package object import ( "context" "crypto/ecdsa" "fmt" "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/util" ) type SignService struct { key *ecdsa.PrivateKey sigSvc *util.SignService svc ServiceServer } type searchStreamSigner struct { SearchStream sigSvc *util.SignService nonEmptyResp bool // set on first Send call } type getStreamSigner struct { GetObjectStream sigSvc *util.SignService } type putStreamSigner struct { sigSvc *util.SignService stream PutObjectStream err error } type getRangeStreamSigner struct { GetObjectRangeStream sigSvc *util.SignService } func NewSignService(key *ecdsa.PrivateKey, svc ServiceServer) *SignService { return &SignService{ key: key, sigSvc: util.NewUnarySignService(key), svc: svc, } } func (s *getStreamSigner) Send(resp *object.GetResponse) error { return s.send(resp, nil) } func (s *getStreamSigner) send(resp *object.GetResponse, err error) error { if err := s.sigSvc.SignResponse(resp, err); err != nil { return err } return s.GetObjectStream.Send(resp) } func (s *SignService) Get(req *object.GetRequest, stream GetObjectStream) error { if err := s.sigSvc.VerifyRequest(req); err != nil { resp := new(object.GetResponse) _ = s.sigSvc.SignResponse(resp, err) return stream.Send(resp) } w := &getStreamSigner{ GetObjectStream: stream, sigSvc: s.sigSvc, } if err := s.svc.Get(req, w); err != nil { return w.send(new(object.GetResponse), err) } return nil } func (s *putStreamSigner) Send(ctx context.Context, req *object.PutRequest) error { if s.err = s.sigSvc.VerifyRequest(req); s.err != nil { return util.ErrAbortStream } if s.err = s.stream.Send(ctx, req); s.err != nil { return util.ErrAbortStream } return nil } func (s *putStreamSigner) CloseAndRecv(ctx context.Context) (resp *object.PutResponse, err error) { if s.err != nil { err = s.err resp = new(object.PutResponse) } else { resp, err = s.stream.CloseAndRecv(ctx) if err != nil { return nil, fmt.Errorf("could not close stream and receive response: %w", err) } } return resp, s.sigSvc.SignResponse(resp, err) } func (s *SignService) Put() (PutObjectStream, error) { stream, err := s.svc.Put() if err != nil { return nil, fmt.Errorf("could not create Put object streamer: %w", err) } return &putStreamSigner{ stream: stream, sigSvc: s.sigSvc, }, nil } func (s *SignService) Head(ctx context.Context, req *object.HeadRequest) (*object.HeadResponse, error) { if err := s.sigSvc.VerifyRequest(req); err != nil { resp := new(object.HeadResponse) return resp, s.sigSvc.SignResponse(resp, err) } resp, err := util.EnsureNonNilResponse(s.svc.Head(ctx, req)) return resp, s.sigSvc.SignResponse(resp, err) } func (s *SignService) PutSingle(ctx context.Context, req *object.PutSingleRequest) (*object.PutSingleResponse, error) { req.GetBody().SetMarshalData(req.GetBody().StableMarshal(nil)) if err := s.sigSvc.VerifyRequest(req); err != nil { resp := new(object.PutSingleResponse) return resp, s.sigSvc.SignResponse(resp, err) } resp, err := util.EnsureNonNilResponse(s.svc.PutSingle(ctx, req)) return resp, s.sigSvc.SignResponse(resp, err) } func (s *searchStreamSigner) Send(resp *object.SearchResponse) error { s.nonEmptyResp = true return s.send(resp, nil) } func (s *searchStreamSigner) send(resp *object.SearchResponse, err error) error { if err := s.sigSvc.SignResponse(resp, err); err != nil { return err } return s.SearchStream.Send(resp) } func (s *SignService) Search(req *object.SearchRequest, stream SearchStream) error { if err := s.sigSvc.VerifyRequest(req); err != nil { resp := new(object.SearchResponse) _ = s.sigSvc.SignResponse(resp, err) return stream.Send(resp) } ss := &searchStreamSigner{ SearchStream: stream, sigSvc: s.sigSvc, } err := s.svc.Search(req, ss) if err != nil || !ss.nonEmptyResp { // The higher component does not write any response in the case of an empty result (which is correct). // With the introduction of status returns at least one answer must be signed and sent to the client. // This approach is supported by clients who do not know how to work with statuses (one could make // a switch according to the protocol version from the request, but the costs of sending an empty // answer can be neglected due to the gradual refusal to use the "old" clients). return ss.send(new(object.SearchResponse), err) } return nil } func (s *SignService) Delete(ctx context.Context, req *object.DeleteRequest) (*object.DeleteResponse, error) { if err := s.sigSvc.VerifyRequest(req); err != nil { resp := new(object.DeleteResponse) return resp, s.sigSvc.SignResponse(resp, err) } resp, err := util.EnsureNonNilResponse(s.svc.Delete(ctx, req)) return resp, s.sigSvc.SignResponse(resp, err) } func (s *getRangeStreamSigner) Send(resp *object.GetRangeResponse) error { return s.send(resp, nil) } func (s *getRangeStreamSigner) send(resp *object.GetRangeResponse, err error) error { if err := s.sigSvc.SignResponse(resp, err); err != nil { return err } return s.GetObjectRangeStream.Send(resp) } func (s *SignService) GetRange(req *object.GetRangeRequest, stream GetObjectRangeStream) error { if err := s.sigSvc.VerifyRequest(req); err != nil { resp := new(object.GetRangeResponse) _ = s.sigSvc.SignResponse(resp, err) return stream.Send(resp) } w := &getRangeStreamSigner{ GetObjectRangeStream: stream, sigSvc: s.sigSvc, } if err := s.svc.GetRange(req, w); err != nil { return w.send(new(object.GetRangeResponse), err) } return nil } func (s *SignService) GetRangeHash(ctx context.Context, req *object.GetRangeHashRequest) (*object.GetRangeHashResponse, error) { if err := s.sigSvc.VerifyRequest(req); err != nil { resp := new(object.GetRangeHashResponse) return resp, s.sigSvc.SignResponse(resp, err) } resp, err := util.EnsureNonNilResponse(s.svc.GetRangeHash(ctx, req)) return resp, s.sigSvc.SignResponse(resp, err) }