View bearer token in human readable format #1498

New issue

Open

opened 2024-11-14 10:50:02 +00:00 by potyarkin · 2 comments

potyarkin commented 2024-11-14 10:50:02 +00:00

Member

Copy link

Is your feature request related to a problem? Please describe.

Bearer tokens are often saved in raw protobuf binary format, especially since frostfs-http-gw does not support JSON serialized tokens yet. This format is completely inaccessible for humans to review. Even JSON tokens contain base64 encoded protobuf binaries for access rule chains, making them hard to reason about.

Describe the solution you'd like

For my personal use I wrote a simple viewer tool that unpacks nested base64 chains and spits out indented JSON. May be we should add frostfs-cli bearer view that does something similar?

cmd/viewtoken/main.go (for those who do not have access to repo)

// Print human readable representation of binary FrostFS bearer token.
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"

	"git.frostfs.info/TrueCloudLab/frostfs-gw-cert/pkg/bearer"
	apeChain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
)

func main() {
	rc := 0
	for _, path := range os.Args[1:] {
		fmt.Fprintf(os.Stderr, "\n# %s\n", path)
		token, err := bearer.FromFile(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			rc = 1
			continue
		}
		readable, err := makeHumanReadable(token)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			rc = 1
			continue
		}
		fmt.Println(string(readable))
	}
	os.Exit(rc)
}

// Unpack deeply nested policy chains for humans to review
func makeHumanReadable(token any) ([]byte, error) {
	interimJson, err := json.Marshal(token)
	if err != nil {
		return nil, err
	}
	var interim map[string]any
	err = json.Unmarshal(interimJson, &interim)
	if err != nil {
		return nil, err
	}
	unpackChains(interim)
	return json.MarshalIndent(interim, "", "  ")
}

func unpackChains(token map[string]any) {
	chains, ok := get(token, "body", "apeOverride", "chains").([]any)
	if !ok || chains == nil {
		return
	}
	for index := range chains {
		packed, ok := chains[index].(map[string]any)
		if !ok {
			continue
		}
		encoded, ok := get(packed, "raw").(string)
		if !ok {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(encoded)
		if err != nil {
			continue
		}
		chain := new(apeChain.Chain)
		err = chain.DecodeBytes(raw)
		if err != nil {
			continue
		}
		set(packed, chain, "raw")
	}
}

func get(tree map[string]any, key ...string) any {
	if len(key) == 1 {
		return tree[key[0]]
	}
	if len(key) == 0 {
		return tree
	}
	var ok bool
	tree, ok = tree[key[0]].(map[string]any)
	if !ok {
		return nil
	}
	return get(tree, key[1:]...)
}

func set(tree map[string]any, value any, key ...string) {
	if len(key) == 1 {
		tree[key[0]] = value
	}
	if len(key) == 0 {
		return
	}
	var ok bool
	tree, ok = tree[key[0]].(map[string]any)
	if !ok {
		return
	}
	set(tree, value, key[1:]...)
}

Sample output from viewtoken tool

$ bin/viewtoken@linux-amd64 /tmp/bearer/rw-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3.token

# /tmp/bearer/rw-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3.token
{
  "body": {
    "allowImpersonate": false,
    "apeOverride": {
      "chains": [
        {
          "raw": {
            "ID": null,
            "Rules": [
              {
                "Status": "Allow",
                "Actions": {
                  "Inverted": false,
                  "Names": [
                    "SearchObject"
                  ]
                },
                "Resources": {
                  "Inverted": false,
                  "Names": [
                    "native:object/*"
                  ]
                },
                "Any": false,
                "Condition": null
              },
              {
                "Status": "Allow",
                "Actions": {
                  "Inverted": false,
                  "Names": [
                    "GetObject",
                    "HeadObject"
                  ]
                },
                "Resources": {
                  "Inverted": false,
                  "Names": [
                    "native:object/*"
                  ]
                },
                "Any": false,
                "Condition": [
                  {
                    "Op": "StringNotEquals",
                    "Kind": "Resource",
                    "Key": "ACME",
                    "Value": ""
                  }
                ]
              },
              {
                "Status": "Allow",
                "Actions": {
                  "Inverted": false,
                  "Names": [
                    "PutObject"
                  ]
                },
                "Resources": {
                  "Inverted": false,
                  "Names": [
                    "native:object/*"
                  ]
                },
                "Any": false,
                "Condition": [
                  {
                    "Op": "StringNotEquals",
                    "Kind": "Resource",
                    "Key": "ACME",
                    "Value": ""
                  }
                ]
              },
              {
                "Status": "Allow",
                "Actions": {
                  "Inverted": false,
                  "Names": [
                    "GetObject",
                    "HeadObject"
                  ]
                },
                "Resources": {
                  "Inverted": false,
                  "Names": [
                    "native:object/*"
                  ]
                },
                "Any": false,
                "Condition": [
                  {
                    "Op": "StringNotEquals",
                    "Kind": "Resource",
                    "Key": "CERTBOX-Recepient-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3",
                    "Value": ""
                  }
                ]
              },
              {
                "Status": "Allow",
                "Actions": {
                  "Inverted": false,
                  "Names": [
                    "PutObject"
                  ]
                },
                "Resources": {
                  "Inverted": false,
                  "Names": [
                    "native:object/*"
                  ]
                },
                "Any": false,
                "Condition": [
                  {
                    "Op": "StringNotEquals",
                    "Kind": "Resource",
                    "Key": "CERTBOX-Recepient-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3",
                    "Value": ""
                  }
                ]
              },
              {
                "Status": "Allow",
                "Actions": {
                  "Inverted": false,
                  "Names": [
                    "GetObject",
                    "HeadObject"
                  ]
                },
                "Resources": {
                  "Inverted": false,
                  "Names": [
                    "native:object/*"
                  ]
                },
                "Any": false,
                "Condition": [
                  {
                    "Op": "StringNotEquals",
                    "Kind": "Resource",
                    "Key": "CERTBOX-PeerList",
                    "Value": ""
                  }
                ]
              }
            ],
            "MatchType": "FirstMatch"
          }
        }
      ],
      "target": {
        "name": "A8wycwWu2sS3KgcJZeWHXjmvPgoYX3vSQ5aHxAHWTAHa",
        "type": "CONTAINER"
      }
    },
    "eaclTable": null,
    "lifetime": {
      "exp": "16533",
      "iat": "332",
      "nbf": "332"
    },
    "ownerID": {
      "value": "NXTYVxz19uWG3X7HGu5rzheAdTtT9GnG9A=="
    }
  },
  "signature": {
    "key": "A9HmdSzJqgzeUUu+exZ41aEehIZGKSAXfy2s7LUWCNuW",
    "scheme": "ECDSA_SHA512",
    "signature": "BKqAL1pk+PmzYkFGkZQ98rESwjq0AniE1YHK4SFCUzXC2gfOUHWHuspMWfElo3WiT/yLIOhKIxC3vX8QEfenFzg="
  }
}

My tool is not perfect:

• It's JSON is only for humans to read and pretty much invalid for any non-trivial deserialization. If we decide to implement frostfs-cli bearer view we should probably switch output to a bespoke key-value format to avoid implying any machine-readability (similar to how netinfo is printed).
• UX is basically non-existent

Describe alternatives you've considered

Keep things as they are and leave bearer tokens unreadable.

## Is your feature request related to a problem? Please describe. Bearer tokens are often saved in raw protobuf binary format, especially since frostfs-http-gw [does not support](https://git.frostfs.info/TrueCloudLab/frostfs-http-gw/issues/163) JSON serialized tokens yet. This format is completely inaccessible for humans to review. Even JSON tokens contain base64 encoded protobuf binaries for access rule chains, making them hard to reason about. ## Describe the solution you'd like For my personal use I wrote a simple [viewer tool](https://git.frostfs.info/potyarkin/frostfs-gw-cert/src/commit/cd508a41f6d39ef85af08fff2b85e5b802f67e49/cmd/viewtoken/main.go) that unpacks nested base64 chains and spits out indented JSON. May be we should add `frostfs-cli bearer view` that does something similar? <details><summary>cmd/viewtoken/main.go (for those who do not have access to repo)</summary><p> ```go // Print human readable representation of binary FrostFS bearer token. package main import ( "encoding/base64" "encoding/json" "fmt" "os" "git.frostfs.info/TrueCloudLab/frostfs-gw-cert/pkg/bearer" apeChain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" ) func main() { rc := 0 for _, path := range os.Args[1:] { fmt.Fprintf(os.Stderr, "\n# %s\n", path) token, err := bearer.FromFile(path) if err != nil { fmt.Fprintln(os.Stderr, err) rc = 1 continue } readable, err := makeHumanReadable(token) if err != nil { fmt.Fprintln(os.Stderr, err) rc = 1 continue } fmt.Println(string(readable)) } os.Exit(rc) } // Unpack deeply nested policy chains for humans to review func makeHumanReadable(token any) ([]byte, error) { interimJson, err := json.Marshal(token) if err != nil { return nil, err } var interim map[string]any err = json.Unmarshal(interimJson, &interim) if err != nil { return nil, err } unpackChains(interim) return json.MarshalIndent(interim, "", " ") } func unpackChains(token map[string]any) { chains, ok := get(token, "body", "apeOverride", "chains").([]any) if !ok || chains == nil { return } for index := range chains { packed, ok := chains[index].(map[string]any) if !ok { continue } encoded, ok := get(packed, "raw").(string) if !ok { continue } raw, err := base64.StdEncoding.DecodeString(encoded) if err != nil { continue } chain := new(apeChain.Chain) err = chain.DecodeBytes(raw) if err != nil { continue } set(packed, chain, "raw") } } func get(tree map[string]any, key ...string) any { if len(key) == 1 { return tree[key[0]] } if len(key) == 0 { return tree } var ok bool tree, ok = tree[key[0]].(map[string]any) if !ok { return nil } return get(tree, key[1:]...) } func set(tree map[string]any, value any, key ...string) { if len(key) == 1 { tree[key[0]] = value } if len(key) == 0 { return } var ok bool tree, ok = tree[key[0]].(map[string]any) if !ok { return } set(tree, value, key[1:]...) } ``` </p></details> <details><summary>Sample output from viewtoken tool</summary><p> ```console $ bin/viewtoken@linux-amd64 /tmp/bearer/rw-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3.token # /tmp/bearer/rw-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3.token { "body": { "allowImpersonate": false, "apeOverride": { "chains": [ { "raw": { "ID": null, "Rules": [ { "Status": "Allow", "Actions": { "Inverted": false, "Names": [ "SearchObject" ] }, "Resources": { "Inverted": false, "Names": [ "native:object/*" ] }, "Any": false, "Condition": null }, { "Status": "Allow", "Actions": { "Inverted": false, "Names": [ "GetObject", "HeadObject" ] }, "Resources": { "Inverted": false, "Names": [ "native:object/*" ] }, "Any": false, "Condition": [ { "Op": "StringNotEquals", "Kind": "Resource", "Key": "ACME", "Value": "" } ] }, { "Status": "Allow", "Actions": { "Inverted": false, "Names": [ "PutObject" ] }, "Resources": { "Inverted": false, "Names": [ "native:object/*" ] }, "Any": false, "Condition": [ { "Op": "StringNotEquals", "Kind": "Resource", "Key": "ACME", "Value": "" } ] }, { "Status": "Allow", "Actions": { "Inverted": false, "Names": [ "GetObject", "HeadObject" ] }, "Resources": { "Inverted": false, "Names": [ "native:object/*" ] }, "Any": false, "Condition": [ { "Op": "StringNotEquals", "Kind": "Resource", "Key": "CERTBOX-Recepient-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3", "Value": "" } ] }, { "Status": "Allow", "Actions": { "Inverted": false, "Names": [ "PutObject" ] }, "Resources": { "Inverted": false, "Names": [ "native:object/*" ] }, "Any": false, "Condition": [ { "Op": "StringNotEquals", "Kind": "Resource", "Key": "CERTBOX-Recepient-02aac9fcb56c933ffef20d7efac793ce77e4093e66b641a11a50ae45328fb52be3", "Value": "" } ] }, { "Status": "Allow", "Actions": { "Inverted": false, "Names": [ "GetObject", "HeadObject" ] }, "Resources": { "Inverted": false, "Names": [ "native:object/*" ] }, "Any": false, "Condition": [ { "Op": "StringNotEquals", "Kind": "Resource", "Key": "CERTBOX-PeerList", "Value": "" } ] } ], "MatchType": "FirstMatch" } } ], "target": { "name": "A8wycwWu2sS3KgcJZeWHXjmvPgoYX3vSQ5aHxAHWTAHa", "type": "CONTAINER" } }, "eaclTable": null, "lifetime": { "exp": "16533", "iat": "332", "nbf": "332" }, "ownerID": { "value": "NXTYVxz19uWG3X7HGu5rzheAdTtT9GnG9A==" } }, "signature": { "key": "A9HmdSzJqgzeUUu+exZ41aEehIZGKSAXfy2s7LUWCNuW", "scheme": "ECDSA_SHA512", "signature": "BKqAL1pk+PmzYkFGkZQ98rESwjq0AniE1YHK4SFCUzXC2gfOUHWHuspMWfElo3WiT/yLIOhKIxC3vX8QEfenFzg=" } } ```` </p></details> My tool is not perfect: - It's JSON is only for humans to read and pretty much invalid for any non-trivial deserialization. If we decide to implement `frostfs-cli bearer view` we should probably switch output to a bespoke key-value format to avoid implying any machine-readability (similar to how netinfo is printed). - UX is basically non-existent ## Describe alternatives you've considered Keep things as they are and leave bearer tokens unreadable.

potyarkin added the

enhancement

discussion

frostfs-cli

P3

triage

labels 2024-11-14 10:50:02 +00:00

a-savchuk commented 2024-11-14 10:56:29 +00:00

Member

Copy link

I wrote a simple viewer tool

The link you provided is broken. Could you please fix it?

> I wrote a simple viewer tool The link you provided is broken. Could you please fix it?

potyarkin commented 2024-11-14 11:00:08 +00:00

Author

Member

Copy link

The link you provided is broken. Could you please fix it?

It's a private repo. I've added you to access list, but the full code listing for the tool is also available in the collapsible section below the link.

> The link you provided is broken. Could you please fix it? It's a private repo. I've added you to access list, but the full code listing for the tool is also available in the collapsible section below the link.

👍 1

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.42

support/v0.38

support/v0.37

support/v0.36

support/v0.34

support/v0.30

support/v0.27

v0.44.0-rc.13

v0.44.0-rc.12

v0.44.0-rc.11

v0.42.16

v0.44.0-rc.10

v0.44.0-rc.9

v0.44.0-rc.8

v0.44.0-rc.7

v0.44.0-rc.6

v0.44.0-rc.5

v0.44.0-rc.4

v0.44.0-rc.3

v0.44.0-rc.2

v0.44.0-rc.1

v0.43.2

v0.43.1

v0.43.0

v0.42.15

v0.42.14

v0.42.13

v0.42.12

v0.42.11

v0.42.10

v0.42.9

v0.42.8

v0.42.7

v0.42.6

v0.42.5

v0.42.4

v0.42.3

v0.42.2

v0.42.1

v0.42.0

v0.42.0-rc.9

v0.42.0-rc.8

v0.42.0-rc.7

v0.38.9

v0.42.0-rc.6

v0.42.0-rc.5

v0.42.0-rc.4

v0.42.0-rc.3

v0.42.0-rc.2

v0.42.0-rc.1

v0.38.8

v0.41.0

v0.38.7

v0.40.0

v0.39.0

v0.38.6

v0.38.5

v0.38.4

v0.38.3

v0.38.2

v0.38.1

v0.38.0

v0.38.0-rc.2

v0.38.0-rc.1

v0.37.0

v0.37.0-rc.1

v0.36.0

v0.34.0

v0.22.1

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.14.0-rc.1

v0.13.2

v0.13.1

v0.13.0

v0.13.0-rc.1

v0.12.1

v0.12.0

v0.12.0-rc3

v0.12.0-rc2

v0.12.0-rc1

v0.11.0

v0.10.0

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

badger

Badger DB related issues

  

frostfs-adm

  

frostfs-cli

  

frostfs-ir

  

frostfs-lens

  

frostfs-node

  

good first issue

Good for newcomers

  

triage

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

badger

frostfs-adm

frostfs-cli

frostfs-ir

frostfs-lens

frostfs-node

good first issue

triage

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#1498

No description provided.