[#8] Switch outer code to using the new auth scheme
* Removed CLI flag for RSA key * Passed through peers to auth center to be able to independently interact with a NeoFS node * Added flag and loader for curve25519 (private) key Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
This commit is contained in:
parent
490254c69e
commit
c972682430
3 changed files with 28 additions and 16 deletions
|
@ -188,3 +188,17 @@ func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
|
||||||
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
||||||
return bytes.NewReader(payload), nil
|
return bytes.NewReader(payload), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func LoadGateAuthPrivateKey(path string) (hcs.X25519PrivateKey, error) {
|
||||||
|
bytes, err := ioutil.ReadFile(path)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
// FIXME: Rework when DecodeKeysFromBytes will arrive.
|
||||||
|
key := string(bytes)
|
||||||
|
privateKey, _, err := hcs.DecodeKeys(&key, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return privateKey, nil
|
||||||
|
}
|
||||||
|
|
|
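Review bot: In `LoadGateAuthPrivateKey` the local `bytes` shadows the `bytes` package that `readAndKeepBody` in this same file relies on, and the exported function carries no doc comment; rename the local, e.g. `raw, err := ioutil.ReadFile(path)` and `key := string(raw)`, and add `// LoadGateAuthPrivateKey reads the gate's X25519 private key from the file at path.` above it. Because this reads long-lived key material, a check that the file is not group- or world-readable (via `os.Stat` and `Mode().Perm()`) before decoding would catch a misconfigured deployment early; whether anything around this code already enforces that is not visible here. The bare `return nil, err` on both error paths is acceptable only because the caller wraps the error with the path. The enclosing readAndKeepBody begins before this hunk.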
@ -4,7 +4,6 @@ import (
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"crypto/elliptic"
|
"crypto/elliptic"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"os"
|
"os"
|
||||||
|
@ -58,7 +57,7 @@ const ( // settings
|
||||||
|
|
||||||
// Keys
|
// Keys
|
||||||
cfgNeoFSPrivateKey = "neofs-ecdsa-key"
|
cfgNeoFSPrivateKey = "neofs-ecdsa-key"
|
||||||
cfgUserAuthPrivateKey = "userauth-rsa-key"
|
cfgGateAuthPrivateKey = "gate-auth-key"
|
||||||
|
|
||||||
// HTTPS/TLS
|
// HTTPS/TLS
|
||||||
cfgTLSKeyFile = "tls.key_file"
|
cfgTLSKeyFile = "tls.key_file"
|
||||||
|
@ -92,11 +91,10 @@ type empty int
|
||||||
|
|
||||||
func (empty) Read([]byte) (int, error) { return 0, io.EOF }
|
func (empty) Read([]byte) (int, error) { return 0, io.EOF }
|
||||||
|
|
||||||
func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
|
func fetchAuthCenter(l *zap.Logger, v *viper.Viper, peers []pool.Peer) (*auth.Center, error) {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
neofsPrivateKey *ecdsa.PrivateKey
|
neofsPrivateKey *ecdsa.PrivateKey
|
||||||
userAuthPrivateKey *rsa.PrivateKey
|
|
||||||
)
|
)
|
||||||
switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk {
|
switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk {
|
||||||
case generated:
|
case generated:
|
||||||
|
@ -110,16 +108,17 @@ func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
|
||||||
return nil, errors.Wrap(err, "could not load NeoFS private key")
|
return nil, errors.Wrap(err, "could not load NeoFS private key")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
uapk := v.GetString(cfgUserAuthPrivateKey)
|
gapk := v.GetString(cfgGateAuthPrivateKey)
|
||||||
userAuthPrivateKey, err = auth.ReadRSAPrivateKeyFromPEMFile(uapk)
|
gateAuthPrivateKey, err := auth.LoadGateAuthPrivateKey(gapk)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrapf(err, "could not load UserAuth private key %q", uapk)
|
return nil, errors.Wrapf(err, "could not load gate auth private key %q", gapk)
|
||||||
}
|
}
|
||||||
center, err := auth.NewCenter(l)
|
// NB: Maybe choose a peer more smarter.
|
||||||
|
center, err := auth.NewCenter(l, peers[0].Address)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to create auth center")
|
return nil, errors.Wrap(err, "failed to create auth center")
|
||||||
}
|
}
|
||||||
center.SetUserAuthKeys(userAuthPrivateKey)
|
center.SetUserAuthKeys(gateAuthPrivateKey)
|
||||||
if err = center.SetNeoFSKeys(neofsPrivateKey); err != nil {
|
if err = center.SetNeoFSKeys(neofsPrivateKey); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -168,7 +167,7 @@ func newSettings() *viper.Viper {
|
||||||
version := flags.BoolP("version", "v", false, "show version")
|
version := flags.BoolP("version", "v", false, "show version")
|
||||||
|
|
||||||
flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated))
|
flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated))
|
||||||
flags.String(cfgUserAuthPrivateKey, "", "set path to file with private key to use in auth scheme")
|
flags.String(cfgGateAuthPrivateKey, "", "set path to file with auth (curve25519) private key to use in auth scheme")
|
||||||
|
|
||||||
flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections")
|
flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections")
|
||||||
flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout")
|
flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout")
|
||||||
|
|
|
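Review bot: `center, err := auth.NewCenter(l, peers[0].Address)` in fetchAuthCenter indexes `peers` without checking its length, so an empty peer list (whether `fetchPeers` can return one is not visible here) would panic at startup instead of producing a readable error; guard it first with `if len(peers) == 0 { return nil, errors.New("no peers configured for auth center") }`. The same assumption reaches newApp in the third file, where the hoisted `peers` now feeds both this call and the pool config. The `// NB: Maybe choose a peer more smarter.` comment should read `// NB: peer selection is naive; consider a smarter choice.` The `cfgGateAuthPrivateKey` flag defaults to "" and the loader is called unconditionally, so a missing `gate-auth-key` surfaces only as a file-open error on an empty path; an explicit `if gapk == "" { return nil, errors.New("gate auth private key path is not set") }` before the load would make that misconfiguration obvious.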
@ -59,12 +59,11 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
|
||||||
maxClientsCount = defaultMaxClientsCount
|
maxClientsCount = defaultMaxClientsCount
|
||||||
maxClientsDeadline = defaultMaxClientsDeadline
|
maxClientsDeadline = defaultMaxClientsDeadline
|
||||||
)
|
)
|
||||||
|
peers := fetchPeers(l, v)
|
||||||
center, err := fetchAuthCenter(l, v)
|
center, err := fetchAuthCenter(l, v, peers)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
l.Fatal("failed to initialize auth center", zap.Error(err))
|
l.Fatal("failed to initialize auth center", zap.Error(err))
|
||||||
}
|
}
|
||||||
|
|
||||||
key = center.GetNeoFSPrivateKey()
|
key = center.GetNeoFSPrivateKey()
|
||||||
|
|
||||||
if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
|
if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
|
||||||
|
@ -95,7 +94,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
|
||||||
ConnectTimeout: v.GetDuration(cfgConnectTimeout),
|
ConnectTimeout: v.GetDuration(cfgConnectTimeout),
|
||||||
RequestTimeout: v.GetDuration(cfgRequestTimeout),
|
RequestTimeout: v.GetDuration(cfgRequestTimeout),
|
||||||
|
|
||||||
Peers: fetchPeers(l, v),
|
Peers: peers,
|
||||||
|
|
||||||
Logger: l,
|
Logger: l,
|
||||||
PrivateKey: key,
|
PrivateKey: key,
|
||||||
|
|