From 89cd2ad4637f9802ec277d78503e2c68b54cafc7 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Wed, 21 Oct 2020 16:11:18 +0300 Subject: [PATCH] [#106] Process bearer token in ACL service If bearer token is presented in the request then check if it is a valid one and then use it to process extended ACL checks. Signed-off-by: Alex Vanin --- pkg/services/object/acl/acl.go | 79 ++++++++++++++++++++++- pkg/services/object/acl/classifier.go | 2 + pkg/services/object/acl/eacl/types.go | 11 ++++ pkg/services/object/acl/eacl/validator.go | 23 +++++-- 4 files changed, 107 insertions(+), 8 deletions(-) diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 4a29883d3..5966ac5d1 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -8,8 +8,12 @@ import ( acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl" "github.com/nspcc-dev/neofs-api-go/pkg/container" "github.com/nspcc-dev/neofs-api-go/pkg/owner" + "github.com/nspcc-dev/neofs-api-go/util/signature" + bearer "github.com/nspcc-dev/neofs-api-go/v2/acl" "github.com/nspcc-dev/neofs-api-go/v2/object" "github.com/nspcc-dev/neofs-api-go/v2/session" + v2signature "github.com/nspcc-dev/neofs-api-go/v2/signature" + crypto "github.com/nspcc-dev/neofs-crypto" core "github.com/nspcc-dev/neofs-node/pkg/core/container" "github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore" "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl" @@ -54,6 +58,8 @@ type ( cid *container.ID senderKey []byte + + bearer *bearer.BearerToken // bearer token of request } ) @@ -123,6 +129,7 @@ func (b Service) Get( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: request.GetMetaHeader().GetSessionToken(), + bearer: request.GetMetaHeader().GetBearerToken(), } reqInfo, err := b.findRequestInfo(req, cid, acl.OperationGet) @@ -167,6 +174,7 @@ func (b Service) Head( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: request.GetMetaHeader().GetSessionToken(), + bearer: request.GetMetaHeader().GetBearerToken(), } reqInfo, err := b.findRequestInfo(req, cid, acl.OperationHead) @@ -204,6 +212,7 @@ func (b Service) Search( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: request.GetMetaHeader().GetSessionToken(), + bearer: request.GetMetaHeader().GetBearerToken(), } reqInfo, err := b.findRequestInfo(req, cid, acl.OperationSearch) @@ -233,6 +242,7 @@ func (b Service) Delete( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: request.GetMetaHeader().GetSessionToken(), + bearer: request.GetMetaHeader().GetBearerToken(), } reqInfo, err := b.findRequestInfo(req, cid, acl.OperationDelete) @@ -261,6 +271,7 @@ func (b Service) GetRange( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: request.GetMetaHeader().GetSessionToken(), + bearer: request.GetMetaHeader().GetBearerToken(), } reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRange) @@ -290,6 +301,7 @@ func (b Service) GetRangeHash( req := metaWithToken{ vheader: request.GetVerificationHeader(), token: request.GetMetaHeader().GetSessionToken(), + bearer: request.GetMetaHeader().GetBearerToken(), } reqInfo, err := b.findRequestInfo(req, cid, acl.OperationRangeHash) @@ -327,6 +339,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error { req := metaWithToken{ vheader: request.GetVerificationHeader(), token: part.GetHeader().GetSessionToken(), + bearer: request.GetMetaHeader().GetBearerToken(), } reqInfo, err := p.source.findRequestInfo(req, cid, acl.OperationPut) @@ -411,6 +424,9 @@ func (b Service) findRequestInfo( // otherwise the request would not pass validation info.senderKey = key + // add bearer token if it is present in request + info.bearer = req.bearer + return info, nil } @@ -499,6 +515,11 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool { return true } + // if bearer token is not present, isValidBearer returns true + if !isValidBearer(reqInfo) { + return false + } + hdrSrcOpts := make([]eaclV2.Option, 0, 2) hdrSrcOpts = append(hdrSrcOpts, eaclV2.WithLocalObjectStorage(cfg.localStorage)) @@ -516,7 +537,8 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool { WithSenderKey(reqInfo.senderKey). WithHeaderSource( eaclV2.NewMessageHeaderSource(hdrSrcOpts...), - ), + ). + WithBearerToken(reqInfo.bearer), ) return action == acl.ActionAllow @@ -575,3 +597,58 @@ func eACLErr(info requestInfo) error { failedCheckTyp: "extended ACL", } } + +// isValidBearer returns true if bearer token correctly signed by authorized +// entity. This method might be define on whole ACL service because it will +// require to fetch current epoch to check lifetime. +func isValidBearer(reqInfo requestInfo) bool { + token := reqInfo.bearer + + // 0. Check if bearer token is present in reqInfo. It might be non nil + // empty structure. + if token == nil || (token.GetBody() == nil && token.GetSignature() == nil) { + return true + } + + // 1. First check if bearer token is signed correctly. + signWrapper := v2signature.StableMarshalerWrapper{SM: token.GetBody()} + if err := signature.VerifyDataWithSource(signWrapper, func() (key, sig []byte) { + tokenSignature := token.GetSignature() + return tokenSignature.GetKey(), tokenSignature.GetSign() + }); err != nil { + return false // invalid signature + } + + // 2. Then check if container owner signed this token. + tokenIssuerKey := crypto.UnmarshalPublicKey(token.GetSignature().GetKey()) + tokenIssuerWallet, err := owner.NEO3WalletFromPublicKey(tokenIssuerKey) + if err != nil { + return false + } + // here we compare `owner.ID -> wallet` with `wallet <- publicKey` + // consider making equal method on owner.ID structure + // we can compare .String() version of owners but don't think it is good idea + // binary comparison is better but MarshalBinary is more expensive + if !bytes.Equal(reqInfo.owner.ToV2().GetValue(), tokenIssuerWallet.Bytes()) { + // todo: in this case we can issue all owner keys from neofs.id and check once again + return false + } + + // 3. Then check if request sender has rights to use this token. + tokenOwnerField := token.GetBody().GetOwnerID() + if tokenOwnerField != nil { // see bearer token owner field description + requestSenderKey := crypto.UnmarshalPublicKey(reqInfo.senderKey) + requestSenderWallet, err := owner.NEO3WalletFromPublicKey(requestSenderKey) + if err != nil { + return false + } + // the same issue as above + if !bytes.Equal(tokenOwnerField.GetValue(), requestSenderWallet.Bytes()) { + return false + } + } + + // todo: 4. Then check token lifetime. + + return true +} diff --git a/pkg/services/object/acl/classifier.go b/pkg/services/object/acl/classifier.go index 444aef703..9700f6068 100644 --- a/pkg/services/object/acl/classifier.go +++ b/pkg/services/object/acl/classifier.go @@ -10,6 +10,7 @@ import ( "github.com/nspcc-dev/neofs-api-go/pkg/netmap" "github.com/nspcc-dev/neofs-api-go/pkg/owner" "github.com/nspcc-dev/neofs-api-go/util/signature" + bearer "github.com/nspcc-dev/neofs-api-go/v2/acl" "github.com/nspcc-dev/neofs-api-go/v2/session" v2signature "github.com/nspcc-dev/neofs-api-go/v2/signature" crypto "github.com/nspcc-dev/neofs-crypto" @@ -25,6 +26,7 @@ type ( metaWithToken struct { vheader *session.RequestVerificationHeader token *session.SessionToken + bearer *bearer.BearerToken } SenderClassifier struct { diff --git a/pkg/services/object/acl/eacl/types.go b/pkg/services/object/acl/eacl/types.go index 709572475..c2ec8ac8d 100644 --- a/pkg/services/object/acl/eacl/types.go +++ b/pkg/services/object/acl/eacl/types.go @@ -3,6 +3,7 @@ package eacl import ( "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl" "github.com/nspcc-dev/neofs-api-go/pkg/container" + bearer "github.com/nspcc-dev/neofs-api-go/v2/acl" ) // Storage is the interface that wraps @@ -43,6 +44,8 @@ type ValidationUnit struct { hdrSrc TypedHeaderSource key []byte + + bearer *bearer.BearerToken } func (u *ValidationUnit) WithContainerID(v *container.ID) *ValidationUnit { @@ -84,3 +87,11 @@ func (u *ValidationUnit) WithSenderKey(v []byte) *ValidationUnit { return u } + +func (u *ValidationUnit) WithBearerToken(bearer *bearer.BearerToken) *ValidationUnit { + if u != nil { + u.bearer = bearer + } + + return u +} diff --git a/pkg/services/object/acl/eacl/validator.go b/pkg/services/object/acl/eacl/validator.go index a047d8610..1315836ed 100644 --- a/pkg/services/object/acl/eacl/validator.go +++ b/pkg/services/object/acl/eacl/validator.go @@ -55,14 +55,23 @@ func NewValidator(opts ...Option) *Validator { // // If no matching table entry is found, ActionAllow is returned. func (v *Validator) CalculateAction(unit *ValidationUnit) eacl.Action { - // get eACL table by container ID - table, err := v.storage.GetEACL(unit.cid) - if err != nil { - v.logger.Error("could not get eACL table", - zap.String("error", err.Error()), - ) + var ( + err error + table *eacl.Table + ) - return eacl.ActionUnknown + if unit.bearer != nil { + table = eacl.NewTableFromV2(unit.bearer.GetBody().GetEACL()) + } else { + // get eACL table by container ID + table, err = v.storage.GetEACL(unit.cid) + if err != nil { + v.logger.Error("could not get eACL table", + zap.String("error", err.Error()), + ) + + return eacl.ActionUnknown + } } return tableAction(unit, table)