Move auth file to layer; add RSA keys
parent
5254fd943b
commit
2a1a8aa379
4 changed files with 61 additions and 25 deletions
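--- a/go.mod
+++ b/go.mod
@@ -30,6 +30,7 @@ require (
 github.com/gogo/protobuf v1.3.1
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6 // indirect
 github.com/gomodule/redigo v2.0.0+incompatible
+github.com/google/brotli/go/cbrotli v0.0.0-20200702174557-fc823290a76a
 github.com/google/uuid v1.1.1
 github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f // indirect
 github.com/gorilla/handlers v1.4.2
@@ -41,7 +42,7 @@ require (
 github.com/hashicorp/vault/api v1.0.4
 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf
 github.com/json-iterator/go v1.1.10
-github.com/klauspost/compress v1.10.4
+github.com/klauspost/compress v1.10.10
 github.com/klauspost/cpuid v1.3.0
 github.com/klauspost/pgzip v1.2.1
 github.com/klauspost/readahead v1.3.1
@@ -111,5 +112,4 @@ require (
 gopkg.in/olivere/elastic.v5 v5.0.80
 gopkg.in/yaml.v2 v2.2.8
 honnef.co/go/tools v0.0.1-2020.1.3 // indirect
-github.com/google/brotli/go/cbrotli v0.0.0-20200702174557-fc823290a76a
 )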
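--- a/go.sum
+++ b/go.sum
@@ -298,6 +298,8 @@ github.com/klauspost/compress v1.9.4/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0
 github.com/klauspost/compress v1.10.1/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.10.4 h1:jFzIFaf586tquEB5EhzQG0HwGNSlgAJpG53G6Ss11wc=
 github.com/klauspost/compress v1.10.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
+github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/cpuid v1.2.2 h1:1xAgYebNnsb9LKCdLOvFWtAxGU/33mjJtyOVbmUa0Us=
 github.com/klauspost/cpuid v1.2.2/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=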
|
@ -1,23 +0,0 @@
|
||||||
package neofs
|
|
||||||
|
|
||||||
import (
|
|
||||||
br "github.com/google/brotli/go/cbrotli"
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/service"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
)
|
|
||||||
|
|
||||||
func UnpackBearerToken(packedCredentials []byte) (service.BearerToken, error) {
|
|
||||||
// secretHash := packedCredentials[:32]
|
|
||||||
_ = packedCredentials[:32]
|
|
||||||
compressedKeyID := packedCredentials[32:]
|
|
||||||
keyID, err := br.Decode(compressedKeyID)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.Wrap(err, "failed to decompress key ID")
|
|
||||||
}
|
|
||||||
bearerToken := new(service.BearerTokenMsg)
|
|
||||||
if err = bearerToken.Unmarshal(keyID); err != nil {
|
|
||||||
return nil, errors.Wrap(err, "failed to unmarshal embedded bearer token")
|
|
||||||
}
|
|
||||||
// TODO
|
|
||||||
return bearerToken, nil
|
|
||||||
}
|
|
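--- /dev/null
+++ b/neofs/layer/auth.go
@@ -0,0 +1,57 @@
+package layer
+
+import (
+"crypto/rand"
+"crypto/rsa"
+
+"github.com/klauspost/compress/zstd"
+"github.com/nspcc-dev/neofs-api-go/service"
+"github.com/pkg/errors"
+)
+
+type KeyPair struct {
+PrivateKey *rsa.PrivateKey
+PublicKey *rsa.PublicKey
+}
+
+type AuthCenter struct {
+gatewayKeys KeyPair
+}
+
+func NewAuthCenter() (*AuthCenter, error) {
+var kp KeyPair
+privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+if err != nil {
+return nil, err
+}
+kp.PrivateKey = privateKey
+kp.PublicKey = &privateKey.PublicKey
+ac := &AuthCenter{
+gatewayKeys: kp,
+}
+return ac, nil
+}
+
+func (ac *AuthCenter) PackBearerToken(bt service.BearerToken) ([]byte, error) {
+// TODO
+panic("unimplemented method")
+}
+
+func (ac *AuthCenter) UnpackBearerToken(packedCredentials []byte) (service.BearerToken, error) {
+zstdDecoder, _ := zstd.NewReader(nil)
+// secretHash := packedCredentials[:32]
+_ = packedCredentials[:32]
+compressedKeyID := packedCredentials[32:]
+// Get an encrypted key.
+var encryptedKeyID []byte
+if _, err := zstdDecoder.DecodeAll(compressedKeyID, encryptedKeyID); err != nil {
+return nil, errors.Wrap(err, "failed to decompress key ID")
+}
+// TODO: Decrypt the key ID.
+var keyID []byte
+bearerToken := new(service.BearerTokenMsg)
+if err := bearerToken.Unmarshal(keyID); err != nil {
+return nil, errors.Wrap(err, "failed to unmarshal embedded bearer token")
+}
+return bearerToken, nil
+}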
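Review bot: UnpackBearerToken slices `packedCredentials[:32]` and `packedCredentials[32:]` with no length check, so a caller-supplied blob shorter than 32 bytes panics instead of returning an error; since this is the credential material the gateway receives from a client (presumably, from the S3 request), it needs a guard. The decompressed data is also thrown away: `DecodeAll` returns the grown slice and `encryptedKeyID` is passed by value and never assigned, so `keyID` stays nil and `bearerToken.Unmarshal(nil)` succeeds with an empty token rather than failing; the error from `zstd.NewReader` is dropped and the decoder is never closed. I'd add the length guard, keep the decoded bytes, and bound decompression of attacker-sized input with `zstd.WithDecoderMaxMemory` (the value is a policy choice for this gateway). Separately, NewAuthCenter generates a fresh 2048-bit RSA key per process and nothing persists it, which is worth a comment such as `// NOTE: the gateway key pair is ephemeral; tokens packed by one instance cannot be unpacked by another.` until key loading is implemented.

```go
func (ac *AuthCenter) UnpackBearerToken(packedCredentials []byte) (service.BearerToken, error) {
	if len(packedCredentials) < 32 {
		return nil, errors.New("packed credentials are too short")
	}
	// secretHash := packedCredentials[:32]
	compressedKeyID := packedCredentials[32:]

	zstdDecoder, err := zstd.NewReader(nil)
	if err != nil {
		return nil, errors.Wrap(err, "failed to create zstd decoder")
	}
	defer zstdDecoder.Close()

	// Get an encrypted key; DecodeAll returns the filled slice, so keep it.
	encryptedKeyID, err := zstdDecoder.DecodeAll(compressedKeyID, nil)
	if err != nil {
		return nil, errors.Wrap(err, "failed to decompress key ID")
	}
	// TODO: Decrypt encryptedKeyID into keyID with ac.gatewayKeys.PrivateKey.
	// … unchanged: unmarshal into bearerToken and return …
```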