[#1494] services/object: Do not ignore bearer token decode errors

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2022-06-08 11:53:15 +03:00 · 2022-06-08 11:53:15 +03:00 · bbf8b8e74d
commit bbf8b8e74d
parent 795d1e0789
4 changed files with 67 additions and 20 deletions
--- a/pkg/services/object/acl/v2/service.go
+++ b/pkg/services/object/acl/v2/service.go
@ -118,10 +118,15 @@ func (b Service) Get(request *objectV2.GetRequest, stream object.GetObjectStream
 		return err
 	}

+	bTok, err := originalBearerToken(request.GetMetaHeader())
+	if err != nil {
+		return err
+	}
+
 	req := MetaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  originalBearerToken(request.GetMetaHeader()),
+		bearer:  bTok,
 		src:     request,
 	}

@ -172,10 +177,15 @@ func (b Service) Head(
 		return nil, err
 	}

+	bTok, err := originalBearerToken(request.GetMetaHeader())
+	if err != nil {
+		return nil, err
+	}
+
 	req := MetaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  originalBearerToken(request.GetMetaHeader()),
+		bearer:  bTok,
 		src:     request,
 	}

@ -218,10 +228,15 @@ func (b Service) Search(request *objectV2.SearchRequest, stream object.SearchStr
 		return err
 	}

+	bTok, err := originalBearerToken(request.GetMetaHeader())
+	if err != nil {
+		return err
+	}
+
 	req := MetaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  originalBearerToken(request.GetMetaHeader()),
+		bearer:  bTok,
 		src:     request,
 	}

@ -261,10 +276,15 @@ func (b Service) Delete(
 		return nil, err
 	}

+	bTok, err := originalBearerToken(request.GetMetaHeader())
+	if err != nil {
+		return nil, err
+	}
+
 	req := MetaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  originalBearerToken(request.GetMetaHeader()),
+		bearer:  bTok,
 		src:     request,
 	}

@ -300,10 +320,15 @@ func (b Service) GetRange(request *objectV2.GetRangeRequest, stream object.GetOb
 		return err
 	}

+	bTok, err := originalBearerToken(request.GetMetaHeader())
+	if err != nil {
+		return err
+	}
+
 	req := MetaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  originalBearerToken(request.GetMetaHeader()),
+		bearer:  bTok,
 		src:     request,
 	}

@ -344,10 +369,15 @@ func (b Service) GetRangeHash(
 		return nil, err
 	}

+	bTok, err := originalBearerToken(request.GetMetaHeader())
+	if err != nil {
+		return nil, err
+	}
+
 	req := MetaWithToken{
 		vheader: request.GetVerificationHeader(),
 		token:   sTok,
-		bearer:  originalBearerToken(request.GetMetaHeader()),
+		bearer:  bTok,
 		src:     request,
 	}

@ -408,10 +438,15 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
 			}
 		}

+		bTok, err := originalBearerToken(request.GetMetaHeader())
+		if err != nil {
+			return err
+		}
+
 		req := MetaWithToken{
 			vheader: request.GetVerificationHeader(),
 			token:   sTok,
-			bearer:  originalBearerToken(request.GetMetaHeader()),
+			bearer:  bTok,
 			src:     request,
 		}

--- a/pkg/services/object/acl/v2/util.go
+++ b/pkg/services/object/acl/v2/util.go
@ -57,20 +57,18 @@ func getContainerIDFromRequest(req interface{}) (cid.ID, error) {

 // originalBearerToken goes down to original request meta header and fetches
 // bearer token from there.
-func originalBearerToken(header *sessionV2.RequestMetaHeader) *bearer.Token {
+func originalBearerToken(header *sessionV2.RequestMetaHeader) (*bearer.Token, error) {
 	for header.GetOrigin() != nil {
 		header = header.GetOrigin()
 	}

 	tokV2 := header.GetBearerToken()
 	if tokV2 == nil {
-		return nil
+		return nil, nil
 	}

 	var tok bearer.Token
-	tok.ReadFromV2(*tokV2)
-
-	return &tok
+	return &tok, tok.ReadFromV2(*tokV2)
 }

 // originalSessionToken goes down to original request meta header and fetches
--- a/pkg/services/object/acl/v2/util_test.go
+++ b/pkg/services/object/acl/v2/util_test.go
@ -1,12 +1,14 @@
 package v2

 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"testing"

 	"github.com/nspcc-dev/neofs-api-go/v2/acl"
-	acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
 	"github.com/nspcc-dev/neofs-api-go/v2/session"
-	"github.com/nspcc-dev/neofs-sdk-go/bearer"
+	bearertest "github.com/nspcc-dev/neofs-sdk-go/bearer/test"
 	"github.com/nspcc-dev/neofs-sdk-go/eacl"
 	sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
 	sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
@ -15,20 +17,29 @@ import (

 func TestOriginalTokens(t *testing.T) {
 	sToken := sessiontest.ObjectSigned()
-	bTokenV2 := acltest.GenerateBearerToken(false)
+	bToken := bearertest.Token()

-	var bToken bearer.Token
-	bToken.ReadFromV2(*bTokenV2)
+	pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, bToken.Sign(*pk))
+
+	var bTokenV2 acl.BearerToken
+	bToken.WriteToV2(&bTokenV2)
+	// This line is needed because SDK uses some custom format for
+	// reserved filters, so `cid.ID` is not converted to string immediately.
+	require.NoError(t, bToken.ReadFromV2(bTokenV2))

 	var sTokenV2 session.Token
 	sToken.WriteToV2(&sTokenV2)

 	for i := 0; i < 10; i++ {
-		metaHeaders := testGenerateMetaHeader(uint32(i), bTokenV2, &sTokenV2)
+		metaHeaders := testGenerateMetaHeader(uint32(i), &bTokenV2, &sTokenV2)
 		res, err := originalSessionToken(metaHeaders)
 		require.NoError(t, err)
 		require.Equal(t, sToken, res, i)
-		require.Equal(t, &bToken, originalBearerToken(metaHeaders), i)
+
+		bTok, err := originalBearerToken(metaHeaders)
+		require.NoError(t, err)
+		require.Equal(t, &bToken, bTok, i)
 	}
 }

--- a/pkg/services/object/util/prm.go
+++ b/pkg/services/object/util/prm.go
@ -127,7 +127,10 @@ func CommonPrmFromV2(req interface {

 	if tok := meta.GetBearerToken(); tok != nil {
 		prm.bearer = new(bearer.Token)
-		prm.bearer.ReadFromV2(*tok)
+		err = prm.bearer.ReadFromV2(*tok)
+		if err != nil {
+			return nil, fmt.Errorf("invalid bearer token: %w", err)
+		}
 	}

 	for i := range xHdrs {