forked from TrueCloudLab/frostfs-node
cd34145969
Classifier fetches public key of the request owner and owner itself. Extended ACL check should rely on this public key, because it might be extracted from session token. Signed-off-by: Alex Vanin <alexey@nspcc.ru>
199 lines
4.7 KiB
Go
199 lines
4.7 KiB
Go
package acl
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/ecdsa"
|
|
|
|
"github.com/nspcc-dev/neofs-api-go/pkg"
|
|
acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/container"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/netmap"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/owner"
|
|
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
|
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
type (
|
|
InnerRingFetcher interface {
|
|
InnerRingKeys() ([][]byte, error)
|
|
}
|
|
|
|
metaWithToken struct {
|
|
vheader *session.RequestVerificationHeader
|
|
token *session.SessionToken
|
|
}
|
|
|
|
SenderClassifier struct {
|
|
innerRing InnerRingFetcher
|
|
netmap core.Source
|
|
}
|
|
)
|
|
|
|
// fixme: update classifier constructor
|
|
func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
|
|
return SenderClassifier{
|
|
innerRing: ir,
|
|
netmap: nm,
|
|
}
|
|
}
|
|
|
|
func (c SenderClassifier) Classify(
|
|
req metaWithToken,
|
|
cid *container.ID,
|
|
cnr *container.Container) (acl.Role, []byte) {
|
|
|
|
if cid == nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
}
|
|
|
|
ownerID, ownerKey, err := requestOwner(req)
|
|
if err != nil || ownerID == nil || ownerKey == nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
}
|
|
|
|
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
|
|
|
|
// todo: get owner from neofs.id if present
|
|
|
|
// if request owner is the same as container owner, return RoleUser
|
|
if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
|
|
return acl.RoleUser, ownerKeyInBytes
|
|
}
|
|
|
|
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
|
if err != nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
} else if isInnerRingNode {
|
|
return acl.RoleSystem, ownerKeyInBytes
|
|
}
|
|
|
|
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
|
if err != nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
} else if isContainerNode {
|
|
return acl.RoleSystem, ownerKeyInBytes
|
|
}
|
|
|
|
// if none of above, return RoleOthers
|
|
return acl.RoleOthers, ownerKeyInBytes
|
|
}
|
|
|
|
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
|
|
if req.vheader == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil verification header")
|
|
}
|
|
|
|
// if session token is presented, use it as truth source
|
|
if req.token != nil {
|
|
body := req.token.GetBody()
|
|
if body == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at session token body")
|
|
}
|
|
|
|
signature := req.token.GetSignature()
|
|
if signature == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at signature")
|
|
}
|
|
|
|
return owner.NewIDFromV2(body.GetOwnerID()), crypto.UnmarshalPublicKey(signature.GetKey()), nil
|
|
}
|
|
|
|
// otherwise get original body signature
|
|
bodySignature := originalBodySignature(req.vheader)
|
|
if bodySignature == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at body signature")
|
|
}
|
|
|
|
key := crypto.UnmarshalPublicKey(bodySignature.GetKey())
|
|
neo3wallet, err := owner.NEO3WalletFromPublicKey(key)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrap(err, "can't create neo3 wallet")
|
|
}
|
|
|
|
// form user from public key
|
|
user := new(owner.ID)
|
|
user.SetNeo3Wallet(neo3wallet)
|
|
|
|
return user, key, nil
|
|
}
|
|
|
|
func originalBodySignature(v *session.RequestVerificationHeader) *pkg.Signature {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
for v.GetOrigin() != nil {
|
|
v = v.GetOrigin()
|
|
}
|
|
|
|
return pkg.NewSignatureFromV2(v.GetBodySignature())
|
|
}
|
|
|
|
func (c SenderClassifier) isInnerRingKey(owner []byte) (bool, error) {
|
|
innerRingKeys, err := c.innerRing.InnerRingKeys()
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
// if request owner key in the inner ring list, return RoleSystem
|
|
for i := range innerRingKeys {
|
|
if bytes.Equal(innerRingKeys[i], owner) {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, nil
|
|
}
|
|
|
|
func (c SenderClassifier) isContainerKey(
|
|
owner, cid []byte,
|
|
cnr *container.Container) (bool, error) {
|
|
|
|
// first check current netmap
|
|
nm, err := core.GetLatestNetworkMap(c.netmap)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
in, err := lookupKeyInContainer(nm, owner, cid, cnr)
|
|
if err != nil {
|
|
return false, err
|
|
} else if in {
|
|
return true, nil
|
|
}
|
|
|
|
// then check previous netmap, this can happen in-between epoch change
|
|
// when node migrates data from last epoch container
|
|
nm, err = core.GetPreviousNetworkMap(c.netmap)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return lookupKeyInContainer(nm, owner, cid, cnr)
|
|
}
|
|
|
|
func lookupKeyInContainer(
|
|
nm *netmap.Netmap,
|
|
owner, cid []byte,
|
|
cnr *container.Container) (bool, error) {
|
|
|
|
cnrNodes, err := nm.GetContainerNodes(cnr.GetPlacementPolicy(), cid)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
flatCnrNodes := cnrNodes.Flatten() // we need single array to iterate on
|
|
for i := range flatCnrNodes {
|
|
if bytes.Equal(flatCnrNodes[i].InfoV2.GetPublicKey(), owner) {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, nil
|
|
}
|