Syncronize token expiration behaviour between session key storage and SDK #1229

New issue

Closed

opened 2024-07-04 15:21:33 +00:00 by alexvanin · 0 comments

alexvanin commented 2024-07-04 15:21:33 +00:00

Owner

Copy link

Expected Behavior

Session token considered expired at the same epoch on client and server side.

SDK declares that token is declined, when current epoch is strictly greater than token expiration epoch.

// Client side using SDK
var tok session.Object
tok.SetExp(10)
tok.ExpiredAt(10) // returns false, token is valid at epoch 10

Current Behavior

Session key storage uses greater or equal comparison to check expiration.

if pToken.ExpiredAt() <= s.networkState.CurrentEpoch() {
	return nil, new(apistatus.SessionTokenExpired)
}

Possible Solution

Use the same comparison in Node and SDK.

Steps to Reproduce (for bugs)

1. Run FrostFS environment and find out current epoch, e.g. 99
2. Create session token with expiration epoch 100 and save it in file

	resp, err := cli.SessionCreate(ctx, PrmSessionCreate{
		Expiration: 100,
		Key:        &k.PrivateKey,
	})
	require.NoError(t, err)

	var (
		pubk frostfsecdsa.PublicKey
		id   uuid.UUID
	)
	require.NoError(t, id.UnmarshalBinary(resp.id))
	require.NoError(t, pubk.Decode(resp.sessionKey))

	var s session.Object
	s.SetAuthKey(&pubk)
	s.SetExp(100)
	s.SetID(id)
	s.ForVerb(session.VerbObjectPut)
	s.BindContainer(cnrID)
	require.NoError(t, s.Sign(k.PrivateKey))

	data, err := s.MarshalJSON()
	require.NoError(t, err)
	require.NoError(t, os.WriteFile("./session", data, 0777))

3. Tick new epoch 99 -> 100
4. Read token and make sure it is considered valid by SDK

	data, err := os.ReadFile("./session")
	require.NoError(t, err)

	var s session.Object
	require.NoError(t, s.UnmarshalJSON(data))
	require.False(t, s.ExpiredAt(100)) // pass

5. Try to upload new object. Error occurs because key storage removed expired token, even though it is not quite expired.

	var putHeader object.Object
	putHeader.SetContainerID(cnrID)
	putHeader.SetOwnerID(u)

	objectWriter, err := cli.ObjectPutInit(ctx, PrmObjectPutInit{
		Session: &s,
		Key:     &k.PrivateKey,
	})
	require.NoError(t, err)

	ok := objectWriter.WriteHeader(ctx, putHeader)
	require.True(t, ok)

	objectWriter.WritePayloadChunk(ctx, payload)
	r, err := objectWriter.Close(ctx)
	require.NoError(t, err) // status: code = 4096 message = session token not found

Context

SDK Pool component tries to update token with 1 epoch before expiration, but with this issue it tries to update at the exact expiration epoch, which produce some session token not found and session token is expired errors on client side.

Regression

Don't think so.

Your Environment

frostfs-node v0.38.6

## Expected Behavior Session token considered expired at the same epoch on client and server side. SDK declares that token is declined, when current epoch is strictly greater than token expiration epoch. ```go // Client side using SDK var tok session.Object tok.SetExp(10) tok.ExpiredAt(10) // returns false, token is valid at epoch 10 ``` ## Current Behavior Session key storage uses greater _or equal_ comparison to [check expiration](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/cfd5e3d40371cb3e26c0637e3773135d7bfd0058/pkg/services/object/util/key.go#L70). ```go if pToken.ExpiredAt() <= s.networkState.CurrentEpoch() { return nil, new(apistatus.SessionTokenExpired) } ``` ## Possible Solution Use the same comparison in Node and SDK. ## Steps to Reproduce (for bugs) 1. Run FrostFS environment and find out current epoch, e.g. 99 2. Create session token with expiration epoch 100 and save it in file ```go resp, err := cli.SessionCreate(ctx, PrmSessionCreate{ Expiration: 100, Key: &k.PrivateKey, }) require.NoError(t, err) var ( pubk frostfsecdsa.PublicKey id uuid.UUID ) require.NoError(t, id.UnmarshalBinary(resp.id)) require.NoError(t, pubk.Decode(resp.sessionKey)) var s session.Object s.SetAuthKey(&pubk) s.SetExp(100) s.SetID(id) s.ForVerb(session.VerbObjectPut) s.BindContainer(cnrID) require.NoError(t, s.Sign(k.PrivateKey)) data, err := s.MarshalJSON() require.NoError(t, err) require.NoError(t, os.WriteFile("./session", data, 0777)) ``` 3. Tick new epoch 99 -> 100 4. Read token and make sure it is considered valid by SDK ```go data, err := os.ReadFile("./session") require.NoError(t, err) var s session.Object require.NoError(t, s.UnmarshalJSON(data)) require.False(t, s.ExpiredAt(100)) // pass ``` 5. Try to upload new object. Error occurs because key storage removed expired token, even though it is not quite expired. ```go var putHeader object.Object putHeader.SetContainerID(cnrID) putHeader.SetOwnerID(u) objectWriter, err := cli.ObjectPutInit(ctx, PrmObjectPutInit{ Session: &s, Key: &k.PrivateKey, }) require.NoError(t, err) ok := objectWriter.WriteHeader(ctx, putHeader) require.True(t, ok) objectWriter.WritePayloadChunk(ctx, payload) r, err := objectWriter.Close(ctx) require.NoError(t, err) // status: code = 4096 message = session token not found ``` ## Context SDK Pool component tries to update token with 1 epoch before expiration, but with this issue it tries to update at the exact expiration epoch, which produce some `session token not found` and `session token is expired` errors on client side. ## Regression Don't think so. ## Your Environment frostfs-node v0.38.6

alexvanin added the

bug

triage

labels 2024-07-04 15:21:33 +00:00

aarifullin was assigned by fyrchik 2024-07-05 06:31:46 +00:00

aarifullin referenced this issue from a pull request that will close it, 2024-07-05 08:52:59 +00:00

util: Fix session token expiration check #1230

fyrchik closed this issue 2024-07-08 08:15:59 +00:00

fyrchik referenced this issue from a commit 2024-07-08 08:16:04 +00:00

[#1229] util: Fix session token expiration check

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.42

support/v0.38

support/v0.37

support/v0.36

support/v0.34

support/v0.30

support/v0.27

v0.44.0-rc.13

v0.44.0-rc.12

v0.44.0-rc.11

v0.42.16

v0.44.0-rc.10

v0.44.0-rc.9

v0.44.0-rc.8

v0.44.0-rc.7

v0.44.0-rc.6

v0.44.0-rc.5

v0.44.0-rc.4

v0.44.0-rc.3

v0.44.0-rc.2

v0.44.0-rc.1

v0.43.2

v0.43.1

v0.43.0

v0.42.15

v0.42.14

v0.42.13

v0.42.12

v0.42.11

v0.42.10

v0.42.9

v0.42.8

v0.42.7

v0.42.6

v0.42.5

v0.42.4

v0.42.3

v0.42.2

v0.42.1

v0.42.0

v0.42.0-rc.9

v0.42.0-rc.8

v0.42.0-rc.7

v0.38.9

v0.42.0-rc.6

v0.42.0-rc.5

v0.42.0-rc.4

v0.42.0-rc.3

v0.42.0-rc.2

v0.42.0-rc.1

v0.38.8

v0.41.0

v0.38.7

v0.40.0

v0.39.0

v0.38.6

v0.38.5

v0.38.4

v0.38.3

v0.38.2

v0.38.1

v0.38.0

v0.38.0-rc.2

v0.38.0-rc.1

v0.37.0

v0.37.0-rc.1

v0.36.0

v0.34.0

v0.22.1

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.14.0-rc.1

v0.13.2

v0.13.1

v0.13.0

v0.13.0-rc.1

v0.12.1

v0.12.0

v0.12.0-rc3

v0.12.0-rc2

v0.12.0-rc1

v0.11.0

v0.10.0

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

badger

Badger DB related issues

  

frostfs-adm

  

frostfs-cli

  

frostfs-ir

  

frostfs-lens

  

frostfs-node

  

good first issue

Good for newcomers

  

triage

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

badger

frostfs-adm

frostfs-cli

frostfs-ir

frostfs-lens

frostfs-node

good first issue

triage

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

aarifullin

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#1229

No description provided.