diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go index 116adf5d..a6202d1a 100644 --- a/pkg/services/tree/ape.go +++ b/pkg/services/tree/ape.go @@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe return nil } - // 1. First check token lifetime. Simplest verification. + // First check token lifetime. Simplest verification. if token.InvalidAt(st.CurrentEpoch()) { return errBearerExpired } - // 2. Then check if bearer token is signed correctly. + // Then check if bearer token is signed correctly. if !token.VerifySignature() { return errBearerInvalidSignature } - // 3. Then check if container is either empty or equal to the container in the request. + // Check for ape overrides defined in the bearer token. apeOverride := token.APEOverride() - if apeOverride.Target.TargetType != ape.TargetTypeContainer { - return errInvalidTargetType + if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer { + return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String()) } + // Then check if container is either empty or equal to the container in the request. var targetCnr cid.ID err := targetCnr.DecodeString(apeOverride.Target.Name) if err != nil { @@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe return errBearerInvalidContainerID } - // 4. Then check if container owner signed this token. + // Then check if container owner signed this token. if !bearer.ResolveIssuer(*token).Equals(ownerCnr) { return errBearerNotSignedByOwner } - // 5. Then check if request sender has rights to use this token. + // Then check if request sender has rights to use this token. var usrSender user.ID user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))