forked from TrueCloudLab/frostfs-node
[#1689] ape: Fix bearer token validation
* Request's sender is set to the token's issuer's public key if it's impersonated. Thus, token's user assertion must be fixed; * Add unit-test: check impersonated token but set user with `ForUser`. Change-Id: I5e299947761e237b1b4b339cf2d1278ef518239d Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
6cedfbc17a
commit
a5f76a609d
2 changed files with 34 additions and 2 deletions
|
|
@ -157,8 +157,16 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
|
||||||
var usrSender user.ID
|
var usrSender user.ID
|
||||||
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))
|
||||||
|
|
||||||
if !token.AssertUser(usrSender) {
|
// Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's
|
||||||
return errBearerInvalidOwner
|
// public key, but not the actual sender.
|
||||||
|
if !token.Impersonate() {
|
||||||
|
if !token.AssertUser(usrSender) {
|
||||||
|
return errBearerInvalidOwner
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if !bearer.ResolveIssuer(*token).Equals(usrSender) {
|
||||||
|
return errBearerInvalidOwner
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
|
|
||||||
|
|
@ -297,6 +297,30 @@ func TestMessageSign(t *testing.T) {
|
||||||
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
|
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("impersonate, but target user is still set", func(t *testing.T) {
|
||||||
|
var bt bearer.Token
|
||||||
|
bt.SetExp(10)
|
||||||
|
bt.SetImpersonate(true)
|
||||||
|
|
||||||
|
var reqSigner user.ID
|
||||||
|
user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*privs[1].PublicKey()))
|
||||||
|
|
||||||
|
bt.ForUser(reqSigner)
|
||||||
|
bt.SetAPEOverride(bearer.APEOverride{
|
||||||
|
Target: ape.ChainTarget{
|
||||||
|
TargetType: ape.TargetTypeContainer,
|
||||||
|
Name: cid1.EncodeToString(),
|
||||||
|
},
|
||||||
|
Chains: []ape.Chain{},
|
||||||
|
})
|
||||||
|
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
||||||
|
req.Body.BearerToken = bt.Marshal()
|
||||||
|
|
||||||
|
require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
|
||||||
|
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
||||||
|
require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
|
||||||
|
})
|
||||||
|
|
||||||
t.Run("impersonate but invalid signer", func(t *testing.T) {
|
t.Run("impersonate but invalid signer", func(t *testing.T) {
|
||||||
var bt bearer.Token
|
var bt bearer.Token
|
||||||
bt.SetExp(10)
|
bt.SetExp(10)
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue