TrueCloudLab
/
frostfs-node
18
1
Fork 20
Code Issues 89 Pull Requests 6 Actions Releases Activity
4,609 Commits
7 Branches
19 Tags
47 MiB
Commit Graph

174 Commits (498f9955eacab62c0995676245860333796d5d5f)

Author SHA1 Message Date
Airat Arifullin 6959e617c4 [#1047] object: Set container owner ID property to ape request 
* Introduce ContainerOwner field in RequestContext.
* Set ContainerOwner in aclv2 middleware.
* Set PropertyKeyContainerOwnerID for object ape request.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-03-18 15:39:50 +00:00
Airat Arifullin 7cc368e188 [#986] object: Introduce soft ape checks 
* Soft APE check means that APE should allow request even
  it gets status NoRuleFound for a request. Otherwise,
  it is interpreted as Deny.
* Soft APE check is performed if basic ACL mask is not set.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-02-28 19:05:57 +00:00
Airat Arifullin a5446bc17d [#952] object: Pass namespace within context in ACL service
DCO action / DCO (pull_request) Successful in 6m23s Details
Vulncheck / Vulncheck (pull_request) Successful in 7m3s Details
Build / Build Components (1.21) (pull_request) Successful in 8m21s Details
Build / Build Components (1.20) (pull_request) Successful in 8m31s Details
Tests and linters / Staticcheck (pull_request) Successful in 11m1s Details
Tests and linters / Lint (pull_request) Successful in 11m26s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 12m51s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 13m14s Details
Tests and linters / Tests with -race (pull_request) Successful in 13m31s Details 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-02-02 14:48:11 +03:00
Airat Arifullin 5be2af881a [#934] container: Make container APE middleware read namespaces 
* Those methods that can access already existing containers and thus
  can get container properties should read namespace from Zone
  property. If Zone is not set, take a namespace for root.
* Otherwise, define namespaces by owner ID via frostfs-id contract.
* Improve unit-tests, consider more cases.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-02-01 17:38:24 +00:00
Airat Arifullin c8baf76fae [#872] object: Introduce APE middlewar for object service
DCO action / DCO (pull_request) Successful in 2m4s Details
Vulncheck / Vulncheck (pull_request) Successful in 3m12s Details
Build / Build Components (1.21) (pull_request) Successful in 4m1s Details
Build / Build Components (1.20) (pull_request) Successful in 4m13s Details
Tests and linters / Staticcheck (pull_request) Successful in 4m3s Details
Tests and linters / Lint (pull_request) Successful in 8m7s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 8m14s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 8m18s Details
Tests and linters / Tests with -race (pull_request) Successful in 8m24s Details 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-01-12 18:41:35 +03:00
Airat Arifullin bdd43f6211 [#869] object: Pass just CID to chain router 
* Do not convert CID from request to native-schema resource
  format - this step is unneccessary for APE.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2023-12-14 11:01:20 +00:00
Airat Arifullin 0f45e3d344 [#804] ape: Implement boltdb storage for local overrides
DCO action / DCO (pull_request) Successful in 2m10s Details
Vulncheck / Vulncheck (pull_request) Successful in 3m26s Details
Build / Build Components (1.20) (pull_request) Successful in 5m41s Details
Build / Build Components (1.21) (pull_request) Successful in 5m44s Details
Tests and linters / Staticcheck (pull_request) Successful in 7m10s Details
Tests and linters / Lint (pull_request) Successful in 8m14s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 14m24s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 14m41s Details
Tests and linters / Tests with -race (pull_request) Successful in 14m38s Details 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2023-12-07 19:08:41 +03:00
Airat Arifullin e361e017f3 [#842] control: Pass target instead resource name 
* Update policy-engine package version in go.mod, go.sum.
* Refactor CheckIfRequestPermitted: pass container target
  instead container ID.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2023-12-07 14:21:55 +00:00
Dmitrii Stepanov c516c7c5f4 [#821] node: Pass user.ID by value
DCO action / DCO (pull_request) Successful in 3m45s Details
Build / Build Components (1.21) (pull_request) Successful in 5m18s Details
Build / Build Components (1.20) (pull_request) Successful in 5m28s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 7m30s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 7m42s Details
Tests and linters / Lint (pull_request) Successful in 8m25s Details
Vulncheck / Vulncheck (pull_request) Successful in 9m22s Details
Tests and linters / Staticcheck (pull_request) Successful in 10m57s Details
Tests and linters / Tests with -race (pull_request) Successful in 16m53s Details 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-11-23 10:21:07 +03:00
Airat Arifullin 4d5be5ccb5 [#811] ape: Update policy-engine module version and rebase
DCO action / DCO (pull_request) Successful in 4m23s Details
Vulncheck / Vulncheck (pull_request) Successful in 5m31s Details
Build / Build Components (1.21) (pull_request) Successful in 7m33s Details
Build / Build Components (1.20) (pull_request) Successful in 7m40s Details
Tests and linters / Staticcheck (pull_request) Successful in 8m22s Details
Tests and linters / Lint (pull_request) Successful in 9m23s Details
Tests and linters / Tests with -race (pull_request) Successful in 11m20s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 11m32s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 11m41s Details 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2023-11-16 11:31:37 +03:00
Dmitrii Stepanov 9133b4389e [#788] objectsvc: Fix formatting (gofumpt)
DCO action / DCO (pull_request) Successful in 3m19s Details
Vulncheck / Vulncheck (pull_request) Successful in 3m40s Details
Build / Build Components (1.21) (pull_request) Successful in 4m17s Details
Build / Build Components (1.20) (pull_request) Successful in 4m32s Details
Tests and linters / Staticcheck (pull_request) Successful in 4m46s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 5m9s Details
Tests and linters / Lint (pull_request) Successful in 5m28s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 5m24s Details
Tests and linters / Tests with -race (pull_request) Successful in 7m38s Details 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-11-09 10:27:32 +03:00
Airat Arifullin 3534d6d05b [#794] objectsvc: Return accidentally removed acl checks for Head
DCO action / DCO (pull_request) Successful in 1m42s Details
Vulncheck / Vulncheck (pull_request) Successful in 3m23s Details
Build / Build Components (1.21) (pull_request) Successful in 4m22s Details
Build / Build Components (1.20) (pull_request) Successful in 5m44s Details
Tests and linters / Staticcheck (pull_request) Successful in 6m3s Details
Tests and linters / Lint (pull_request) Successful in 6m35s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 8m32s Details
Tests and linters / Tests with -race (pull_request) Successful in 8m47s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 8m54s Details 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2023-11-08 17:13:58 +03:00
Airat Arifullin 66848d3288 [#770] cli: Add methods to work with APE rules via control svc 
* Add methods to frostfs-cli
* Implement rpc in control service

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2023-11-08 13:34:03 +00:00
Airat Arifullin 8e11ef46b8 [#770] object: Introduce ape chain checker for object svc 
* Introduce Request type converted from RequestInfo type
  to implement policy-engine's Request interface
* Implement basic ape checker to check if a request is
  permitted to be performed
* Make put handlers use APE checker instead EACL

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2023-11-08 13:34:03 +00:00
Dmitrii Stepanov 79088baa06 [#772] node: Apply gofumpt 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-10-31 17:03:03 +03:00
Anton Nikiforov aeeb8193d2 [#676] node: Fix header source creation when checking eacl
DCO action / DCO (pull_request) Successful in 2m55s Details
Build / Build Components (1.20) (pull_request) Successful in 4m53s Details
Vulncheck / Vulncheck (pull_request) Successful in 4m36s Details
Tests and linters / Staticcheck (pull_request) Successful in 6m35s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 7m7s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 7m47s Details
Tests and linters / Tests with -race (pull_request) Failing after 10m7s Details
Build / Build Components (1.21) (pull_request) Successful in 11m3s Details
Tests and linters / Lint (pull_request) Successful in 17m34s Details 
Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
 2023-09-06 17:06:54 +03:00
Dmitrii Stepanov 55b82e744b [#529] objectcore: Use common sender classifier
DCO action / DCO (pull_request) Successful in 2m19s Details
Vulncheck / Vulncheck (pull_request) Successful in 3m5s Details
Build / Build Components (1.21) (pull_request) Successful in 4m8s Details
Build / Build Components (1.20) (pull_request) Successful in 4m24s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 4m57s Details
Tests and linters / Staticcheck (pull_request) Successful in 4m43s Details
Tests and linters / Tests (1.21) (pull_request) Successful in 5m2s Details
Tests and linters / Lint (pull_request) Successful in 5m21s Details
Tests and linters / Tests with -race (pull_request) Successful in 6m17s Details 
Use common sender classifier for ACL service and format validator.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-08-29 10:33:06 +03:00
Alejandro Lopez 5b7e4a51b7 [#481] Update frostfs-sdk-go and error pointer receivers 
Signed-off-by: Alejandro Lopez <a.lopez@yadro.com>
 2023-08-09 10:26:53 +00:00
Airat Arifullin b3695411d9 [#553] eacl: Fix bug with casting to ObjectAccessDenied error 
Signed-off-by: Airat Arifullin a.arifullin@yadro.com
 2023-08-02 07:22:48 +00:00
Dmitrii Stepanov 70a1081988 [#294] aclsvcv2: Refactor service constructor 
Pass required deps as args.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-07-12 07:42:10 +00:00
Dmitrii Stepanov 18d8898b00 [#294] aclsvc: Refactor service constructor 
Pass required deps as args.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-07-12 07:42:10 +00:00
Dmitrii Stepanov 61541eaec2 [#294] aclsvc: Refactor checker constructor 
Pass required deps as args.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-07-12 07:42:10 +00:00
Dmitrii Stepanov 7b76527759 [#486] node: Add PutSingle wrappers 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-07-10 15:49:21 +03:00
Alexander Chuprov 033eaf77e1 [#496] node: Fix linter importas
Build / Build Components (1.20) (pull_request) Successful in 3m52s Details
Build / Build Components (1.19) (pull_request) Successful in 4m1s Details
ci/woodpecker/pr/pre-commit Pipeline was successful Details
Tests and linters / Tests with -race (pull_request) Successful in 5m36s Details
Tests and linters / Tests (1.20) (pull_request) Successful in 5m55s Details
Tests and linters / Lint (pull_request) Successful in 14m40s Details
Tests and linters / Tests (1.19) (pull_request) Successful in 15m29s Details
ci/woodpecker/push/pre-commit Pipeline was successful Details 
Standardize the alias of the
import frostfs-sdk-go/object as objectSDK.

Signed-off-by: Alexander Chuprov <a.chuprov@yadro.com>
 2023-07-06 15:36:41 +03:00
Evgenii Stratonikov 8a4e250dae [#468] *: replace outdated TODO crypto-related links
ci/woodpecker/push/pre-commit Pipeline was successful Details 
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
 2023-06-28 12:13:20 +00:00
Alexey Vanin c04f6c5e59 [#229] acl: Allow Impersonate 
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
 2023-04-26 10:23:33 +03:00
Evgenii Stratonikov 0e31c12e63 [#240] logs: Move log messages to constants 
Drop duplicate entities.
Format entities.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
 2023-04-14 05:06:09 +00:00
Evgenii Stratonikov 08769f413f Revert "[#135] acl: Add tracing spans" 
This reverts commit b2ca730547.
 2023-04-12 16:54:13 +03:00
Dmitrii Stepanov b2ca730547 [#135] acl: Add tracing spans 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-04-12 06:52:00 +00:00
Dmitrii Stepanov 0920d848d0 [#135] get-object: Add tracing spans 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-04-12 06:52:00 +00:00
Dmitrii Stepanov 4941926c9d [#207] aclsvc: Drop outdated tag
ci/woodpecker/push/pre-commit Pipeline was successful Details 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-04-04 13:22:14 +00:00
Dmitrii Stepanov 585415fa92 [#207] aclsvc: Refactor send checker 
Resolve funlen linter for putStreamBasicChecker.Send method.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-04-04 13:22:14 +00:00
Dmitrii Stepanov 9ef790f782 [#207] aclsvc: Refactor object headers read 
Resolve funlen linter for readObjectHeaders method.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-04-04 13:22:13 +00:00
Dmitrii Stepanov cd33a57f44 [#207] aclsvc: Refactor EACL check 
Resolve funlen linter for CheckEACL method.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-04-04 13:22:13 +00:00
Dmitrii Stepanov 27bdddc48f [#199] putsvc: Refactor put object 
Resolve containedctx linter for streamer and remote target

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-04-03 15:58:11 +00:00
Dmitrii Stepanov 97c36ed3ec [#148] linter: Add funlen linter 
Long functions are hard to understand and source of errors

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2023-03-21 09:54:41 +03:00
Alexey Vanin 20de74a505 Rename package name 
Due to source code relocation from GitHub.

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
 2023-03-07 16:38:26 +03:00
Alejandro Lopez cb5468abb8 [#66] node: Replace interface{} with any 
Signed-off-by: Alejandro Lopez <a.lopez@yadro.com>
 2023-02-21 16:47:07 +03:00
Stanislav Bogatyrev cb016d53a6 [#1] Fix comments and error messages 
Signed-off-by: Stanislav Bogatyrev <s.bogatyrev@yadro.com>
 2023-02-06 17:41:14 +03:00
Evgenii Stratonikov 0d8366f475 [#2207] object/acl: Return status error for expired session token 
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
 2023-01-25 15:31:47 +03:00
Pavel Karpy 923f84722a Move to frostfs-node 
Signed-off-by: Pavel Karpy <p.karpy@yadro.com>
 2022-12-28 15:04:29 +03:00
Pavel Karpy 481b48b942 [#2028] node: Check session token's NBF and IAT 
ACL service did not check "Not Valid Before" and "Issued At" claims.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
 2022-11-19 11:01:04 +03:00
Pavel Karpy aadd2ad050 [#2028] node: Do not wrap malformed request errors 
After presenting request statuses on the API level, all the errors are
unwrapped before sending to the caller side. It led to a losing invalid
request's context.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
 2022-11-19 11:01:04 +03:00
Pavel Karpy f037022a7a [#1770] logger: Refactor `Logger` component 
Make it store its internal `zap.Logger`'s level. Also, make all the
components to accept internal `logger.Logger` instead of `zap.Logger`; it
will simplify future refactor.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
 2022-10-12 18:11:05 +03:00
Leonard Lyubich 807c0a1321 [#1859] services/object: Do not session check relation in PUT 
It doesn't make sense to check object relation in session check of
`ObjectService.Put` RPC which has been spawned by `ObjectService.Delete`
with session. Session issuer can't predict identifier of the tombstone
object to be created.

Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>
 2022-10-10 20:09:47 +03:00
Leonard Lyubich e54b52ec03 [#1420] object/acl: Fix correlation of object session to request 
In previous implementation of `neofs-node` app object session was not
checked for substitution of the object related to it. Also, for access
checks, the session object was substituted instead of the one from the
request. This, on the one hand, made it possible to inherit the session
from the parent object for authorization for certain actions. On the
other hand, it covered the mentioned object substitution, which is a
critical vulnerability.

Next changes are applied to processing of all Object service requests:
 - check if object session relates to the requested object
 - use requested object in access checks.

Disclosed problem of object context inheritance will be solved within

Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>
 2022-10-07 10:34:38 +03:00
Pavel Karpy 4f18893d9b [#1628] node: Move common `EACLSource` interface to `core` pkg 
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
 2022-09-13 10:33:50 +03:00
Pavel Karpy c2918fce3a [#1645] node: Support `EACL_NOT_FOUND` status 
Remove internal `ErrEACLNotFound` error.
Also, update `neofs-api-go` and `neofs-sdk-go` libraries.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
 2022-08-01 20:45:36 +03:00
Pavel Karpy 589a54805d [#1618] node: Use OID/CID from the request in eACL checks 
Also, try to fetch object header info from the local storage to find as much
object info as possible for the requests which do not assume returning
object header as a response.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
 2022-07-25 09:41:11 +03:00
Evgenii Stratonikov 0504c3e0c6 [#1266] object/acl: Check bearer token container ID 
If the container ID is not nil and not equal to the container ID in the
request, consider bearer token invalid.

See also nspcc-dev/neofs-api#207.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
 2022-07-12 12:25:02 +03:00