[#106] Put simplest bearer token check first

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
2020-10-22 15:45:28 +03:00 · 2020-10-22 15:45:28 +03:00 · 7464254680
commit 7464254680
parent 23ec33e821
1 changed files with 8 additions and 8 deletions
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@ -618,7 +618,12 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		return true
 	}

-	// 1. First check if bearer token is signed correctly.
+	// 1. First check token lifetime. Simplest verification.
+	if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
+		return false
+	}
+
+	// 2. Then check if bearer token is signed correctly.
 	signWrapper := v2signature.StableMarshalerWrapper{SM: token.GetBody()}
 	if err := signature.VerifyDataWithSource(signWrapper, func() (key, sig []byte) {
 		tokenSignature := token.GetSignature()
@ -627,7 +632,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		return false // invalid signature
 	}

-	// 2. Then check if container owner signed this token.
+	// 3. Then check if container owner signed this token.
 	tokenIssuerKey := crypto.UnmarshalPublicKey(token.GetSignature().GetKey())
 	tokenIssuerWallet, err := owner.NEO3WalletFromPublicKey(tokenIssuerKey)
 	if err != nil {
@ -642,7 +647,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		return false
 	}

-	// 3. Then check if request sender has rights to use this token.
+	// 4. Then check if request sender has rights to use this token.
 	tokenOwnerField := token.GetBody().GetOwnerID()
 	if tokenOwnerField != nil { // see bearer token owner field description
 		requestSenderKey := crypto.UnmarshalPublicKey(reqInfo.senderKey)
@ -656,11 +661,6 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
 		}
 	}

-	// 4. Then check token lifetime.
-	if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
-		return false
-	}
-
 	return true
 }