From ab2614ec2d444e06c1407854f6a451cc36a03f1d Mon Sep 17 00:00:00 2001
From: Dmitrii Stepanov
Date: Mon, 17 Jul 2023 16:46:46 +0300
Subject: [PATCH] [#528] objectcore: Validate token issuer
Add token issuer against object owner validation.
Signed-off-by: Dmitrii Stepanov
---
 pkg/core/object/fmt.go | 7 ++++++-
 pkg/core/object/fmt_test.go | 30 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/pkg/core/object/fmt.go b/pkg/core/object/fmt.go
index e6d8174f..fe665451 100644
--- a/pkg/core/object/fmt.go
+++ b/pkg/core/object/fmt.go
@@ -153,9 +153,14 @@ func (v *FormatValidator) validateSignatureKey(obj *objectSDK.Object) error {
 }
 token := obj.SessionToken()
+ ownerID := *obj.OwnerID()
 if token == nil || !token.AssertAuthKey(&key) {
- return v.checkOwnerKey(*obj.OwnerID(), key)
+ return v.checkOwnerKey(ownerID, key)
+ }
+
+ if !token.Issuer().Equals(ownerID) {
+ return fmt.Errorf("(%T) different token issuer and object owner identifiers %s/%s", v, token.Issuer(), ownerID)
 }
 return nil
diff --git a/pkg/core/object/fmt_test.go b/pkg/core/object/fmt_test.go
index d04c1670..392ecf60 100644
--- a/pkg/core/object/fmt_test.go
+++ b/pkg/core/object/fmt_test.go
@@ -8,11 +8,13 @@ import (
 objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
 cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
+ frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
 objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 sessiontest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session/test"
 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+ "github.com/google/uuid"
 "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 "github.com/stretchr/testify/require"
 )
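Review bot: `ownerID := *obj.OwnerID()` now dereferences the owner pointer before the `token == nil` branch, so every path through validateSignatureKey touches it, whereas before the session-token path never did; unless Validate is already guaranteed to reject a nil owner before reaching this function (not visible in the hunk), an object header without an owner now panics the validator instead of being reported as an error. A guard ahead of the dereference keeps that on the error path, e.g. `if obj.OwnerID() == nil { return fmt.Errorf("(%T) missing object owner", v) }`. The new `Issuer().Equals(ownerID)` comparison binds the owner to whatever issuer the token declares; it only has teeth if the token's own signature is verified against that issuer somewhere in the pipeline, and since that does not happen in this hunk a one-line comment naming where it is enforced would help the next reader judge the check. validateSignatureKey's body starts before and ends after this hunk.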
@@ -104,6 +106,34 @@ func TestFormatValidator_Validate(t *testing.T) {
 require.NoError(t, v.Validate(context.Background(), obj, false))
 })
+ t.Run("invalid w/ session token", func(t *testing.T) {
+ var idOwner user.ID
+ user.IDFromKey(&idOwner, ownerKey.PrivateKey.PublicKey)
+
+ var randomUserID user.ID
+ randPrivKey, err := keys.NewPrivateKey()
+ require.NoError(t, err)
+ user.IDFromKey(&randomUserID, randPrivKey.PrivateKey.PublicKey)
+
+ tok := sessiontest.Object()
+ fsPubKey := frostfsecdsa.PublicKey(*ownerKey.PublicKey())
+ tok.SetID(uuid.New())
+ tok.SetAuthKey(&fsPubKey)
+ tok.SetExp(100500)
+ tok.SetIat(1)
+ tok.SetNbf(1)
+ err = tok.Sign(ownerKey.PrivateKey)
+ require.NoError(t, err)
+
+ obj := objectSDK.New()
+ obj.SetContainerID(cidtest.ID())
+ obj.SetSessionToken(tok)
+ obj.SetOwnerID(&randomUserID)
+ require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj))
+
+ require.Error(t, v.Validate(context.Background(), obj, false)) //invalid owner
+ })
+
 t.Run("correct w/o session token", func(t *testing.T) {
 obj := blankValidObject(&ownerKey.PrivateKey)
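Review bot: `require.Error(t, v.Validate(context.Background(), obj, false))` at the end of the new subtest accepts any failure, so the case keeps passing if Validate rejects the object for an unrelated reason (an expiry or signature problem, say) rather than the issuer/owner mismatch it is named for; capture the error and pin it, `err = v.Validate(context.Background(), obj, false)` then `require.ErrorContains(t, err, "different token issuer and object owner identifiers")`. The mismatch itself is only implicit: `idOwner` is derived from ownerKey and never read afterwards, and the token's issuer appears to come from `tok.Sign(ownerKey.PrivateKey)` while the object owner is set to `randomUserID`, which deserves a comment such as `// token signed (and so issued) by ownerKey, object owned by an unrelated key` in place of the bare `//invalid owner`. TestFormatValidator_Validate continues outside the hunk on both sides.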