frostfs-node

Commit Graph

Author	SHA1	Message	Date
Leonard Lyubich	ead4513feb	[#525 ] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>	2021-05-27 17:07:20 +03:00
Leonard Lyubich	ac2d347884	[#505 ] ir/container: Check key-to-owner mapping in key ownership check Owner identifier can be calculated from public key. If it matches, no additional verification of key ownership is required. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>	2021-05-25 16:35:52 +03:00
Leonard Lyubich	5287c194e5	[#505 ] ir/container: Replace key ownership check into a separate method Method of key ownership verification is going to be reused by the handlers of the other events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>	2021-05-25 16:35:52 +03:00

Author

SHA1

Message

Date

Leonard Lyubich

ead4513feb

[#525 ] ir/container: Verify operations with session token

Session token can be presented `Put`, `Delete` and `SetEACL` notification
events. IR should consider this case as issuing a power of attorney to a
third party. Thus, checking the eligibility for an operation should be
complicated:

 - token owner should be the owner of the related container;
 - the intent must be signed with a session key;
 - the power of attorney must be signed by the owner of the container.

Omitted checks (TBD):

 - session token should have container session context;
 - the verb of the context should correspond to the operation.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

2021-05-27 17:07:20 +03:00

Leonard Lyubich

ac2d347884

[#505 ] ir/container: Check key-to-owner mapping in key ownership check

Owner identifier can be calculated from public key. If it matches, no
additional verification of key ownership is required.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

2021-05-25 16:35:52 +03:00

Leonard Lyubich

5287c194e5

[#505 ] ir/container: Replace key ownership check into a separate method

Method of key ownership verification is going to be reused by the handlers
of the other events.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

2021-05-25 16:35:52 +03:00

3 Commits (25d87809c8cd19969273087a8d0971c445ad38d4)