[#1689] ape: Fix bearer token validation

* Request's sender is set to the token's issuer's public key if it's impersonated. Thus, token's user assertion must be fixed; * Add unit-test: check impersonated token but set user with `ForUser`. Change-Id: I5e299947761e237b1b4b339cf2d1278ef518239d Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2025-05-05 16:33:07 +03:00 · 2025-05-05 16:33:07 +03:00 · a5f76a609d
commit a5f76a609d
parent 6cedfbc17a
2 changed files with 34 additions and 2 deletions
--- a/pkg/services/common/ape/checker.go
+++ b/pkg/services/common/ape/checker.go
@ -157,8 +157,16 @@ func isValidBearer(token *bearer.Token, ownerCnr user.ID, cntID cid.ID, publicKe
 	var usrSender user.ID
 	user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey))

-	if !token.AssertUser(usrSender) {
-		return errBearerInvalidOwner
+	// Then check if sender is valid. If it is an impersonated token, the sender is set to the token's issuer's
+	// public key, but not the actual sender.
+	if !token.Impersonate() {
+		if !token.AssertUser(usrSender) {
+			return errBearerInvalidOwner
+		}
+	} else {
+		if !bearer.ResolveIssuer(*token).Equals(usrSender) {
+			return errBearerInvalidOwner
+		}
 	}

 	return nil
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@ -297,6 +297,30 @@ func TestMessageSign(t *testing.T) {
 			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
 		})

+		t.Run("impersonate, but target user is still set", func(t *testing.T) {
+			var bt bearer.Token
+			bt.SetExp(10)
+			bt.SetImpersonate(true)
+
+			var reqSigner user.ID
+			user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*privs[1].PublicKey()))
+
+			bt.ForUser(reqSigner)
+			bt.SetAPEOverride(bearer.APEOverride{
+				Target: ape.ChainTarget{
+					TargetType: ape.TargetTypeContainer,
+					Name:       cid1.EncodeToString(),
+				},
+				Chains: []ape.Chain{},
+			})
+			require.NoError(t, bt.Sign(privs[0].PrivateKey))
+			req.Body.BearerToken = bt.Marshal()
+
+			require.NoError(t, SignMessage(req, &privs[1].PrivateKey))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+			require.NoError(t, s.verifyClient(context.Background(), req, cid1, versionTreeID, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+		})
+
 		t.Run("impersonate but invalid signer", func(t *testing.T) {
 			var bt bearer.Token
 			bt.SetExp(10)