From c9726824302ea90c491f9c5167b43dae1db8e022 Mon Sep 17 00:00:00 2001
From: Pavel Korotkov
Date: Thu, 6 Aug 2020 14:56:40 +0300
Subject: [PATCH] [#8] Switch outer code to using the new auth scheme

* Removed CLI flag for RSA key
* Passed through peers to auth center to be able to independently interact with a NeoFS node
* Added flag and loader for curve25519 (private) key

Signed-off-by: Pavel Korotkov
---
 auth/center.go | 14 ++++++++++++++
 cmd/gate/app-settings.go | 23 +++++++++++------------
 cmd/gate/app.go | 7 +++----
 3 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/auth/center.go b/auth/center.go
index c8f8bfad0..4c2dcae8a 100644
--- a/auth/center.go
+++ b/auth/center.go
@@ -188,3 +188,17 @@ func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
 	request.Body = ioutil.NopCloser(bytes.NewReader(payload))
 	return bytes.NewReader(payload), nil
 }
+
+func LoadGateAuthPrivateKey(path string) (hcs.X25519PrivateKey, error) {
+	bytes, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	// FIXME: Rework when DecodeKeysFromBytes will arrive.
+	key := string(bytes)
+	privateKey, _, err := hcs.DecodeKeys(&key, nil)
+	if err != nil {
+		return nil, err
+	}
+	return privateKey, nil
+}
diff --git a/cmd/gate/app-settings.go b/cmd/gate/app-settings.go
index 40f3b6533..b37499971 100644
--- a/cmd/gate/app-settings.go
+++ b/cmd/gate/app-settings.go
@@ -4,7 +4,6 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
 	"fmt"
 	"io"
 	"os"
@@ -58,7 +57,7 @@ const ( // settings
 	// Keys
 	cfgNeoFSPrivateKey = "neofs-ecdsa-key"
-	cfgUserAuthPrivateKey = "userauth-rsa-key"
+	cfgGateAuthPrivateKey = "gate-auth-key"
 	// HTTPS/TLS
 	cfgTLSKeyFile = "tls.key_file"
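Review bot: In `LoadGateAuthPrivateKey` the local `bytes` shadows the `bytes` package that `readAndKeepBody` uses two lines above, and the exported function has no doc comment; rename the local, e.g. `raw, err := ioutil.ReadFile(path)` and `key := string(raw)`, and add `// LoadGateAuthPrivateKey reads the gate's X25519 private key from the file at path.` Both errors are returned bare, so a caller sees only the underlying I/O or decode error without the path; wrapping them with whatever error helper this file already uses would match the `could not load ... %q` messages in cmd/gate. The file contents are handed to `hcs.DecodeKeys` verbatim, so if that function expects a bare encoded key, a trailing newline in the key file would presumably make the decode fail — `strings.TrimSpace` on `key` would avoid that, to be confirmed against hcs. Since this reads long-lived private key material, a check that the file is not group- or world-readable (mode bits from `os.Stat`) is worth considering before parsing.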
@@ -92,11 +91,10 @@ type empty int
 func (empty) Read([]byte) (int, error) { return 0, io.EOF }
-func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
+func fetchAuthCenter(l *zap.Logger, v *viper.Viper, peers []pool.Peer) (*auth.Center, error) {
 	var (
-		err error
-		neofsPrivateKey *ecdsa.PrivateKey
-		userAuthPrivateKey *rsa.PrivateKey
+		err error
+		neofsPrivateKey *ecdsa.PrivateKey
 	)
 	switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk {
 	case generated:
@@ -110,16 +108,17 @@ func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
 			return nil, errors.Wrap(err, "could not load NeoFS private key")
 		}
 	}
-	uapk := v.GetString(cfgUserAuthPrivateKey)
-	userAuthPrivateKey, err = auth.ReadRSAPrivateKeyFromPEMFile(uapk)
+	gapk := v.GetString(cfgGateAuthPrivateKey)
+	gateAuthPrivateKey, err := auth.LoadGateAuthPrivateKey(gapk)
 	if err != nil {
-		return nil, errors.Wrapf(err, "could not load UserAuth private key %q", uapk)
+		return nil, errors.Wrapf(err, "could not load gate auth private key %q", gapk)
 	}
-	center, err := auth.NewCenter(l)
+	// NB: Maybe choose a peer more smarter.
+	center, err := auth.NewCenter(l, peers[0].Address)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create auth center")
 	}
-	center.SetUserAuthKeys(userAuthPrivateKey)
+	center.SetUserAuthKeys(gateAuthPrivateKey)
 	if err = center.SetNeoFSKeys(neofsPrivateKey); err != nil {
 		return nil, err
 	}
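Review bot: `peers[0].Address` in the second hunk indexes the new `peers` parameter without checking that it is non-empty, so a configuration with no peers panics inside `fetchAuthCenter` instead of returning an error; unless `fetchPeers` is guaranteed never to return an empty slice (not visible here), add a guard before the `auth.NewCenter` call: `if len(peers) == 0 {` / `return nil, errors.New("no NeoFS peers configured for auth center")` / `}`. The `// NB: Maybe choose a peer more smarter.` comment should state what is deferred, e.g. `// TODO: pick the auth-center peer deliberately; the first configured peer is used for now.` The body of `fetchAuthCenter` starts in the first hunk of this file and continues past the second.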
@@ -168,7 +167,7 @@ func newSettings() *viper.Viper {
 	version := flags.BoolP("version", "v", false, "show version")
 	flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated))
-	flags.String(cfgUserAuthPrivateKey, "", "set path to file with private key to use in auth scheme")
+	flags.String(cfgGateAuthPrivateKey, "", "set path to file with auth (curve25519) private key to use in auth scheme")
 	flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections")
 	flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout")
diff --git a/cmd/gate/app.go b/cmd/gate/app.go
index da9bc5f21..043d58e2d 100644
--- a/cmd/gate/app.go
+++ b/cmd/gate/app.go
@@ -59,12 +59,11 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
 		maxClientsCount = defaultMaxClientsCount
 		maxClientsDeadline = defaultMaxClientsDeadline
 	)
-
-	center, err := fetchAuthCenter(l, v)
+	peers := fetchPeers(l, v)
+	center, err := fetchAuthCenter(l, v, peers)
 	if err != nil {
 		l.Fatal("failed to initialize auth center", zap.Error(err))
 	}
-
 	key = center.GetNeoFSPrivateKey()
 	if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
@@ -95,7 +94,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
 		ConnectTimeout: v.GetDuration(cfgConnectTimeout),
 		RequestTimeout: v.GetDuration(cfgRequestTimeout),
-		Peers: fetchPeers(l, v),
+		Peers: peers,
 		Logger: l,
 		PrivateKey: key,