forked from TrueCloudLab/frostfs-node
[#528] objectcore: Validate token issuer
Add token issuer against object owner validation. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
This commit is contained in:
parent
4ea0df77d0
commit
ab2614ec2d
2 changed files with 36 additions and 1 deletions
|
|
@ -153,9 +153,14 @@ func (v *FormatValidator) validateSignatureKey(obj *objectSDK.Object) error {
|
|||
}
|
||||
|
||||
token := obj.SessionToken()
|
||||
ownerID := *obj.OwnerID()
|
||||
|
||||
if token == nil || !token.AssertAuthKey(&key) {
|
||||
return v.checkOwnerKey(*obj.OwnerID(), key)
|
||||
return v.checkOwnerKey(ownerID, key)
|
||||
}
|
||||
|
||||
if !token.Issuer().Equals(ownerID) {
|
||||
return fmt.Errorf("(%T) different token issuer and object owner identifiers %s/%s", v, token.Issuer(), ownerID)
|
||||
}
|
||||
|
||||
return nil
|
||||
|
|
|
|||
|
|
@ -8,11 +8,13 @@ import (
|
|||
|
||||
objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
|
||||
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
|
||||
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
||||
objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
||||
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
||||
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
|
||||
sessiontest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session/test"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||
"github.com/google/uuid"
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
|
@ -104,6 +106,34 @@ func TestFormatValidator_Validate(t *testing.T) {
|
|||
require.NoError(t, v.Validate(context.Background(), obj, false))
|
||||
})
|
||||
|
||||
t.Run("invalid w/ session token", func(t *testing.T) {
|
||||
var idOwner user.ID
|
||||
user.IDFromKey(&idOwner, ownerKey.PrivateKey.PublicKey)
|
||||
|
||||
var randomUserID user.ID
|
||||
randPrivKey, err := keys.NewPrivateKey()
|
||||
require.NoError(t, err)
|
||||
user.IDFromKey(&randomUserID, randPrivKey.PrivateKey.PublicKey)
|
||||
|
||||
tok := sessiontest.Object()
|
||||
fsPubKey := frostfsecdsa.PublicKey(*ownerKey.PublicKey())
|
||||
tok.SetID(uuid.New())
|
||||
tok.SetAuthKey(&fsPubKey)
|
||||
tok.SetExp(100500)
|
||||
tok.SetIat(1)
|
||||
tok.SetNbf(1)
|
||||
err = tok.Sign(ownerKey.PrivateKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
obj := objectSDK.New()
|
||||
obj.SetContainerID(cidtest.ID())
|
||||
obj.SetSessionToken(tok)
|
||||
obj.SetOwnerID(&randomUserID)
|
||||
require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj))
|
||||
|
||||
require.Error(t, v.Validate(context.Background(), obj, false)) //invalid owner
|
||||
})
|
||||
|
||||
t.Run("correct w/o session token", func(t *testing.T) {
|
||||
obj := blankValidObject(&ownerKey.PrivateKey)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue