[#338] Remove redundant flag for session tokens in authmate

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
Angira Kekteeva 2022-01-31 21:40:00 +03:00 committed by Alex Vanin
parent 2b4638f6bb
commit 204835ace3
3 changed files with 24 additions and 37 deletions


@ -59,8 +59,7 @@ type (
NeoFSKey *keys.PrivateKey NeoFSKey *keys.PrivateKey
GatesPublicKeys []*keys.PublicKey GatesPublicKeys []*keys.PublicKey
EACLRules []byte EACLRules []byte
ContextRules []byte SessionTokenRules []byte
SessionTkn bool
Lifetime time.Duration Lifetime time.Duration
AwsCliCredentialsFile string AwsCliCredentialsFile string
ContainerPolicies ContainerPolicies ContainerPolicies ContainerPolicies
@ -258,14 +257,6 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
a.log.Info("store bearer token into NeoFS", a.log.Info("store bearer token into NeoFS",
zap.Stringer("owner_tkn", oid)) zap.Stringer("owner_tkn", oid))
if !options.SessionTkn && len(options.ContextRules) > 0 {
_, err := w.Write([]byte("Warning: rules for session token were set but --create-session flag wasn't, " +
"so session token was not created\n"))
if err != nil {
return err
}
}
address, err := tokens. address, err := tokens.
New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()). New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()).
Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...) Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
@ -480,8 +471,8 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci
gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i]) gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
} }
if options.SessionTkn { if options.SessionTokenRules != nil {
sessionRules, err := buildContext(options.ContextRules) sessionRules, err := buildContext(options.SessionTokenRules)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to build context for session token: %w", err) return nil, fmt.Errorf("failed to build context for session token: %w", err)
} }
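Review bot: The nil-versus-empty contract of the new `SessionTokenRules` field is load-bearing but undocumented: the `createTokens` hunk now issues session tokens whenever the slice is non-nil, and `getSessionRules` on the cmd side returns nil only for the literal `none`, routing every other value, including the flag's empty default, through `getJSONRules`. Whether `getJSONRules("")` yields a nil slice or a non-nil empty one is not visible in this diff, and that detail alone decides whether skipping the flag produces default-rule tokens or none at all, so it is worth pinning on the struct: `// SessionTokenRules is the JSON rule set for session tokens; nil means no session token is issued.` The removed warning in `IssueSecret` had covered the rules-without-flag case, which no longer exists, so dropping it is fine. The enclosing `createTokens` body starts and ends outside the hunk.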


@ -36,7 +36,6 @@ var (
accountAddressFlag string accountAddressFlag string
peerAddressFlag string peerAddressFlag string
eaclRulesFlag string eaclRulesFlag string
contextRulesFlag string
gateWalletPathFlag string gateWalletPathFlag string
gateAccountAddressFlag string gateAccountAddressFlag string
accessKeyIDFlag string accessKeyIDFlag string
@ -45,7 +44,7 @@ var (
gatesPublicKeysFlag cli.StringSlice gatesPublicKeysFlag cli.StringSlice
logEnabledFlag bool logEnabledFlag bool
logDebugEnabledFlag bool logDebugEnabledFlag bool
sessionTokenFlag bool sessionTokenFlag string
lifetimeFlag time.Duration lifetimeFlag time.Duration
containerPolicies string containerPolicies string
awcCliCredFile string awcCliCredFile string
@ -174,12 +173,6 @@ func issueSecret() *cli.Command {
Required: false, Required: false,
Destination: &eaclRulesFlag, Destination: &eaclRulesFlag,
}, },
&cli.StringFlag{
Name: "session-rules",
Usage: "rules for session token as plain json string",
Required: false,
Destination: &contextRulesFlag,
},
&cli.StringSliceFlag{ &cli.StringSliceFlag{
Name: "gate-public-key", Name: "gate-public-key",
Usage: "public 256r1 key of a gate (use flags repeatedly for multiple gates)", Usage: "public 256r1 key of a gate (use flags repeatedly for multiple gates)",
@ -198,12 +191,12 @@ func issueSecret() *cli.Command {
Required: false, Required: false,
Destination: &containerFriendlyName, Destination: &containerFriendlyName,
}, },
&cli.BoolFlag{ &cli.StringFlag{
Name: "create-session-token", Name: "session-token",
Usage: "create session token", Usage: "create session token with rules, if the rules are set as 'none', no session tokens will be created",
Required: false, Required: false,
Destination: &sessionTokenFlag, Destination: &sessionTokenFlag,
Value: false, Value: "",
}, },
&cli.DurationFlag{ &cli.DurationFlag{
Name: "lifetime", Name: "lifetime",
@ -276,9 +269,8 @@ It will be ceil rounded to the nearest amount of epoch.`,
NeoFSKey: key, NeoFSKey: key,
GatesPublicKeys: gatesPublicKeys, GatesPublicKeys: gatesPublicKeys,
EACLRules: getJSONRules(eaclRulesFlag), EACLRules: getJSONRules(eaclRulesFlag),
ContextRules: getJSONRules(contextRulesFlag), SessionTokenRules: getSessionRules(sessionTokenFlag),
ContainerPolicies: policies, ContainerPolicies: policies,
SessionTkn: sessionTokenFlag,
Lifetime: lifetimeFlag, Lifetime: lifetimeFlag,
AwsCliCredentialsFile: awcCliCredFile, AwsCliCredentialsFile: awcCliCredFile,
} }
@ -320,6 +312,13 @@ func getJSONRules(val string) []byte {
return []byte(val) return []byte(val)
} }
func getSessionRules(r string) []byte {
if r == "none" {
return nil
}
return getJSONRules(r)
}
func obtainSecret() *cli.Command { func obtainSecret() *cli.Command {
command := &cli.Command{ command := &cli.Command{
Name: "obtain-secret", Name: "obtain-secret",
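Review bot: Replacing the boolean `create-session-token` flag with `session-token` defaulting to `""` flips session-token issuance from opt-in to opt-out: an operator who omits the flag now gets default-rule session tokens created and put for the gate, whereas before the bool defaulted to `false` and none were issued. The Usage string only describes the `none` case, so this new default is easy to miss; suggest `Usage: "rules for session token as a json string or file path; omit to use the default rules, set to 'none' to create no session token",`. `getSessionRules` should also carry a doc comment, e.g. `// getSessionRules maps the --session-token value to rules: the literal "none" yields nil (no session token); any other value is passed to getJSONRules.` The `none` comparison is exact-case, which is presumably intended but worth stating in that comment.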


@ -97,8 +97,7 @@ parameter, but this way is **not recommended**.
The tokens are encrypted by a set of gateway keys, so you need to pass them as well. The tokens are encrypted by a set of gateway keys, so you need to pass them as well.
Creation of the bearer token is mandatory, while creation of the session token is Creation of the bearer token is mandatory, while creation of the session token is
optional. If you want to add the session token, you need to add a parameter optional.
`create-session-token`.
Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set, Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set,
it will be auto-generated with values: it will be auto-generated with values:
@ -128,9 +127,13 @@ it will be auto-generated with values:
} }
``` ```
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed). With session token, there is 3 options:
* append `--session-token` parameter with your custom rules in json format (as a string or file path, see an example below)
If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens: **NB!** If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
* append `--session-token` parameter with the value `none` -- no session token will be created
* skip the parameter and `authmate` will create and put session tokens with default rules:
``` ```
[ [
{ {
@ -151,11 +154,6 @@ If the parameter `session-rules` is not set, `authmate` creates and puts three s
] ]
``` ```
If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
If `session-rules` are set, but `create-session-token` is not, no session
token will be created.
Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody)) Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody))
to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md)) to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md))
can be set via param `container-policy` (json-string and file path allowed): can be set via param `container-policy` (json-string and file path allowed):
@ -174,8 +172,7 @@ $ ./neofs-authmate issue-secret --wallet wallet.json \
--bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \ --bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \
--gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \ --gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
--gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \ --gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
--create-session-token \ --session-token '[{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}]'
--session-rules '{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}'
--container-policy '{"rep-3": "REP 3"}' --container-policy '{"rep-3": "REP 3"}'
Enter password for wallet.json > Enter password for wallet.json >