Malformed request: token is invalid at epoch doesn't fit to SessionTokenExpired #20

New issue

Closed

opened 2023-01-20 06:45:45 +00:00 by KirillovDenis · 1 comment

KirillovDenis commented 2023-01-20 06:45:45 +00:00 (Migrated from github.com)

Copy link

Using expired session token for object operations leads to apistatus.ServerInternal (status: code = 1024 message = malformed request: token is invalid at 5 epoch)) rather than apistatus.SessionTokenExpired

Additionally, is it ok to have alone ) in the end of error message ?
d4d2a8c865/pkg/services/object/acl/v2/service.go (L577-L578)

Expected Behavior

Expected api status SessionTokenExpired

Current Behavior

Current status ServerInternalError

Steps to Reproduce (for bugs)

1. Create bucket
2. Create object
3. Run the following test:

const devEnvPrivateKey = "1dd37fba80fec4e6a6f13fd708d8dcb3b29def768017052f6c930fa1c5d90bbb"

func TestTMPDEBUG(t *testing.T) {
	ctx := context.Background()

	key, err := keys.NewPrivateKeyFromHex(devEnvPrivateKey)
	require.NoError(t, err)

	var cl sdkClient.Client
	var prmInit sdkClient.PrmInit
	prmInit.SetDefaultPrivateKey(key.PrivateKey)

	cl.Init(prmInit)

	var prmDial sdkClient.PrmDial
	prmDial.SetServerURI("s01.frostfs.devenv:8080")
	prmDial.SetContext(ctx)

	err = cl.Dial(prmDial)
	require.NoError(t, err)

	var cnrID cid.ID
	err = cnrID.DecodeString("FrjgqGnj7f6J7bmieokw3oHtLWb2ef9k7oLQKyvdaxVC")
	require.NoError(t, err)

	var objID oid.ID
	err = objID.DecodeString("BtVoDQsNLdV5hURoECdDz3MBX5pqobAw332zvEkKh62C")
	require.NoError(t, err)

	exp := uint64(1)

	var prmSess sdkClient.PrmSessionCreate
	prmSess.SetExp(exp)

	sessRes, err := cl.SessionCreate(ctx, prmSess)
	require.NoError(t, err)

	var id uuid.UUID
	err = id.UnmarshalBinary(sessRes.ID())
	require.NoError(t, err)

	var authKey frostfsecdsa.PublicKey
	err = authKey.Decode(sessRes.PublicKey())
	require.NoError(t, err)

	var prm sdkClient.PrmObjectHead
	prm.FromContainer(cnrID)
	prm.ByID(objID)

	var stoken session.Object
	stoken.SetExp(exp)
	stoken.LimitByObjects(objID)
	stoken.BindContainer(cnrID)
	stoken.ForVerb(session.VerbObjectHead)
	stoken.SetAuthKey(&authKey)
	stoken.SetID(id)
	stoken.Issuer()

	err = stoken.Sign(key.PrivateKey)
	require.NoError(t, err)

	prm.WithinSession(stoken)

	res, err := cl.ObjectHead(ctx, prm)
	require.NoError(t, err)

	fmt.Println("status: ", res.Status())
	err = apistatus.ErrFromStatus(res.Status())
	fmt.Println("isErrSessionExpired: ", sdkClient.IsErrSessionExpired(err))
}

Context

Pool from SDK expects SessionTokenExpired to invalidate cache.

It seems the same problem there is in this branch

Your Environment

• Version used: v0.34.0-164-gd4d2a8c8
• Server setup and configuration: dev-env

@dansingjulia It's related to AccessDenied error in s3 tests

/cc @alexvanin @fyrchik

Using expired session token for object operations leads to `apistatus.ServerInternal` (`status: code = 1024 message = malformed request: token is invalid at 5 epoch)`) rather than `apistatus.SessionTokenExpired` Additionally, is it ok to have alone `)` in the end of error message ? https://github.com/TrueCloudLab/frostfs-node/blob/d4d2a8c8651cdd4da62571bb86bcbc019e3b48ae/pkg/services/object/acl/v2/service.go#L577-L578 ## Expected Behavior Expected api status `SessionTokenExpired` ## Current Behavior Current status `ServerInternalError` ## Steps to Reproduce (for bugs) 1. Create bucket 2. Create object 3. Run the following test: ```go const devEnvPrivateKey = "1dd37fba80fec4e6a6f13fd708d8dcb3b29def768017052f6c930fa1c5d90bbb" func TestTMPDEBUG(t *testing.T) { ctx := context.Background() key, err := keys.NewPrivateKeyFromHex(devEnvPrivateKey) require.NoError(t, err) var cl sdkClient.Client var prmInit sdkClient.PrmInit prmInit.SetDefaultPrivateKey(key.PrivateKey) cl.Init(prmInit) var prmDial sdkClient.PrmDial prmDial.SetServerURI("s01.frostfs.devenv:8080") prmDial.SetContext(ctx) err = cl.Dial(prmDial) require.NoError(t, err) var cnrID cid.ID err = cnrID.DecodeString("FrjgqGnj7f6J7bmieokw3oHtLWb2ef9k7oLQKyvdaxVC") require.NoError(t, err) var objID oid.ID err = objID.DecodeString("BtVoDQsNLdV5hURoECdDz3MBX5pqobAw332zvEkKh62C") require.NoError(t, err) exp := uint64(1) var prmSess sdkClient.PrmSessionCreate prmSess.SetExp(exp) sessRes, err := cl.SessionCreate(ctx, prmSess) require.NoError(t, err) var id uuid.UUID err = id.UnmarshalBinary(sessRes.ID()) require.NoError(t, err) var authKey frostfsecdsa.PublicKey err = authKey.Decode(sessRes.PublicKey()) require.NoError(t, err) var prm sdkClient.PrmObjectHead prm.FromContainer(cnrID) prm.ByID(objID) var stoken session.Object stoken.SetExp(exp) stoken.LimitByObjects(objID) stoken.BindContainer(cnrID) stoken.ForVerb(session.VerbObjectHead) stoken.SetAuthKey(&authKey) stoken.SetID(id) stoken.Issuer() err = stoken.Sign(key.PrivateKey) require.NoError(t, err) prm.WithinSession(stoken) res, err := cl.ObjectHead(ctx, prm) require.NoError(t, err) fmt.Println("status: ", res.Status()) err = apistatus.ErrFromStatus(res.Status()) fmt.Println("isErrSessionExpired: ", sdkClient.IsErrSessionExpired(err)) } ``` ## Context Pool from SDK expects `SessionTokenExpired` to [invalidate cache](https://github.com/TrueCloudLab/frostfs-sdk-go/blob/b2a37543d34da7f96d4e3d35c4e8da4bf1f43a00/pool/pool.go#L1877). It seems the same problem there is in [this branch](https://github.com/nspcc-dev/neofs-node/tree/support/v0.35) ## Your Environment <!-- Include as many relevant details about the environment you experienced the bug in --> * Version used: v0.34.0-164-gd4d2a8c8 * Server setup and configuration: dev-env @dansingjulia It's related to AccessDenied error in s3 tests /cc @alexvanin @fyrchik

fyrchik commented 2023-01-25 14:46:16 +00:00 (Migrated from github.com)

Copy link

Closed via #28 .

Closed via #28 .

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.42

support/v0.38

support/v0.37

support/v0.36

support/v0.34

support/v0.30

support/v0.27

v0.44.0-rc.3

v0.44.0-rc.2

v0.44.0-rc.1

v0.43.2

v0.43.1

v0.43.0

v0.42.15

v0.42.14

v0.42.13

v0.42.12

v0.42.11

v0.42.10

v0.42.9

v0.42.8

v0.42.7

v0.42.6

v0.42.5

v0.42.4

v0.42.3

v0.42.2

v0.42.1

v0.42.0

v0.42.0-rc.9

v0.42.0-rc.8

v0.42.0-rc.7

v0.38.9

v0.42.0-rc.6

v0.42.0-rc.5

v0.42.0-rc.4

v0.42.0-rc.3

v0.42.0-rc.2

v0.42.0-rc.1

v0.38.8

v0.41.0

v0.38.7

v0.40.0

v0.39.0

v0.38.6

v0.38.5

v0.38.4

v0.38.3

v0.38.2

v0.38.1

v0.38.0

v0.38.0-rc.2

v0.38.0-rc.1

v0.37.0

v0.37.0-rc.1

v0.36.0

v0.34.0

v0.22.1

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.14.0-rc.1

v0.13.2

v0.13.1

v0.13.0

v0.13.0-rc.1

v0.12.1

v0.12.0

v0.12.0-rc3

v0.12.0-rc2

v0.12.0-rc1

v0.11.0

v0.10.0

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

badger

Badger DB related issues

  

frostfs-adm

  

frostfs-cli

  

frostfs-ir

  

frostfs-lens

  

frostfs-node

  

good first issue

Good for newcomers

  

triage

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

badger

frostfs-adm

frostfs-cli

frostfs-ir

frostfs-lens

frostfs-node

good first issue

triage

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#20

No description provided.