Pass container owner for backward get method APE-check #1218
3 changed files with 17 additions and 14 deletions
|
@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1. First check token lifetime. Simplest verification.
|
// First check token lifetime. Simplest verification.
|
||||||
if token.InvalidAt(st.CurrentEpoch()) {
|
if token.InvalidAt(st.CurrentEpoch()) {
|
||||||
return errBearerExpired
|
return errBearerExpired
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Then check if bearer token is signed correctly.
|
// Then check if bearer token is signed correctly.
|
||||||
if !token.VerifySignature() {
|
if !token.VerifySignature() {
|
||||||
return errBearerInvalidSignature
|
return errBearerInvalidSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Then check if container is either empty or equal to the container in the request.
|
// Check for ape overrides defined in the bearer token.
|
||||||
apeOverride := token.APEOverride()
|
apeOverride := token.APEOverride()
|
||||||
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
||||||
return errInvalidTargetType
|
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Then check if container is either empty or equal to the container in the request.
|
||||||
var targetCnr cid.ID
|
var targetCnr cid.ID
|
||||||
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
|
||||||
return errBearerInvalidContainerID
|
return errBearerInvalidContainerID
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4. Then check if container owner signed this token.
|
// Then check if container owner signed this token.
|
||||||
|
|||||||
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
||||||
return errBearerNotSignedByOwner
|
return errBearerNotSignedByOwner
|
||||||
}
|
}
|
||||||
|
|
||||||
// 5. Then check if request sender has rights to use this token.
|
// Then check if request sender has rights to use this token.
|
||||||
var usrSender user.ID
|
var usrSender user.ID
|
||||||
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
||||||
|
|
||||||
|
|
|
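Review bot: The new guard on L78 (`if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {`) only skips the target-type check for a chain-less token, while the decode of `apeOverride.Target.Name` into `targetCnr` on L105 and, presumably, the container comparison that yields errBearerInvalidContainerID (its lines fall between the two hunks) still run unconditionally, so a bearer with no chains and a non-container or empty target is still rejected on the container-ID path rather than treated as carrying no override. If an empty chain list is meant to mean "no override", the decode and comparison should sit under the same `len(apeOverride.Chains) > 0` condition or the function should return before them; if every bearer must still name this container, the new comment on L68 should say so, e.g. `// Check for ape overrides defined in the bearer token; the target, if any, must still be this container.`. The identical pair of changes is duplicated in the second isValidBearer copy (L290 and L295), so whichever reading is chosen must be applied to both, and folding the two copies into one shared helper would stop them drifting apart again. isValidBearer starts before the first hunk and continues past the second.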
@ -164,6 +164,7 @@ func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectSt
|
||||||
apeChecker: c.apeChecker,
|
apeChecker: c.apeChecker,
|
||||||
namespace: reqCtx.Namespace,
|
namespace: reqCtx.Namespace,
|
||||||
senderKey: reqCtx.SenderKey,
|
senderKey: reqCtx.SenderKey,
|
||||||
|
containerOwner: reqCtx.ContainerOwner,
|
||||||
role: nativeSchemaRole(reqCtx.Role),
|
role: nativeSchemaRole(reqCtx.Role),
|
||||||
softAPECheck: reqCtx.SoftAPECheck,
|
softAPECheck: reqCtx.SoftAPECheck,
|
||||||
bearerToken: reqCtx.BearerToken,
|
bearerToken: reqCtx.BearerToken,
|
||||||
|
|
|
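Review bot: `containerOwner: reqCtx.ContainerOwner,` on L195 is new on this Get path, which implies the field was previously left at its zero value here and the "container owner signed this token" comparison in isValidBearer ran against an empty user.ID; the commit fixes the field but adds no test pinning that behaviour. Suggest a unit test for Get with a bearer issued by a key other than the container owner asserting errBearerNotSignedByOwner, and one issued by the owner asserting success, so the field cannot silently be dropped again. It is also worth confirming that the request-context builder (outside this hunk) always populates ContainerOwner for this handler; if it can legitimately be zero, the owner check should fail closed on an empty ID explicitly rather than rely on what Equals does with it. The enclosing Get method starts and ends outside the hunk.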
@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1. First check token lifetime. Simplest verification.
|
// First check token lifetime. Simplest verification.
|
||||||
if token.InvalidAt(st.CurrentEpoch()) {
|
if token.InvalidAt(st.CurrentEpoch()) {
|
||||||
return errBearerExpired
|
return errBearerExpired
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Then check if bearer token is signed correctly.
|
// Then check if bearer token is signed correctly.
|
||||||
if !token.VerifySignature() {
|
if !token.VerifySignature() {
|
||||||
return errBearerInvalidSignature
|
return errBearerInvalidSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Then check if container is either empty or equal to the container in the request.
|
// Check for ape overrides defined in the bearer token.
|
||||||
apeOverride := token.APEOverride()
|
apeOverride := token.APEOverride()
|
||||||
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
||||||
return errInvalidTargetType
|
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Then check if container is either empty or equal to the container in the request.
|
||||||
var targetCnr cid.ID
|
var targetCnr cid.ID
|
||||||
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
|
||||||
return errBearerInvalidContainerID
|
return errBearerInvalidContainerID
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4. Then check if container owner signed this token.
|
// Then check if container owner signed this token.
|
||||||
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
||||||
return errBearerNotSignedByOwner
|
return errBearerNotSignedByOwner
|
||||||
}
|
}
|
||||||
|
|
||||||
// 5. Then check if request sender has rights to use this token.
|
// Then check if request sender has rights to use this token.
|
||||||
var usrSender user.ID
|
var usrSender user.ID
|
||||||
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
||||||
|
|
||||||
|
|
Let's remove the numbers altogether? The changes on multiple unrelated lines blow up the diff.
Let's remove the numbers altogether? The changes on multiple unrelated lines blow up the diff.
Fixed