TrueCloudLab/frostfs-node
19
1
Fork 27
Code Issues 91 Pull requests 6 Projects Releases 1 Activity Actions

Remove eACL leftovers, part 1 #1425

Merged
dstepanov-yadro merged 1 commit from fyrchik/frostfs-node:remove-leftovers into master 2024-10-26 11:30:27 +00:00
Conversation 0 Commits 1 Files changed 1 +6 -24
1 changed files with 6 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
pkg/services/tree/signature.go
View file

@ -15,7 +15,6 @@ import (
cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
)
@ -27,10 +26,6 @@ type message interface {
SetSignature(*Signature)
}
func eACLErr(op eacl.Operation, err error) error {
return fmt.Errorf("access to operation %s is denied by extended ACL check: %w", op, err)
}
var (
errBearerWrongContainer = errors.New("bearer token is created for another container")
errBearerSignature = errors.New("invalid bearer token signature")
@ -57,11 +52,9 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
return fmt.Errorf("can't get container %s: %w", cid, err)
}
eaclOp := eACLOp(op)
bt, err := parseBearer(rawBearer, cid, eaclOp)
bt, err := parseBearer(rawBearer, cid)
if err != nil {
return err
return fmt.Errorf("access to operation %s is denied: %w", op, err)
}
role, pubKey, err := roleAndPubKeyFromReq(cnr, req, bt)
@ -93,20 +86,20 @@ func (s *Service) isAuthorized(req message, op acl.Op) (bool, error) {
return false, nil
}
func parseBearer(rawBearer []byte, cid cidSDK.ID, eaclOp eacl.Operation) (*bearer.Token, error) {
func parseBearer(rawBearer []byte, cid cidSDK.ID) (*bearer.Token, error) {
if len(rawBearer) == 0 {
return nil, nil
}
bt := new(bearer.Token)
if err := bt.Unmarshal(rawBearer); err != nil {
return nil, eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
return nil, fmt.Errorf("invalid bearer token: %w", err)
}
if !bt.AssertContainer(cid) {
return nil, eACLErr(eaclOp, errBearerWrongContainer)
return nil, errBearerWrongContainer
}
if !bt.VerifySignature() {
return nil, eACLErr(eaclOp, errBearerSignature)
return nil, errBearerSignature
}
return bt, nil
}
@ -184,14 +177,3 @@ func roleAndPubKeyFromReq(cnr *core.Container, req message, bt *bearer.Token) (a
return role, pub, nil
}
func eACLOp(op acl.Op) eacl.Operation {
switch op {
case acl.OpObjectGet:
return eacl.OperationGet
case acl.OpObjectPut:
return eacl.OperationPut
default:
panic(fmt.Sprintf("unexpected tree service ACL operation: %s", op))
}
}