[#1266] object/acl: Check bearer token container ID

If the container ID is not nil and not equal to the container ID in the request, consider bearer token invalid. See also nspcc-dev/neofs-api#207. Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2022-03-29 14:46:37 +03:00 · 2022-03-29 14:46:37 +03:00 · 0504c3e0c6
commit 0504c3e0c6
parent 3a2c025843
1 changed files with 14 additions and 7 deletions
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@ -63,6 +63,7 @@ var (
 	errEACLDeniedByRule         = errors.New("denied by rule")
 	errBearerExpired            = errors.New("bearer token has expired")
 	errBearerInvalidSignature   = errors.New("bearer token has invalid signature")
 	errBearerInvalidContainerID = errors.New("bearer token was created for another container")
 	errBearerNotSignedByOwner   = errors.New("bearer token is not signed by the container owner")
 	errBearerInvalidOwner       = errors.New("bearer token owner differs from the request sender")
 )
@ -225,13 +226,19 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
 		return errBearerInvalidSignature
 	}
-	// 3. Then check if container owner signed this token.
+	// 3. Then check if container is either empty or equal to the container in the request.
 	cnr, isSet := token.EACLTable().CID()
 	if isSet && !cnr.Equals(reqInfo.ContainerID()) {
 		return errBearerInvalidContainerID
 	}
 	// 4. Then check if container owner signed this token.
 	if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
 		// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
 		return errBearerNotSignedByOwner
 	}
-	// 4. Then check if request sender has rights to use this token.
+	// 5. Then check if request sender has rights to use this token.
 	var keySender neofsecdsa.PublicKey
 	err := keySender.Decode(reqInfo.SenderKey())