forked from TrueCloudLab/frostfs-node
[#1423] session: Get session issuer from token structure
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
2dec3a0a93
commit
2bcc0051ab
9 changed files with 24 additions and 64 deletions
2
go.mod
2
go.mod
|
@ -19,7 +19,7 @@ require (
|
||||||
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect
|
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.1
|
github.com/nspcc-dev/neofs-api-go/v2 v2.12.1
|
||||||
github.com/nspcc-dev/neofs-contract v0.15.1
|
github.com/nspcc-dev/neofs-contract v0.15.1
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220525080251-1f7fe6864d34
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220526065457-bef4618cd6b9
|
||||||
github.com/nspcc-dev/tzhash v1.5.2
|
github.com/nspcc-dev/tzhash v1.5.2
|
||||||
github.com/panjf2000/ants/v2 v2.4.0
|
github.com/panjf2000/ants/v2 v2.4.0
|
||||||
github.com/paulmach/orb v0.2.2
|
github.com/paulmach/orb v0.2.2
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -407,8 +407,8 @@ github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnB
|
||||||
github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
|
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
|
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220525080251-1f7fe6864d34 h1:s9+ckFRFDVJfYh/QezTUE4g1JP3pyU5NaNxBfUIyGh8=
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220526065457-bef4618cd6b9 h1:TV2/sp/2CY7h7R2MJfU7HYDvXjKGAcOMJvpmV/w4lFk=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220525080251-1f7fe6864d34/go.mod h1:u567oWTnAyGXbPWMrbcN0NB5zCPF+PqkaKg+vcijcho=
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220526065457-bef4618cd6b9/go.mod h1:u567oWTnAyGXbPWMrbcN0NB5zCPF+PqkaKg+vcijcho=
|
||||||
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||||
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
||||||
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||||
|
|
|
@ -164,29 +164,19 @@ func ownerFromToken(token *sessionSDK.Object) (*user.ID, *keys.PublicKey, error)
|
||||||
var tokV2 sessionV2.Token
|
var tokV2 sessionV2.Token
|
||||||
token.WriteToV2(&tokV2)
|
token.WriteToV2(&tokV2)
|
||||||
|
|
||||||
ownerSessionV2 := tokV2.GetBody().GetOwnerID()
|
|
||||||
if ownerSessionV2 == nil {
|
|
||||||
return nil, nil, errors.New("missing session owner")
|
|
||||||
}
|
|
||||||
|
|
||||||
var ownerSession user.ID
|
|
||||||
|
|
||||||
err := ownerSession.ReadFromV2(*ownerSessionV2)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, fmt.Errorf("invalid session token: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
tokenIssuerKey, err := unmarshalPublicKey(tokV2.GetSignature().GetKey())
|
tokenIssuerKey, err := unmarshalPublicKey(tokV2.GetSignature().GetKey())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, fmt.Errorf("invalid key in session token signature: %w", err)
|
return nil, nil, fmt.Errorf("invalid key in session token signature: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !isOwnerFromKey(&ownerSession, tokenIssuerKey) {
|
tokenIssuer := token.Issuer()
|
||||||
|
|
||||||
|
if !isOwnerFromKey(&tokenIssuer, tokenIssuerKey) {
|
||||||
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
||||||
return nil, nil, fmt.Errorf("%w: invalid session token owner", ErrMalformedRequest)
|
return nil, nil, fmt.Errorf("%w: invalid session token owner", ErrMalformedRequest)
|
||||||
}
|
}
|
||||||
|
|
||||||
return &ownerSession, tokenIssuerKey, nil
|
return &tokenIssuer, tokenIssuerKey, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func originalBodySignature(v *sessionV2.RequestVerificationHeader) *refsV2.Signature {
|
func originalBodySignature(v *sessionV2.RequestVerificationHeader) *refsV2.Signature {
|
||||||
|
|
|
@ -243,18 +243,20 @@ func (exec *execCtx) initTombstoneObject() bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
tombOwnerID, ok := exec.commonParameters().SessionOwner()
|
|
||||||
if !ok {
|
|
||||||
// make local node a tombstone object owner
|
|
||||||
tombOwnerID = *exec.svc.netInfo.LocalNodeID()
|
|
||||||
}
|
|
||||||
|
|
||||||
exec.tombstoneObj = object.New()
|
exec.tombstoneObj = object.New()
|
||||||
exec.tombstoneObj.SetContainerID(*exec.containerID())
|
exec.tombstoneObj.SetContainerID(*exec.containerID())
|
||||||
exec.tombstoneObj.SetOwnerID(&tombOwnerID)
|
|
||||||
exec.tombstoneObj.SetType(object.TypeTombstone)
|
exec.tombstoneObj.SetType(object.TypeTombstone)
|
||||||
exec.tombstoneObj.SetPayload(payload)
|
exec.tombstoneObj.SetPayload(payload)
|
||||||
|
|
||||||
|
tokenSession := exec.commonParameters().SessionToken()
|
||||||
|
if tokenSession != nil {
|
||||||
|
issuer := tokenSession.Issuer()
|
||||||
|
exec.tombstoneObj.SetOwnerID(&issuer)
|
||||||
|
} else {
|
||||||
|
// make local node a tombstone object owner
|
||||||
|
exec.tombstoneObj.SetOwnerID(exec.svc.netInfo.LocalNodeID())
|
||||||
|
}
|
||||||
|
|
||||||
var a object.Attribute
|
var a object.Attribute
|
||||||
a.SetKey(objectV2.SysAttributeExpEpoch)
|
a.SetKey(objectV2.SysAttributeExpEpoch)
|
||||||
a.SetValue(strconv.FormatUint(exec.tombstone.ExpirationEpoch(), 10))
|
a.SetValue(strconv.FormatUint(exec.tombstone.ExpirationEpoch(), 10))
|
||||||
|
|
|
@ -109,11 +109,9 @@ func (exec execCtx) key() (*ecdsa.PrivateKey, error) {
|
||||||
var sessionInfo *util.SessionInfo
|
var sessionInfo *util.SessionInfo
|
||||||
|
|
||||||
if tok := exec.prm.common.SessionToken(); tok != nil {
|
if tok := exec.prm.common.SessionToken(); tok != nil {
|
||||||
ownerSession, _ := exec.prm.common.SessionOwner()
|
|
||||||
|
|
||||||
sessionInfo = &util.SessionInfo{
|
sessionInfo = &util.SessionInfo{
|
||||||
ID: tok.ID(),
|
ID: tok.ID(),
|
||||||
Owner: ownerSession,
|
Owner: tok.Issuer(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -51,11 +51,9 @@ func (t *remoteTarget) Close() (*transformer.AccessIdentifiers, error) {
|
||||||
var sessionInfo *util.SessionInfo
|
var sessionInfo *util.SessionInfo
|
||||||
|
|
||||||
if tok := t.commonPrm.SessionToken(); tok != nil {
|
if tok := t.commonPrm.SessionToken(); tok != nil {
|
||||||
ownerSession, _ := t.commonPrm.SessionOwner()
|
|
||||||
|
|
||||||
sessionInfo = &util.SessionInfo{
|
sessionInfo = &util.SessionInfo{
|
||||||
ID: tok.ID(),
|
ID: tok.ID(),
|
||||||
Owner: ownerSession,
|
Owner: tok.Issuer(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -87,11 +87,9 @@ func (p *Streamer) initTarget(prm *PutInitPrm) error {
|
||||||
var sessionInfo *util.SessionInfo
|
var sessionInfo *util.SessionInfo
|
||||||
|
|
||||||
if sToken != nil {
|
if sToken != nil {
|
||||||
ownerSession, _ := prm.common.SessionOwner()
|
|
||||||
|
|
||||||
sessionInfo = &util.SessionInfo{
|
sessionInfo = &util.SessionInfo{
|
||||||
ID: sToken.ID(),
|
ID: sToken.ID(),
|
||||||
Owner: ownerSession,
|
Owner: sToken.Issuer(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -88,11 +88,9 @@ func (c *clientWrapper) searchObjects(exec *execCtx, info client.NodeInfo) ([]oi
|
||||||
var sessionInfo *util.SessionInfo
|
var sessionInfo *util.SessionInfo
|
||||||
|
|
||||||
if tok := exec.prm.common.SessionToken(); tok != nil {
|
if tok := exec.prm.common.SessionToken(); tok != nil {
|
||||||
ownerSession, _ := exec.prm.common.SessionOwner()
|
|
||||||
|
|
||||||
sessionInfo = &util.SessionInfo{
|
sessionInfo = &util.SessionInfo{
|
||||||
ID: tok.ID(),
|
ID: tok.ID(),
|
||||||
Owner: ownerSession,
|
Owner: tok.Issuer(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,14 +1,12 @@
|
||||||
package util
|
package util
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/bearer"
|
"github.com/nspcc-dev/neofs-sdk-go/bearer"
|
||||||
sessionsdk "github.com/nspcc-dev/neofs-sdk-go/session"
|
sessionsdk "github.com/nspcc-dev/neofs-sdk-go/session"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/user"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// maxLocalTTL is maximum TTL for an operation to be considered local.
|
// maxLocalTTL is maximum TTL for an operation to be considered local.
|
||||||
|
@ -26,8 +24,6 @@ type CommonPrm struct {
|
||||||
ttl uint32
|
ttl uint32
|
||||||
|
|
||||||
xhdrs []string
|
xhdrs []string
|
||||||
|
|
||||||
ownerSession user.ID
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// TTL returns TTL for new requests.
|
// TTL returns TTL for new requests.
|
||||||
|
@ -72,14 +68,6 @@ func (p *CommonPrm) SessionToken() *sessionsdk.Object {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *CommonPrm) SessionOwner() (user.ID, bool) {
|
|
||||||
if p != nil && p.token != nil {
|
|
||||||
return p.ownerSession, true
|
|
||||||
}
|
|
||||||
|
|
||||||
return user.ID{}, false
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *CommonPrm) BearerToken() *bearer.Token {
|
func (p *CommonPrm) BearerToken() *bearer.Token {
|
||||||
if p != nil {
|
if p != nil {
|
||||||
return p.bearer
|
return p.bearer
|
||||||
|
@ -117,19 +105,8 @@ func CommonPrmFromV2(req interface {
|
||||||
|
|
||||||
var tokenSession *sessionsdk.Object
|
var tokenSession *sessionsdk.Object
|
||||||
var err error
|
var err error
|
||||||
var ownerSession user.ID
|
|
||||||
|
|
||||||
if tokenSessionV2 := meta.GetSessionToken(); tokenSessionV2 != nil {
|
if tokenSessionV2 := meta.GetSessionToken(); tokenSessionV2 != nil {
|
||||||
ownerSessionV2 := tokenSessionV2.GetBody().GetOwnerID()
|
|
||||||
if ownerSessionV2 == nil {
|
|
||||||
return nil, errors.New("missing session owner")
|
|
||||||
}
|
|
||||||
|
|
||||||
err = ownerSession.ReadFromV2(*ownerSessionV2)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("invalid session token: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
tokenSession = new(sessionsdk.Object)
|
tokenSession = new(sessionsdk.Object)
|
||||||
|
|
||||||
err = tokenSession.ReadFromV2(*tokenSessionV2)
|
err = tokenSession.ReadFromV2(*tokenSessionV2)
|
||||||
|
@ -142,11 +119,10 @@ func CommonPrmFromV2(req interface {
|
||||||
ttl := meta.GetTTL()
|
ttl := meta.GetTTL()
|
||||||
|
|
||||||
prm := &CommonPrm{
|
prm := &CommonPrm{
|
||||||
local: ttl <= maxLocalTTL,
|
local: ttl <= maxLocalTTL,
|
||||||
token: tokenSession,
|
token: tokenSession,
|
||||||
ttl: ttl - 1, // decrease TTL for new requests
|
ttl: ttl - 1, // decrease TTL for new requests
|
||||||
xhdrs: make([]string, 0, 2*len(xHdrs)),
|
xhdrs: make([]string, 0, 2*len(xHdrs)),
|
||||||
ownerSession: ownerSession,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if tok := meta.GetBearerToken(); tok != nil {
|
if tok := meta.GetBearerToken(); tok != nil {
|
||||||
|
|
Loading…
Reference in a new issue