[#1721] object: Make CheckAPE always validate bearer token

* The bearer token must always be validated, regardless of whether it has been impersonated;
* Fix unit-tests for tree service which check verification with bearer token.

Close #1721

Change-Id: I5f715c498ae10b2e758244e60b8f21849328a04f
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Airat Arifullin 2025-04-22 18:14:00 +03:00
parent 6bdbe6a18b
commit b0f39dca16
2 changed files with 35 additions and 5 deletions


@ -73,14 +73,18 @@ func New(localOverrideStorage policyengine.LocalOverrideStorage, morphChainStora
// CheckAPE performs the common policy-engine check logic on a prepared request.
func (c *checkerCoreImpl) CheckAPE(ctx context.Context, prm CheckPrm) error {
var cr policyengine.ChainRouter
if prm.BearerToken != nil && !prm.BearerToken.Impersonate() {
if prm.BearerToken != nil {
var err error
if err = isValidBearer(prm.BearerToken, prm.ContainerOwner, prm.Container, prm.PublicKey, c.State); err != nil {
return fmt.Errorf("bearer validation error: %w", err)
}
cr, err = router.BearerChainFeedRouter(c.LocalOverrideStorage, c.MorphChainStorage, prm.BearerToken.APEOverride())
if err != nil {
return fmt.Errorf("create chain router error: %w", err)
if prm.BearerToken.Impersonate() {
cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)
} else {
cr, err = router.BearerChainFeedRouter(c.LocalOverrideStorage, c.MorphChainStorage, prm.BearerToken.APEOverride())
if err != nil {
return fmt.Errorf("create chain router error: %w", err)
}
}
} else {
cr = policyengine.NewDefaultChainRouterWithLocalOverrides(c.MorphChainStorage, c.LocalOverrideStorage)
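Review bot: The new `if prm.BearerToken.Impersonate()` branch has no comment explaining why a token that has just passed `isValidBearer` is then routed without its `APEOverride()`, and that is the security-relevant part of this change. A line such as `// Impersonated token: validated above; its APE override is not applied, default chains are used.` above the first `cr = policyengine.NewDefaultChainRouterWithLocalOverrides(...)` would make it harder for a later refactor to fold the impersonation check back into the outer condition and skip validation again. The doc comment on `CheckAPE` could also state that a non-nil bearer token is always validated before any chain router is built. The page does not show whether a negative test feeds an impersonating token that fails `isValidBearer` directly into `CheckAPE`, and the function body continues past the end of this hunk.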