From ff1912aa2a009fbc857e88b99538df79adf5827d Mon Sep 17 00:00:00 2001
From: Evgenii Stratonikov <evgeniy@nspcc.ru>
Date: Tue, 29 Mar 2022 14:38:01 +0300
Subject: [PATCH] services/acl: check session token expiration epoch

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
---
 pkg/services/object/acl/v2/service.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
index eb2511eaf..cba1d3e82 100644
--- a/pkg/services/object/acl/v2/service.go
+++ b/pkg/services/object/acl/v2/service.go
@@ -417,6 +417,17 @@ func (b Service) findRequestInfo(
 		return info, errors.New("missing owner in container descriptor")
 	}
 
+	if req.token != nil && req.token.Exp() != 0 {
+		currentEpoch, err := b.nm.Epoch()
+		if err != nil {
+			return info, errors.New("can't fetch current epoch")
+		}
+		if req.token.Exp() < currentEpoch {
+			return info, fmt.Errorf("%w: token has expired (current epoch: %d, expired at %d)",
+				ErrMalformedRequest, currentEpoch, req.token.Exp())
+		}
+	}
+
 	// find request role and key
 	res, err := b.c.classify(req, cid, cnr)
 	if err != nil {
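Review bot: The guard `req.token.Exp() != 0` on the first added line makes a session token with a zero expiration epoch skip the check entirely, so it is never treated as expired. If zero is a deliberate "no expiry" value in the token format, add a comment such as `// Exp == 0 means the token carries no expiration` here; if it is not, reject such tokens instead of passing them through. The `b.nm.Epoch()` failure branch also drops the underlying error, and `return info, fmt.Errorf("can't fetch current epoch: %w", err)` would keep the cause visible when a request is denied. Only the upper bound is compared, so if the token also carries not-before or issued-at epochs (not visible in this hunk), they would need the same treatment. findRequestInfo starts and ends outside the hunk.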