From ab2614ec2d444e06c1407854f6a451cc36a03f1d Mon Sep 17 00:00:00 2001 From: Dmitrii Stepanov Date: Mon, 17 Jul 2023 16:46:46 +0300 Subject: [PATCH] [#528] objectcore: Validate token issuer Add token issuer against object owner validation. Signed-off-by: Dmitrii Stepanov --- pkg/core/object/fmt.go | 7 ++++++- pkg/core/object/fmt_test.go | 30 ++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/pkg/core/object/fmt.go b/pkg/core/object/fmt.go index e6d8174fa..fe6654517 100644 --- a/pkg/core/object/fmt.go +++ b/pkg/core/object/fmt.go @@ -153,9 +153,14 @@ func (v *FormatValidator) validateSignatureKey(obj *objectSDK.Object) error { } token := obj.SessionToken() + ownerID := *obj.OwnerID() if token == nil || !token.AssertAuthKey(&key) { - return v.checkOwnerKey(*obj.OwnerID(), key) + return v.checkOwnerKey(ownerID, key) + } + + if !token.Issuer().Equals(ownerID) { + return fmt.Errorf("(%T) different token issuer and object owner identifiers %s/%s", v, token.Issuer(), ownerID) } return nil diff --git a/pkg/core/object/fmt_test.go b/pkg/core/object/fmt_test.go index d04c16709..392ecf605 100644 --- a/pkg/core/object/fmt_test.go +++ b/pkg/core/object/fmt_test.go @@ -8,11 +8,13 @@ import ( objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object" cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test" + frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa" objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test" sessiontest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session/test" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" + "github.com/google/uuid" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/stretchr/testify/require" ) @@ -104,6 +106,34 @@ func TestFormatValidator_Validate(t *testing.T) { require.NoError(t, v.Validate(context.Background(), obj, false)) }) + t.Run("invalid w/ session token", func(t *testing.T) { + var idOwner user.ID + user.IDFromKey(&idOwner, ownerKey.PrivateKey.PublicKey) + + var randomUserID user.ID + randPrivKey, err := keys.NewPrivateKey() + require.NoError(t, err) + user.IDFromKey(&randomUserID, randPrivKey.PrivateKey.PublicKey) + + tok := sessiontest.Object() + fsPubKey := frostfsecdsa.PublicKey(*ownerKey.PublicKey()) + tok.SetID(uuid.New()) + tok.SetAuthKey(&fsPubKey) + tok.SetExp(100500) + tok.SetIat(1) + tok.SetNbf(1) + err = tok.Sign(ownerKey.PrivateKey) + require.NoError(t, err) + + obj := objectSDK.New() + obj.SetContainerID(cidtest.ID()) + obj.SetSessionToken(tok) + obj.SetOwnerID(&randomUserID) + require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj)) + + require.Error(t, v.Validate(context.Background(), obj, false)) //invalid owner + }) + t.Run("correct w/o session token", func(t *testing.T) { obj := blankValidObject(&ownerKey.PrivateKey)