[#1689] ape: Fix bearer token validation

* Request's sender is set to the token's issuer's public key if
  it's impersonated. Thus, token's user assertion must be fixed;
* Add unit-test: check impersonated token but set user with `ForUser`.

Change-Id: I5e299947761e237b1b4b339cf2d1278ef518239d
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

pkg/services/common/ape/checker.go

@@ -157,8 +157,16 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 	var usrSender user.ID
 	user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
 
-	if !token.AssertUser(usrSender) {
-		return errBearerInvalidOwner
+	// Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's
+	// public key, but not the actual sender.
+	if !token.Impersonate() {
+		if !token.AssertUser(usrSender) {
+			return errBearerInvalidOwner
+		}
+	} else {
+		if !bearer.ResolveIssuer(*token).Equals(usrSender) {
+			return errBearerInvalidOwner
+		}
 	}
 
 	return nil