[#1425] services/tree: Remove eACL mentions from bearer token parsing errors
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
This commit is contained in:
parent
02bb7159a5
commit
1134760271
1 changed files with 6 additions and 24 deletions
|
@ -15,7 +15,6 @@ import (
|
||||||
cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
|
frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
|
||||||
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||||
)
|
)
|
||||||
|
@ -27,10 +26,6 @@ type message interface {
|
||||||
SetSignature(*Signature)
|
SetSignature(*Signature)
|
||||||
}
|
}
|
||||||
|
|
||||||
func eACLErr(op eacl.Operation, err error) error {
|
|
||||||
return fmt.Errorf("access to operation %s is denied by extended ACL check: %w", op, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
errBearerWrongContainer = errors.New("bearer token is created for another container")
|
errBearerWrongContainer = errors.New("bearer token is created for another container")
|
||||||
errBearerSignature = errors.New("invalid bearer token signature")
|
errBearerSignature = errors.New("invalid bearer token signature")
|
||||||
|
@ -57,11 +52,9 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
|
||||||
return fmt.Errorf("can't get container %s: %w", cid, err)
|
return fmt.Errorf("can't get container %s: %w", cid, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
eaclOp := eACLOp(op)
|
bt, err := parseBearer(rawBearer, cid)
|
||||||
|
|
||||||
bt, err := parseBearer(rawBearer, cid, eaclOp)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return fmt.Errorf("access to operation %s is denied: %w", op, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
role, pubKey, err := roleAndPubKeyFromReq(cnr, req, bt)
|
role, pubKey, err := roleAndPubKeyFromReq(cnr, req, bt)
|
||||||
|
@ -93,20 +86,20 @@ func (s *Service) isAuthorized(req message, op acl.Op) (bool, error) {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseBearer(rawBearer []byte, cid cidSDK.ID, eaclOp eacl.Operation) (*bearer.Token, error) {
|
func parseBearer(rawBearer []byte, cid cidSDK.ID) (*bearer.Token, error) {
|
||||||
if len(rawBearer) == 0 {
|
if len(rawBearer) == 0 {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
bt := new(bearer.Token)
|
bt := new(bearer.Token)
|
||||||
if err := bt.Unmarshal(rawBearer); err != nil {
|
if err := bt.Unmarshal(rawBearer); err != nil {
|
||||||
return nil, eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
|
return nil, fmt.Errorf("invalid bearer token: %w", err)
|
||||||
}
|
}
|
||||||
if !bt.AssertContainer(cid) {
|
if !bt.AssertContainer(cid) {
|
||||||
return nil, eACLErr(eaclOp, errBearerWrongContainer)
|
return nil, errBearerWrongContainer
|
||||||
}
|
}
|
||||||
if !bt.VerifySignature() {
|
if !bt.VerifySignature() {
|
||||||
return nil, eACLErr(eaclOp, errBearerSignature)
|
return nil, errBearerSignature
|
||||||
}
|
}
|
||||||
return bt, nil
|
return bt, nil
|
||||||
}
|
}
|
||||||
|
@ -184,14 +177,3 @@ func roleAndPubKeyFromReq(cnr *core.Container, req message, bt *bearer.Token) (a
|
||||||
|
|
||||||
return role, pub, nil
|
return role, pub, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func eACLOp(op acl.Op) eacl.Operation {
|
|
||||||
switch op {
|
|
||||||
case acl.OpObjectGet:
|
|
||||||
return eacl.OperationGet
|
|
||||||
case acl.OpObjectPut:
|
|
||||||
return eacl.OperationPut
|
|
||||||
default:
|
|
||||||
panic(fmt.Sprintf("unexpected tree service ACL operation: %s", op))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
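Review bot: `parseBearer` in the `@ -93,20 +86,20` hunk now owns all bearer-token validation but has no doc comment, and nothing in its body checks the token's lifetime — it unmarshals, calls `AssertContainer`, calls `VerifySignature`, and returns the token, so a well-signed, container-bound but expired token passes every check visible here. That may be deliberate if expiry is enforced elsewhere (the rest of `verifyClient` lies outside its hunk, and `roleAndPubKeyFromReq` is not shown), but a reader of this function cannot tell, and the `(nil, nil)` return for empty input is also undocumented. I would add above the signature: `// parseBearer decodes rawBearer and checks that the token is bound to cid and correctly signed; it returns (nil, nil) for empty input and does not validate the token's lifetime.` The new wrapper in `verifyClient`, `return fmt.Errorf("access to operation %s is denied: %w", op, err)`, keeps `%w`, so `errors.Is` against `errBearerWrongContainer` and `errBearerSignature` still works after the removal of `eACLErr`.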