forked from TrueCloudLab/frostfs-node
[#106] Put simplest bearer token check first
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
parent
23ec33e821
commit
7464254680
1 changed files with 8 additions and 8 deletions
|
@ -618,7 +618,12 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1. First check if bearer token is signed correctly.
|
// 1. First check token lifetime. Simplest verification.
|
||||||
|
if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// 2. Then check if bearer token is signed correctly.
|
||||||
signWrapper := v2signature.StableMarshalerWrapper{SM: token.GetBody()}
|
signWrapper := v2signature.StableMarshalerWrapper{SM: token.GetBody()}
|
||||||
if err := signature.VerifyDataWithSource(signWrapper, func() (key, sig []byte) {
|
if err := signature.VerifyDataWithSource(signWrapper, func() (key, sig []byte) {
|
||||||
tokenSignature := token.GetSignature()
|
tokenSignature := token.GetSignature()
|
||||||
|
@ -627,7 +632,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
|
||||||
return false // invalid signature
|
return false // invalid signature
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Then check if container owner signed this token.
|
// 3. Then check if container owner signed this token.
|
||||||
tokenIssuerKey := crypto.UnmarshalPublicKey(token.GetSignature().GetKey())
|
tokenIssuerKey := crypto.UnmarshalPublicKey(token.GetSignature().GetKey())
|
||||||
tokenIssuerWallet, err := owner.NEO3WalletFromPublicKey(tokenIssuerKey)
|
tokenIssuerWallet, err := owner.NEO3WalletFromPublicKey(tokenIssuerKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -642,7 +647,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Then check if request sender has rights to use this token.
|
// 4. Then check if request sender has rights to use this token.
|
||||||
tokenOwnerField := token.GetBody().GetOwnerID()
|
tokenOwnerField := token.GetBody().GetOwnerID()
|
||||||
if tokenOwnerField != nil { // see bearer token owner field description
|
if tokenOwnerField != nil { // see bearer token owner field description
|
||||||
requestSenderKey := crypto.UnmarshalPublicKey(reqInfo.senderKey)
|
requestSenderKey := crypto.UnmarshalPublicKey(reqInfo.senderKey)
|
||||||
|
@ -656,11 +661,6 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4. Then check token lifetime.
|
|
||||||
if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
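Review bot: The new step 1 in isValidBearer reads `token.GetBody().GetLifetime()` before the signature over that body has been verified, and the comment `// 1. First check token lifetime. Simplest verification.` does not say so. This is safe as written because the branch can only return false, but nothing stops a later edit from logging or otherwise acting on these still-unauthenticated epoch values. I would state the invariant in the comment, for example `// 1. Cheap pre-check on the not-yet-verified body: may only reject, never accept.` The function starts before the first hunk and isValidLifetime is not shown on this page, so it is worth confirming that a token with no lifetime set is rejected there rather than passed on to the later steps.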