From 1db4b0e020879d5dfe8d461dc40d057814a50b17 Mon Sep 17 00:00:00 2001 From: Airat Arifullin Date: Tue, 2 Jul 2024 13:08:59 +0300 Subject: [PATCH] [#1218] object: Fix bearer token validation Signed-off-by: Airat Arifullin --- pkg/services/object/ape/checker.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/pkg/services/object/ape/checker.go b/pkg/services/object/ape/checker.go index ee12d7b9..7541ad11 100644 --- a/pkg/services/object/ape/checker.go +++ b/pkg/services/object/ape/checker.go @@ -97,22 +97,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu return nil } - // 1. First check token lifetime. Simplest verification. + // First check token lifetime. Simplest verification. if token.InvalidAt(st.CurrentEpoch()) { return errBearerExpired } - // 2. Then check if bearer token is signed correctly. + // Then check if bearer token is signed correctly. if !token.VerifySignature() { return errBearerInvalidSignature } - // 3. Then check if container is either empty or equal to the container in the request. + // Check for ape overrides defined in the bearer token. apeOverride := token.APEOverride() - if apeOverride.Target.TargetType != ape.TargetTypeContainer { - return errInvalidTargetType + if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer { + return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String()) } + // Then check if container is either empty or equal to the container in the request. var targetCnr cid.ID err := targetCnr.DecodeString(apeOverride.Target.Name) if err != nil { @@ -122,12 +123,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, pu return errBearerInvalidContainerID } - // 4. Then check if container owner signed this token. + // Then check if container owner signed this token. if !bearer.ResolveIssuer(*token).Equals(ownerCnr) { return errBearerNotSignedByOwner } - // 5. Then check if request sender has rights to use this token. + // Then check if request sender has rights to use this token. var usrSender user.ID user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))