69 commits

Author	SHA1	Message	Date
Dmitrii Stepanov	7429553266	[#1437] node: Fix contextcheck linter ... Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2024-11-13 10:36:10 +03:00
Dmitrii Stepanov	6db46257c0	[#1437] node: Use ctx for logging ... Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2024-11-13 10:36:07 +03:00
Evgenii Stratonikov	c82c753e9f	[#1480] objsvc: Remove useless stream wrappers ... Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2024-11-08 12:01:14 +00:00
Evgenii Stratonikov	f666898e5d	[#1480] objsvc: Remove EACL checks ... Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2024-11-08 12:01:14 +00:00
Evgenii Stratonikov	b1a31281e4	[#1480] ape: Remove SoftAPECheck flag ... Previous release was EACL-compatible. Starting from now all EACL should've been migrated to APE chains. Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2024-11-08 12:01:14 +00:00
Airat Arifullin	9b13a18aac	[#1479] go.mod: Bump frostfs-sdk-go version ... * Update version within go.mod; * Fix deprecated frostfs-api-go/v2 package and use frostfs-sdk-go/api instead. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-11-08 10:43:19 +03:00
Evgenii Stratonikov	7ac0852364	[#1459] .golangci.yml: Add intrange linter, fix issues ... Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2024-10-30 15:18:22 +00:00
Ekaterina Lebedeva	a685fcdc96	[#1317] go.mod: Use range over int ... Since Go 1.22 a "for" statement with a "range" clause is able to iterate through integer values from zero to an upper limit. gopatch script: @@ var i, e expression @@ -for i := 0; i <= e - 1; i++ { +for i := range e { ... } @@ var i, e expression @@ -for i := 0; i <= e; i++ { +for i := range e + 1 { ... } @@ var i, e expression @@ -for i := 0; i < e; i++ { +for i := range e { ... } Signed-off-by: Ekaterina Lebedeva <ekaterina.lebedeva@yadro.com>	2024-09-03 13:00:54 +03:00
Airat Arifullin	eeab417dcf	[#1307] object: Add APE check for Patch handler ... Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-08-16 14:13:09 +00:00
Airat Arifullin	e890f1b4b1	[#1307] object: Implement Patch method ... Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-08-16 14:13:09 +00:00
Airat Arifullin	a4a1c3f18b	[#1307] go.mod: Bump frostfs-sdk-go/frostfs-api-go/v2 versions ... * Also, resolve dependencies and conflicts for object service by creating stub for `Patch` method. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-08-16 14:13:09 +00:00
Airat Arifullin	04a3f891fd	[#1157] object: Make APE checker use Bearer-token's APE overrides ... Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-06-07 12:11:11 +00:00
Ekaterina Lebedeva	e07869a8cf	[#1100] Remove unused fields ... Signed-off-by: Ekaterina Lebedeva <ekaterina.lebedeva@yadro.com>	2024-05-06 10:14:36 +03:00
Evgenii Stratonikov	71789676d5	[#1114] aclsvc: Add tests for request ownership ... Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2024-05-02 11:57:39 +03:00
aarifullin	6959e617c4	[#1047] object: Set container owner ID property to ape request ... * Introduce ContainerOwner field in RequestContext. * Set ContainerOwner in aclv2 middleware. * Set PropertyKeyContainerOwnerID for object ape request. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-03-18 15:39:50 +00:00
Airat Arifullin	7cc368e188	[#986] object: Introduce soft ape checks ... * Soft APE check means that APE should allow request even it gets status NoRuleFound for a request. Otherwise, it is interpreted as Deny. * Soft APE check is performed if basic ACL mask is not set. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-02-28 19:05:57 +00:00
Airat Arifullin	a5446bc17d	[#952] object: Pass namespace within context in ACL service ... Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-02-02 14:48:11 +03:00
Airat Arifullin	5be2af881a	[#934] container: Make container APE middleware read namespaces ... * Those methods that can access already existing containers and thus can get container properties should read namespace from Zone property. If Zone is not set, take a namespace for root. * Otherwise, define namespaces by owner ID via frostfs-id contract. * Improve unit-tests, consider more cases. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-02-01 17:38:24 +00:00
Airat Arifullin	c8baf76fae	[#872] object: Introduce APE middlewar for object service ... Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2024-01-12 18:41:35 +03:00
aarifullin	3534d6d05b	[#794] objectsvc: Return accidentally removed acl checks for Head ... Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2023-11-08 17:13:58 +03:00
Airat Arifullin	66848d3288	[#770] cli: Add methods to work with APE rules via control svc ... * Add methods to frostfs-cli * Implement rpc in control service Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2023-11-08 13:34:03 +00:00
Airat Arifullin	8e11ef46b8	[#770] object: Introduce ape chain checker for object svc ... * Introduce Request type converted from RequestInfo type to implement policy-engine's Request interface * Implement basic ape checker to check if a request is permitted to be performed * Make put handlers use APE checker instead EACL Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>	2023-11-08 13:34:03 +00:00
Dmitrii Stepanov	79088baa06	[#772] node: Apply gofumpt ... Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-10-31 17:03:03 +03:00
Dmitrii Stepanov	55b82e744b	[#529] objectcore: Use common sender classifier ... Use common sender classifier for ACL service and format validator. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-08-29 10:33:06 +03:00
Alejandro Lopez	5b7e4a51b7	[#481] Update frostfs-sdk-go and error pointer receivers ... Signed-off-by: Alejandro Lopez <a.lopez@yadro.com>	2023-08-09 10:26:53 +00:00
Airat Arifullin	b3695411d9	[#553] eacl: Fix bug with casting to ObjectAccessDenied error ... Signed-off-by: Airat Arifullin a.arifullin@yadro.com	2023-08-02 07:22:48 +00:00
Dmitrii Stepanov	70a1081988	[#294] aclsvcv2: Refactor service constructor ... Pass required deps as args. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-07-12 07:42:10 +00:00
Dmitrii Stepanov	7b76527759	[#486] node: Add PutSingle wrappers ... Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-07-10 15:49:21 +03:00
Evgenii Stratonikov	8a4e250dae	[#468] *: replace outdated TODO crypto-related links ... Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2023-06-28 12:13:20 +00:00
Alex Vanin	c04f6c5e59	[#229] acl: Allow Impersonate ... Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2023-04-26 10:23:33 +03:00
Evgenii Stratonikov	0e31c12e63	[#240] logs: Move log messages to constants ... Drop duplicate entities. Format entities. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com> Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2023-04-14 05:06:09 +00:00
Evgenii Stratonikov	08769f413f	Revert "[#135] acl: Add tracing spans" ... This reverts commit b2ca730547.	2023-04-12 16:54:13 +03:00
Dmitrii Stepanov	b2ca730547	[#135] acl: Add tracing spans ... Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-04-12 06:52:00 +00:00
Dmitrii Stepanov	4941926c9d	[#207] aclsvc: Drop outdated tag ... Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-04-04 13:22:14 +00:00
Dmitrii Stepanov	585415fa92	[#207] aclsvc: Refactor send checker ... Resolve funlen linter for putStreamBasicChecker.Send method. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-04-04 13:22:14 +00:00
Dmitrii Stepanov	27bdddc48f	[#199] putsvc: Refactor put object ... Resolve containedctx linter for streamer and remote target Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-04-03 15:58:11 +00:00
Dmitrii Stepanov	97c36ed3ec	[#148] linter: Add funlen linter ... Long functions are hard to understand and source of errors Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>	2023-03-21 09:54:41 +03:00
Alex Vanin	20de74a505	Rename package name ... Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2023-03-07 16:38:26 +03:00
Alejandro Lopez	cb5468abb8	[#66] node: Replace interface{} with any ... Signed-off-by: Alejandro Lopez <a.lopez@yadro.com>	2023-02-21 16:47:07 +03:00
Stanislav Bogatyrev	cb016d53a6	[#1] Fix comments and error messages ... Signed-off-by: Stanislav Bogatyrev <s.bogatyrev@yadro.com>	2023-02-06 17:41:14 +03:00
Evgenii Stratonikov	0d8366f475	[#2207] object/acl: Return status error for expired session token ... Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>	2023-01-25 15:31:47 +03:00
Pavel Karpy	923f84722a	Move to frostfs-node ... Signed-off-by: Pavel Karpy <p.karpy@yadro.com>	2022-12-28 15:04:29 +03:00
Pavel Karpy	481b48b942	[#2028] node: Check session token's NBF and IAT ... ACL service did not check "Not Valid Before" and "Issued At" claims. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>	2022-11-19 11:01:04 +03:00
Pavel Karpy	aadd2ad050	[#2028] node: Do not wrap malformed request errors ... After presenting request statuses on the API level, all the errors are unwrapped before sending to the caller side. It led to a losing invalid request's context. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>	2022-11-19 11:01:04 +03:00
Pavel Karpy	f037022a7a	[#1770] logger: Refactor Logger component ... Make it store its internal `zap.Logger`'s level. Also, make all the components to accept internal `logger.Logger` instead of `zap.Logger`; it will simplify future refactor. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>	2022-10-12 18:11:05 +03:00
Leonard Lyubich	807c0a1321	[#1859] services/object: Do not session check relation in PUT ... It doesn't make sense to check object relation in session check of `ObjectService.Put` RPC which has been spawned by `ObjectService.Delete` with session. Session issuer can't predict identifier of the tombstone object to be created. Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>	2022-10-10 20:09:47 +03:00
Leonard Lyubich	e54b52ec03	[#1420] object/acl: Fix correlation of object session to request ... In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>	2022-10-07 10:34:38 +03:00
Leonard Lyubich	c165d1a9b5	[#1556] Upgrade NeoFS SDK Go with changed container API ... Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>	2022-07-05 11:26:06 +03:00
Leonard Lyubich	305dd7598f	[#1533] acl: Upgrade NeoFS SDK Go with refactored basic ACL ... Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>	2022-06-25 13:57:21 +03:00
Leonard Lyubich	b67974a8d3	[#xxx] Upgrade NeoFS SDK Go with changed container sessions ... After recent changes in NeoFS SDK Go library session tokens aren't embedded into `container.Container` and `eacl.Table` structures. Group value, session token and signature in a structure for container and eACL. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>	2022-06-22 16:38:57 +03:00