frostfs-node/pkg/services/object/acl/classifier.go
Alex Vanin cd34145969 [#73] Use request owner public key in eACL check
Classifier fetches public key of the request owner
and owner itself. Extended ACL check should rely on
this public key, because it might be extracted from
session token.

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
2020-10-05 18:02:37 +03:00

199 lines
4.7 KiB
Go

package acl
import (
"bytes"
"crypto/ecdsa"
"github.com/nspcc-dev/neofs-api-go/pkg"
acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
"github.com/nspcc-dev/neofs-api-go/pkg/container"
"github.com/nspcc-dev/neofs-api-go/pkg/netmap"
"github.com/nspcc-dev/neofs-api-go/pkg/owner"
"github.com/nspcc-dev/neofs-api-go/v2/session"
crypto "github.com/nspcc-dev/neofs-crypto"
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
"github.com/pkg/errors"
)
type (
InnerRingFetcher interface {
InnerRingKeys() ([][]byte, error)
}
metaWithToken struct {
vheader *session.RequestVerificationHeader
token *session.SessionToken
}
SenderClassifier struct {
innerRing InnerRingFetcher
netmap core.Source
}
)
// fixme: update classifier constructor
func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
return SenderClassifier{
innerRing: ir,
netmap: nm,
}
}
func (c SenderClassifier) Classify(
req metaWithToken,
cid *container.ID,
cnr *container.Container) (acl.Role, []byte) {
if cid == nil {
// log there
return acl.RoleUnknown, nil
}
ownerID, ownerKey, err := requestOwner(req)
if err != nil || ownerID == nil || ownerKey == nil {
// log there
return acl.RoleUnknown, nil
}
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
// todo: get owner from neofs.id if present
// if request owner is the same as container owner, return RoleUser
if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
return acl.RoleUser, ownerKeyInBytes
}
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
if err != nil {
// log there
return acl.RoleUnknown, nil
} else if isInnerRingNode {
return acl.RoleSystem, ownerKeyInBytes
}
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
if err != nil {
// log there
return acl.RoleUnknown, nil
} else if isContainerNode {
return acl.RoleSystem, ownerKeyInBytes
}
// if none of above, return RoleOthers
return acl.RoleOthers, ownerKeyInBytes
}
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
if req.vheader == nil {
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil verification header")
}
// if session token is presented, use it as truth source
if req.token != nil {
body := req.token.GetBody()
if body == nil {
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at session token body")
}
signature := req.token.GetSignature()
if signature == nil {
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at signature")
}
return owner.NewIDFromV2(body.GetOwnerID()), crypto.UnmarshalPublicKey(signature.GetKey()), nil
}
// otherwise get original body signature
bodySignature := originalBodySignature(req.vheader)
if bodySignature == nil {
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at body signature")
}
key := crypto.UnmarshalPublicKey(bodySignature.GetKey())
neo3wallet, err := owner.NEO3WalletFromPublicKey(key)
if err != nil {
return nil, nil, errors.Wrap(err, "can't create neo3 wallet")
}
// form user from public key
user := new(owner.ID)
user.SetNeo3Wallet(neo3wallet)
return user, key, nil
}
func originalBodySignature(v *session.RequestVerificationHeader) *pkg.Signature {
if v == nil {
return nil
}
for v.GetOrigin() != nil {
v = v.GetOrigin()
}
return pkg.NewSignatureFromV2(v.GetBodySignature())
}
func (c SenderClassifier) isInnerRingKey(owner []byte) (bool, error) {
innerRingKeys, err := c.innerRing.InnerRingKeys()
if err != nil {
return false, err
}
// if request owner key in the inner ring list, return RoleSystem
for i := range innerRingKeys {
if bytes.Equal(innerRingKeys[i], owner) {
return true, nil
}
}
return false, nil
}
func (c SenderClassifier) isContainerKey(
owner, cid []byte,
cnr *container.Container) (bool, error) {
// first check current netmap
nm, err := core.GetLatestNetworkMap(c.netmap)
if err != nil {
return false, err
}
in, err := lookupKeyInContainer(nm, owner, cid, cnr)
if err != nil {
return false, err
} else if in {
return true, nil
}
// then check previous netmap, this can happen in-between epoch change
// when node migrates data from last epoch container
nm, err = core.GetPreviousNetworkMap(c.netmap)
if err != nil {
return false, err
}
return lookupKeyInContainer(nm, owner, cid, cnr)
}
func lookupKeyInContainer(
nm *netmap.Netmap,
owner, cid []byte,
cnr *container.Container) (bool, error) {
cnrNodes, err := nm.GetContainerNodes(cnr.GetPlacementPolicy(), cid)
if err != nil {
return false, err
}
flatCnrNodes := cnrNodes.Flatten() // we need single array to iterate on
for i := range flatCnrNodes {
if bytes.Equal(flatCnrNodes[i].InfoV2.GetPublicKey(), owner) {
return true, nil
}
}
return false, nil
}