Move user auth procedure to S3 API router; activate overall setting bearer tokens in neofs objects

cmd/gate/app.go

@@ -199,13 +199,12 @@ func (a *App) Server(ctx context.Context) {
 	router := newS3Router()
 
 	// Attach app-specific routes:
-	attachNewUserAuth(router, a.center, a.log)
 	attachHealthy(router, a.cli)
 	attachMetrics(router, a.cfg, a.log)
 	attachProfiler(router, a.cfg, a.log)
 
 	// Attach S3 API:
-	api.Attach(router, a.maxClients, a.api)
+	api.Attach(router, a.maxClients, a.api, a.center, a.log)
 
 	// Use mux.Router as http.Handler
 	srv.Handler = router

neofs/api/router.go

@@ -4,7 +4,9 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	"github.com/minio/minio/auth"
 	"github.com/minio/minio/neofs/metrics"
+	"go.uber.org/zap"
 )
 
 type (
@@ -89,8 +91,10 @@ const (
 	mimeXML mimeType = "application/xml"
 )
 
-func Attach(r *mux.Router, m MaxClients, h Handler) {
+func Attach(r *mux.Router, m MaxClients, h Handler, center *auth.Center, log *zap.Logger) {
 	api := r.PathPrefix(SlashSeparator).Subrouter()
+	// Attach user authentication for all S3 routes.
+	AttachUserAuth(api, center, log)
 
 	bucket := api.PathPrefix("/{bucket}").Subrouter()
 

neofs/api/user-auth.go

@@ -1,4 +1,4 @@
-package main
+package api
 
 import (
 	"net/http"
@@ -8,19 +8,17 @@ import (
 	"go.uber.org/zap"
 )
 
-func attachNewUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
+func AttachUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
 	uamw := func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			bearerToken, err := center.AuthenticationPassed(r)
 			if err != nil {
 				log.Error("failed to pass authentication", zap.Error(err))
-				// TODO: Handle any auth error by rejecting request.
+				WriteErrorResponse(r.Context(), w, getAPIError(ErrAccessDenied), r.URL)
 			}
 			h.ServeHTTP(w, r.WithContext(auth.SetBearerToken(r.Context(), bearerToken)))
 
 		})
 	}
-	// TODO: should not be used for all routes,
-	//       only for API
 	router.Use(uamw)
 }

neofs/layer/neofs-container.go

@@ -15,8 +15,8 @@ import (
 func (n *neofsObject) containerList(ctx context.Context) ([]refs.CID, error) {
 	req := new(container.ListRequest)
 	req.OwnerID = n.owner
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
 	req.SetBearer(auth.GetBearerToken(ctx))
 
 	err := service.SignRequestData(n.key, req)

neofs/layer/neofs-object.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"time"
 
+	auth "github.com/minio/minio/auth"
 	"github.com/nspcc-dev/neofs-api-go/object"
 	"github.com/nspcc-dev/neofs-api-go/query"
 	"github.com/nspcc-dev/neofs-api-go/refs"
@@ -69,8 +70,9 @@ func (n *neofsObject) objectSearchContainer(ctx context.Context, cid refs.CID) (
 	req.Query = queryBinary
 	req.QueryVersion = 1
 	req.ContainerID = cid
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
+	req.SetBearer(auth.GetBearerToken(ctx))
 	req.SetToken(token)
 
 	err = service.SignRequestData(n.key, req)
@@ -153,8 +155,9 @@ func (n *neofsObject) objectFindID(ctx context.Context, cid refs.CID, name strin
 	req.Query = queryBinary
 	req.QueryVersion = 1
 	req.ContainerID = cid
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
+	req.SetBearer(auth.GetBearerToken(ctx))
 	req.SetToken(token)
 
 	err = service.SignRequestData(n.key, req)
@@ -229,8 +232,9 @@ func (n *neofsObject) objectHead(ctx context.Context, addr refs.Address) (*objec
 	req := new(object.HeadRequest)
 	req.Address = addr
 	req.FullHeaders = true
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
+	req.SetBearer(auth.GetBearerToken(ctx))
 	req.SetToken(token)
 
 	err = service.SignRequestData(n.key, req)
@@ -271,8 +275,9 @@ func (n *neofsObject) objectGet(ctx context.Context, p getParams) (*object.Objec
 	//       object.GetRange() response message become gRPC stream.
 	req := new(object.GetRequest)
 	req.Address = p.addr
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
+	req.SetBearer(auth.GetBearerToken(ctx))
 	req.SetToken(token)
 
 	err = service.SignRequestData(n.key, req)
@@ -391,8 +396,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
 	}
 
 	req := object.MakePutRequestHeader(obj)
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
+	req.SetBearer(auth.GetBearerToken(ctx))
 	req.SetToken(token)
 
 	err = service.SignRequestData(n.key, req)
@@ -419,8 +425,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
 
 		if read > 0 {
 			req := object.MakePutRequestChunk(readBuffer[:read])
-			req.SetTTL(service.SingleForwardingTTL)
 			req.SetVersion(APIVersion)
+			req.SetTTL(service.SingleForwardingTTL)
+			req.SetBearer(auth.GetBearerToken(ctx))
 
 			err = service.SignRequestData(n.key, req)
 			if err != nil {
@@ -493,8 +500,9 @@ func (n *neofsObject) storageGroupPut(ctx context.Context, p sgParams) (*object.
 	sg.SetStorageGroup(new(storagegroup.StorageGroup))
 
 	req := object.MakePutRequestHeader(sg)
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
+	req.SetBearer(auth.GetBearerToken(ctx))
 	req.SetToken(token)
 
 	err = service.SignRequestData(n.key, req)
@@ -529,8 +537,9 @@ func (n *neofsObject) objectDelete(ctx context.Context, p delParams) error {
 	req := new(object.DeleteRequest)
 	req.Address = p.addr
 	req.OwnerID = n.owner
-	req.SetTTL(service.SingleForwardingTTL)
 	req.SetVersion(APIVersion)
+	req.SetTTL(service.SingleForwardingTTL)
+	req.SetBearer(auth.GetBearerToken(ctx))
 	req.SetToken(token)
 
 	err = service.SignRequestData(n.key, req)