forked from TrueCloudLab/frostfs-node
[#899] containerSvc: Fix invalid session token type
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
This commit is contained in:
parent
79bebe4a68
commit
5c0a736a25
2 changed files with 11 additions and 9 deletions
|
|
@ -35,6 +35,8 @@ var (
|
|||
errInvalidSessionTokenOwner = errors.New("malformed request: invalid session token owner")
|
||||
errEmptyBodySignature = errors.New("malformed request: empty body signature")
|
||||
errMissingOwnerID = errors.New("malformed request: missing owner ID")
|
||||
|
||||
undefinedContainerID = cid.ID{}
|
||||
)
|
||||
|
||||
type ir interface {
|
||||
|
|
@ -196,7 +198,7 @@ func (ac *apeChecker) getRoleWithoutContainerID(oID *refs.OwnerID, mh *session.R
|
|||
return "", nil, err
|
||||
}
|
||||
|
||||
actor, pk, err := ac.getActorAndPublicKey(mh, vh, cid.ID{})
|
||||
actor, pk, err := ac.getActorAndPublicKey(mh, vh, undefinedContainerID)
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
|
|
@ -403,7 +405,7 @@ func (ac *apeChecker) getActorAndPKFromSignature(vh *session.RequestVerification
|
|||
return &userID, key, nil
|
||||
}
|
||||
|
||||
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Object, error) {
|
||||
func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSDK.Container, error) {
|
||||
for mh.GetOrigin() != nil {
|
||||
mh = mh.GetOrigin()
|
||||
}
|
||||
|
|
@ -412,7 +414,7 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
var tok sessionSDK.Object
|
||||
var tok sessionSDK.Container
|
||||
err := tok.ReadFromV2(*st)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid session token: %w", err)
|
||||
|
|
@ -421,8 +423,8 @@ func (ac *apeChecker) getSessionToken(mh *session.RequestMetaHeader) (*sessionSD
|
|||
return &tok, nil
|
||||
}
|
||||
|
||||
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Object, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
|
||||
if !st.AssertContainer(cnrID) {
|
||||
func (ac *apeChecker) getActorAndPKFromSessionToken(st *sessionSDK.Container, cnrID cid.ID) (*user.ID, *keys.PublicKey, error) {
|
||||
if cnrID != undefinedContainerID && !st.AppliedTo(cnrID) {
|
||||
return nil, nil, errSessionContainerMissmatch
|
||||
}
|
||||
if !st.VerifySignature() {
|
||||
|
|
|
|||
|
|
@ -253,8 +253,8 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
|
|||
|
||||
sessionPK, err := keys.NewPrivateKey()
|
||||
require.NoError(t, err)
|
||||
sToken := sessiontest.ObjectSigned()
|
||||
sToken.BindContainer(contID)
|
||||
sToken := sessiontest.ContainerSigned()
|
||||
sToken.ApplyOnlyTo(contID)
|
||||
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
|
||||
var sTokenV2 session.Token
|
||||
sToken.WriteToV2(&sTokenV2)
|
||||
|
|
@ -325,8 +325,8 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
|
|||
|
||||
sessionPK, err := keys.NewPrivateKey()
|
||||
require.NoError(t, err)
|
||||
sToken := sessiontest.ObjectSigned()
|
||||
sToken.BindContainer(cid.ID{})
|
||||
sToken := sessiontest.ContainerSigned()
|
||||
sToken.ApplyOnlyTo(cid.ID{})
|
||||
require.NoError(t, sToken.Sign(sessionPK.PrivateKey))
|
||||
var sTokenV2 session.Token
|
||||
sToken.WriteToV2(&sTokenV2)
|
||||
|
|
|
|||
Loading…
Reference in a new issue