cd34145969
Classifier fetches public key of the request owner and owner itself. Extended ACL check should rely on this public key, because it might be extracted from session token. Signed-off-by: Alex Vanin <alexey@nspcc.ru>
199 lines
4.7 KiB
Go
199 lines
4.7 KiB
Go
package acl
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/ecdsa"
|
|
|
|
"github.com/nspcc-dev/neofs-api-go/pkg"
|
|
acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/container"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/netmap"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/owner"
|
|
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
|
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
type (
|
|
InnerRingFetcher interface {
|
|
InnerRingKeys() ([][]byte, error)
|
|
}
|
|
|
|
metaWithToken struct {
|
|
vheader *session.RequestVerificationHeader
|
|
token *session.SessionToken
|
|
}
|
|
|
|
SenderClassifier struct {
|
|
innerRing InnerRingFetcher
|
|
netmap core.Source
|
|
}
|
|
)
|
|
|
|
// fixme: update classifier constructor
|
|
func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
|
|
return SenderClassifier{
|
|
innerRing: ir,
|
|
netmap: nm,
|
|
}
|
|
}
|
|
|
|
func (c SenderClassifier) Classify(
|
|
req metaWithToken,
|
|
cid *container.ID,
|
|
cnr *container.Container) (acl.Role, []byte) {
|
|
|
|
if cid == nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
}
|
|
|
|
ownerID, ownerKey, err := requestOwner(req)
|
|
if err != nil || ownerID == nil || ownerKey == nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
}
|
|
|
|
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
|
|
|
|
// todo: get owner from neofs.id if present
|
|
|
|
// if request owner is the same as container owner, return RoleUser
|
|
if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
|
|
return acl.RoleUser, ownerKeyInBytes
|
|
}
|
|
|
|
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
|
if err != nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
} else if isInnerRingNode {
|
|
return acl.RoleSystem, ownerKeyInBytes
|
|
}
|
|
|
|
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
|
if err != nil {
|
|
// log there
|
|
return acl.RoleUnknown, nil
|
|
} else if isContainerNode {
|
|
return acl.RoleSystem, ownerKeyInBytes
|
|
}
|
|
|
|
// if none of above, return RoleOthers
|
|
return acl.RoleOthers, ownerKeyInBytes
|
|
}
|
|
|
|
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
|
|
if req.vheader == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil verification header")
|
|
}
|
|
|
|
// if session token is presented, use it as truth source
|
|
if req.token != nil {
|
|
body := req.token.GetBody()
|
|
if body == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at session token body")
|
|
}
|
|
|
|
signature := req.token.GetSignature()
|
|
if signature == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at signature")
|
|
}
|
|
|
|
return owner.NewIDFromV2(body.GetOwnerID()), crypto.UnmarshalPublicKey(signature.GetKey()), nil
|
|
}
|
|
|
|
// otherwise get original body signature
|
|
bodySignature := originalBodySignature(req.vheader)
|
|
if bodySignature == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at body signature")
|
|
}
|
|
|
|
key := crypto.UnmarshalPublicKey(bodySignature.GetKey())
|
|
neo3wallet, err := owner.NEO3WalletFromPublicKey(key)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrap(err, "can't create neo3 wallet")
|
|
}
|
|
|
|
// form user from public key
|
|
user := new(owner.ID)
|
|
user.SetNeo3Wallet(neo3wallet)
|
|
|
|
return user, key, nil
|
|
}
|
|
|
|
func originalBodySignature(v *session.RequestVerificationHeader) *pkg.Signature {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
for v.GetOrigin() != nil {
|
|
v = v.GetOrigin()
|
|
}
|
|
|
|
return pkg.NewSignatureFromV2(v.GetBodySignature())
|
|
}
|
|
|
|
func (c SenderClassifier) isInnerRingKey(owner []byte) (bool, error) {
|
|
innerRingKeys, err := c.innerRing.InnerRingKeys()
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
// if request owner key in the inner ring list, return RoleSystem
|
|
for i := range innerRingKeys {
|
|
if bytes.Equal(innerRingKeys[i], owner) {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, nil
|
|
}
|
|
|
|
func (c SenderClassifier) isContainerKey(
|
|
owner, cid []byte,
|
|
cnr *container.Container) (bool, error) {
|
|
|
|
// first check current netmap
|
|
nm, err := core.GetLatestNetworkMap(c.netmap)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
in, err := lookupKeyInContainer(nm, owner, cid, cnr)
|
|
if err != nil {
|
|
return false, err
|
|
} else if in {
|
|
return true, nil
|
|
}
|
|
|
|
// then check previous netmap, this can happen in-between epoch change
|
|
// when node migrates data from last epoch container
|
|
nm, err = core.GetPreviousNetworkMap(c.netmap)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return lookupKeyInContainer(nm, owner, cid, cnr)
|
|
}
|
|
|
|
func lookupKeyInContainer(
|
|
nm *netmap.Netmap,
|
|
owner, cid []byte,
|
|
cnr *container.Container) (bool, error) {
|
|
|
|
cnrNodes, err := nm.GetContainerNodes(cnr.GetPlacementPolicy(), cid)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
flatCnrNodes := cnrNodes.Flatten() // we need single array to iterate on
|
|
for i := range flatCnrNodes {
|
|
if bytes.Equal(flatCnrNodes[i].InfoV2.GetPublicKey(), owner) {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, nil
|
|
}
|