From 5c0a736a25ed2e30f19a1ecd86796390277b6a50 Mon Sep 17 00:00:00 2001
From: Dmitrii Stepanov
Date: Wed, 10 Jan 2024 18:37:54 +0300
Subject: [PATCH] [#899] containerSvc: Fix invalid session token type

Signed-off-by: Dmitrii Stepanov
---
 pkg/services/container/ape.go | 12 +++++++-----
 pkg/services/container/ape_test.go | 8 ++++----
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/pkg/services/container/ape.go b/pkg/services/container/ape.go
index e1ef43c6..36edf451 100644
--- a/pkg/services/container/ape.go
+++ b/pkg/services/container/ape.go
@@ -35,6 +35,8 @@ var (
 	errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner")
 	errEmptyBodySignature = errors.New("malformed request: empty body signature")
 	errMissingOwnerID = errors.New("malformed request: missing owner ID")
+
+	undefinedContainerID = cid.ID{}
 )
 
 type ir interface {
@@ -196,7 +198,7 @@ func (ac *apeChecker) getRoleWithoutContainerID(oID *refs.OwnerID, mh *session.R
 		return "", nil, err
 	}
 
-	actor, pk, err := ac.getActorAndPublicKey(mh, vh, cid.ID{})
+	actor, pk, err := ac.getActorAndPublicKey(mh, vh, undefinedContainerID)
 	if err != nil {
 		return "", nil, err
 	}
@@ -403,7 +405,7 @@ func (ac *apeChecker) getActorAndPKFromSignature(vh *session.RequestVerification
 	return &userID, key, nil
 }
 
-func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Object, error) {
+func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Container, error) {
 	for mh.GetOrigin() != nil {
 		mh = mh.GetOrigin()
 	}
@@ -412,7 +414,7 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
 		return nil, nil
 	}
 
-	var tok sessionSDK.Object
+	var tok sessionSDK.Container
 	err := tok.ReadFromV2(*st)
 	if err != nil {
 		return nil, fmt.Errorf("invalid session token: %w", err)
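Review bot: `undefinedContainerID = cid.ID{}` sits inside the `var (` block of error sentinels, so it is a mutable package-level value rather than a constant, and nothing marks it as a sentinel that must never be written. Because the zero value is later used as the comparison target that decides whether the container-scope check in getActorAndPKFromSessionToken runs at all, a stray assignment anywhere in the package would silently change which requests are checked. A doc comment on the declaration would make the contract explicit, e.g. `// undefinedContainerID is the zero container ID passed for requests that carry no container; it is compared, never assigned.` Grouping it in its own `var` block, separate from the `errXxx` values, would also keep the sentinel visually apart from the error set.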
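Review bot: getSessionToken's changed signature still has no doc comment, and the hunk that follows shows a `return nil, nil` path, presumably when no token is attached, which callers must distinguish from the error return. Since the result type is now `*sessionSDK.Container`, the comment should also record that an object-type token is rejected by `ReadFromV2` rather than silently treated as a container token, if that is indeed what the SDK does — worth confirming. Suggested: `// getSessionToken follows the meta header's origin chain to the innermost header and decodes its session token as a container session token. It returns (nil, nil) when no token is attached and an error when the token is not a valid container token.` The function body continues past this hunk.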
@@ -421,8 +423,8 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
 	return &tok, nil
 }
 
-func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Object, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
-	if !st.AssertContainer(cnrID) {
+func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Container, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
+	if cnrID != undefinedContainerID && !st.AppliedTo(cnrID) {
 		return nil, nil, errSessionContainerMissmatch
 	}
 	if !st.VerifySignature() {
diff --git a/pkg/services/container/ape_test.go b/pkg/services/container/ape_test.go
index b61e68eb..f4dfbe50 100644
--- a/pkg/services/container/ape_test.go
+++ b/pkg/services/container/ape_test.go
@@ -253,8 +253,8 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
 	sessionPK, err := keys.NewPrivateKey()
 	require.NoError(t, err)
 
-	sToken := sessiontest.ObjectSigned()
-	sToken.BindContainer(contID)
+	sToken := sessiontest.ContainerSigned()
+	sToken.ApplyOnlyTo(contID)
 	require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
 	var sTokenV2 session.Token
 	sToken.WriteToV2(&sTokenV2)
@@ -325,8 +325,8 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
 	sessionPK, err := keys.NewPrivateKey()
 	require.NoError(t, err)
 
-	sToken := sessiontest.ObjectSigned()
-	sToken.BindContainer(cid.ID{})
+	sToken := sessiontest.ContainerSigned()
+	sToken.ApplyOnlyTo(cid.ID{})
 	require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
 	var sTokenV2 session.Token
 	sToken.WriteToV2(&sTokenV2)
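Review bot: The new guard `cnrID != undefinedContainerID && !st.AppliedTo(cnrID)` skips the token-scope check entirely whenever the caller passes the zero ID, so on the container-less path (getRoleWithoutContainerID passes `undefinedContainerID`) a token restricted with ApplyOnlyTo to one specific container is accepted as if it were unrestricted. Whether a container-scoped token should be honoured for operations that carry no container ID is a policy decision the commit does not record; if that is intended, say so on the condition, e.g. `// requests without a container ID cannot be matched against the token's scope; only the remaining checks apply`, and if it is not, the zero-ID path needs its own rule rather than a bypass. If `sessionSDK.Container.AppliedTo` already treats the zero ID specially, the pre-check is redundant and the short-circuit hides that — worth confirming against the SDK rather than assuming. The body of getActorAndPKFromSessionToken continues past this hunk.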
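Review bot: Neither test hunk exercises the new branch in getActorAndPKFromSessionToken where `cnrID` is the zero ID while the token is restricted to a specific container; testDenyPutContainerForOthersSessionToken restricts its token with `ApplyOnlyTo(cid.ID{})`, which is exactly the case the new condition never evaluates. A companion case that builds a token with `sessiontest.ContainerSigned()`, calls `ApplyOnlyTo` with a freshly generated non-zero container ID, and submits it on the container-less request path would pin whether such a token is meant to be accepted or rejected there. Both test functions start before their hunks, so the request construction they rely on is not visible here.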