diff --git a/authmate/authmate.go b/authmate/authmate.go index 37e921a0..eb71b8ea 100644 --- a/authmate/authmate.go +++ b/authmate/authmate.go @@ -59,8 +59,7 @@ type ( NeoFSKey *keys.PrivateKey GatesPublicKeys []*keys.PublicKey EACLRules []byte - ContextRules []byte - SessionTkn bool + SessionTokenRules []byte Lifetime time.Duration AwsCliCredentialsFile string ContainerPolicies ContainerPolicies @@ -258,14 +257,6 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr a.log.Info("store bearer token into NeoFS", zap.Stringer("owner_tkn", oid)) - if !options.SessionTkn && len(options.ContextRules) > 0 { - _, err := w.Write([]byte("Warning: rules for session token were set but --create-session flag wasn't, " + - "so session token was not created\n")) - if err != nil { - return err - } - } - address, err := tokens. New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()). Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...) @@ -480,8 +471,8 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i]) } - if options.SessionTkn { - sessionRules, err := buildContext(options.ContextRules) + if options.SessionTokenRules != nil { + sessionRules, err := buildContext(options.SessionTokenRules) if err != nil { return nil, fmt.Errorf("failed to build context for session token: %w", err) } diff --git a/cmd/authmate/main.go b/cmd/authmate/main.go index b1dd8914..cda41d5a 100644 --- a/cmd/authmate/main.go +++ b/cmd/authmate/main.go @@ -36,7 +36,6 @@ var ( accountAddressFlag string peerAddressFlag string eaclRulesFlag string - contextRulesFlag string gateWalletPathFlag string gateAccountAddressFlag string accessKeyIDFlag string @@ -45,7 +44,7 @@ var ( gatesPublicKeysFlag cli.StringSlice logEnabledFlag bool logDebugEnabledFlag bool - sessionTokenFlag bool + sessionTokenFlag string lifetimeFlag time.Duration containerPolicies string awcCliCredFile string @@ -174,12 +173,6 @@ func issueSecret() *cli.Command { Required: false, Destination: &eaclRulesFlag, }, - &cli.StringFlag{ - Name: "session-rules", - Usage: "rules for session token as plain json string", - Required: false, - Destination: &contextRulesFlag, - }, &cli.StringSliceFlag{ Name: "gate-public-key", Usage: "public 256r1 key of a gate (use flags repeatedly for multiple gates)", @@ -198,12 +191,12 @@ func issueSecret() *cli.Command { Required: false, Destination: &containerFriendlyName, }, - &cli.BoolFlag{ - Name: "create-session-token", - Usage: "create session token", + &cli.StringFlag{ + Name: "session-token", + Usage: "create session token with rules, if the rules are set as 'none', no session tokens will be created", Required: false, Destination: &sessionTokenFlag, - Value: false, + Value: "", }, &cli.DurationFlag{ Name: "lifetime", @@ -276,9 +269,8 @@ It will be ceil rounded to the nearest amount of epoch.`, NeoFSKey: key, GatesPublicKeys: gatesPublicKeys, EACLRules: getJSONRules(eaclRulesFlag), - ContextRules: getJSONRules(contextRulesFlag), + SessionTokenRules: getSessionRules(sessionTokenFlag), ContainerPolicies: policies, - SessionTkn: sessionTokenFlag, Lifetime: lifetimeFlag, AwsCliCredentialsFile: awcCliCredFile, } @@ -320,6 +312,13 @@ func getJSONRules(val string) []byte { return []byte(val) } +func getSessionRules(r string) []byte { + if r == "none" { + return nil + } + return getJSONRules(r) +} + func obtainSecret() *cli.Command { command := &cli.Command{ Name: "obtain-secret", diff --git a/docs/authmate.md b/docs/authmate.md index 918eb51b..a79a001a 100644 --- a/docs/authmate.md +++ b/docs/authmate.md @@ -97,8 +97,7 @@ parameter, but this way is **not recommended**. The tokens are encrypted by a set of gateway keys, so you need to pass them as well. Creation of the bearer token is mandatory, while creation of the session token is -optional. If you want to add the session token, you need to add a parameter -`create-session-token`. +optional. Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set, it will be auto-generated with values: @@ -128,9 +127,13 @@ it will be auto-generated with values: } ``` -Rules for session tokens can be set via param `session-rules` (json-string and file path allowed). +With session token, there is 3 options: +* append `--session-token` parameter with your custom rules in json format (as a string or file path, see an example below) -If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens: +**NB!** If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules. + +* append `--session-token` parameter with the value `none` -- no session token will be created +* skip the parameter and `authmate` will create and put session tokens with default rules: ``` [ { @@ -151,11 +154,6 @@ If the parameter `session-rules` is not set, `authmate` creates and puts three s ] ``` -If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules. - -If `session-rules` are set, but `create-session-token` is not, no session -token will be created. - Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody)) to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md)) can be set via param `container-policy` (json-string and file path allowed): @@ -174,8 +172,7 @@ $ ./neofs-authmate issue-secret --wallet wallet.json \ --bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \ --gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \ --gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \ ---create-session-token \ ---session-rules '{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}' +--session-token '[{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}]' --container-policy '{"rep-3": "REP 3"}' Enter password for wallet.json >