[#899] containerSvc: Fix invalid session token type

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Dmitrii Stepanov 2024-01-10 18:37:54 +03:00
parent 79bebe4a68
commit 5c0a736a25
2 changed files with 11 additions and 9 deletions


@ -35,6 +35,8 @@ var (
errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner") errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner")
errEmptyBodySignature = errors.New("malformed request: empty body signature") errEmptyBodySignature = errors.New("malformed request: empty body signature")
errMissingOwnerID = errors.New("malformed request: missing owner ID") errMissingOwnerID = errors.New("malformed request: missing owner ID")
undefinedContainerID = cid.ID{}
) )
type ir interface { type ir interface {
@ -196,7 +198,7 @@ func (ac *apeChecker) getRoleWithoutContainerID(oID *refs.OwnerID, mh *session.R
return "", nil, err return "", nil, err
} }
actor, pk, err := ac.getActorAndPublicKey(mh, vh, cid.ID{}) actor, pk, err := ac.getActorAndPublicKey(mh, vh, undefinedContainerID)
if err != nil { if err != nil {
return "", nil, err return "", nil, err
} }
@ -403,7 +405,7 @@ func (ac *apeChecker) getActorAndPKFromSignature(vh *session.RequestVerification
return &userID, key, nil return &userID, key, nil
} }
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Object, error) { func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Container, error) {
for mh.GetOrigin() != nil { for mh.GetOrigin() != nil {
mh = mh.GetOrigin() mh = mh.GetOrigin()
} }
@ -412,7 +414,7 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
return nil, nil return nil, nil
} }
var tok sessionSDK.Object var tok sessionSDK.Container
err := tok.ReadFromV2(*st) err := tok.ReadFromV2(*st)
if err != nil { if err != nil {
return nil, fmt.Errorf("invalid session token: %w", err) return nil, fmt.Errorf("invalid session token: %w", err)
@ -421,8 +423,8 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
return &tok, nil return &tok, nil
} }
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Object, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) { func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Container, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
if !st.AssertContainer(cnrID) { if cnrID != undefinedContainerID && !st.AppliedTo(cnrID) {
return nil, nil, errSessionContainerMissmatch return nil, nil, errSessionContainerMissmatch
} }
if !st.VerifySignature() { if !st.VerifySignature() {
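Review bot: The new guard in getActorAndPKFromSessionToken, `if cnrID != undefinedContainerID && !st.AppliedTo(cnrID)`, skips the container-scope check whenever the caller passes the zero cid.ID, so a token restricted to one container with ApplyOnlyTo appears to be accepted on the container-less path through getRoleWithoutContainerID. If that is intended for requests that carry no container ID, the declaration should say so, e.g. `// undefinedContainerID is the zero ID used when a request has no container; the session token's container binding is not checked for it.` It is also worth confirming that no caller can reach this function with a zero ID through an unset or unparsed field on a request that does target a container, since that would silently disable the check. The function body continues past `st.VerifySignature()` outside the hunk, so any verb or lifetime checks on the token cannot be judged from here.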


@ -253,8 +253,8 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
sessionPK, err := keys.NewPrivateKey() sessionPK, err := keys.NewPrivateKey()
require.NoError(t, err) require.NoError(t, err)
sToken := sessiontest.ObjectSigned() sToken := sessiontest.ContainerSigned()
sToken.BindContainer(contID) sToken.ApplyOnlyTo(contID)
require.NoError(t, sToken.Sign(sessionPK.PrivateKey)) require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
var sTokenV2 session.Token var sTokenV2 session.Token
sToken.WriteToV2(&sTokenV2) sToken.WriteToV2(&sTokenV2)
@ -325,8 +325,8 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
sessionPK, err := keys.NewPrivateKey() sessionPK, err := keys.NewPrivateKey()
require.NoError(t, err) require.NoError(t, err)
sToken := sessiontest.ObjectSigned() sToken := sessiontest.ContainerSigned()
sToken.BindContainer(cid.ID{}) sToken.ApplyOnlyTo(cid.ID{})
require.NoError(t, sToken.Sign(sessionPK.PrivateKey)) require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
var sTokenV2 session.Token var sTokenV2 session.Token
sToken.WriteToV2(&sTokenV2) sToken.WriteToV2(&sTokenV2)
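Review bot: `sToken.ApplyOnlyTo(cid.ID{})` in testDenyPutContainerForOthersSessionToken binds the token to the zero ID, the same value the checker now treats as "no container" and for which it skips the binding check, so this test does not pin how token scope is enforced. Two further cases would fix the intended semantics: a token bound to a non-zero container used on a request without a container ID, and a token bound to one container used on a request for a different one, expecting the container-mismatch denial. Both test functions start and end outside the hunks shown, so existing coverage elsewhere in the file cannot be ruled out.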