[#1371] bearer: Upgrade SDK package

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich 2022-05-12 10:22:02 +03:00 committed by LeL
parent ae92074272
commit 3a188bb2e5
13 changed files with 78 additions and 85 deletions

View file

@ -3,11 +3,11 @@ package internal
import (
"io"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
"github.com/nspcc-dev/neofs-sdk-go/client"
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
addressSDK "github.com/nspcc-dev/neofs-sdk-go/object/address"
"github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/nspcc-dev/neofs-sdk-go/token"
)
// here are small structures with public setters to share between parameter structures
@ -40,11 +40,11 @@ func (x *sessionTokenPrm) SetSessionToken(tok *session.Token) {
}
type bearerTokenPrm struct {
bearerToken *token.BearerToken
bearerToken *bearer.Token
}
// SetBearerToken sets the bearer token to be attached to the request.
func (x *bearerTokenPrm) SetBearerToken(tok *token.BearerToken) {
func (x *bearerTokenPrm) SetBearerToken(tok *bearer.Token) {
x.bearerToken = tok
}

View file

@ -13,10 +13,10 @@ import (
internalclient "github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/client"
"github.com/nspcc-dev/neofs-node/pkg/network"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
"github.com/nspcc-dev/neofs-sdk-go/client"
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
"github.com/nspcc-dev/neofs-sdk-go/owner"
"github.com/nspcc-dev/neofs-sdk-go/token"
"github.com/spf13/cobra"
)
@ -101,9 +101,11 @@ func createToken(cmd *cobra.Command, _ []string) error {
return fmt.Errorf("can't parse recipient: %w", err)
}
b := token.NewBearerToken()
b.SetLifetime(exp, nvb, iat)
b.SetOwner(ownerID)
var b bearer.Token
b.SetExpiration(exp)
b.SetNotBefore(nvb)
b.SetIssuedAt(iat)
b.SetOwnerID(*ownerID)
eaclPath, _ := cmd.Flags().GetString(eaclFlag)
if eaclPath != "" {
@ -115,7 +117,7 @@ func createToken(cmd *cobra.Command, _ []string) error {
if err := json.Unmarshal(raw, table); err != nil {
return fmt.Errorf("can't parse extended ACL: %w", err)
}
b.SetEACLTable(table)
b.SetEACLTable(*table)
}
var data []byte
@ -123,11 +125,11 @@ func createToken(cmd *cobra.Command, _ []string) error {
toJSON, _ := cmd.Flags().GetBool(jsonFlag)
if toJSON {
data, err = json.Marshal(b)
} else {
data, err = b.Marshal(nil)
}
if err != nil {
return fmt.Errorf("can't mashal token: %w", err)
return fmt.Errorf("can't mashal token to JSON: %w", err)
}
} else {
data = b.Marshal()
}
out, _ := cmd.Flags().GetString(outFlag)

View file

@ -18,6 +18,7 @@ import (
objectV2 "github.com/nspcc-dev/neofs-api-go/v2/object"
internalclient "github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/client"
sessionCli "github.com/nspcc-dev/neofs-node/cmd/neofs-cli/modules/session"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
"github.com/nspcc-dev/neofs-sdk-go/checksum"
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
"github.com/nspcc-dev/neofs-sdk-go/object"
@ -25,7 +26,6 @@ import (
oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id"
"github.com/nspcc-dev/neofs-sdk-go/owner"
"github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/nspcc-dev/neofs-sdk-go/token"
"github.com/spf13/cobra"
)
@ -1056,7 +1056,7 @@ func marshalHeader(cmd *cobra.Command, hdr *object.Object) ([]byte, error) {
}
}
func getBearerToken(cmd *cobra.Command, flagname string) (*token.BearerToken, error) {
func getBearerToken(cmd *cobra.Command, flagname string) (*bearer.Token, error) {
path, err := cmd.Flags().GetString(flagname)
if err != nil || len(path) == 0 {
return nil, nil
@ -1067,7 +1067,7 @@ func getBearerToken(cmd *cobra.Command, flagname string) (*token.BearerToken, er
return nil, fmt.Errorf("can't read bearer token file: %w", err)
}
tok := token.NewBearerToken()
var tok bearer.Token
if err := tok.UnmarshalJSON(data); err != nil {
if err = tok.Unmarshal(data); err != nil {
return nil, fmt.Errorf("can't decode bearer token: %w", err)
@ -1078,7 +1078,7 @@ func getBearerToken(cmd *cobra.Command, flagname string) (*token.BearerToken, er
printVerbose("Using JSON encoded bearer token")
}
return tok, nil
return &tok, nil
}
func getObjectRange(cmd *cobra.Command, _ []string) {

View file

@ -17,10 +17,10 @@ import (
sessionCli "github.com/nspcc-dev/neofs-node/cmd/neofs-cli/modules/session"
"github.com/nspcc-dev/neofs-node/misc"
"github.com/nspcc-dev/neofs-node/pkg/network"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
"github.com/nspcc-dev/neofs-sdk-go/client"
"github.com/nspcc-dev/neofs-sdk-go/owner"
"github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/nspcc-dev/neofs-sdk-go/token"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)
@ -217,7 +217,7 @@ func prepareAPIClientWithKey(cmd *cobra.Command, key *ecdsa.PrivateKey, dst ...c
}
type bearerPrm interface {
SetBearerToken(prm *token.BearerToken)
SetBearerToken(prm *bearer.Token)
}
func prepareBearerPrm(cmd *cobra.Command, prm bearerPrm) {

View file

@ -10,7 +10,6 @@ import (
"strconv"
"time"
"github.com/nspcc-dev/neofs-api-go/v2/refs"
"github.com/nspcc-dev/neofs-node/pkg/util/keyer"
locodedb "github.com/nspcc-dev/neofs-node/pkg/util/locode/db"
airportsdb "github.com/nspcc-dev/neofs-node/pkg/util/locode/db/airports"
@ -18,8 +17,6 @@ import (
continentsdb "github.com/nspcc-dev/neofs-node/pkg/util/locode/db/continents/geojson"
csvlocode "github.com/nspcc-dev/neofs-node/pkg/util/locode/table/csv"
sdkstatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
"github.com/nspcc-dev/neofs-sdk-go/token"
"github.com/nspcc-dev/neofs-sdk-go/version"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)
@ -296,10 +293,7 @@ func signBearerToken(cmd *cobra.Command, _ []string) {
key, err := getKey()
exitOnErr(cmd, err)
err = completeBearerToken(btok)
exitOnErr(cmd, err)
err = btok.SignToken(key)
err = btok.Sign(*key)
exitOnErr(cmd, err)
to := cmd.Flag("to").Value.String()
@ -310,8 +304,7 @@ func signBearerToken(cmd *cobra.Command, _ []string) {
data, err = btok.MarshalJSON()
exitOnErr(cmd, errf("can't JSON encode bearer token: %w", err))
} else {
data, err = btok.Marshal()
exitOnErr(cmd, errf("can't binary encode bearer token: %w", err))
data = btok.Marshal()
}
if len(to) == 0 {
@ -424,22 +417,6 @@ func processKeyer(cmd *cobra.Command, args []string) {
result.PrettyPrint(uncompressed, useHex)
}
func completeBearerToken(btok *token.BearerToken) error {
if v2 := btok.ToV2(); v2 != nil {
// set eACL table version, because it usually omitted
table := v2.GetBody().GetEACL()
var ver refs.Version
version.Current().WriteToV2(&ver)
table.SetVersion(&ver)
} else {
return errors.New("unsupported bearer token version")
}
return nil
}
func prettyPrintJSON(cmd *cobra.Command, data []byte) {
buf := new(bytes.Buffer)
if err := json.Indent(buf, data, "", " "); err != nil {

2
go.mod
View file

@ -19,7 +19,7 @@ require (
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect
github.com/nspcc-dev/neofs-api-go/v2 v2.12.1
github.com/nspcc-dev/neofs-contract v0.14.2
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220413075357-96892d7bc4a8
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220413082415-24d6c2221f6b
github.com/nspcc-dev/tzhash v1.5.2
github.com/panjf2000/ants/v2 v2.4.0
github.com/paulmach/orb v0.2.2

BIN
go.sum

Binary file not shown.

View file

@ -13,10 +13,10 @@ import (
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2"
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/bearer"
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
addressSDK "github.com/nspcc-dev/neofs-sdk-go/object/address"
"github.com/nspcc-dev/neofs-sdk-go/owner"
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token"
)
// CheckerPrm groups parameters for Checker
@ -143,21 +143,21 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
reqInfo.CleanBearer()
}
var (
table *eaclSDK.Table
err error
)
var table eaclSDK.Table
if reqInfo.Bearer().Empty() {
table, err = c.eaclSrc.GetEACL(reqInfo.ContainerID())
bearerTok := reqInfo.Bearer()
if bearerTok == nil {
pTable, err := c.eaclSrc.GetEACL(reqInfo.ContainerID())
if err != nil {
if errors.Is(err, container.ErrEACLNotFound) {
return nil
}
return err
}
table = *pTable
} else {
table = reqInfo.Bearer().EACLTable()
table = bearerTok.EACLTable()
}
// if bearer token is not present, isValidBearer returns true
@ -195,7 +195,7 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
WithHeaderSource(
eaclV2.NewMessageHeaderSource(hdrSrcOpts...),
).
WithEACLTable(table),
WithEACLTable(&table),
)
if action != eaclSDK.ActionAllow {
@ -210,9 +210,8 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
token := reqInfo.Bearer()
// 0. Check if bearer token is present in reqInfo. It might be non nil
// empty structure.
if token == nil || token.Empty() {
// 0. Check if bearer token is present in reqInfo.
if token == nil {
return nil
}
@ -227,32 +226,35 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
}
// 3. Then check if container owner signed this token.
tokenIssuerKey := unmarshalPublicKey(token.Signature().Key())
if !isOwnerFromKey(reqInfo.ContainerOwner(), tokenIssuerKey) {
issuer, ok := token.Issuer()
if !ok {
panic("unexpected false return from Issuer method on signed bearer token")
}
if !issuer.Equal(reqInfo.ContainerOwner()) {
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
return errBearerNotSignedByOwner
}
// 4. Then check if request sender has rights to use this token.
tokenOwnerField := token.OwnerID()
if tokenOwnerField != nil { // see bearer token owner field description
tokenOwner := token.OwnerID()
requestSenderKey := unmarshalPublicKey(reqInfo.SenderKey())
if !isOwnerFromKey(tokenOwnerField, requestSenderKey) {
if !isOwnerFromKey(&tokenOwner, requestSenderKey) {
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
return errBearerInvalidOwner
}
}
return nil
}
func isValidLifetime(t *bearerSDK.BearerToken, epoch uint64) bool {
func isValidLifetime(t *bearerSDK.Token, epoch uint64) bool {
// The "exp" (expiration time) claim identifies the expiration time on
// or after which the JWT MUST NOT be accepted for processing.
// The "nbf" (not before) claim identifies the time before which the JWT
// MUST NOT be accepted for processing
// RFC 7519 sections 4.1.4, 4.1.5
return epoch >= t.NotBeforeTime() && epoch <= t.Expiration()
return epoch >= t.NotBefore() && epoch <= t.Expiration()
}
func isOwnerFromKey(id *owner.ID, key *keys.PublicKey) bool {

View file

@ -6,12 +6,12 @@ import (
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
sessionV2 "github.com/nspcc-dev/neofs-api-go/v2/session"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
containerIDSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id"
"github.com/nspcc-dev/neofs-sdk-go/owner"
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token"
)
// RequestInfo groups parsed version-independent (from SDK library)
@ -29,7 +29,7 @@ type RequestInfo struct {
senderKey []byte
bearer *bearerSDK.BearerToken // bearer token of request
bearer *bearer.Token // bearer token of request
srcRequest interface{}
}
@ -72,7 +72,7 @@ func (r *RequestInfo) CleanBearer() {
}
// Bearer returns bearer token of the request.
func (r RequestInfo) Bearer() *bearerSDK.BearerToken {
func (r RequestInfo) Bearer() *bearer.Token {
return r.bearer
}
@ -106,7 +106,7 @@ func (r RequestInfo) RequestRole() eaclSDK.Role {
type MetaWithToken struct {
vheader *sessionV2.RequestVerificationHeader
token *sessionSDK.Token
bearer *bearerSDK.BearerToken
bearer *bearer.Token
src interface{}
}

View file

@ -10,13 +10,13 @@ import (
objectV2 "github.com/nspcc-dev/neofs-api-go/v2/object"
refsV2 "github.com/nspcc-dev/neofs-api-go/v2/refs"
sessionV2 "github.com/nspcc-dev/neofs-api-go/v2/session"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
containerIDSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id"
"github.com/nspcc-dev/neofs-sdk-go/owner"
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/nspcc-dev/neofs-sdk-go/signature"
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token"
)
func getContainerIDFromRequest(req interface{}) (id *containerIDSDK.ID, err error) {
@ -47,12 +47,20 @@ func getContainerIDFromRequest(req interface{}) (id *containerIDSDK.ID, err erro
// originalBearerToken goes down to original request meta header and fetches
// bearer token from there.
func originalBearerToken(header *sessionV2.RequestMetaHeader) *bearerSDK.BearerToken {
func originalBearerToken(header *sessionV2.RequestMetaHeader) *bearer.Token {
for header.GetOrigin() != nil {
header = header.GetOrigin()
}
return bearerSDK.NewBearerTokenFromV2(header.GetBearerToken())
tokV2 := header.GetBearerToken()
if tokV2 == nil {
return nil
}
var tok bearer.Token
tok.ReadFromV2(*tokV2)
return &tok
}
// originalSessionToken goes down to original request meta header and fetches

View file

@ -7,20 +7,23 @@ import (
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
"github.com/nspcc-dev/neofs-api-go/v2/session"
sessiontest "github.com/nspcc-dev/neofs-api-go/v2/session/test"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
"github.com/nspcc-dev/neofs-sdk-go/eacl"
sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/token"
"github.com/stretchr/testify/require"
)
func TestOriginalTokens(t *testing.T) {
sToken := sessiontest.GenerateSessionToken(false)
bToken := acltest.GenerateBearerToken(false)
bTokenV2 := acltest.GenerateBearerToken(false)
var bToken bearer.Token
bToken.ReadFromV2(*bTokenV2)
for i := 0; i < 10; i++ {
metaHeaders := testGenerateMetaHeader(uint32(i), bToken, sToken)
metaHeaders := testGenerateMetaHeader(uint32(i), bTokenV2, sToken)
require.Equal(t, sessionSDK.NewTokenFromV2(sToken), originalSessionToken(metaHeaders), i)
require.Equal(t, bearerSDK.NewBearerTokenFromV2(bToken), originalBearerToken(metaHeaders), i)
require.Equal(t, &bToken, originalBearerToken(metaHeaders), i)
}
}

View file

@ -8,6 +8,7 @@ import (
"io"
coreclient "github.com/nspcc-dev/neofs-node/pkg/core/client"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
"github.com/nspcc-dev/neofs-sdk-go/client"
apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
@ -15,7 +16,6 @@ import (
addressSDK "github.com/nspcc-dev/neofs-sdk-go/object/address"
oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id"
"github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/nspcc-dev/neofs-sdk-go/token"
)
type commonPrm struct {
@ -27,7 +27,7 @@ type commonPrm struct {
tokenSession *session.Token
tokenBearer *token.BearerToken
tokenBearer *bearer.Token
local bool
@ -65,7 +65,7 @@ func (x *commonPrm) SetSessionToken(tok *session.Token) {
// SetBearerToken sets bearer token to be attached to the request.
//
// By default token is not attached to the request.
func (x *commonPrm) SetBearerToken(tok *token.BearerToken) {
func (x *commonPrm) SetBearerToken(tok *bearer.Token) {
x.tokenBearer = tok
}

View file

@ -4,8 +4,8 @@ import (
"strconv"
"github.com/nspcc-dev/neofs-api-go/v2/session"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
sessionsdk "github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/nspcc-dev/neofs-sdk-go/token"
)
// maxLocalTTL is maximum TTL for an operation to be considered local.
@ -18,7 +18,7 @@ type CommonPrm struct {
token *sessionsdk.Token
bearer *token.BearerToken
bearer *bearer.Token
ttl uint32
@ -67,7 +67,7 @@ func (p *CommonPrm) SessionToken() *sessionsdk.Token {
return nil
}
func (p *CommonPrm) BearerToken() *token.BearerToken {
func (p *CommonPrm) BearerToken() *bearer.Token {
if p != nil {
return p.bearer
}
@ -116,7 +116,8 @@ func CommonPrmFromV2(req interface {
}
if tok := meta.GetBearerToken(); tok != nil {
prm.bearer = token.NewBearerTokenFromV2(tok)
prm.bearer = new(bearer.Token)
prm.bearer.ReadFromV2(*tok)
}
for i := range xHdrs {