[#755] innerring: Check container owner namespace
All checks were successful
Vulncheck / Vulncheck (pull_request) Successful in 1m12s
DCO action / DCO (pull_request) Successful in 2m43s
Build / Build Components (1.21) (pull_request) Successful in 4m8s
Build / Build Components (1.20) (pull_request) Successful in 4m18s
Tests and linters / Staticcheck (pull_request) Successful in 4m19s
Tests and linters / Lint (pull_request) Successful in 5m30s
Tests and linters / Tests (1.20) (pull_request) Successful in 12m2s
Tests and linters / Tests (1.21) (pull_request) Successful in 12m24s
Tests and linters / Tests with -race (pull_request) Successful in 13m4s

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
This commit is contained in:
Dmitrii Stepanov 2023-11-20 17:03:19 +03:00
parent 1cd2bfe51a
commit a3ef7b58b4
6 changed files with 218 additions and 20 deletions

View file

@ -20,6 +20,7 @@ import (
balanceClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/balance" balanceClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/balance"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/container" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/container"
frostfsClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/frostfs" frostfsClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/frostfs"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/frostfsid"
nmClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/netmap" nmClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event"
control "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/ir" control "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/ir"
@ -249,7 +250,7 @@ func (s *Server) initAlphabetProcessor(cfg *viper.Viper) error {
return err return err
} }
func (s *Server) initContainerProcessor(cfg *viper.Viper, cnrClient *container.Client) error { func (s *Server) initContainerProcessor(cfg *viper.Viper, cnrClient *container.Client, frostfsIDClient *frostfsid.Client) error {
// container processor // container processor
containerProcessor, err := cont.New(&cont.Params{ containerProcessor, err := cont.New(&cont.Params{
Log: s.log, Log: s.log,
@ -258,6 +259,7 @@ func (s *Server) initContainerProcessor(cfg *viper.Viper, cnrClient *container.C
AlphabetState: s, AlphabetState: s,
ContainerClient: cnrClient, ContainerClient: cnrClient,
MorphClient: cnrClient.Morph(), MorphClient: cnrClient.Morph(),
FrostFSIDClient: frostfsIDClient,
NetworkState: s.netmapClient, NetworkState: s.netmapClient,
}) })
if err != nil { if err != nil {
@ -365,6 +367,7 @@ func (s *Server) initGRPCServer(cfg *viper.Viper) error {
type serverMorphClients struct { type serverMorphClients struct {
CnrClient *container.Client CnrClient *container.Client
FrostFSIDClient *frostfsid.Client
FrostFSClient *frostfsClient.Client FrostFSClient *frostfsClient.Client
} }
@ -397,6 +400,11 @@ func (s *Server) initClientsFromMorph() (*serverMorphClients, error) {
return nil, err return nil, err
} }
result.FrostFSIDClient, err = frostfsid.NewFromMorph(s.morphClient, s.contracts.frostfsID, fee)
if err != nil {
return nil, err
}
result.FrostFSClient, err = frostfsClient.NewFromMorph(s.mainnetClient, s.contracts.frostfs, result.FrostFSClient, err = frostfsClient.NewFromMorph(s.mainnetClient, s.contracts.frostfs,
s.feeConfig.MainChainFee(), frostfsClient.TryNotary(), frostfsClient.AsAlphabet()) s.feeConfig.MainChainFee(), frostfsClient.TryNotary(), frostfsClient.AsAlphabet())
if err != nil { if err != nil {
@ -426,7 +434,7 @@ func (s *Server) initProcessors(cfg *viper.Viper, morphClients *serverMorphClien
return err return err
} }
err = s.initContainerProcessor(cfg, morphClients.CnrClient) err = s.initContainerProcessor(cfg, morphClients.CnrClient, morphClients.FrostFSIDClient)
if err != nil { if err != nil {
return err return err
} }

View file

@ -3,9 +3,11 @@ package container
import ( import (
"crypto/ecdsa" "crypto/ecdsa"
"encoding/hex" "encoding/hex"
"fmt"
"testing" "testing"
"time" "time"
frostfsidclient "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container" containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
cntClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/container" cntClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/container"
containerEvent "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event/container" containerEvent "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event/container"
@ -42,6 +44,7 @@ func TestPutEvent(t *testing.T) {
NetworkState: nst, NetworkState: nst,
ContainerClient: &testContainerClient{}, ContainerClient: &testContainerClient{},
MorphClient: mc, MorphClient: mc,
FrostFSIDClient: &testFrostFSIDClient{},
}) })
require.NoError(t, err, "failed to create processor") require.NoError(t, err, "failed to create processor")
@ -102,6 +105,7 @@ func TestDeleteEvent(t *testing.T) {
NetworkState: nst, NetworkState: nst,
ContainerClient: cc, ContainerClient: cc,
MorphClient: mc, MorphClient: mc,
FrostFSIDClient: &testFrostFSIDClient{},
}) })
require.NoError(t, err, "failed to create processor") require.NoError(t, err, "failed to create processor")
@ -173,6 +177,7 @@ func TestSetEACLEvent(t *testing.T) {
NetworkState: nst, NetworkState: nst,
ContainerClient: cc, ContainerClient: cc,
MorphClient: mc, MorphClient: mc,
FrostFSIDClient: &testFrostFSIDClient{},
}) })
require.NoError(t, err, "failed to create processor") require.NoError(t, err, "failed to create processor")
@ -316,3 +321,9 @@ func (c *testMorphClient) NotarySignAndInvokeTX(mainTx *transaction.Transaction)
c.transactions = append(c.transactions, mainTx) c.transactions = append(c.transactions, mainTx)
return nil return nil
} }
type testFrostFSIDClient struct{}
func (c *testFrostFSIDClient) GetSubject(addr util.Uint160) (*frostfsidclient.Subject, error) {
return nil, fmt.Errorf("subject not found")
}

View file

@ -2,6 +2,7 @@ package container
import ( import (
"fmt" "fmt"
"strings"
"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs" "git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event"
@ -10,6 +11,7 @@ import (
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
"github.com/nspcc-dev/neo-go/pkg/network/payload" "github.com/nspcc-dev/neo-go/pkg/network/payload"
"github.com/nspcc-dev/neo-go/pkg/util"
"go.uber.org/zap" "go.uber.org/zap"
) )
@ -88,7 +90,7 @@ func (cp *Processor) checkPutContainer(ctx *putContainerContext) error {
} }
// check native name and zone // check native name and zone
err = checkNNS(ctx, cnr) err = cp.checkNNS(ctx, cnr)
if err != nil { if err != nil {
return fmt.Errorf("NNS: %w", err) return fmt.Errorf("NNS: %w", err)
} }
@ -157,7 +159,7 @@ func (cp *Processor) checkDeleteContainer(e containerEvent.Delete) error {
return nil return nil
} }
func checkNNS(ctx *putContainerContext, cnr containerSDK.Container) error { func (cp *Processor) checkNNS(ctx *putContainerContext, cnr containerSDK.Container) error {
// fetch domain info // fetch domain info
ctx.d = containerSDK.ReadDomain(cnr) ctx.d = containerSDK.ReadDomain(cnr)
@ -175,6 +177,25 @@ func checkNNS(ctx *putContainerContext, cnr containerSDK.Container) error {
} }
} }
namespace, hasNamespace := strings.CutSuffix(ctx.d.Zone(), ".ns")
if !hasNamespace {
return nil
}
addr, err := util.Uint160DecodeBytesBE(cnr.Owner().WalletBytes()[1 : 1+util.Uint160Size])
if err != nil {
return fmt.Errorf("could not get container owner address: %w", err)
}
subject, err := cp.frostFSIDClient.GetSubject(addr)
if err != nil {
return fmt.Errorf("could not get subject from FrostfsID contract: %w", err)
}
if subject.Namespace != namespace {
return fmt.Errorf("container and owner namespaces do not match")
}
return nil return nil
} }

View file

@ -4,6 +4,7 @@ import (
"errors" "errors"
"fmt" "fmt"
frostfsidclient "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs" "git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container" containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring/metrics" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring/metrics"
@ -32,6 +33,10 @@ type (
NotarySignAndInvokeTX(mainTx *transaction.Transaction) error NotarySignAndInvokeTX(mainTx *transaction.Transaction) error
} }
FrostFSIDClient interface {
GetSubject(addr util.Uint160) (*frostfsidclient.Subject, error)
}
// Processor of events produced by container contract in the sidechain. // Processor of events produced by container contract in the sidechain.
Processor struct { Processor struct {
log *logger.Logger log *logger.Logger
@ -41,6 +46,7 @@ type (
cnrClient ContClient // notary must be enabled cnrClient ContClient // notary must be enabled
morphClient MorphClient morphClient MorphClient
netState NetworkState netState NetworkState
frostFSIDClient FrostFSIDClient
} }
// Params of the processor constructor. // Params of the processor constructor.
@ -52,6 +58,7 @@ type (
ContainerClient ContClient ContainerClient ContClient
MorphClient MorphClient MorphClient MorphClient
NetworkState NetworkState NetworkState NetworkState
FrostFSIDClient FrostFSIDClient
} }
) )
@ -86,6 +93,8 @@ func New(p *Params) (*Processor, error) {
return nil, errors.New("ir/container: Morph client is not set") return nil, errors.New("ir/container: Morph client is not set")
case p.NetworkState == nil: case p.NetworkState == nil:
return nil, errors.New("ir/container: network state is not set") return nil, errors.New("ir/container: network state is not set")
case p.FrostFSIDClient == nil:
return nil, errors.New("ir/container: FrostFSID client is not set")
} }
p.Log.Debug(logs.ContainerContainerWorkerPool, zap.Int("size", p.PoolSize)) p.Log.Debug(logs.ContainerContainerWorkerPool, zap.Int("size", p.PoolSize))
@ -108,6 +117,7 @@ func New(p *Params) (*Processor, error) {
cnrClient: p.ContainerClient, cnrClient: p.ContainerClient,
netState: p.NetworkState, netState: p.NetworkState,
morphClient: p.MorphClient, morphClient: p.MorphClient,
frostFSIDClient: p.FrostFSIDClient,
}, nil }, nil
} }

View file

@ -0,0 +1,31 @@
package frostfsid
import (
"fmt"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
"github.com/nspcc-dev/neo-go/pkg/util"
)
// Client is a wrapper over StaticClient
// which makes calls with the names and arguments
// of the FrostFS ID contract.
//
// Working client must be created via constructor New.
// Using the Client that has been created with new(Client)
// expression (or just declaring a Client variable) is unsafe
// and can lead to panic.
type Client struct {
client *client.StaticClient // static FrostFS ID contract client
}
// NewFromMorph wraps client to work with FrostFS ID contract.
func NewFromMorph(cli *client.Client, contract util.Uint160, fee fixedn.Fixed8) (*Client, error) {
sc, err := client.NewStatic(cli, contract, fee, client.TryNotary(), client.AsAlphabet())
if err != nil {
return nil, fmt.Errorf("could not create client of FrostFS ID contract: %w", err)
}
return &Client{client: sc}, nil
}

View file

@ -0,0 +1,117 @@
package frostfsid
import (
"errors"
"fmt"
frostfsidclient "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
"github.com/nspcc-dev/neo-go/pkg/util"
"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
)
const methodGetSubject = "getSubject"
func (c *Client) GetSubject(addr util.Uint160) (*frostfsidclient.Subject, error) {
prm := client.TestInvokePrm{}
prm.SetMethod(methodGetSubject)
prm.SetArgs(addr)
res, err := c.client.TestInvoke(prm)
if err != nil {
return nil, fmt.Errorf("could not perform test invocation (%s): %w", methodGetSubject, err)
}
subj, err := parseSubject(res)
if err != nil {
return nil, fmt.Errorf("could not parse test invocation result (%s): %w", methodGetSubject, err)
}
return subj, nil
}
// parseSubject from https://git.frostfs.info/TrueCloudLab/frostfs-contract/src/commit/dd5919348da9731f24504e7bc485516c2ba5f11c/frostfsid/client/client.go#L592
func parseSubject(structArr []stackitem.Item) (*frostfsidclient.Subject, error) {
if len(structArr) < 5 {
return nil, errors.New("invalid response subject struct")
}
var (
err error
subj frostfsidclient.Subject
)
subj.PrimaryKey, err = unwrap.PublicKey(makeValidRes(structArr[0]))
if err != nil {
return nil, err
}
if !structArr[1].Equals(stackitem.Null{}) {
subj.AdditionalKeys, err = unwrap.ArrayOfPublicKeys(makeValidRes(structArr[1]))
if err != nil {
return nil, err
}
}
if !structArr[2].Equals(stackitem.Null{}) {
subj.Namespace, err = unwrap.UTF8String(makeValidRes(structArr[2]))
if err != nil {
return nil, err
}
}
if !structArr[3].Equals(stackitem.Null{}) {
subj.Name, err = unwrap.UTF8String(makeValidRes(structArr[3]))
if err != nil {
return nil, err
}
}
subj.KV, err = parseMap(structArr[4])
if err != nil {
return nil, err
}
return &subj, nil
}
func makeValidRes(item stackitem.Item) (*result.Invoke, error) {
return &result.Invoke{
Stack: []stackitem.Item{item},
State: vmstate.Halt.String(),
}, nil
}
func parseMap(item stackitem.Item) (map[string]string, error) {
if item.Equals(stackitem.Null{}) {
return nil, nil
}
metaMap, err := unwrap.Map(makeValidRes(item))
if err != nil {
return nil, err
}
meta, ok := metaMap.Value().([]stackitem.MapElement)
if !ok {
return nil, errors.New("invalid map type")
}
res := make(map[string]string, len(meta))
for _, element := range meta {
key, err := element.Key.TryBytes()
if err != nil {
return nil, err
}
val, err := element.Value.TryBytes()
if err != nil {
return nil, err
}
res[string(key)] = string(val)
}
return res, nil
}