TrueCloudLab/frostfs-mfa
16
0
Fork 2
generated from TrueCloudLab/basic
Code Issues 3 Pull requests 2 Projects Releases Packages Wiki Activity Actions

Add initial implementation of MFA library

Browse source 
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
Alexey Vanin 2025-03-13 11:57:16 +03:00
parent b0014df911
commit 1627ccb13c
12 changed files with 1471 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
Makefile Normal file
View file

@ -0,0 +1,34 @@
GOBIN ?= $(shell go env GOPATH)/bin
PROTOC_VERSION ?= 25.6
PROTOC_ARCH = linux-x86_64
PROTOC = ./bin/protoc/bin/protoc
UNAME = "$(shell uname)/$(shell uname -m)"
ifeq ($(UNAME), "Darwin/arm64")
PROTOC_ARCH = osx-aarch_64
endif
ifeq ($(UNAME), "Darwin/x86_64")
PROTOC_ARCH = osx-x86_64
endif
PROTOC_URL ?= "https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION)-$(PROTOC_ARCH).zip"
# Prepare binaries to generate protobuf files
.PHONY: protoc-bin
protoc-bin:
ifeq (,$(wildcard ./bin/protoc))
curl --create-dirs -o ./bin/protoc.zip -L'#' $(PROTOC_URL)
unzip ./bin/protoc.zip -d ./bin/protoc
rm -r ./bin/protoc.zip ./bin/protoc/include ./bin/protoc/readme.txt
endif
# Generate protobuf file
.PHONY: protoc
protoc: protoc-bin
@go list -f '{{.Path}}/...@{{.Version}}' -m google.golang.org/protobuf | xargs echo go install -v
@for f in `find . -type f -name '*.proto'`; do \
echo "> Processing $$f "; \
$(PROTOC) --experimental_editions --plugin=protoc-gen-go=$(GOBIN)/protoc-gen-go --go_out=. --go_opt=paths=source_relative $$f \
--plugin=protoc-gen-go-grpc=$(GOBIN)/protoc-gen-go-grpc --go-grpc_out=. --go-grpc_opt=require_unimplemented_servers=false,paths=source_relative $$f; \
done

48
go.mod Normal file
View file

@ -0,0 +1,48 @@
module git.frostfs.info/truecloudlab/frostfs-mfa
go 1.23.0
toolchain go1.24.1
require (
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20250212111929-d34e1329c824
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250310162458-a262a0038f7d
github.com/nspcc-dev/neo-go v0.106.3
github.com/pquerna/otp v1.4.0
github.com/stretchr/testify v1.10.0
go.uber.org/zap v1.27.0
golang.org/x/crypto v0.36.0
google.golang.org/protobuf v1.36.5
)
require (
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 // indirect
git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 // indirect
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
github.com/mr-tron/base58 v1.2.0 // indirect
github.com/nspcc-dev/rfc6979 v0.2.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
go.opentelemetry.io/otel v1.31.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.28.0 // indirect
go.opentelemetry.io/otel/metric v1.31.0 // indirect
go.opentelemetry.io/otel/sdk v1.31.0 // indirect
go.opentelemetry.io/otel/trace v1.31.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/net v0.30.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/text v0.23.0 // indirect
google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
google.golang.org/grpc v1.69.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

103
go.sum Normal file
View file

@ -0,0 +1,103 @@
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20250212111929-d34e1329c824 h1:Mxw1c/8t96vFIUOffl28lFaHKi413oCBfLMGJmF9cFA=
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20250212111929-d34e1329c824/go.mod h1:kbwB4v2o6RyOfCo9kEFeUDZIX3LKhmS0yXPrtvzkQ1g=
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250310162458-a262a0038f7d h1:YrBjEkuc+q9RdqWmpxRL3DjYrO+9/YOYYIbeq0EVnQs=
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250310162458-a262a0038f7d/go.mod h1:aQpPWfG8oyfJ2X+FenPTJpSRWZjwcP5/RAtkW+/VEX8=
git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
github.com/VictoriaMetrics/easyproto v0.1.4 h1:r8cNvo8o6sR4QShBXQd1bKw/VVLSQma/V2KhTBPf+Sc=
github.com/VictoriaMetrics/easyproto v0.1.4/go.mod h1:QlGlzaJnDfFd8Lk6Ci/fuLxfTo3/GThPs2KH23mv710=
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
github.com/nspcc-dev/neo-go v0.106.3 h1:HEyhgkjQY+HfBzotMJ12xx2VuOUphkngZ4kEkjvXDtE=
github.com/nspcc-dev/neo-go v0.106.3/go.mod h1:3vEwJ2ld12N7HRGCaH/l/7EwopplC/+8XdIdPDNmD/M=
github.com/nspcc-dev/rfc6979 v0.2.1 h1:8wWxkamHWFmO790GsewSoKUSJjVnL1fmdRpokU/RgRM=
github.com/nspcc-dev/rfc6979 v0.2.1/go.mod h1:Tk7h5kyUWkhjyO3zUgFFhy1v2vQv3BvQEntakdtqrWc=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.28.0 h1:EVSnY9JbEEW92bEkIYOVMw4q1WJxIAGoFTrtYOzWuRQ=
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.28.0/go.mod h1:Ea1N1QQryNXpCD0I1fdLibBAIpQuBkznMmkdKrapk1Y=
go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc=
go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8=
go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 h1:DdoeryqhaXp1LtT/emMP1BRJPHHKFi5akj/nbx/zNTA=
google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

15
mfa/box.go Normal file
View file

@ -0,0 +1,15 @@
package mfa
import (
"google.golang.org/protobuf/proto"
)
// Marshal returns the wire-format of MFABox.
func (x *MFABox) Marshal() ([]byte, error) {
return proto.Marshal(x)
}
// Unmarshal parses the wire-format message and put data into MFABox.
func (x *MFABox) Unmarshal(data []byte) error {
return proto.Unmarshal(data, x)
}

130
mfa/device.go Normal file
View file

@ -0,0 +1,130 @@
package mfa
import (
"strconv"
"strings"
"time"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
"github.com/pquerna/otp"
)
type (
// Device defines MFA Device metadata.
Device struct {
Namespace string
Name string
OID oid.ID
Meta map[string]string
}
// SecretDevice is an MFA device metadata with decoded OTP Key.
SecretDevice struct {
Device
Key *otp.Key
}
)
const (
FilePathKey = "FilePath"
OIDKey = "OID"
PathKey = "Path"
EnableDateKey = "EnableDate"
EnabledKey = "EnabledKey"
UserIDKey = "UserIDKey"
TagPrefix = "tag-"
)
// NewDevice returns new device metadata. Device is disabled by default.
func NewDevice(namespace, name, path string) *Device {
return &Device{
Namespace: namespace,
Name: name,
Meta: map[string]string{
EnabledKey: "false",
PathKey: path,
},
}
}
// String returns string representation of device.
func (d *Device) String() string {
return d.Namespace + "/" + d.Name
}
// EnableStatus returns true if device is enabled.
func (d *Device) EnableStatus() bool {
return d.Meta[EnabledKey] == "true"
}
// SetEnableStatus updates enable status of device.
// It does not modify enable date.
func (d *Device) SetEnableStatus(enabled bool) {
d.Meta[EnabledKey] = strconv.FormatBool(enabled)
}
// EnableDate returns date when device was enabled.
func (d *Device) EnableDate() *time.Time {
return dateFromString(d.Meta[EnableDateKey])
}
// SetEnableDate sets date when device was enabled.
// It is not affected by 'SetEnableStatus'.
func (d *Device) SetEnableDate(date *time.Time) {
d.Meta[EnableDateKey] = convertDate(date)
}
// SetUserID sets id of the device owner. Use neo wallet address representation.
func (d *Device) SetUserID(addr string) {
d.Meta[UserIDKey] = addr
}
// UserID returns id of the device owner.
func (d *Device) UserID() string {
return d.Meta[UserIDKey]
}
// AddTags adds new set of tags to the device.
// It does not remove existing set of tags.
func (d *Device) AddTags(tags [][2]string) {
for _, kv := range tags {
k, v := kv[0], kv[1]
d.Meta[TagPrefix+k] = v
}
}
// DeleteTags removes all tags with provided keys.
func (d *Device) DeleteTags(keys []string) {
for _, k := range keys {
delete(d.Meta, TagPrefix+k)
}
}
// Tags returns available set of tags of the device.
func (d *Device) Tags() map[string]string {
tags := make(map[string]string)
for k, v := range d.Meta {
if after, ok := strings.CutPrefix(k, TagPrefix); ok {
tags[after] = v
}
}
return tags
}
func convertDate(t *time.Time) string {
if t == nil {
return ""
}
return t.UTC().Format(time.RFC3339)
}
func dateFromString(timeString string) *time.Time {
var date *time.Time
enableD, err := time.Parse(time.RFC3339, timeString)
if err == nil {
date = &enableD
}
return date
}

8
mfa/errors.go Normal file
View file

@ -0,0 +1,8 @@
package mfa
import "errors"
var (
// ErrMFAEntityAlreadyExists returned during MFA device creation by MFA Manager.
ErrMFAEntityAlreadyExists = errors.New("mfa entity already exists")
)

410
mfa/mfa.go Normal file
View file

@ -0,0 +1,410 @@
package mfa
import (
"bytes"
"context"
"errors"
"fmt"
"strings"
"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/pquerna/otp"
"go.uber.org/zap"
)
type (
// Manager provides interface to manage MFA devices in FrostFS container.
// It should be provided with Storage interface to manage FrostFS objects
// and KeyStore interface to encode and decode OTP keys inside FrostFS
// objects.
Manager struct {
storage Storage
unlocker KeyStore
container cid.ID
logger *zap.Logger
}
// KeyStore is an interface for Manager to provide keys to encode and decode
// OTP keys of MFA devices.
KeyStore interface {
// PrivateKey returns private key of this Manager.
PrivateKey() *keys.PrivateKey
// PublicKeys returns list of public keys for all managers, including
// this Manager.
PublicKeys() []*keys.PublicKey
}
// Config contains parameters for Manager constructor.
Config struct {
Storage Storage
Unlocker KeyStore
Container cid.ID
Logger *zap.Logger
}
)
// NewManager creates new instance of Manager.
func NewManager(cfg Config) (*Manager, error) {
if cfg.Storage == nil {
return nil, errors.New("mfa storage is nil")
}
if cfg.Logger == nil {
return nil, errors.New("mfa logger is nil")
}
if cfg.Unlocker == nil {
return nil, errors.New("mfa key store is nil")
}
return &Manager{
storage: cfg.Storage,
container: cfg.Container,
unlocker: cfg.Unlocker,
logger: cfg.Logger,
}, nil
}
// CreateMFADevice creates new FrostFS object with encoded MFA device inside and stores it in MFA container.
func (m *Manager) CreateMFADevice(ctx context.Context, device SecretDevice) error {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.CreateMFADevice")
defer span.End()
filePath := getTreePath(device.Namespace, device.Name)
if _, err := m.storage.GetTreeNode(ctx, m.container, filePath); err == nil {
return ErrMFAEntityAlreadyExists // return well known error here
} else if !errors.Is(err, ErrTreeNodeNotFound) {
return fmt.Errorf("get mfa node '%s' to check: %w", filePath, err)
}
return m.putMFADevice(ctx, device)
}
// GetMFADevice returns decoded MFA device from MFA container.
func (m *Manager) GetMFADevice(ctx context.Context, ns, mfaName string) (*SecretDevice, error) {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.GetMFADevice")
defer span.End()
node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(ns, mfaName))
if err != nil {
return nil, fmt.Errorf("get mfa nodes: %w", err)
}
var objID oid.ID
if err = objID.DecodeString(node.Current.Meta[OIDKey]); err != nil {
return nil, fmt.Errorf("decode oid '%s': %w", node.Current.Meta[OIDKey], err)
}
var addr oid.Address
addr.SetContainer(m.container)
addr.SetObject(objID)
boxData, err := m.storage.GetObject(ctx, addr)
if err != nil {
return nil, fmt.Errorf("get object '%s': %w", addr.EncodeToString(), err)
}
mfaBox := new(MFABox)
if err = mfaBox.Unmarshal(boxData); err != nil {
return nil, fmt.Errorf("unmarshal box data: %w", err)
}
secrets, err := UnpackMFABox(mfaBox, m.unlocker.PrivateKey())
if err != nil {
return nil, fmt.Errorf("unpack mfa box: %w", err)
}
key, err := otp.NewKeyFromURL(secrets.URL())
if err != nil {
return nil, err
}
dev, err := newDevice(&node.Current)
if err != nil {
return nil, err
}
return &SecretDevice{
Device: *dev,
Key: key,
}, nil
}
// GetTinyMFADevice returns MFA device metadata without OTP key from the tree of MFA container.
func (m *Manager) GetTinyMFADevice(ctx context.Context, ns, mfaName string) (*Device, error) {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.GetTinyMFADevice")
defer span.End()
node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(ns, mfaName))
if err != nil {
return nil, fmt.Errorf("get mfa nodes: %w", err)
}
dev, err := newDevice(&node.Current)
if err != nil {
return nil, err
}
return dev, nil
}
// ListMFADevices lists all available MFA device metadata with specified device namespace from the tree of MFA container.
func (m *Manager) ListMFADevices(ctx context.Context, ns string) ([]*Device, error) {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.ListMFADevices")
defer span.End()
list, err := m.storage.GetTreeNodes(ctx, m.container, ns)
if err != nil {
return nil, err
}
return m.formDevices(list)
}
// ListAllMFADevices lists all available MFA device metadata from the tree of MFA container.
func (m *Manager) ListAllMFADevices(ctx context.Context) ([]*Device, error) {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.ListAllMFADevices")
defer span.End()
list, err := m.storage.GetTreeNodes(ctx, m.container, "")
if err != nil {
return nil, err
}
return m.formDevices(list)
}
// UpdateMFADevice updates MFA device metadata in the tree of MFA container.
func (m *Manager) UpdateMFADevice(ctx context.Context, device *Device) error {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.UpdateMFADevice")
defer span.End()
node, err := m.storage.SetTreeNode(ctx, m.container, getTreePath(device.Namespace, device.Name), device.Meta)
if err != nil {
return fmt.Errorf("set mfa tree node : %w", err)
}
m.deleteObjects(ctx, node.Old)
return nil
}
// DeleteMFADevice removes FrostFS object and metadata from the tree of MFA container related to device.
func (m *Manager) DeleteMFADevice(ctx context.Context, device *Device) error {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.DeleteMFADevice")
defer span.End()
meta := device.Meta
var objID oid.ID
if err := objID.DecodeString(meta[OIDKey]); err != nil {
return fmt.Errorf("decode oid '%s': %w", meta[OIDKey], err)
}
address := oid.Address{}
address.SetObject(objID)
address.SetContainer(m.container)
if err := m.storage.DeleteObject(ctx, address); err != nil {
return fmt.Errorf("failed to delete from storage: %w", err)
}
old, err := m.storage.DeleteTreeNode(ctx, m.container, getTreePath(device.Namespace, device.Name))
if err != nil {
m.deleteObjects(ctx, old)
return fmt.Errorf("failed to delete from tree: %w", err)
}
return nil
}
// RecipherDevice creates new FrostFS object with encoded OTP key for new set
// of public keys from KeyManager. If existing FrostFS object already contains
// all public keys from KeyManager, then does nothing.
func (m *Manager) RecipherDevice(ctx context.Context, dev *Device) error {
ctx, span := tracing.StartSpanFromContext(ctx, "mfa.RecipherDevice")
defer span.End()
node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(dev.Namespace, dev.Name))
if err != nil {
return fmt.Errorf("get mfa nodes: %w", err)
}
if dev.OID.EncodeToString() != node.Current.Meta[OIDKey] {
// This can happen in the following cases:
// * device was reciphered by other Manager
// * device was removed and newly created with the same name
// in both cases it must be already encrypted for new list of keys
return nil
}
var addr oid.Address
addr.SetContainer(m.container)
addr.SetObject(dev.OID)
boxData, err := m.storage.GetObject(ctx, addr)
if err != nil {
return fmt.Errorf("get object '%s': %w", addr.EncodeToString(), err)
}
mfaBox := new(MFABox)
if err = mfaBox.Unmarshal(boxData); err != nil {
return fmt.Errorf("unmarshal box data: %w", err)
}
newKeys := m.unlocker.PublicKeys()
oldKeys := mfaBox.GetUnlockers()
if equalKeys(newKeys, oldKeys) {
m.logger.Info("mfabox has already been reciphered",
zap.String("device", dev.String()),
zap.String("OID", dev.OID.EncodeToString()))
return nil
}
secrets, err := UnpackMFABox(mfaBox, m.unlocker.PrivateKey())
if err != nil {
return fmt.Errorf("unpack mfa box: %w", err)
}
key, err := otp.NewKeyFromURL(secrets.URL())
if err != nil {
return err
}
return m.putMFADevice(ctx, SecretDevice{
Device: *dev,
Key: key,
})
}
func (m *Manager) putMFADevice(ctx context.Context, device SecretDevice) error {
filePath := "/" + device.Namespace + "/" + device.Name
box, err := PackMFABox(device.Key, m.unlocker.PublicKeys())
if err != nil {
return fmt.Errorf("pack mfa box: %w", err)
}
boxData, err := box.Marshal()
if err != nil {
return fmt.Errorf("marshal mfa box: %w", err)
}
var owner user.ID
user.IDFromKey(&owner, m.unlocker.PrivateKey().PrivateKey.PublicKey)
objID, err := m.storage.CreateObject(ctx, PrmObjectCreate{
Container: m.container,
Owner: owner,
FilePath: filePath,
Payload: boxData,
})
if err != nil {
return fmt.Errorf("put mfa box object: %w", err)
}
meta := map[string]string{
FilePathKey: filePath,
OIDKey: objID.EncodeToString(),
}
for k, v := range device.Meta {
if k != FilePathKey && k != OIDKey {
meta[k] = v
}
}
node, err := m.storage.SetTreeNode(ctx, m.container, filePath, meta)
if err != nil {
return fmt.Errorf("set mfa tree node : %w", err)
}
m.deleteObjects(ctx, node.Old)
m.deleteObject(ctx, device.OID)
return nil
}
func (m *Manager) formDevices(list []*TreeNode) ([]*Device, error) {
res := make([]*Device, 0, len(list))
for _, item := range list {
dev, err := newDevice(item)
if err != nil {
m.logger.Warn("invalid mfa device tree node", zap.Error(err))
continue
}
res = append(res, dev)
}
return res, nil
}
func (m *Manager) deleteObjects(ctx context.Context, nodes []*TreeNode) {
var addr oid.Address
addr.SetContainer(m.container)
for _, node := range nodes {
var objID oid.ID
if err := objID.DecodeString(node.Meta[OIDKey]); err != nil {
m.logger.Warn("failed to decode old multinode oid", zap.String("oid", node.Meta[OIDKey]), zap.Error(err))
}
addr.SetObject(objID)
if err := m.storage.DeleteObject(ctx, addr); err != nil {
m.logger.Warn("failed to delete old multinode object", zap.String("address", addr.EncodeToString()), zap.Error(err))
}
}
}
func (m *Manager) deleteObject(ctx context.Context, objID oid.ID) {
if objID.Equals(oid.ID{}) {
return
}
var addr oid.Address
addr.SetContainer(m.container)
addr.SetObject(objID)
if err := m.storage.DeleteObject(ctx, addr); err != nil {
m.logger.Warn("failed to delete object", zap.String("address", addr.EncodeToString()), zap.Error(err))
}
}
func newDevice(node *TreeNode) (*Device, error) {
meta := node.Meta
filepathArr := strings.Split(meta[FilePathKey], "/")
if len(filepathArr) != 2 {
return nil, fmt.Errorf("invalid device filepath: '%s'", meta[FilePathKey])
}
var objID oid.ID
if err := objID.DecodeString(meta[OIDKey]); err != nil {
return nil, fmt.Errorf("decode oid '%s': %w", meta[OIDKey], err)
}
return &Device{
Namespace: filepathArr[0],
Name: filepathArr[1],
OID: objID,
Meta: meta,
}, nil
}
// equalKeys returns true if 'got' contains all public keys from 'expected' slice.
func equalKeys(expected []*keys.PublicKey, got []*Unlocker) bool {
loop:
for _, newKey := range expected {
for _, svcKey := range got {
if bytes.Equal(newKey.Bytes(), svcKey.GetPublicKey()) {
continue loop
}
}
return false
}
return true
}
func getTreePath(ns, mfaName string) string {
return ns + "/" + mfaName
}

289
mfa/mfabox.pb.go generated Normal file
View file

@ -0,0 +1,289 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.4
// protoc v4.25.6
// source: mfa/mfabox.proto
package mfa
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
unsafe "unsafe"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
// Unlocker is a message that contains encrypted key which has been used during
// encryption of 'Secrets' message in 'EncryptedSecrets' field of MFABox.
type Unlocker struct {
state protoimpl.MessageState `protogen:"open.v1"`
// PublicKeys is 33-byte ECDSA P-256 curve public key which identifies
// unlocker who can decrypt 'Secrets'.
PublicKey []byte `protobuf:"bytes,1,opt,name=PublicKey,json=publicKey" json:"PublicKey,omitempty"`
// EncryptedSecretsKey is a binary encoded encryption key of MFA Secrets,
// encrypted by ChaCha20-Poly1305 AEAD algorithm.
EncryptedSecretsKey []byte `protobuf:"bytes,2,opt,name=EncryptedSecretsKey,json=encryptedSecretsKey" json:"EncryptedSecretsKey,omitempty"`
// Salt for HKDF function to derive key for encryption of 'EncryptedSecreteKey'.
Salt []byte `protobuf:"bytes,3,opt,name=Salt,json=salt" json:"Salt,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *Unlocker) Reset() {
*x = Unlocker{}
mi := &file_mfa_mfabox_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *Unlocker) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*Unlocker) ProtoMessage() {}
func (x *Unlocker) ProtoReflect() protoreflect.Message {
mi := &file_mfa_mfabox_proto_msgTypes[0]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use Unlocker.ProtoReflect.Descriptor instead.
func (*Unlocker) Descriptor() ([]byte, []int) {
return file_mfa_mfabox_proto_rawDescGZIP(), []int{0}
}
func (x *Unlocker) GetPublicKey() []byte {
if x != nil {
return x.PublicKey
}
return nil
}
func (x *Unlocker) GetEncryptedSecretsKey() []byte {
if x != nil {
return x.EncryptedSecretsKey
}
return nil
}
func (x *Unlocker) GetSalt() []byte {
if x != nil {
return x.Salt
}
return nil
}
type MFABox struct {
state protoimpl.MessageState `protogen:"open.v1"`
// Unlockers are the set of messages contain key that has been used
// to encrypt 'Secrets' message in 'EncrytedSecrets' field.
Unlockers []*Unlocker `protobuf:"bytes,1,rep,name=Unlockers,json=unlockers" json:"Unlockers,omitempty"`
// ECDHPublicKey is 33-byte ECDSA P-256 curve key to derive
// unique encryption keys for every unlocker with ECDH algorithm
ECDHPublicKey []byte `protobuf:"bytes,2,opt,name=ECDHPublicKey,json=ecdhPublicKey" json:"ECDHPublicKey,omitempty"`
// EncryptedSecrets is a binary encoded 'Secrets' message, encrypted by
// ChaCha20-Poly1305 AEAD algorithm.
EncryptedSecrets []byte `protobuf:"bytes,3,opt,name=EncryptedSecrets,json=encryptedSecrets" json:"EncryptedSecrets,omitempty"`
// Salt for HKDF function to derive key for encryption of 'EncryptedSecrets'.
Salt []byte `protobuf:"bytes,4,opt,name=Salt,json=salt" json:"Salt,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *MFABox) Reset() {
*x = MFABox{}
mi := &file_mfa_mfabox_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *MFABox) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*MFABox) ProtoMessage() {}
func (x *MFABox) ProtoReflect() protoreflect.Message {
mi := &file_mfa_mfabox_proto_msgTypes[1]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use MFABox.ProtoReflect.Descriptor instead.
func (*MFABox) Descriptor() ([]byte, []int) {
return file_mfa_mfabox_proto_rawDescGZIP(), []int{1}
}
func (x *MFABox) GetUnlockers() []*Unlocker {
if x != nil {
return x.Unlockers
}
return nil
}
func (x *MFABox) GetECDHPublicKey() []byte {
if x != nil {
return x.ECDHPublicKey
}
return nil
}
func (x *MFABox) GetEncryptedSecrets() []byte {
if x != nil {
return x.EncryptedSecrets
}
return nil
}
func (x *MFABox) GetSalt() []byte {
if x != nil {
return x.Salt
}
return nil
}
// Secrets is a message that contains private data about MFA Device
type Secrets struct {
state protoimpl.MessageState `protogen:"open.v1"`
// MFAURL is a seed for virtual authenticator device.
// Format is described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format
MFAURL *string `protobuf:"bytes,2,opt,name=MFAURL,json=mfaURL" json:"MFAURL,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *Secrets) Reset() {
*x = Secrets{}
mi := &file_mfa_mfabox_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *Secrets) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*Secrets) ProtoMessage() {}
func (x *Secrets) ProtoReflect() protoreflect.Message {
mi := &file_mfa_mfabox_proto_msgTypes[2]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use Secrets.ProtoReflect.Descriptor instead.
func (*Secrets) Descriptor() ([]byte, []int) {
return file_mfa_mfabox_proto_rawDescGZIP(), []int{2}
}
func (x *Secrets) GetMFAURL() string {
if x != nil && x.MFAURL != nil {
return *x.MFAURL
}
return ""
}
var File_mfa_mfabox_proto protoreflect.FileDescriptor
var file_mfa_mfabox_proto_rawDesc = string([]byte{
0x0a, 0x10, 0x6d, 0x66, 0x61, 0x2f, 0x6d, 0x66, 0x61, 0x62, 0x6f, 0x78, 0x2e, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x12, 0x03, 0x6d, 0x66, 0x61, 0x22, 0x6e, 0x0a, 0x08, 0x55, 0x6e, 0x6c, 0x6f, 0x63,
0x6b, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79,
0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65,
0x79, 0x12, 0x30, 0x0a, 0x13, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x53, 0x65,
0x63, 0x72, 0x65, 0x74, 0x73, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x13,
0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
0x4b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x53, 0x61, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28,
0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x22, 0x9b, 0x01, 0x0a, 0x06, 0x4d, 0x46, 0x41, 0x42,
0x6f, 0x78, 0x12, 0x2b, 0x0a, 0x09, 0x55, 0x6e, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x72, 0x73, 0x18,
0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x6d, 0x66, 0x61, 0x2e, 0x55, 0x6e, 0x6c, 0x6f,
0x63, 0x6b, 0x65, 0x72, 0x52, 0x09, 0x75, 0x6e, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x72, 0x73, 0x12,
0x24, 0x0a, 0x0d, 0x45, 0x43, 0x44, 0x48, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79,
0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x65, 0x63, 0x64, 0x68, 0x50, 0x75, 0x62, 0x6c,
0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x10, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x65, 0x64, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52,
0x10, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
0x73, 0x12, 0x12, 0x0a, 0x04, 0x53, 0x61, 0x6c, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52,
0x04, 0x73, 0x61, 0x6c, 0x74, 0x22, 0x21, 0x0a, 0x07, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
0x12, 0x16, 0x0a, 0x06, 0x4d, 0x46, 0x41, 0x55, 0x52, 0x4c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x52, 0x06, 0x6d, 0x66, 0x61, 0x55, 0x52, 0x4c, 0x42, 0x06, 0x5a, 0x04, 0x2f, 0x6d, 0x66, 0x61,
0x62, 0x08, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x70, 0xe8, 0x07,
})
var (
file_mfa_mfabox_proto_rawDescOnce sync.Once
file_mfa_mfabox_proto_rawDescData []byte
)
func file_mfa_mfabox_proto_rawDescGZIP() []byte {
file_mfa_mfabox_proto_rawDescOnce.Do(func() {
file_mfa_mfabox_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mfa_mfabox_proto_rawDesc), len(file_mfa_mfabox_proto_rawDesc)))
})
return file_mfa_mfabox_proto_rawDescData
}
var file_mfa_mfabox_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
var file_mfa_mfabox_proto_goTypes = []any{
(*Unlocker)(nil), // 0: mfa.Unlocker
(*MFABox)(nil), // 1: mfa.MFABox
(*Secrets)(nil), // 2: mfa.Secrets
}
var file_mfa_mfabox_proto_depIdxs = []int32{
0, // 0: mfa.MFABox.Unlockers:type_name -> mfa.Unlocker
1, // [1:1] is the sub-list for method output_type
1, // [1:1] is the sub-list for method input_type
1, // [1:1] is the sub-list for extension type_name
1, // [1:1] is the sub-list for extension extendee
0, // [0:1] is the sub-list for field type_name
}
func init() { file_mfa_mfabox_proto_init() }
func file_mfa_mfabox_proto_init() {
if File_mfa_mfabox_proto != nil {
return
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_mfa_mfabox_proto_rawDesc), len(file_mfa_mfabox_proto_rawDesc)),
NumEnums: 0,
NumMessages: 3,
NumExtensions: 0,
NumServices: 0,
},
GoTypes: file_mfa_mfabox_proto_goTypes,
DependencyIndexes: file_mfa_mfabox_proto_depIdxs,
MessageInfos: file_mfa_mfabox_proto_msgTypes,
}.Build()
File_mfa_mfabox_proto = out.File
file_mfa_mfabox_proto_goTypes = nil
file_mfa_mfabox_proto_depIdxs = nil
}

44
mfa/mfabox.proto Normal file
View file

@ -0,0 +1,44 @@
edition = "2023";
package mfa;
option go_package = "/mfa";
// Unlocker is a message that contains encrypted key which has been used during
// encryption of 'Secrets' message in 'EncryptedSecrets' field of MFABox.
message Unlocker {
// PublicKeys is 33-byte ECDSA P-256 curve public key which identifies
// unlocker who can decrypt 'Secrets'.
bytes PublicKey = 1 [json_name = "publicKey"];
// EncryptedSecretsKey is a binary encoded encryption key of MFA Secrets,
// encrypted by ChaCha20-Poly1305 AEAD algorithm.
bytes EncryptedSecretsKey = 2 [json_name = "encryptedSecretsKey"];
// Salt for HKDF function to derive key for encryption of 'EncryptedSecreteKey'.
bytes Salt = 3 [json_name = "salt"];
}
message MFABox {
// Unlockers are the set of messages contain key that has been used
// to encrypt 'Secrets' message in 'EncrytedSecrets' field.
repeated Unlocker Unlockers = 1 [json_name = "unlockers"];
// ECDHPublicKey is 33-byte ECDSA P-256 curve key to derive
// unique encryption keys for every unlocker with ECDH algorithm
bytes ECDHPublicKey = 2 [json_name = "ecdhPublicKey"];
// EncryptedSecrets is a binary encoded 'Secrets' message, encrypted by
// ChaCha20-Poly1305 AEAD algorithm.
bytes EncryptedSecrets = 3 [json_name = "encryptedSecrets"];
// Salt for HKDF function to derive key for encryption of 'EncryptedSecrets'.
bytes Salt = 4 [json_name = "salt"];
}
// Secrets is a message that contains private data about MFA Device
message Secrets {
// MFAURL is a seed for virtual authenticator device.
// Format is described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format
string MFAURL = 2 [json_name = "mfaURL"];
}

229
mfa/pack.go Normal file
View file

@ -0,0 +1,229 @@
package mfa
import (
"bytes"
"crypto/cipher"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/sha256"
"errors"
"fmt"
"io"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/pquerna/otp"
"golang.org/x/crypto/chacha20poly1305"
"golang.org/x/crypto/hkdf"
"google.golang.org/protobuf/proto"
)
const (
secretLength = 32
saltLength = 16
)
// PackMFABox encrypts OTP Key in a MFABox. Holders of unlocker private keys
// can unpack this object and decrypt OTP Key.
func PackMFABox(secret *otp.Key, unlockerKeys []*keys.PublicKey) (*MFABox, error) {
if len(unlockerKeys) == 0 {
return nil, errors.New("no unlocker keys provided")
}
// First step: generate encryption key and encrypt secret data with it.
secretUrl := secret.URL()
// prepare MFA secret for encryption
data, err := proto.Marshal(&Secrets{MFAURL: &secretUrl})
if err != nil {
return nil, fmt.Errorf("marshal secrets: %w", err)
}
// generate symmetric key to encrypt MFA secret
secretEncryptionKey, err := generateRandomBytes(secretLength)
if err != nil {
return nil, fmt.Errorf("generate secrets encryption key: %w", err)
}
// encrypt MFA secret with ChaCha20-Poly1305 AEAD algorithm
encryptedSecrets, hkdfsalt, err := encryptData(data, secretEncryptionKey)
if err != nil {
return nil, fmt.Errorf("encrypt secrets: %w", err)
}
// Second step: for each unlocker, encrypt secret encryption key, so
// each unlocker could decrypt encryption key and then decrypt MFA secret with it.
// generate ECDSA P-256 curve private key to derive unique encryption
// key for every unlocker with ECDH algorithm.
ecdhKey, err := keys.NewPrivateKey()
if err != nil {
return nil, fmt.Errorf("create private key for ECDH: %w", err)
}
unlockers := make([]*Unlocker, len(unlockerKeys))
for i := range unlockerKeys {
unlockers[i], err = packUnlocker(secretEncryptionKey, ecdhKey, unlockerKeys[i])
if err != nil {
return nil, fmt.Errorf("create unlocker: %w", err)
}
}
return &MFABox{
Unlockers: unlockers,
ECDHPublicKey: ecdhKey.PublicKey().Bytes(),
EncryptedSecrets: encryptedSecrets,
Salt: hkdfsalt,
}, nil
}
// UnpackMFABox decrypts OTP key using unlocker key.
func UnpackMFABox(box *MFABox, unlockerKey *keys.PrivateKey) (*otp.Key, error) {
unlockerPublicKey := unlockerKey.PublicKey().Bytes()
ecdhKey, err := keys.NewPublicKeyFromBytes(box.ECDHPublicKey, elliptic.P256())
if err != nil {
return nil, fmt.Errorf("parse ECDH key: %w", err)
}
// First step: find unlocker message for unlocker key
var suitableUnlocker *Unlocker
for _, unlocker := range box.Unlockers {
if bytes.Equal(unlockerPublicKey, unlocker.GetPublicKey()) {
suitableUnlocker = unlocker
break
}
}
if suitableUnlocker == nil {
return nil, fmt.Errorf("no unlocker for %x", unlockerPublicKey)
}
// Second step: decrypt encryption key of MFA secret
secretEncryptionKey, err := unpackUnlocker(suitableUnlocker, ecdhKey, unlockerKey)
if err != nil {
return nil, fmt.Errorf("unpack unlocker: %w", err)
}
// Third step: decrypt MFA secret
data, err := decryptData(box.EncryptedSecrets, secretEncryptionKey, box.Salt)
if err != nil {
return nil, fmt.Errorf("decrypt secrets: %w", err)
}
secrets := new(Secrets)
if err = proto.Unmarshal(data, secrets); err != nil {
return nil, fmt.Errorf("unmarshal secrets: %w", err)
}
key, err := otp.NewKeyFromURL(secrets.GetMFAURL())
if err != nil {
return nil, fmt.Errorf("parse OTP key: %w", err)
}
return key, nil
}
func packUnlocker(data []byte, ecdhKey *keys.PrivateKey, unlockerKey *keys.PublicKey) (*Unlocker, error) {
// derive unique encryption key for unlocker with ECDH algorithm
uniqueUnlockerKey, err := deriveECDH(ecdhKey, unlockerKey)
if err != nil {
return nil, fmt.Errorf("generate ECDH: %w", err)
}
// encrypt data based on unique encryption key
encryptedData, salt, err := encryptData(data, uniqueUnlockerKey)
return &Unlocker{
PublicKey: unlockerKey.Bytes(),
EncryptedSecretsKey: encryptedData,
Salt: salt,
}, err
}
func unpackUnlocker(unlocker *Unlocker, ecdhKey *keys.PublicKey, unlockerKey *keys.PrivateKey) ([]byte, error) {
// derive unique encryption key for unlocker with ECDH algorithm
uniqueUnlockerKey, err := deriveECDH(unlockerKey, ecdhKey)
if err != nil {
return nil, fmt.Errorf("generate ECDH: %w", err)
}
return decryptData(unlocker.EncryptedSecretsKey, uniqueUnlockerKey, unlocker.Salt)
}
func encryptData(data, encryptionKey []byte) (encryptedData []byte, salt []byte, err error) {
// generate salt for HKDF key derive function
salt, err = generateRandomBytes(saltLength)
if err != nil {
return nil, nil, fmt.Errorf("generate HKDF salt: %w", err)
}
// get ChaCha20-Poly1305 AEAD cipher based on
// a key derived from encryptionKey and random salt
enc, err := getCipher(encryptionKey, salt)
if err != nil {
return nil, nil, fmt.Errorf("prepare AEAD: %w", err)
}
// generate random nonce to encrypt data
nonce := make([]byte, enc.NonceSize())
_, err = rand.Read(nonce)
if err != nil {
return nil, nil, fmt.Errorf("generate random nonce: %w", err)
}
return enc.Seal(nonce, nonce, data, nil), salt, nil
}
func decryptData(encryptedData, encryptionKey, salt []byte) (data []byte, err error) {
// get ChaCha20-Poly1305 AEAD cipher based on
// a key derived from encryptionKey and random salt
dec, err := getCipher(encryptionKey, salt)
if err != nil {
return nil, fmt.Errorf("prepare AEAD: %w", err)
}
ld, ns := len(encryptedData), dec.NonceSize()
if ld < ns {
return nil, fmt.Errorf("data size %d, should be greater than nonce size %d", ld, ns)
}
nonce, cypher := encryptedData[:dec.NonceSize()], encryptedData[dec.NonceSize():]
return dec.Open(nil, nonce, cypher, nil)
}
func getCipher(secret, salt []byte) (cipher.AEAD, error) {
key, err := deriveHKDF(secret, salt)
if err != nil {
return nil, fmt.Errorf("derive key: %w", err)
}
return chacha20poly1305.NewX(key)
}
func deriveECDH(prv *keys.PrivateKey, pub *keys.PublicKey) ([]byte, error) {
prvECDH, err := prv.ECDH()
if err != nil {
return nil, fmt.Errorf("invalid ECDH private key: %w", err)
}
pubECDH, err := (*ecdsa.PublicKey)(pub).ECDH()
if err != nil {
return nil, fmt.Errorf("invalid ECDH public key: %w", err)
}
return prvECDH.ECDH(pubECDH)
}
func deriveHKDF(secret, salt []byte) ([]byte, error) {
hash := sha256.New
kdf := hkdf.New(hash, secret, salt, nil)
key := make([]byte, 32)
_, err := io.ReadFull(kdf, key)
return key, err
}
func generateRandomBytes(length int) ([]byte, error) {
b := make([]byte, length)
_, err := rand.Read(b)
return b, err
}

105
mfa/pack_test.go Normal file
View file

@ -0,0 +1,105 @@
package mfa
import (
"encoding/base64"
"encoding/hex"
"testing"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/pquerna/otp/totp"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
)
func TestPackUnpackBox(t *testing.T) {
unlockerKeys := generateKeys(t, 3)
unlockerPublicKeys := make([]*keys.PublicKey, len(unlockerKeys))
for i, key := range unlockerKeys {
unlockerPublicKeys[i] = key.PublicKey()
}
otpKey, err := totp.Generate(totp.GenerateOpts{
Issuer: "iam-" + hex.EncodeToString(unlockerPublicKeys[0].Bytes()),
AccountName: "NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM (devenv)",
})
require.NoError(t, err)
box, err := PackMFABox(otpKey, unlockerPublicKeys)
require.NoError(t, err)
// make sure secrets are encrypted
secrets := new(Secrets)
err = proto.Unmarshal(box.GetEncryptedSecrets(), secrets)
require.Error(t, err)
// make sure MFA secret encryption key is encrypted
_, err = decryptData(box.EncryptedSecrets, box.Unlockers[0].EncryptedSecretsKey, box.Salt)
require.Error(t, err)
for _, unlockerKey := range unlockerKeys {
otpKeyFromBox, err := UnpackMFABox(box, unlockerKey)
require.NoError(t, err)
require.Equal(t, otpKey.URL(), otpKeyFromBox.URL())
}
randomKey := generateKeys(t, 1)
_, err = UnpackMFABox(box, randomKey[0])
require.Error(t, err)
}
func TestProprietaryCompatibility(t *testing.T) {
for _, tc := range []struct {
binary string // base64 encoded MFA Box
otpURL string // secret
unlockerPrivateKeys []string // hex-encoded private keys
}{
{
// this is MFA box created with proprietary code with HKDF salt
binary: "Cn8KIQNSH3wIalCMX35hjaEV9sYCJYJ9QC1EFy1eTH/ZaTdaIxJIl6m1UcOuwmtkkcwIqLbX+DNiIvzkGw29YiWbyycvWh048nf4phBKXkzIMy7GXzKJz1n3BWV7q9QPezpLkjeU1Nn2u1czyXrnGhCJ7VGazNvBg50zsokWEXXWCn8KIQK/IVlNTlmdqA0+XxuUR5KjRvEOYVmyO9JjUMSGaFb0ERJIlmYTw2HcLvscJCLiLLGBh+lXRaFUOqCYgKwwT5G352cYJnMejeQ6QlIlzygHTn9N+RHvh4Hmy5Pt1SUik6hVvfil/9LsX8T0GhDHh7f4v3mjmSgU4T4mjX7lCn8KIQLnAI+bca1SzSSPtsp9n6k2+uC4pVPw4rY0eYKUu6fJ4hJI5Pb7qVzFMDQcTLxLrA0vIQ4DEnwGt78QMdZaHM4FqosIMO0C6TLoTUOyXSgK/scF785JEH0freFiOh+fR5OqQNCrLHMjzoL4GhA2xmq4WmFuRaToK9pm4B0YEiEDWC0ggRO0nfUoYBDO58amY6Y13Zs4h05gjLXIp23y8r4avwEoZqY9aG/sHlso1pRtMtSUJdFGpsONIQvhG3nnJHEy1vbDiVzmThK9Onn2huX5vGJ4iKZX8sj2pd9/yo+twqKA9osNQDlVnJikd5wapnPWKKxjAN22pIQC3TJV0AXJdtklg39YO9H0cz5r2ZDFTWOlCZdOnBxoDW3CyxUX+lQMA5GJ/v+zVPQpCu8no8z1NdLNbiIHI6Gn6e0hfSENMeizH3QvKLLaAqR7VUK3dHNAhyHquIe05xt28RImSnZewCIQf3et/IfqVLm8QU9kcfGIFA==",
otpURL: "otpauth://totp/iam-test:NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM?algorithm=SHA1&digits=6&issuer=iam-test&period=30&secret=2EIZ6JTGWBZHYEMTFQGTCWLUIGHMNU2S",
unlockerPrivateKeys: []string{
"b4e6b0cfd844f454a1cd0c726455356aa2120743d112805cfb05a67202b6a7a4",
"679f5eeab1a885ae7c8c2992149145265f46458cacc8191f6b6902aa7e7efdc8",
"e3ac3501472ab144dfc99d61b69e3fccc6ffa63519a728307624e9aa1e99350d",
},
},
{
// this is MFA box created with proprietary code without HKDF salt
binary: "Cm0KIQPjDLGDyyM2KTMx7JxNGYCcY+8V74wgFehEc10gxPde4RJIGWiM6mxo9q0EF8rp/pdFULNy9O+BQc89NIess3z5nSmWFFZxx7j/yKF22hRxLQYenxciHBC0PhbNGXoHG7H4q1a9rhlftcdbCm0KIQOxT6G7TamFLQnktNXXkPrVEXgO4w6yEJ7SQScsXc30EBJI7PSxnqIZmyufYiYkhmwhtP9OSziIA2mFbSz+Wwp45XLKkLYVsT+1Bvj2fKLPZdb5LIPielfRXZpoCrHo8jSDigFae5zxBfsSCm0KIQPEdTuOmmavHwgjPCCgh2ldCTNpubMNzcUc7zakNTDB9hJIl25dRwdxqdV1secWXnhlX6QGWOy8jIswE3MFP0mHhE5yy9jctpIhQKctOCtdsDdMZ081T72omxEc8wRdOK83/cE54P8G7cjPEiECRnc7bPPWVRZtcd5xc4Vvu4LXak16RwA09x4oKsYMB/MavwELRmMpyMwoFgixJrCdFg7PFML4SEb9LE2sj361psAS4kslwIDWMWMPJr110dtzMIL2wOl9AlfpHqHd6CRDhNIv5zOUTyvLSiFZbhC9l8mjEd672uBMlvkSZALOGTnsIigp31a1nDlbyuo9YuGddYGHVyg0tpN3RtHnklL/Bp3rdVGbjPqdo6stp8993syJ1+8mxAE0SvnN/AkuwMODlAHbtieoENVxZWHTtPX0FuFbv9v69I5Sm30RkuKqruPFlw==",
otpURL: "otpauth://totp/iam-test:NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM?algorithm=SHA1&digits=6&issuer=iam-test&period=30&secret=2EIZ6JTGWBZHYEMTFQGTCWLUIGHMNU2S",
unlockerPrivateKeys: []string{
"17cbdf19c6ebb8c8e7753c489ee7851bf6fe9d157f5dc382bd55a84547cfe050",
"a7b0d0e3e88f2dafa73606d39cadfcf18d1a91d606db70e95815f15b9bd34ea6",
"b7f93214f7897a863cd9e0bdc3dfb1d7bc1fa49672d5e930d7682b22e1341076",
},
},
} {
boxData, err := base64.StdEncoding.DecodeString(tc.binary)
require.NoError(t, err)
var box = new(MFABox)
require.NoError(t, box.Unmarshal(boxData))
for _, keyStr := range tc.unlockerPrivateKeys {
key, err := keys.NewPrivateKeyFromHex(keyStr)
require.NoError(t, err)
otpKey, err := UnpackMFABox(box, key)
require.NoError(t, err)
require.Equal(t, tc.otpURL, otpKey.URL())
}
}
}
func generateKeys(t *testing.T, n int) []*keys.PrivateKey {
var err error
res := make([]*keys.PrivateKey, n)
for i := 0; i < n; i++ {
res[i], err = keys.NewPrivateKey()
require.NoError(t, err)
}
return res
}

56
mfa/storage.go Normal file
View file

@ -0,0 +1,56 @@
package mfa
import (
"context"
"errors"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
)
type (
// Storage is an interface for Manager to manage FrostFS objects
// and metadata in tree service.
Storage interface {
// CreateObject creates new FrostFS object.
CreateObject(context.Context, PrmObjectCreate) (oid.ID, error)
// GetObject returns payload of FrostFS object.
GetObject(context.Context, oid.Address) ([]byte, error)
// DeleteObject deletes FrostFS object.
DeleteObject(context.Context, oid.Address) error
// SetTreeNode creates or updates specified tree node the tree service and returns updated data.
SetTreeNode(ctx context.Context, cnrID cid.ID, name string, meta map[string]string) (*TreeMultiNode, error)
// GetTreeNode returns data about latest and remaining versions of specified tree node.
// Must return 'ErrTreeNodeNotFound' if tree does not exist.
GetTreeNode(ctx context.Context, cnrID cid.ID, name string) (*TreeMultiNode, error)
// DeleteTreeNode removes all specified tree nodes from the tree and returns copy of it.
DeleteTreeNode(ctx context.Context, cnrID cid.ID, name string) ([]*TreeNode, error)
// GetTreeNodes returns all available tree nodes with specified prefix.
GetTreeNodes(ctx context.Context, cnrID cid.ID, prefix string) ([]*TreeNode, error)
}
// TreeNode contains metadata of node in the tree service.
TreeNode struct {
Meta map[string]string
}
// TreeMultiNode contains metadata of latest and all available versions
// of node in the tree service.
TreeMultiNode struct {
Current TreeNode
Old []*TreeNode
}
// PrmObjectCreate contains parameters to create new FrostFS object.
PrmObjectCreate struct {
Container cid.ID
Owner user.ID
FilePath string
Payload []byte
}
)
var (
ErrTreeNodeNotFound = errors.New("tree node not found")
)