[#8] Switch outer code to using the new auth scheme

* Removed CLI flag for RSA key
* Passed peers through to the auth center so it can interact with a NeoFS node independently
* Added flag and loader for curve25519 (private) key

Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
This commit is contained in:
Pavel Korotkov 2020-08-06 14:56:40 +03:00
parent 490254c69e
commit c972682430
3 changed files with 28 additions and 16 deletions


@ -188,3 +188,17 @@ func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
return bytes.NewReader(payload), nil
}
func LoadGateAuthPrivateKey(path string) (hcs.X25519PrivateKey, error) {
bytes, err := ioutil.ReadFile(path)
if err != nil {
return nil, err
}
// FIXME: Rework when DecodeKeysFromBytes will arrive.
key := string(bytes)
privateKey, _, err := hcs.DecodeKeys(&key, nil)
if err != nil {
return nil, err
}
return privateKey, nil
}
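Review bot: In LoadGateAuthPrivateKey the local `bytes` shadows the `bytes` package that readAndKeepBody uses three lines above; it compiles only because the function never touches the package afterwards, and it will trip the next person who does. Rename the local, e.g. `raw, err := ioutil.ReadFile(path)` and `key := string(raw)`. The exported function also has no doc comment; `// LoadGateAuthPrivateKey reads a curve25519 private key from the file at path and decodes it with hcs.DecodeKeys.` would do. The FIXME could say what DecodeKeysFromBytes is expected to replace (the file-contents-to-string round-trip), so the follow-up is self-explanatory.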


@ -4,7 +4,6 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"fmt"
"io"
"os"
@ -58,7 +57,7 @@ const ( // settings
// Keys
cfgNeoFSPrivateKey = "neofs-ecdsa-key"
cfgUserAuthPrivateKey = "userauth-rsa-key"
cfgGateAuthPrivateKey = "gate-auth-key"
// HTTPS/TLS
cfgTLSKeyFile = "tls.key_file"
@ -92,11 +91,10 @@ type empty int
func (empty) Read([]byte) (int, error) { return 0, io.EOF }
func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
func fetchAuthCenter(l *zap.Logger, v *viper.Viper, peers []pool.Peer) (*auth.Center, error) {
var (
err error
neofsPrivateKey *ecdsa.PrivateKey
userAuthPrivateKey *rsa.PrivateKey
err error
neofsPrivateKey *ecdsa.PrivateKey
)
switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk {
case generated:
@ -110,16 +108,17 @@ func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
return nil, errors.Wrap(err, "could not load NeoFS private key")
}
}
uapk := v.GetString(cfgUserAuthPrivateKey)
userAuthPrivateKey, err = auth.ReadRSAPrivateKeyFromPEMFile(uapk)
gapk := v.GetString(cfgGateAuthPrivateKey)
gateAuthPrivateKey, err := auth.LoadGateAuthPrivateKey(gapk)
if err != nil {
return nil, errors.Wrapf(err, "could not load UserAuth private key %q", uapk)
return nil, errors.Wrapf(err, "could not load gate auth private key %q", gapk)
}
center, err := auth.NewCenter(l)
// NB: Maybe choose a peer more smarter.
center, err := auth.NewCenter(l, peers[0].Address)
if err != nil {
return nil, errors.Wrap(err, "failed to create auth center")
}
center.SetUserAuthKeys(userAuthPrivateKey)
center.SetUserAuthKeys(gateAuthPrivateKey)
if err = center.SetNeoFSKeys(neofsPrivateKey); err != nil {
return nil, err
}
@ -168,7 +167,7 @@ func newSettings() *viper.Viper {
version := flags.BoolP("version", "v", false, "show version")
flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated))
flags.String(cfgUserAuthPrivateKey, "", "set path to file with private key to use in auth scheme")
flags.String(cfgGateAuthPrivateKey, "", "set path to file with auth (curve25519) private key to use in auth scheme")
flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections")
flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout")
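Review bot: `peers[0].Address` in fetchAuthCenter (hunk at -110) indexes the slice without checking it is non-empty, so an empty peer list from fetchPeers panics at startup instead of producing an error. Guard it before use: `if len(peers) == 0 { return nil, errors.New("no peers configured for auth center") }` (the package that provides errors.Wrap on the line above also provides errors.New). The `NB: Maybe choose a peer more smarter.` comment would then read better as a TODO naming the selection policy still to decide, since the first peer is now the one the auth center talks to. Separately, `center.SetUserAuthKeys(gateAuthPrivateKey)` keeps the old UserAuth name while the key passed is now the gate auth key; if the setter in package auth can be renamed in a follow-up, that removes the mismatch. fetchAuthCenter's body continues past the hunk.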


@ -59,12 +59,11 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
maxClientsCount = defaultMaxClientsCount
maxClientsDeadline = defaultMaxClientsDeadline
)
center, err := fetchAuthCenter(l, v)
peers := fetchPeers(l, v)
center, err := fetchAuthCenter(l, v, peers)
if err != nil {
l.Fatal("failed to initialize auth center", zap.Error(err))
}
key = center.GetNeoFSPrivateKey()
if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
@ -95,7 +94,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
ConnectTimeout: v.GetDuration(cfgConnectTimeout),
RequestTimeout: v.GetDuration(cfgRequestTimeout),
Peers: fetchPeers(l, v),
Peers: peers,
Logger: l,
PrivateKey: key,