forked from TrueCloudLab/frostfs-node
[#1218] tree: Fix bearer token validation
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
1db4b0e020
commit
b02370a789
1 changed files with 8 additions and 7 deletions
|
@ -85,22 +85,23 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
|
|||
return nil
|
||||
}
|
||||
|
||||
// 1. First check token lifetime. Simplest verification.
|
||||
// First check token lifetime. Simplest verification.
|
||||
if token.InvalidAt(st.CurrentEpoch()) {
|
||||
return errBearerExpired
|
||||
}
|
||||
|
||||
// 2. Then check if bearer token is signed correctly.
|
||||
// Then check if bearer token is signed correctly.
|
||||
if !token.VerifySignature() {
|
||||
return errBearerInvalidSignature
|
||||
}
|
||||
|
||||
// 3. Then check if container is either empty or equal to the container in the request.
|
||||
// Check for ape overrides defined in the bearer token.
|
||||
apeOverride := token.APEOverride()
|
||||
if apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
||||
return errInvalidTargetType
|
||||
if len(apeOverride.Chains) > 0 && apeOverride.Target.TargetType != ape.TargetTypeContainer {
|
||||
return fmt.Errorf("%w: %s", errInvalidTargetType, apeOverride.Target.TargetType.ToV2().String())
|
||||
}
|
||||
|
||||
// Then check if container is either empty or equal to the container in the request.
|
||||
var targetCnr cid.ID
|
||||
err := targetCnr.DecodeString(apeOverride.Target.Name)
|
||||
if err != nil {
|
||||
|
@ -110,12 +111,12 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
|
|||
return errBearerInvalidContainerID
|
||||
}
|
||||
|
||||
// 4. Then check if container owner signed this token.
|
||||
// Then check if container owner signed this token.
|
||||
if !bearer.ResolveIssuer(*token).Equals(ownerCnr) {
|
||||
return errBearerNotSignedByOwner
|
||||
}
|
||||
|
||||
// 5. Then check if request sender has rights to use this token.
|
||||
// Then check if request sender has rights to use this token.
|
||||
var usrSender user.ID
|
||||
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
||||
|
||||
|
|
Loading…
Reference in a new issue