[#8] Switch outer code to using the new auth scheme

* Removed CLI flag for RSA key
* Passed through peers to auth center to be able to independently interact with a NeoFS node
* Added flag and loader for curve25519 (private) key

Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
This commit is contained in:
Pavel Korotkov 2020-08-06 14:56:40 +03:00
parent 490254c69e
commit c972682430
3 changed files with 28 additions and 16 deletions


@ -188,3 +188,17 @@ func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
request.Body = ioutil.NopCloser(bytes.NewReader(payload)) request.Body = ioutil.NopCloser(bytes.NewReader(payload))
return bytes.NewReader(payload), nil return bytes.NewReader(payload), nil
} }
func LoadGateAuthPrivateKey(path string) (hcs.X25519PrivateKey, error) {
bytes, err := ioutil.ReadFile(path)
if err != nil {
return nil, err
}
// FIXME: Rework when DecodeKeysFromBytes will arrive.
key := string(bytes)
privateKey, _, err := hcs.DecodeKeys(&key, nil)
if err != nil {
return nil, err
}
return privateKey, nil
}
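Review bot: In LoadGateAuthPrivateKey the local `bytes` shadows the bytes package that the same file uses a few lines up in readAndKeepBody; it compiles only because the package is not referenced inside this function, and it trips shadow linters. Rename it: `raw, err := ioutil.ReadFile(path)` and `key := string(raw)`. The function is exported but carries no doc comment; `// LoadGateAuthPrivateKey reads the gate's curve25519 (X25519) private key used by the auth scheme from the file at path.` would satisfy the convention and document what kind of key file is expected. The errors from ioutil.ReadFile and hcs.DecodeKeys are returned without context, which is acceptable here only because the caller in fetchAuthCenter wraps them with the path.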


@ -4,7 +4,6 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/rsa"
"fmt" "fmt"
"io" "io"
"os" "os"
@ -58,7 +57,7 @@ const ( // settings
// Keys // Keys
cfgNeoFSPrivateKey = "neofs-ecdsa-key" cfgNeoFSPrivateKey = "neofs-ecdsa-key"
cfgUserAuthPrivateKey = "userauth-rsa-key" cfgGateAuthPrivateKey = "gate-auth-key"
// HTTPS/TLS // HTTPS/TLS
cfgTLSKeyFile = "tls.key_file" cfgTLSKeyFile = "tls.key_file"
@ -92,11 +91,10 @@ type empty int
func (empty) Read([]byte) (int, error) { return 0, io.EOF } func (empty) Read([]byte) (int, error) { return 0, io.EOF }
func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) { func fetchAuthCenter(l *zap.Logger, v *viper.Viper, peers []pool.Peer) (*auth.Center, error) {
var ( var (
err error err error
neofsPrivateKey *ecdsa.PrivateKey neofsPrivateKey *ecdsa.PrivateKey
userAuthPrivateKey *rsa.PrivateKey
) )
switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk { switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk {
case generated: case generated:
@ -110,16 +108,17 @@ func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
return nil, errors.Wrap(err, "could not load NeoFS private key") return nil, errors.Wrap(err, "could not load NeoFS private key")
} }
} }
uapk := v.GetString(cfgUserAuthPrivateKey) gapk := v.GetString(cfgGateAuthPrivateKey)
userAuthPrivateKey, err = auth.ReadRSAPrivateKeyFromPEMFile(uapk) gateAuthPrivateKey, err := auth.LoadGateAuthPrivateKey(gapk)
if err != nil { if err != nil {
return nil, errors.Wrapf(err, "could not load UserAuth private key %q", uapk) return nil, errors.Wrapf(err, "could not load gate auth private key %q", gapk)
} }
center, err := auth.NewCenter(l) // NB: Maybe choose a peer more smarter.
center, err := auth.NewCenter(l, peers[0].Address)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to create auth center") return nil, errors.Wrap(err, "failed to create auth center")
} }
center.SetUserAuthKeys(userAuthPrivateKey) center.SetUserAuthKeys(gateAuthPrivateKey)
if err = center.SetNeoFSKeys(neofsPrivateKey); err != nil { if err = center.SetNeoFSKeys(neofsPrivateKey); err != nil {
return nil, err return nil, err
} }
@ -168,7 +167,7 @@ func newSettings() *viper.Viper {
version := flags.BoolP("version", "v", false, "show version") version := flags.BoolP("version", "v", false, "show version")
flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated)) flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated))
flags.String(cfgUserAuthPrivateKey, "", "set path to file with private key to use in auth scheme") flags.String(cfgGateAuthPrivateKey, "", "set path to file with auth (curve25519) private key to use in auth scheme")
flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections") flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections")
flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout") flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout")
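Review bot: `auth.NewCenter(l, peers[0].Address)` in the fetchAuthCenter hunk indexes the slice without checking its length, so an empty peer list (what fetchPeers returns when nothing is configured is not visible here) panics during startup instead of becoming the error that newApp already handles with l.Fatal. Add a guard before the call: `if len(peers) == 0 { return nil, errors.New("no peers available for auth center") }`. The "NB" comment marks the peer choice as provisional; a doc comment on the signature, `// fetchAuthCenter builds the auth center, binding it to the first peer in peers.`, would make that contract visible to the caller in newApp, which passes fetchPeers' result straight through. fetchAuthCenter's body continues past the end of this hunk.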


@ -59,12 +59,11 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
maxClientsCount = defaultMaxClientsCount maxClientsCount = defaultMaxClientsCount
maxClientsDeadline = defaultMaxClientsDeadline maxClientsDeadline = defaultMaxClientsDeadline
) )
peers := fetchPeers(l, v)
center, err := fetchAuthCenter(l, v) center, err := fetchAuthCenter(l, v, peers)
if err != nil { if err != nil {
l.Fatal("failed to initialize auth center", zap.Error(err)) l.Fatal("failed to initialize auth center", zap.Error(err))
} }
key = center.GetNeoFSPrivateKey() key = center.GetNeoFSPrivateKey()
if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) { if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
@ -95,7 +94,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
ConnectTimeout: v.GetDuration(cfgConnectTimeout), ConnectTimeout: v.GetDuration(cfgConnectTimeout),
RequestTimeout: v.GetDuration(cfgRequestTimeout), RequestTimeout: v.GetDuration(cfgRequestTimeout),
Peers: fetchPeers(l, v), Peers: peers,
Logger: l, Logger: l,
PrivateKey: key, PrivateKey: key,