// First check token lifetime. Simplest verification.
if token.InvalidAt(st.CurrentEpoch()) {
return errBearerExpired
}
// 2. Then check if bearer token is signed correctly.
// Then check if bearer token is signed correctly.
if !token.VerifySignature() {
return errBearerInvalidSignature
}
// 3. Then check if container is either empty or equal to the container in the request.
// Check for ape overrides defined in the bearer token.
apeOverride := token.APEOverride()
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
return errInvalidTargetType
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
}
// Then check if container is either empty or equal to the container in the request.
var targetCnr cid.ID
err := targetCnr.DecodeString(apeOverride.Target.Name)
if err != nil {
@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
return errBearerInvalidContainerID
}
// 4. Then check if container owner signed this token.
// Then check if container owner signed this token.
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
return errBearerNotSignedByOwner
}
// 5. Then check if request sender has rights to use this token.
// Then check if request sender has rights to use this token.
var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))