package ape import ( "context" "crypto/ecdsa" "errors" "fmt" objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object" aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/router" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container" frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" ) type checkerImpl struct { chainRouter policyengine.ChainRouter headerProvider HeaderProvider frostFSIDClient frostfsidcore.SubjectProvider nm netmap.Source st netmap.State cnrSource container.Source nodePK []byte } func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider, frostFSIDClient frostfsidcore.SubjectProvider, nm netmap.Source, st netmap.State, cnrSource container.Source, nodePK []byte) Checker { return &checkerImpl{ chainRouter: chainRouter, headerProvider: headerProvider, frostFSIDClient: frostFSIDClient, nm: nm, st: st, cnrSource: cnrSource, nodePK: nodePK, } } type Prm struct { Namespace string Container cid.ID // Object ID is omitted for some methods. Object *oid.ID // If Header is set, then object attributes and properties will be parsed from // a request/response's header. Header *objectV2.Header // Method must be represented only as a constant represented in native schema. Method string // Role must be representedonly as a constant represented in native schema. Role string // An encoded sender's public key string. SenderKey string // An encoded container's owner user ID. ContainerOwner user.ID // If SoftAPECheck is set to true, then NoRuleFound is interpreted as allow. SoftAPECheck bool // If true, object headers will not retrieved from storage engine. WithoutHeaderRequest bool // The request's bearer token. It is used in order to check APE overrides with the token. BearerToken *bearer.Token } var ( errMissingOID = errors.New("object ID is not set") errInvalidTargetType = errors.New("bearer token defines non-container target override") errBearerExpired = errors.New("bearer token has expired") errBearerInvalidSignature = errors.New("bearer token has invalid signature") errBearerInvalidContainerID = errors.New("bearer token was created for another container") errBearerNotSignedByOwner = errors.New("bearer token is not signed by the container owner") errBearerInvalidOwner = errors.New("bearer token owner differs from the request sender") ) // isValidBearer checks whether bearer token was correctly signed by authorized // entity. This method might be defined on whole ACL service because it will // require fetching current epoch to check lifetime. func isValidBearer(token *bearer.Token, ownerCnr user.ID, containerID cid.ID, publicKey *keys.PublicKey, st netmap.State) error { if token == nil { return nil } // 1. First check token lifetime. Simplest verification. if token.InvalidAt(st.CurrentEpoch()) { return errBearerExpired } // 2. Then check if bearer token is signed correctly. if !token.VerifySignature() { return errBearerInvalidSignature } // 3. Then check if container is either empty or equal to the container in the request. apeOverride := token.APEOverride() if apeOverride.Target.TargetType != ape.TargetTypeContainer { return errInvalidTargetType } var targetCnr cid.ID err := targetCnr.DecodeString(apeOverride.Target.Name) if err != nil { return fmt.Errorf("invalid cid format: %s", apeOverride.Target.Name) } if !containerID.Equals(targetCnr) { return errBearerInvalidContainerID } // 4. Then check if container owner signed this token. if !bearer.ResolveIssuer(*token).Equals(ownerCnr) { return errBearerNotSignedByOwner } // 5. Then check if request sender has rights to use this token. var usrSender user.ID user.IDFromKey(&usrSender, (ecdsa.PublicKey)(*publicKey)) if !token.AssertUser(usrSender) { return errBearerInvalidOwner } return nil } // CheckAPE checks if a request or a response is permitted creating an ape request and passing // it to chain router. func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error { // APE check is ignored for some inter-node requests. if prm.Role == nativeschema.PropertyValueContainerRoleContainer { return nil } else if prm.Role == nativeschema.PropertyValueContainerRoleIR { switch prm.Method { case nativeschema.MethodGetObject, nativeschema.MethodHeadObject, nativeschema.MethodSearchObject, nativeschema.MethodRangeObject, nativeschema.MethodHashObject: return nil default: } } r, err := c.newAPERequest(ctx, prm) if err != nil { return fmt.Errorf("failed to create ape request: %w", err) } pub, err := keys.NewPublicKeyFromString(prm.SenderKey) if err != nil { return err } groups, err := aperequest.Groups(c.frostFSIDClient, pub) if err != nil { return fmt.Errorf("failed to get group ids: %w", err) } // Policy contract keeps group related chains as namespace-group pair. for i := range groups { groups[i] = fmt.Sprintf("%s:%s", prm.Namespace, groups[i]) } if prm.BearerToken != nil && !prm.BearerToken.Impersonate() { if err := isValidBearer(prm.BearerToken, prm.ContainerOwner, prm.Container, pub, c.st); err != nil { return fmt.Errorf("bearer token validation error: %w", err) } btRouter, err := router.SingleUseRouterWithBearerTokenChains([]bearer.APEOverride{prm.BearerToken.APEOverride()}) if err != nil { return err } status, found, err := btRouter.IsAllowed(apechain.Ingress, policyengine.NewRequestTargetWithContainer(prm.Container.EncodeToString()), r) if err != nil { return err } if found && status == apechain.Allow { return nil } if status != apechain.NoRuleFound { return fmt.Errorf("bearer token: method %s: %s", prm.Method, status) } } rt := policyengine.NewRequestTargetExtended(prm.Namespace, prm.Container.EncodeToString(), fmt.Sprintf("%s:%s", prm.Namespace, pub.Address()), groups) status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, rt, r) if err != nil { return err } if !ruleFound && prm.SoftAPECheck || status == apechain.Allow { return nil } return fmt.Errorf("method %s: %s", prm.Method, status) }