Fix invalid session token type for container creation #900

Merged
fyrchik merged 1 commit from dstepanov-yadro/frostfs-node:fix/create_container_session_context into master 2024-01-11 07:20:32 +00:00
2 changed files with 11 additions and 9 deletions

View file

@ -35,6 +35,8 @@ var (
errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner")
errEmptyBodySignature = errors.New("malformed request: empty body signature")
errMissingOwnerID = errors.New("malformed request: missing owner ID")
undefinedContainerID = cid.ID{}
)
type ir interface {
@ -196,7 +198,7 @@ func (ac *apeChecker) getRoleWithoutContainerID(oID *refs.OwnerID, mh *session.R
return "", nil, err
}
actor, pk, err := ac.getActorAndPublicKey(mh, vh, cid.ID{})
actor, pk, err := ac.getActorAndPublicKey(mh, vh, undefinedContainerID)
if err != nil {
return "", nil, err
}
@ -403,7 +405,7 @@ func (ac *apeChecker) getActorAndPKFromSignature(vh *session.RequestVerification
return &userID, key, nil
}
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Object, error) {
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Container, error) {
for mh.GetOrigin() != nil {
mh = mh.GetOrigin()
}
@ -412,7 +414,7 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
return nil, nil
}
var tok sessionSDK.Object
var tok sessionSDK.Container
err := tok.ReadFromV2(*st)
if err != nil {
return nil, fmt.Errorf("invalid session token: %w", err)
@ -421,8 +423,8 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
return &tok, nil
}
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Object, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
if !st.AssertContainer(cnrID) {
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Container, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
if cnrID != undefinedContainerID && !st.AppliedTo(cnrID) {
Review

Like by innerring:

if v.idContainerSet && !tok.AppliedTo(v.idContainer) {

Like by innerring: https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/79bebe4a683ceab420742577a46bfc536bc2e118/pkg/innerring/processors/container/common.go#L113
return nil, nil, errSessionContainerMissmatch
}
if !st.VerifySignature() {

View file

@ -253,8 +253,8 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
sessionPK, err := keys.NewPrivateKey()
require.NoError(t, err)
sToken := sessiontest.ObjectSigned()
sToken.BindContainer(contID)
sToken := sessiontest.ContainerSigned()
sToken.ApplyOnlyTo(contID)
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
var sTokenV2 session.Token
sToken.WriteToV2(&sTokenV2)
@ -325,8 +325,8 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
sessionPK, err := keys.NewPrivateKey()
require.NoError(t, err)
sToken := sessiontest.ObjectSigned()
sToken.BindContainer(cid.ID{})
sToken := sessiontest.ContainerSigned()
sToken.ApplyOnlyTo(cid.ID{})
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
var sTokenV2 session.Token
sToken.WriteToV2(&sTokenV2)