pkg/services/object/ape/checker.go

@@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
 		return nil
 	}
 
-	// 1. First check token lifetime. Simplest verification.
+	// First check token lifetime. Simplest verification.
 	if token.InvalidAt(st.CurrentEpoch()) {
 		return errBearerExpired
 	}
 
-	// 2. Then check if bearer token is signed correctly.
+	// Then check if bearer token is signed correctly.
 	if !token.VerifySignature() {
 		return errBearerInvalidSignature
 	}
 
-	// 3. Then check if container is either empty or equal to the container in the request.
+	// Check for ape overrides defined in the bearer token.
 	apeOverride := token.APEOverride()
-	if apeOverride.Target.TargetType != ape.TargetTypeContainer {
-		return errInvalidTargetType
+	if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
+		return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
 	}
 
+	// Then check if container is either empty or equal to the container in the request.
 	var targetCnr cid.ID
 	err := targetCnr.DecodeString(apeOverride.Target.Name)
 	if err != nil {
@@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu
 		return errBearerInvalidContainerID
 	}
 
-	// 4. Then check if container owner signed this token.
+	// Then check if container owner signed this token.
 	if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
 		return errBearerNotSignedByOwner
 	}
 
-	// 5. Then check if request sender has rights to use this token.
+	// Then check if request sender has rights to use this token.
 	var usrSender user.ID
 	user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
 

pkg/services/object/ape/service.go

@@ -164,6 +164,7 @@ func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectSt
 		apeChecker:      c.apeChecker,
 		namespace:       reqCtx.Namespace,
 		senderKey:       reqCtx.SenderKey,
+		containerOwner:  reqCtx.ContainerOwner,
 		role:            nativeSchemaRole(reqCtx.Role),
 		softAPECheck:    reqCtx.SoftAPECheck,
 		bearerToken:     reqCtx.BearerToken,

pkg/services/tree/ape.go

@@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 		return nil
 	}
 
-	// 1. First check token lifetime. Simplest verification.
+	// First check token lifetime. Simplest verification.
 	if token.InvalidAt(st.CurrentEpoch()) {
 		return errBearerExpired
 	}
 
-	// 2. Then check if bearer token is signed correctly.
+	// Then check if bearer token is signed correctly.
 	if !token.VerifySignature() {
 		return errBearerInvalidSignature
 	}
 
-	// 3. Then check if container is either empty or equal to the container in the request.
+	// Check for ape overrides defined in the bearer token.
 	apeOverride := token.APEOverride()
-	if apeOverride.Target.TargetType != ape.TargetTypeContainer {
-		return errInvalidTargetType
+	if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
+		return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
 	}
 
+	// Then check if container is either empty or equal to the container in the request.
 	var targetCnr cid.ID
 	err := targetCnr.DecodeString(apeOverride.Target.Name)
 	if err != nil {
@@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 		return errBearerInvalidContainerID
 	}
 
-	// 4. Then check if container owner signed this token.
+	// Then check if container owner signed this token.
 	if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
 		return errBearerNotSignedByOwner
 	}
 
-	// 5. Then check if request sender has rights to use this token.
+	// Then check if request sender has rights to use this token.
 	var usrSender user.ID
 	user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))