ale64bit/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#2028] node: Check session token's NBF and IAT

Browse source 
ACL service did not check "Not Valid Before" and "Issued At" claims.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
Pavel Karpy 2022-11-10 20:58:06 +03:00 committed by fyrchik
parent aadd2ad050
commit 481b48b942
2 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -23,6 +23,7 @@ Changelog for NeoFS Node
- Child object collection on CLI side with a bearer token (#2000) - Child object collection on CLI side with a bearer token (#2000)
- Fix concurrent map writes in `Object.Put` service (#2037) - Fix concurrent map writes in `Object.Put` service (#2037)
- Malformed request errors' reasons in the responses (#2028) - Malformed request errors' reasons in the responses (#2028)
- Session token's IAT and NBF checks in ACL service (#2028)
### Removed ### Removed
### Updated ### Updated

4
pkg/services/object/acl/v2/service.go
View file

@ -573,8 +573,8 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
if err != nil { if err != nil {
return info, errors.New("can't fetch current epoch") return info, errors.New("can't fetch current epoch")
} }
if req.token.ExpiredAt(currentEpoch) { if req.token.InvalidAt(currentEpoch) {
return info, fmt.Errorf("%s: token has expired (current epoch: %d)", return info, fmt.Errorf("%s: token is invalid at %d epoch)",
invalidRequestMessage, currentEpoch) invalidRequestMessage, currentEpoch)
} }