[#9999] writer: Sign EC parts with node's private key

As EC put request may be processed only by container node, so sign requests with current node private to not to perform APE checks. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2024-10-28 15:44:47 +03:00 · 2024-10-28 15:44:47 +03:00 · 28a0f66c4a
commit 28a0f66c4a
parent bc8d79ddf9
3 changed files with 23 additions and 2 deletions
--- a/pkg/services/object/common/writer/ec.go
+++ b/pkg/services/object/common/writer/ec.go
@ -37,6 +37,8 @@ type ECWriter struct {

 	ObjectMeta      object.ContentMeta
 	ObjectMetaValid bool
+
+	remoteRequestSignKey *ecdsa.PrivateKey
 }

 func (e *ECWriter) WriteObject(ctx context.Context, obj *objectSDK.Object) error {
@ -60,6 +62,14 @@ func (e *ECWriter) WriteObject(ctx context.Context, obj *objectSDK.Object) error
 		e.ObjectMetaValid = true
 	}

+	restoreTokens := e.CommonPrm.ForgetTokens()
+	defer restoreTokens()
+	// As request executed on container node, so sign request with container key.
+	e.remoteRequestSignKey, err = e.Config.KeyStorage.GetKey(nil)
+	if err != nil {
+		return err
+	}
+
 	if obj.ECHeader() != nil {
 		return e.writeECPart(ctx, obj)
 	}
@ -338,7 +348,7 @@ func (e *ECWriter) writePartRemote(ctx context.Context, obj *objectSDK.Object, n
 	client.NodeInfoFromNetmapElement(&clientNodeInfo, node)

 	remoteTaget := remoteWriter{
-		privateKey:        e.Key,
+		privateKey:        e.remoteRequestSignKey,
 		clientConstructor: e.Config.ClientConstructor,
 		commonPrm:         e.CommonPrm,
 		nodeInfo:          clientNodeInfo,
--- a/pkg/services/object/common/writer/ec_test.go
+++ b/pkg/services/object/common/writer/ec_test.go
@ -14,6 +14,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/client"
 	netmapcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/network"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/util"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object_manager/placement"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
@ -127,6 +128,8 @@ func TestECWriter(t *testing.T) {

 	ownerKey, err := keys.NewPrivateKey()
 	require.NoError(t, err)
+	nodeKey, err := keys.NewPrivateKey()
+	require.NoError(t, err)

 	pool, err := ants.NewPool(4, ants.WithNonblocking(true))
 	require.NoError(t, err)
@ -141,6 +144,7 @@ func TestECWriter(t *testing.T) {
 			RemotePool:        pool,
 			Logger:            log,
 			ClientConstructor: clientConstructor{vectors: ns},
+			KeyStorage:        util.NewKeyStorage(&nodeKey.PrivateKey, nil, nil),
 		},
 		PlacementOpts: append(
 			[]placement.Option{placement.UseBuilder(builder), placement.ForContainer(cnr)},
--- a/pkg/services/object/util/prm.go
+++ b/pkg/services/object/util/prm.go
@ -100,11 +100,18 @@ func (p *CommonPrm) SetNetmapLookupDepth(v uint64) {

 // ForgetTokens forgets all the tokens read from the request's
 // meta information before.
-func (p *CommonPrm) ForgetTokens() {
+func (p *CommonPrm) ForgetTokens() func() {
 	if p != nil {
+		tk := p.token
+		br := p.bearer
 		p.token = nil
 		p.bearer = nil
+		return func() {
+			p.token = tk
+			p.bearer = br
+		}
 	}
+	return func() {}
 }

 func CommonPrmFromV2(req interface {