[#8] Switch outer code to using the new auth scheme
* Removed CLI flag for RSA key * Passed through peers to auth center to be able to independently interact with a NeoFS node * Added flag and loader for curve25519 (private) key Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
This commit is contained in:
parent
490254c69e
commit
c972682430
3 changed files with 28 additions and 16 deletions
|
@ -188,3 +188,17 @@ func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
|
|||
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
||||
return bytes.NewReader(payload), nil
|
||||
}
|
||||
|
||||
func LoadGateAuthPrivateKey(path string) (hcs.X25519PrivateKey, error) {
|
||||
bytes, err := ioutil.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// FIXME: Rework when DecodeKeysFromBytes will arrive.
|
||||
key := string(bytes)
|
||||
privateKey, _, err := hcs.DecodeKeys(&key, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return privateKey, nil
|
||||
}
|
||||
|
|
|
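Review bot: In LoadGateAuthPrivateKey the local declared by `bytes, err := ioutil.ReadFile(path)` shadows the `bytes` package that this file already uses in readAndKeepBody (`bytes.NewReader` in the context lines above), so nothing from that package can be referenced inside the function and a later edit that tries will get a confusing compile error. Rename the local, e.g. `raw, err := ioutil.ReadFile(path)` and `key := string(raw)`. The function is exported but carries no doc comment; `// LoadGateAuthPrivateKey reads the file at path and decodes it with hcs.DecodeKeys into the gate's X25519 private key.` would do. The file contents are also copied into an immutable string before decoding, so the raw key material cannot be wiped after use; whether that matters depends on how hcs.DecodeKeys handles its input, which is not visible here.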
@ -4,7 +4,6 @@ import (
|
|||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
|
@ -58,7 +57,7 @@ const ( // settings
|
|||
|
||||
// Keys
|
||||
cfgNeoFSPrivateKey = "neofs-ecdsa-key"
|
||||
cfgUserAuthPrivateKey = "userauth-rsa-key"
|
||||
cfgGateAuthPrivateKey = "gate-auth-key"
|
||||
|
||||
// HTTPS/TLS
|
||||
cfgTLSKeyFile = "tls.key_file"
|
||||
|
@ -92,11 +91,10 @@ type empty int
|
|||
|
||||
func (empty) Read([]byte) (int, error) { return 0, io.EOF }
|
||||
|
||||
func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
|
||||
func fetchAuthCenter(l *zap.Logger, v *viper.Viper, peers []pool.Peer) (*auth.Center, error) {
|
||||
var (
|
||||
err error
|
||||
neofsPrivateKey *ecdsa.PrivateKey
|
||||
userAuthPrivateKey *rsa.PrivateKey
|
||||
err error
|
||||
neofsPrivateKey *ecdsa.PrivateKey
|
||||
)
|
||||
switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk {
|
||||
case generated:
|
||||
|
@ -110,16 +108,17 @@ func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*auth.Center, error) {
|
|||
return nil, errors.Wrap(err, "could not load NeoFS private key")
|
||||
}
|
||||
}
|
||||
uapk := v.GetString(cfgUserAuthPrivateKey)
|
||||
userAuthPrivateKey, err = auth.ReadRSAPrivateKeyFromPEMFile(uapk)
|
||||
gapk := v.GetString(cfgGateAuthPrivateKey)
|
||||
gateAuthPrivateKey, err := auth.LoadGateAuthPrivateKey(gapk)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "could not load UserAuth private key %q", uapk)
|
||||
return nil, errors.Wrapf(err, "could not load gate auth private key %q", gapk)
|
||||
}
|
||||
center, err := auth.NewCenter(l)
|
||||
// NB: Maybe choose a peer more smarter.
|
||||
center, err := auth.NewCenter(l, peers[0].Address)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to create auth center")
|
||||
}
|
||||
center.SetUserAuthKeys(userAuthPrivateKey)
|
||||
center.SetUserAuthKeys(gateAuthPrivateKey)
|
||||
if err = center.SetNeoFSKeys(neofsPrivateKey); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -168,7 +167,7 @@ func newSettings() *viper.Viper {
|
|||
version := flags.BoolP("version", "v", false, "show version")
|
||||
|
||||
flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated))
|
||||
flags.String(cfgUserAuthPrivateKey, "", "set path to file with private key to use in auth scheme")
|
||||
flags.String(cfgGateAuthPrivateKey, "", "set path to file with auth (curve25519) private key to use in auth scheme")
|
||||
|
||||
flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections")
|
||||
flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout")
|
||||
|
|
|
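Review bot: `center, err := auth.NewCenter(l, peers[0].Address)` in the second fetchAuthCenter hunk indexes peers without checking its length, so an empty peer list from fetchPeers becomes an index-out-of-range panic at startup instead of a readable error; newApp in the third file passes the fetchPeers result straight through, so nothing upstream guards it either. Add a guard before the call, using the same errors package that Wrap/Wrapf come from: `if len(peers) == 0 { return nil, errors.New("no peers configured for auth center") }`. The `// NB: Maybe choose a peer more smarter.` comment already flags the peer choice; `// TODO: pick a peer deliberately instead of always using the first one.` states the open item more clearly. Separately, `center.SetUserAuthKeys(gateAuthPrivateKey)` keeps the old UserAuth name on a method that now receives the gate auth key, which reads as a leftover of the removed RSA scheme — if auth.Center's method was renamed alongside this change, the call here should follow. fetchAuthCenter's body continues between and after the hunks shown.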
@ -59,12 +59,11 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
|
|||
maxClientsCount = defaultMaxClientsCount
|
||||
maxClientsDeadline = defaultMaxClientsDeadline
|
||||
)
|
||||
|
||||
center, err := fetchAuthCenter(l, v)
|
||||
peers := fetchPeers(l, v)
|
||||
center, err := fetchAuthCenter(l, v, peers)
|
||||
if err != nil {
|
||||
l.Fatal("failed to initialize auth center", zap.Error(err))
|
||||
}
|
||||
|
||||
key = center.GetNeoFSPrivateKey()
|
||||
|
||||
if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
|
||||
|
@ -95,7 +94,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
|
|||
ConnectTimeout: v.GetDuration(cfgConnectTimeout),
|
||||
RequestTimeout: v.GetDuration(cfgRequestTimeout),
|
||||
|
||||
Peers: fetchPeers(l, v),
|
||||
Peers: peers,
|
||||
|
||||
Logger: l,
|
||||
PrivateKey: key,
|
||||
|
|