frostfs: Reject tokens with slash character

Current reverse proxy configs assume that token is a valid filename
with no nesting levels. It's better to reject unsupported tokens early

Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
Vitaliy Potyarkin 2024-10-16 17:16:35 +03:00
parent 61ce76f648
commit 597d147c7d


@ -8,6 +8,7 @@ import (
"errors"
"fmt"
"strconv"
"strings"
"time"
"github.com/go-acme/lego/v4/challenge"
@ -46,7 +47,9 @@ func NewHTTPProvider(endpoint, cid, walletPath, walletAccount, walletPassword st
}
func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
var err error
if strings.Contains(token, "/") {
return fmt.Errorf("token with slash character is not supported: %s", token)
}
if w.oid != "" {
return fmt.Errorf("%T is not safe to re-enter: object was saved and not yet cleaned up: %s", w, w.oid)
}
@ -54,6 +57,7 @@ func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
var err error
expires, err := w.frostfs.Epoch(ctx, time.Now().Add(tokenLifetime))
if err != nil {
return fmt.Errorf("failed to calculate token expiration: %w", err)
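Review bot: The new guard at the top of `Present` is a deny-list of a single character, so an empty token, `..`, a backslash or control characters still pass and reach whatever name the reverse proxy resolves as a filename. RFC 8555 restricts HTTP-01 tokens to the base64url alphabet, so an allow-list is stricter and matches the spec: `if token == "" || strings.Trim(token, base64URLAlphabet) != "" {`, where `base64URLAlphabet` would be a new constant spelling out the letters, digits, `-` and `_`. The error message should format the rejected value with `%q` rather than `%s`, because the token is supplied by the ACME server and unescaped bytes can corrupt a log line. `Present` continues past the end of the last hunk, so how the token is actually stored is not visible here.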