Fix invalid session token type for container creation #900
2 changed files with 11 additions and 9 deletions
|
@ -35,6 +35,8 @@ var (
|
||||||
errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner")
|
errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner")
|
||||||
errEmptyBodySignature = errors.New("malformed request: empty body signature")
|
errEmptyBodySignature = errors.New("malformed request: empty body signature")
|
||||||
errMissingOwnerID = errors.New("malformed request: missing owner ID")
|
errMissingOwnerID = errors.New("malformed request: missing owner ID")
|
||||||
|
|
||||||
|
undefinedContainerID = cid.ID{}
|
||||||
)
|
)
|
||||||
|
|
||||||
type ir interface {
|
type ir interface {
|
||||||
|
@ -196,7 +198,7 @@ func (ac *apeChecker) getRoleWithoutContainerID(oID *refs.OwnerID, mh *session.R
|
||||||
return "", nil, err
|
return "", nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
actor, pk, err := ac.getActorAndPublicKey(mh, vh, cid.ID{})
|
actor, pk, err := ac.getActorAndPublicKey(mh, vh, undefinedContainerID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, err
|
return "", nil, err
|
||||||
}
|
}
|
||||||
|
@ -403,7 +405,7 @@ func (ac *apeChecker) getActorAndPKFromSignature(vh *session.RequestVerification
|
||||||
return &userID, key, nil
|
return &userID, key, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Object, error) {
|
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Container, error) {
|
||||||
for mh.GetOrigin() != nil {
|
for mh.GetOrigin() != nil {
|
||||||
mh = mh.GetOrigin()
|
mh = mh.GetOrigin()
|
||||||
}
|
}
|
||||||
|
@ -412,7 +414,7 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var tok sessionSDK.Object
|
var tok sessionSDK.Container
|
||||||
err := tok.ReadFromV2(*st)
|
err := tok.ReadFromV2(*st)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("invalid session token: %w", err)
|
return nil, fmt.Errorf("invalid session token: %w", err)
|
||||||
|
@ -421,8 +423,8 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
|
||||||
return &tok, nil
|
return &tok, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Object, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
|
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Container, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
|
||||||
if !st.AssertContainer(cnrID) {
|
if cnrID != undefinedContainerID && !st.AppliedTo(cnrID) {
|
||||||
|
|||||||
return nil, nil, errSessionContainerMissmatch
|
return nil, nil, errSessionContainerMissmatch
|
||||||
}
|
}
|
||||||
if !st.VerifySignature() {
|
if !st.VerifySignature() {
|
||||||
|
|
|
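Review bot: Skipping the container binding entirely when `cnrID == undefinedContainerID` (the `getActorAndPKFromSessionToken` hunk at the end of this file) means a container session token that was issued for one specific container is accepted for a request that carries no container, such as creation, unless the token's verb or scope is checked elsewhere — that check is not visible in this diff. The same sentinel is passed from `getRoleWithoutContainerID` in the earlier hunk, so both paths take the shortcut. If this is intended, make the invariant explicit above the condition: `// cnrID is undefinedContainerID for requests without a container (e.g. creation); the binding check is skipped and only the signature and owner checks below apply.` If it is not, the undefined case should still reject a token that is restricted to a particular container. The body of `getActorAndPKFromSessionToken` continues outside the hunk.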
@ -253,8 +253,8 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
|
||||||
|
|
||||||
sessionPK, err := keys.NewPrivateKey()
|
sessionPK, err := keys.NewPrivateKey()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
sToken := sessiontest.ObjectSigned()
|
sToken := sessiontest.ContainerSigned()
|
||||||
sToken.BindContainer(contID)
|
sToken.ApplyOnlyTo(contID)
|
||||||
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
|
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
|
||||||
var sTokenV2 session.Token
|
var sTokenV2 session.Token
|
||||||
sToken.WriteToV2(&sTokenV2)
|
sToken.WriteToV2(&sTokenV2)
|
||||||
|
@ -325,8 +325,8 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
|
||||||
|
|
||||||
sessionPK, err := keys.NewPrivateKey()
|
sessionPK, err := keys.NewPrivateKey()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
sToken := sessiontest.ObjectSigned()
|
sToken := sessiontest.ContainerSigned()
|
||||||
sToken.BindContainer(cid.ID{})
|
sToken.ApplyOnlyTo(cid.ID{})
|
||||||
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
|
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
|
||||||
var sTokenV2 session.Token
|
var sTokenV2 session.Token
|
||||||
sToken.WriteToV2(&sTokenV2)
|
sToken.WriteToV2(&sTokenV2)
|
||||||
|
|
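Review bot: In `testDenyPutContainerForOthersSessionToken` the token is now bound with `sToken.ApplyOnlyTo(cid.ID{})`, which is the same zero value the checker treats as "undefined" and uses to skip the container binding check, so this fixture presumably no longer exercises the container mismatch path and the denial must come from the owner check alone. A comment on that line would keep the next reader from assuming the binding is what is being tested: `// zero ID: the checker skips the container binding for PUT; denial must come from the owner mismatch`. The enclosing test function starts before the hunk.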
Like in innerring:
if v.idContainerSet && !tok.AppliedTo(v.idContainer) {