Pass container owner for backward get method APE-check #1218

Merged
fyrchik merged 3 commits from aarifullin/frostfs-node:fix/bt_get into master 2024-07-03 07:22:19 +00:00
3 changed files with 17 additions and 14 deletions


@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
return nil return nil
} }
// 1. First check token lifetime. Simplest verification. // First check token lifetime. Simplest verification.
if token.InvalidAt(st.CurrentEpoch()) { if token.InvalidAt(st.CurrentEpoch()) {
return errBearerExpired return errBearerExpired
} }
// 2. Then check if bearer token is signed correctly. // Then check if bearer token is signed correctly.
if !token.VerifySignature() { if !token.VerifySignature() {
return errBearerInvalidSignature return errBearerInvalidSignature
} }
// 3. Then check if container is either empty or equal to the container in the request. // Check for ape overrides defined in the bearer token.
apeOverride := token.APEOverride() apeOverride := token.APEOverride()
if apeOverride.Target.TargetType != ape.TargetTypeContainer { if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
return errInvalidTargetType return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
} }
// Then check if container is either empty or equal to the container in the request.
var targetCnr cid.ID var targetCnr cid.ID
err := targetCnr.DecodeString(apeOverride.Target.Name) err := targetCnr.DecodeString(apeOverride.Target.Name)
if err != nil { if err != nil {
@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
return errBearerInvalidContainerID return errBearerInvalidContainerID
} }
// 4. Then check if container owner signed this token. // Then check if container owner signed this token.

Let's remove the numbers altogether? The changes on multiple unrelated lines blow up the diff.

Let's remove the numbers altogether? The changes on multiple unrelated lines blow up the diff.

Let's remove the numbers altogether? The changes on multiple unrelated lines blow up the diff.

Let's remove the numbers altogether? The changes on multiple unrelated lines blow up the diff.

Fixed

Fixed
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) { if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
return errBearerNotSignedByOwner return errBearerNotSignedByOwner
} }
// 5. Then check if request sender has rights to use this token. // Then check if request sender has rights to use this token.
var usrSender user.ID var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey)) user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
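Review bot: The new `if len(apeOverride.Chains) > 0 && ...` condition lets a token with no chains skip the target-type check, but the `targetCnr.DecodeString(apeOverride.Target.Name)` two lines below still runs unconditionally, so a bearer token that carries no APE override at all (empty target name) presumably fails the decode and is rejected by whatever the `if err != nil` branch returns; that branch lies outside the hunk, so whether such tokens are meant to be accepted cannot be confirmed from here. If override-less tokens are intended to pass, the container decode and comparison should be gated the same way as the type check, e.g. wrapped in `if len(apeOverride.Chains) > 0 { ... }`, and a test with a bearer token lacking an APE override would pin that behaviour either way. The identical hunk appears again in the third changed file's isValidBearer, and the two copies are byte-for-byte the same, so a shared helper would avoid having to apply the next fix twice. isValidBearer starts and ends outside these hunks.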


@ -164,6 +164,7 @@ func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectSt
apeChecker: c.apeChecker, apeChecker: c.apeChecker,
namespace: reqCtx.Namespace, namespace: reqCtx.Namespace,
senderKey: reqCtx.SenderKey, senderKey: reqCtx.SenderKey,
containerOwner: reqCtx.ContainerOwner,
role: nativeSchemaRole(reqCtx.Role), role: nativeSchemaRole(reqCtx.Role),
softAPECheck: reqCtx.SoftAPECheck, softAPECheck: reqCtx.SoftAPECheck,
bearerToken: reqCtx.BearerToken, bearerToken: reqCtx.BearerToken,
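Review bot: The added `containerOwner: reqCtx.ContainerOwner,` line appears to supply the value that isValidBearer compares the bearer issuer against, so the check on this Get path is only meaningful if ContainerOwner was populated earlier in the request context; nothing in the hunk shows that, and an unpopulated owner would make every owner-signed bearer fail with errBearerNotSignedByOwner, which is fail-closed but a silent regression for legacy clients. A unit test for the backward-compatible Get path using a bearer token signed by the container owner would pin the fix and catch a missing owner lookup. The enclosing Get method starts and ends outside the hunk.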


@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
return nil return nil
} }
// 1. First check token lifetime. Simplest verification. // First check token lifetime. Simplest verification.
if token.InvalidAt(st.CurrentEpoch()) { if token.InvalidAt(st.CurrentEpoch()) {
return errBearerExpired return errBearerExpired
} }
// 2. Then check if bearer token is signed correctly. // Then check if bearer token is signed correctly.
if !token.VerifySignature() { if !token.VerifySignature() {
return errBearerInvalidSignature return errBearerInvalidSignature
} }
// 3. Then check if container is either empty or equal to the container in the request. // Check for ape overrides defined in the bearer token.
apeOverride := token.APEOverride() apeOverride := token.APEOverride()
if apeOverride.Target.TargetType != ape.TargetTypeContainer { if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
return errInvalidTargetType return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
} }
// Then check if container is either empty or equal to the container in the request.
var targetCnr cid.ID var targetCnr cid.ID
err := targetCnr.DecodeString(apeOverride.Target.Name) err := targetCnr.DecodeString(apeOverride.Target.Name)
if err != nil { if err != nil {
@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
return errBearerInvalidContainerID return errBearerInvalidContainerID
} }
// 4. Then check if container owner signed this token. // Then check if container owner signed this token.
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) { if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
return errBearerNotSignedByOwner return errBearerNotSignedByOwner
} }
// 5. Then check if request sender has rights to use this token. // Then check if request sender has rights to use this token.
var usrSender user.ID var usrSender user.ID
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey)) user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))