[#338] Remove redundant flag for session tokens in authmate

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
Angira Kekteeva 2022-01-31 21:40:00 +03:00 committed by Alex Vanin
parent 2b4638f6bb
commit 204835ace3
3 changed files with 24 additions and 37 deletions


@ -59,8 +59,7 @@ type (
NeoFSKey *keys.PrivateKey
GatesPublicKeys []*keys.PublicKey
EACLRules []byte
ContextRules []byte
SessionTkn bool
SessionTokenRules []byte
Lifetime time.Duration
AwsCliCredentialsFile string
ContainerPolicies ContainerPolicies
@ -258,14 +257,6 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
a.log.Info("store bearer token into NeoFS",
zap.Stringer("owner_tkn", oid))
if !options.SessionTkn && len(options.ContextRules) > 0 {
_, err := w.Write([]byte("Warning: rules for session token were set but --create-session flag wasn't, " +
"so session token was not created\n"))
if err != nil {
return err
}
}
address, err := tokens.
New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()).
Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
@ -480,8 +471,8 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci
gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
}
if options.SessionTkn {
sessionRules, err := buildContext(options.ContextRules)
if options.SessionTokenRules != nil {
sessionRules, err := buildContext(options.SessionTokenRules)
if err != nil {
return nil, fmt.Errorf("failed to build context for session token: %w", err)
}
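Review bot: The `options.SessionTokenRules != nil` check at the top of the createTokens hunk makes the nil-versus-empty distinction of a byte slice part of the Agent's contract: nil means "issue no session token", while an empty non-nil slice (what `getJSONRules("")` appears to yield through its `[]byte(val)` fallback) presumably selects the default rules. Nothing in the struct hunk documents this, and the warning that used to tell the operator a session token was not being created was dropped from the IssueSecret hunk, so a programmatic caller who leaves the field at its zero value silently gets no session token while one who passes `[]byte{}` gets the default PUT/SETEACL/DELETE tokens. I would add a field comment on the struct, `// SessionTokenRules: nil — issue no session token; empty — use the default rules; otherwise the JSON rules to apply.`, and a why-comment beside the check, `// nil (not merely empty) means the caller opted out of session tokens; an empty slice selects the defaults`. createTokens continues past the hunk and buildContext's handling of empty input is not visible here, so the defaults claim should be confirmed against it.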


@ -36,7 +36,6 @@ var (
accountAddressFlag string
peerAddressFlag string
eaclRulesFlag string
contextRulesFlag string
gateWalletPathFlag string
gateAccountAddressFlag string
accessKeyIDFlag string
@ -45,7 +44,7 @@ var (
gatesPublicKeysFlag cli.StringSlice
logEnabledFlag bool
logDebugEnabledFlag bool
sessionTokenFlag bool
sessionTokenFlag string
lifetimeFlag time.Duration
containerPolicies string
awcCliCredFile string
@ -174,12 +173,6 @@ func issueSecret() *cli.Command {
Required: false,
Destination: &eaclRulesFlag,
},
&cli.StringFlag{
Name: "session-rules",
Usage: "rules for session token as plain json string",
Required: false,
Destination: &contextRulesFlag,
},
&cli.StringSliceFlag{
Name: "gate-public-key",
Usage: "public 256r1 key of a gate (use flags repeatedly for multiple gates)",
@ -198,12 +191,12 @@ func issueSecret() *cli.Command {
Required: false,
Destination: &containerFriendlyName,
},
&cli.BoolFlag{
Name: "create-session-token",
Usage: "create session token",
&cli.StringFlag{
Name: "session-token",
Usage: "create session token with rules, if the rules are set as 'none', no session tokens will be created",
Required: false,
Destination: &sessionTokenFlag,
Value: false,
Value: "",
},
&cli.DurationFlag{
Name: "lifetime",
@ -276,9 +269,8 @@ It will be ceil rounded to the nearest amount of epoch.`,
NeoFSKey: key,
GatesPublicKeys: gatesPublicKeys,
EACLRules: getJSONRules(eaclRulesFlag),
ContextRules: getJSONRules(contextRulesFlag),
SessionTokenRules: getSessionRules(sessionTokenFlag),
ContainerPolicies: policies,
SessionTkn: sessionTokenFlag,
Lifetime: lifetimeFlag,
AwsCliCredentialsFile: awcCliCredFile,
}
@ -320,6 +312,13 @@ func getJSONRules(val string) []byte {
return []byte(val)
}
func getSessionRules(r string) []byte {
if r == "none" {
return nil
}
return getJSONRules(r)
}
func obtainSecret() *cli.Command {
command := &cli.Command{
Name: "obtain-secret",
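Review bot: The new `--session-token` flag defaults to `""` rather than `"none"` in the issueSecret flag hunk, which flips the old `--create-session-token` default of `Value: false`: an existing invocation that passes no session flag previously issued only a bearer token, and now goes through `getSessionRules("")` into `getJSONRules("")` and, per the updated docs, issues session tokens with the default rules (including PUT and SETEACL). That silently widens what a secret issued by an unchanged script grants, so the safer default is explicit opt-in, `Value: "none",`, or, if issuing by default is intended, the Usage string should say so, e.g. `Usage: "rules for session token as json string or file path; 'none' disables session tokens; if omitted, default rules are used",`. `getSessionRules` also compares against `none` case-sensitively with no trimming, so `None` or `none ` is handed to `getJSONRules` as a literal rules string; `strings.EqualFold(strings.TrimSpace(r), "none")` would make the opt-out harder to miss. The body of getJSONRules above its `[]byte(val)` fallback is outside the hunk, so what it does with an empty string should be confirmed.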


@ -97,8 +97,7 @@ parameter, but this way is **not recommended**.
The tokens are encrypted by a set of gateway keys, so you need to pass them as well.
Creation of the bearer token is mandatory, while creation of the session token is
optional. If you want to add the session token, you need to add a parameter
`create-session-token`.
optional.
Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set,
it will be auto-generated with values:
@ -128,9 +127,13 @@ it will be auto-generated with values:
}
```
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed).
With session token, there is 3 options:
* append `--session-token` parameter with your custom rules in json format (as a string or file path, see an example below)
If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens:
**NB!** If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
* append `--session-token` parameter with the value `none` -- no session token will be created
* skip the parameter and `authmate` will create and put session tokens with default rules:
```
[
{
@ -151,11 +154,6 @@ If the parameter `session-rules` is not set, `authmate` creates and puts three s
]
```
If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
If `session-rules` are set, but `create-session-token` is not, no session
token will be created.
Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody))
to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md))
can be set via param `container-policy` (json-string and file path allowed):
@ -174,8 +172,7 @@ $ ./neofs-authmate issue-secret --wallet wallet.json \
--bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \
--gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
--gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
--create-session-token \
--session-rules '{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}'
--session-token '[{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}]'
--container-policy '{"rep-3": "REP 3"}'
Enter password for wallet.json >