Pass container owner for backward get method APE-check #1218
3 changed files with 17 additions and 14 deletions
|
@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1. First check token lifetime. Simplest verification.
|
// First check token lifetime. Simplest verification.
|
||||||
if token.InvalidAt(st.CurrentEpoch()) {
|
if token.InvalidAt(st.CurrentEpoch()) {
|
||||||
return errBearerExpired
|
return errBearerExpired
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Then check if bearer token is signed correctly.
|
// Then check if bearer token is signed correctly.
|
||||||
if !token.VerifySignature() {
|
if !token.VerifySignature() {
|
||||||
return errBearerInvalidSignature
|
return errBearerInvalidSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Then check if container is either empty or equal to the container in the request.
|
// Check for ape overrides defined in the bearer token.
|
||||||
apeOverride := token.APEOverride()
|
apeOverride := token.APEOverride()
|
||||||
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
||||||
return errInvalidTargetType
|
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Then check if container is either empty or equal to the container in the request.
|
||||||
var targetCnr cid.ID
|
var targetCnr cid.ID
|
||||||
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
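Review bot: The relaxed condition `if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer` only skips the target-type check for a token with no chains, but the lines right after it still call `targetCnr.DecodeString(apeOverride.Target.Name)` unconditionally and return `errBearerInvalidContainerID` on failure (second hunk of this file), so a chain-less token with an empty or non-container target is still rejected, only with a less specific error. If such tokens are meant to be accepted, the decode and the container comparison need the same `len(apeOverride.Chains) > 0` guard; if they are not, the new condition only changes which error is reported and a comment saying so would help, e.g. `// Tokens without chains are not validated against a target container here; they fail below on DecodeString.` The same change appears in the first hunk of the second isValidBearer file (the one taking `cntID`), and whichever way this is resolved should be applied there too. The enclosing function starts before this hunk and its remaining checks continue past it.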
@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
|
||||||
return errBearerInvalidContainerID
|
return errBearerInvalidContainerID
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4. Then check if container owner signed this token.
|
// Then check if container owner signed this token.
|
||||||
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
||||||
return errBearerNotSignedByOwner
|
return errBearerNotSignedByOwner
|
||||||
}
|
}
|
||||||
|
|
||||||
// 5. Then check if request sender has rights to use this token.
|
// Then check if request sender has rights to use this token.
|
||||||
var usrSender user.ID
|
var usrSender user.ID
|
||||||
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
||||||
|
|
||||||
|
|
|
@ -164,6 +164,7 @@ func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectSt
|
||||||
apeChecker: c.apeChecker,
|
apeChecker: c.apeChecker,
|
||||||
namespace: reqCtx.Namespace,
|
namespace: reqCtx.Namespace,
|
||||||
senderKey: reqCtx.SenderKey,
|
senderKey: reqCtx.SenderKey,
|
||||||
|
containerOwner: reqCtx.ContainerOwner,
|
||||||
role: nativeSchemaRole(reqCtx.Role),
|
role: nativeSchemaRole(reqCtx.Role),
|
||||||
softAPECheck: reqCtx.SoftAPECheck,
|
softAPECheck: reqCtx.SoftAPECheck,
|
||||||
bearerToken: reqCtx.BearerToken,
|
bearerToken: reqCtx.BearerToken,
|
||||||
|
|
|
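Review bot: The new `containerOwner: reqCtx.ContainerOwner,` field feeds the `bearer.ResolveIssuer(*token).Equals(ownerCnr)` check in isValidBearer, so if `reqCtx.ContainerOwner` is ever left at its zero value for a Get request, every bearer token on that path would be rejected as not signed by the owner; worth confirming where ContainerOwner is populated in the request context, as that code is outside this diff. A brief comment on the field would make the dependency visible, e.g. `// containerOwner is compared against the bearer token issuer; must be resolved before the check runs.` The struct literal this line belongs to starts and ends outside the hunk.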
@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1. First check token lifetime. Simplest verification.
|
// First check token lifetime. Simplest verification.
|
||||||
if token.InvalidAt(st.CurrentEpoch()) {
|
if token.InvalidAt(st.CurrentEpoch()) {
|
||||||
return errBearerExpired
|
return errBearerExpired
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Then check if bearer token is signed correctly.
|
// Then check if bearer token is signed correctly.
|
||||||
if !token.VerifySignature() {
|
if !token.VerifySignature() {
|
||||||
return errBearerInvalidSignature
|
return errBearerInvalidSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Then check if container is either empty or equal to the container in the request.
|
// Check for ape overrides defined in the bearer token.
|
||||||
apeOverride := token.APEOverride()
|
apeOverride := token.APEOverride()
|
||||||
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
||||||
return errInvalidTargetType
|
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Then check if container is either empty or equal to the container in the request.
|
||||||
var targetCnr cid.ID
|
var targetCnr cid.ID
|
||||||
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
|
||||||
return errBearerInvalidContainerID
|
return errBearerInvalidContainerID
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4. Then check if container owner signed this token.
|
// Then check if container owner signed this token.
|
||||||
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
||||||
return errBearerNotSignedByOwner
|
return errBearerNotSignedByOwner
|
||||||
}
|
}
|
||||||
|
|
||||||
// 5. Then check if request sender has rights to use this token.
|
// Then check if request sender has rights to use this token.
|
||||||
var usrSender user.ID
|
var usrSender user.ID
|
||||||
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
||||||
|
|
||||||
|
|