[#1218] tree: Fix bearer token validation

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

pkg/services/tree/ape.go

@@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 		return nil
 	}
 
-	// 1. First check token lifetime. Simplest verification.
+	// First check token lifetime. Simplest verification.
 	if token.InvalidAt(st.CurrentEpoch()) {
 		return errBearerExpired
 	}
 
-	// 2. Then check if bearer token is signed correctly.
+	// Then check if bearer token is signed correctly.
 	if !token.VerifySignature() {
 		return errBearerInvalidSignature
 	}
 
-	// 3. Then check if container is either empty or equal to the container in the request.
+	// Check for ape overrides defined in the bearer token.
 	apeOverride := token.APEOverride()
-	if apeOverride.Target.TargetType != ape.TargetTypeContainer {
-		return errInvalidTargetType
+	if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
+		return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
 	}
 
+	// Then check if container is either empty or equal to the container in the request.
 	var targetCnr cid.ID
 	err := targetCnr.DecodeString(apeOverride.Target.Name)
 	if err != nil {
@@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 		return errBearerInvalidContainerID
 	}
 
-	// 4. Then check if container owner signed this token.
+	// Then check if container owner signed this token.
 	if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
 		return errBearerNotSignedByOwner
 	}
 
-	// 5. Then check if request sender has rights to use this token.
+	// Then check if request sender has rights to use this token.
 	var usrSender user.ID
 	user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))