Airat Arifullin
6959e617c4
[ #1047 ] object: Set container owner ID property to ape request
...
* Introduce ContainerOwner field in RequestContext.
* Set ContainerOwner in aclv2 middleware.
* Set PropertyKeyContainerOwnerID for object ape request.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-03-18 15:39:50 +00:00
Airat Arifullin
7cc368e188
[ #986 ] object: Introduce soft ape checks
...
* Soft APE check means that APE should allow request even
it gets status NoRuleFound for a request. Otherwise,
it is interpreted as Deny.
* Soft APE check is performed if basic ACL mask is not set.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-02-28 19:05:57 +00:00
Airat Arifullin
a5446bc17d
[ #952 ] object: Pass namespace within context in ACL service
...
DCO action / DCO (pull_request) Successful in 6m23s
Details
Vulncheck / Vulncheck (pull_request) Successful in 7m3s
Details
Build / Build Components (1.21) (pull_request) Successful in 8m21s
Details
Build / Build Components (1.20) (pull_request) Successful in 8m31s
Details
Tests and linters / Staticcheck (pull_request) Successful in 11m1s
Details
Tests and linters / Lint (pull_request) Successful in 11m26s
Details
Tests and linters / Tests (1.20) (pull_request) Successful in 12m51s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 13m14s
Details
Tests and linters / Tests with -race (pull_request) Successful in 13m31s
Details
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-02-02 14:48:11 +03:00
Airat Arifullin
5be2af881a
[ #934 ] container: Make container APE middleware read namespaces
...
* Those methods that can access already existing containers and thus
can get container properties should read namespace from Zone
property. If Zone is not set, take a namespace for root.
* Otherwise, define namespaces by owner ID via frostfs-id contract.
* Improve unit-tests, consider more cases.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-02-01 17:38:24 +00:00
Airat Arifullin
c8baf76fae
[ #872 ] object: Introduce APE middlewar for object service
...
DCO action / DCO (pull_request) Successful in 2m4s
Details
Vulncheck / Vulncheck (pull_request) Successful in 3m12s
Details
Build / Build Components (1.21) (pull_request) Successful in 4m1s
Details
Build / Build Components (1.20) (pull_request) Successful in 4m13s
Details
Tests and linters / Staticcheck (pull_request) Successful in 4m3s
Details
Tests and linters / Lint (pull_request) Successful in 8m7s
Details
Tests and linters / Tests (1.20) (pull_request) Successful in 8m14s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 8m18s
Details
Tests and linters / Tests with -race (pull_request) Successful in 8m24s
Details
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-01-12 18:41:35 +03:00
Airat Arifullin
3534d6d05b
[ #794 ] objectsvc: Return accidentally removed acl checks for Head
...
DCO action / DCO (pull_request) Successful in 1m42s
Details
Vulncheck / Vulncheck (pull_request) Successful in 3m23s
Details
Build / Build Components (1.21) (pull_request) Successful in 4m22s
Details
Build / Build Components (1.20) (pull_request) Successful in 5m44s
Details
Tests and linters / Staticcheck (pull_request) Successful in 6m3s
Details
Tests and linters / Lint (pull_request) Successful in 6m35s
Details
Tests and linters / Tests (1.20) (pull_request) Successful in 8m32s
Details
Tests and linters / Tests with -race (pull_request) Successful in 8m47s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 8m54s
Details
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2023-11-08 17:13:58 +03:00
Airat Arifullin
66848d3288
[ #770 ] cli: Add methods to work with APE rules via control svc
...
* Add methods to frostfs-cli
* Implement rpc in control service
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2023-11-08 13:34:03 +00:00
Airat Arifullin
8e11ef46b8
[ #770 ] object: Introduce ape chain checker for object svc
...
* Introduce Request type converted from RequestInfo type
to implement policy-engine's Request interface
* Implement basic ape checker to check if a request is
permitted to be performed
* Make put handlers use APE checker instead EACL
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2023-11-08 13:34:03 +00:00
Dmitrii Stepanov
79088baa06
[ #772 ] node: Apply gofumpt
...
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-10-31 17:03:03 +03:00
Dmitrii Stepanov
55b82e744b
[ #529 ] objectcore: Use common sender classifier
...
DCO action / DCO (pull_request) Successful in 2m19s
Details
Vulncheck / Vulncheck (pull_request) Successful in 3m5s
Details
Build / Build Components (1.21) (pull_request) Successful in 4m8s
Details
Build / Build Components (1.20) (pull_request) Successful in 4m24s
Details
Tests and linters / Tests (1.20) (pull_request) Successful in 4m57s
Details
Tests and linters / Staticcheck (pull_request) Successful in 4m43s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 5m2s
Details
Tests and linters / Lint (pull_request) Successful in 5m21s
Details
Tests and linters / Tests with -race (pull_request) Successful in 6m17s
Details
Use common sender classifier for ACL service and format validator.
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-08-29 10:33:06 +03:00
Alejandro Lopez
5b7e4a51b7
[ #481 ] Update frostfs-sdk-go and error pointer receivers
...
Signed-off-by: Alejandro Lopez <a.lopez@yadro.com>
2023-08-09 10:26:53 +00:00
Airat Arifullin
b3695411d9
[ #553 ] eacl: Fix bug with casting to ObjectAccessDenied error
...
Signed-off-by: Airat Arifullin a.arifullin@yadro.com
2023-08-02 07:22:48 +00:00
Dmitrii Stepanov
70a1081988
[ #294 ] aclsvcv2: Refactor service constructor
...
Pass required deps as args.
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-07-12 07:42:10 +00:00
Dmitrii Stepanov
7b76527759
[ #486 ] node: Add PutSingle wrappers
...
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-07-10 15:49:21 +03:00
Evgenii Stratonikov
8a4e250dae
[ #468 ] *: replace outdated TODO crypto-related links
...
ci/woodpecker/push/pre-commit Pipeline was successful
Details
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
2023-06-28 12:13:20 +00:00
Alexey Vanin
c04f6c5e59
[ #229 ] acl: Allow Impersonate
...
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
2023-04-26 10:23:33 +03:00
Evgenii Stratonikov
0e31c12e63
[ #240 ] logs: Move log messages to constants
...
Drop duplicate entities.
Format entities.
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
2023-04-14 05:06:09 +00:00
Evgenii Stratonikov
08769f413f
Revert "[ #135 ] acl: Add tracing spans"
...
This reverts commit b2ca730547
.
2023-04-12 16:54:13 +03:00
Dmitrii Stepanov
b2ca730547
[ #135 ] acl: Add tracing spans
...
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-04-12 06:52:00 +00:00
Dmitrii Stepanov
4941926c9d
[ #207 ] aclsvc: Drop outdated tag
...
ci/woodpecker/push/pre-commit Pipeline was successful
Details
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-04-04 13:22:14 +00:00
Dmitrii Stepanov
585415fa92
[ #207 ] aclsvc: Refactor send checker
...
Resolve funlen linter for putStreamBasicChecker.Send method.
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-04-04 13:22:14 +00:00
Dmitrii Stepanov
27bdddc48f
[ #199 ] putsvc: Refactor put object
...
Resolve containedctx linter for streamer and remote target
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-04-03 15:58:11 +00:00
Dmitrii Stepanov
97c36ed3ec
[ #148 ] linter: Add funlen linter
...
Long functions are hard to understand and source of errors
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-03-21 09:54:41 +03:00
Alexey Vanin
20de74a505
Rename package name
...
Due to source code relocation from GitHub.
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
2023-03-07 16:38:26 +03:00
Alejandro Lopez
cb5468abb8
[ #66 ] node: Replace interface{} with any
...
Signed-off-by: Alejandro Lopez <a.lopez@yadro.com>
2023-02-21 16:47:07 +03:00
Stanislav Bogatyrev
cb016d53a6
[ #1 ] Fix comments and error messages
...
Signed-off-by: Stanislav Bogatyrev <s.bogatyrev@yadro.com>
2023-02-06 17:41:14 +03:00
Evgenii Stratonikov
0d8366f475
[ #2207 ] object/acl: Return status error for expired session token
...
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
2023-01-25 15:31:47 +03:00
Pavel Karpy
923f84722a
Move to frostfs-node
...
Signed-off-by: Pavel Karpy <p.karpy@yadro.com>
2022-12-28 15:04:29 +03:00
Pavel Karpy
481b48b942
[ #2028 ] node: Check session token's NBF and IAT
...
ACL service did not check "Not Valid Before" and "Issued At" claims.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-11-19 11:01:04 +03:00
Pavel Karpy
aadd2ad050
[ #2028 ] node: Do not wrap malformed request errors
...
After presenting request statuses on the API level, all the errors are
unwrapped before sending to the caller side. It led to a losing invalid
request's context.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-11-19 11:01:04 +03:00
Pavel Karpy
f037022a7a
[ #1770 ] logger: Refactor `Logger` component
...
Make it store its internal `zap.Logger`'s level. Also, make all the
components to accept internal `logger.Logger` instead of `zap.Logger`; it
will simplify future refactor.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-10-12 18:11:05 +03:00
Leonard Lyubich
807c0a1321
[ #1859 ] services/object: Do not session check relation in PUT
...
It doesn't make sense to check object relation in session check of
`ObjectService.Put` RPC which has been spawned by `ObjectService.Delete`
with session. Session issuer can't predict identifier of the tombstone
object to be created.
Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>
2022-10-10 20:09:47 +03:00
Leonard Lyubich
e54b52ec03
[ #1420 ] object/acl: Fix correlation of object session to request
...
In previous implementation of `neofs-node` app object session was not
checked for substitution of the object related to it. Also, for access
checks, the session object was substituted instead of the one from the
request. This, on the one hand, made it possible to inherit the session
from the parent object for authorization for certain actions. On the
other hand, it covered the mentioned object substitution, which is a
critical vulnerability.
Next changes are applied to processing of all Object service requests:
- check if object session relates to the requested object
- use requested object in access checks.
Disclosed problem of object context inheritance will be solved within
Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>
2022-10-07 10:34:38 +03:00
Leonard Lyubich
c165d1a9b5
[ #1556 ] Upgrade NeoFS SDK Go with changed container API
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-07-05 11:26:06 +03:00
Leonard Lyubich
305dd7598f
[ #1533 ] acl: Upgrade NeoFS SDK Go with refactored basic ACL
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-06-25 13:57:21 +03:00
Leonard Lyubich
b67974a8d3
[#xxx] Upgrade NeoFS SDK Go with changed container sessions
...
After recent changes in NeoFS SDK Go library session tokens aren't
embedded into `container.Container` and `eacl.Table` structures.
Group value, session token and signature in a structure for container
and eACL.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-06-22 16:38:57 +03:00
Leonard Lyubich
21d2f8f861
[ #1513 ] Upgrade NeoFS SDK Go with changed `netmap` package
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-06-17 15:53:18 +03:00
Evgenii Stratonikov
bbf8b8e74d
[ #1494 ] services/object: Do not ignore bearer token decode errors
...
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2022-06-15 12:26:10 +03:00
Leonard Lyubich
1c30414a6c
[ #1454 ] Upgrade NeoFS SDK Go module with new IDs
...
Core changes:
* avoid package-colliding variable naming
* avoid using pointers to IDs where unnecessary
* avoid using `idSDK` import alias pattern
* use `EncodeToString` for protocol string calculation and `String` for
printing
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-06-01 17:41:45 +03:00
Leonard Lyubich
2bcc0051ab
[ #1423 ] session: Get session issuer from token structure
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-05-27 15:45:33 +03:00
Leonard Lyubich
4c8ec20e32
[ #1423 ] session: Upgrade SDK package
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-05-27 15:45:33 +03:00
Pavel Karpy
57c5fccc8c
[ #1428 ] node/acl: Make OID optional
...
Not all the NeoFS requests must contain OID in their bodies (or must NOT
contain them at all). Do not pass object address in helper functions, pass
CID and OID separately instead.
Also, fixed NPE in the ACL service: updated SDK library brought errors
when working with `Put` and `Search` requests without OID fields.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-05-25 12:11:03 +03:00
Pavel Karpy
d69eb2aaf3
[ #1428 ] node/acl: Make container ID as required param
...
Change pointer to value in request information since requests could not
exist without container ID.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-05-25 12:11:03 +03:00
Leonard Lyubich
bb25ecbd15
[ #1400 ] owner: Upgrade SDK package
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-05-23 15:33:14 +03:00
Leonard Lyubich
aeb9884218
[ #1389 ] crypto: Upgrade SDK package
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-05-19 10:12:14 +03:00
Leonard Lyubich
f15e6e888f
[ #1377 ] oid, cid: Upgrade SDK package
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-05-16 15:33:22 +03:00
Leonard Lyubich
3a188bb2e5
[ #1371 ] bearer: Upgrade SDK package
...
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-05-12 15:16:17 +03:00
Evgenii Stratonikov
ff1912aa2a
services/acl: check session token expiration epoch
...
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2022-03-31 15:37:29 +03:00
Alex Vanin
7ed84d1755
[ #1278 ] acl: Return netmap.Source interface
...
Application can provide cached netmap source in this case.
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
2022-03-30 14:22:12 +03:00
Evgenii Stratonikov
2848001dfb
[ #1246 ] object/acl: Return more concise description for eACL errors
...
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2022-03-21 19:20:01 +03:00