[#372] Check parameters before creating container

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
Denis Kirillov 2022-03-11 12:59:52 +03:00 committed by Kirillov Denis
parent 02f4524d67
commit 52f0af0ccc
2 changed files with 41 additions and 22 deletions

View file

@ -230,16 +230,7 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
lifetime.Exp = lifetime.Iat + epochLifetime lifetime.Exp = lifetime.Iat + epochLifetime
} }
idOwner := owner.NewIDFromPublicKey(&options.NeoFSKey.PrivateKey.PublicKey) gatesData, err := createTokens(options, lifetime)
a.log.Info("check container or create", zap.Stringer("cid", options.Container.ID),
zap.String("friendly_name", options.Container.FriendlyName),
zap.String("placement_policy", options.Container.PlacementPolicy))
if id, err = a.checkContainer(ctx, options.Container, idOwner); err != nil {
return err
}
gatesData, err := createTokens(options, lifetime, id)
if err != nil { if err != nil {
return err return err
} }
@ -251,6 +242,15 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
box.ContainerPolicy = policies box.ContainerPolicy = policies
idOwner := owner.NewIDFromPublicKey(&options.NeoFSKey.PrivateKey.PublicKey)
a.log.Info("check container or create", zap.Stringer("cid", options.Container.ID),
zap.String("friendly_name", options.Container.FriendlyName),
zap.String("placement_policy", options.Container.PlacementPolicy))
if id, err = a.checkContainer(ctx, options.Container, idOwner); err != nil {
return err
}
a.log.Info("store bearer token into NeoFS", a.log.Info("store bearer token into NeoFS",
zap.Stringer("owner_tkn", idOwner)) zap.Stringer("owner_tkn", idOwner))
@ -318,7 +318,7 @@ func (a *Agent) ObtainSecret(ctx context.Context, w io.Writer, options *ObtainSe
return enc.Encode(or) return enc.Encode(or)
} }
func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) { func buildEACLTable(eaclTable []byte) (*eacl.Table, error) {
table := eacl.NewTable() table := eacl.NewTable()
if len(eaclTable) != 0 { if len(eaclTable) != 0 {
return table, table.UnmarshalJSON(eaclTable) return table, table.UnmarshalJSON(eaclTable)
@ -332,7 +332,6 @@ func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) {
// matcher := eacl.MatchStringEqual // matcher := eacl.MatchStringEqual
// record.AddFilter(from eacl.FilterHeaderType, matcher eacl.Match, name string, value string) // record.AddFilter(from eacl.FilterHeaderType, matcher eacl.Match, name string, value string)
eacl.AddFormedTarget(record, eacl.RoleOthers) eacl.AddFormedTarget(record, eacl.RoleOthers)
table.SetCID(cid)
table.AddRecord(record) table.AddRecord(record)
return table, nil return table, nil
@ -437,10 +436,10 @@ func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOp
return sessionTokens, nil return sessionTokens, nil
} }
func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *cid.ID) ([]*accessbox.GateData, error) { func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions) ([]*accessbox.GateData, error) {
gates := make([]*accessbox.GateData, len(options.GatesPublicKeys)) gates := make([]*accessbox.GateData, len(options.GatesPublicKeys))
table, err := buildEACLTable(cid, options.EACLRules) table, err := buildEACLTable(options.EACLRules)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to build eacl table: %w", err) return nil, fmt.Errorf("failed to build eacl table: %w", err)
} }

View file

@ -271,6 +271,16 @@ It will be ceil rounded to the nearest amount of epoch.`,
return cli.Exit(fmt.Sprintf("couldn't parse container policy: %s", err.Error()), 6) return cli.Exit(fmt.Sprintf("couldn't parse container policy: %s", err.Error()), 6)
} }
bearerRules, err := getJSONRules(eaclRulesFlag)
if err != nil {
return cli.Exit(fmt.Sprintf("couldn't parse 'bearer-rules' flag: %s", err.Error()), 7)
}
sessionRules, err := getSessionRules(sessionTokenFlag)
if err != nil {
return cli.Exit(fmt.Sprintf("couldn't parse 'session-token' flag: %s", err.Error()), 8)
}
issueSecretOptions := &authmate.IssueSecretOptions{ issueSecretOptions := &authmate.IssueSecretOptions{
Container: authmate.ContainerOptions{ Container: authmate.ContainerOptions{
ID: containerID, ID: containerID,
@ -279,8 +289,8 @@ It will be ceil rounded to the nearest amount of epoch.`,
}, },
NeoFSKey: key, NeoFSKey: key,
GatesPublicKeys: gatesPublicKeys, GatesPublicKeys: gatesPublicKeys,
EACLRules: getJSONRules(eaclRulesFlag), EACLRules: bearerRules,
SessionTokenRules: getSessionRules(sessionTokenFlag), SessionTokenRules: sessionRules,
ContainerPolicies: policies, ContainerPolicies: policies,
Lifetime: lifetimeFlag, Lifetime: lifetimeFlag,
AwsCliCredentialsFile: awcCliCredFile, AwsCliCredentialsFile: awcCliCredFile,
@ -315,17 +325,27 @@ func parsePolicies(val string) (authmate.ContainerPolicies, error) {
return policies, nil return policies, nil
} }
func getJSONRules(val string) []byte { func getJSONRules(val string) ([]byte, error) {
if data, err := os.ReadFile(val); err == nil { if val == "" {
return data return nil, nil
}
data := []byte(val)
if json.Valid(data) {
return data, nil
} }
return []byte(val) if data, err := os.ReadFile(val); err == nil {
if json.Valid(data) {
return data, nil
}
}
return nil, fmt.Errorf("coudln't read json file or its content is invalid")
} }
func getSessionRules(r string) []byte { func getSessionRules(r string) ([]byte, error) {
if r == "none" { if r == "none" {
return nil return nil, nil
} }
return getJSONRules(r) return getJSONRules(r)
} }