[#372] Check parameters before creating container
Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
parent
02f4524d67
commit
52f0af0ccc
2 changed files with 41 additions and 22 deletions
|
@ -230,16 +230,7 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
|
||||||
lifetime.Exp = lifetime.Iat + epochLifetime
|
lifetime.Exp = lifetime.Iat + epochLifetime
|
||||||
}
|
}
|
||||||
|
|
||||||
idOwner := owner.NewIDFromPublicKey(&options.NeoFSKey.PrivateKey.PublicKey)
|
gatesData, err := createTokens(options, lifetime)
|
||||||
|
|
||||||
a.log.Info("check container or create", zap.Stringer("cid", options.Container.ID),
|
|
||||||
zap.String("friendly_name", options.Container.FriendlyName),
|
|
||||||
zap.String("placement_policy", options.Container.PlacementPolicy))
|
|
||||||
if id, err = a.checkContainer(ctx, options.Container, idOwner); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
gatesData, err := createTokens(options, lifetime, id)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -251,6 +242,15 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
|
||||||
|
|
||||||
box.ContainerPolicy = policies
|
box.ContainerPolicy = policies
|
||||||
|
|
||||||
|
idOwner := owner.NewIDFromPublicKey(&options.NeoFSKey.PrivateKey.PublicKey)
|
||||||
|
|
||||||
|
a.log.Info("check container or create", zap.Stringer("cid", options.Container.ID),
|
||||||
|
zap.String("friendly_name", options.Container.FriendlyName),
|
||||||
|
zap.String("placement_policy", options.Container.PlacementPolicy))
|
||||||
|
if id, err = a.checkContainer(ctx, options.Container, idOwner); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
a.log.Info("store bearer token into NeoFS",
|
a.log.Info("store bearer token into NeoFS",
|
||||||
zap.Stringer("owner_tkn", idOwner))
|
zap.Stringer("owner_tkn", idOwner))
|
||||||
|
|
||||||
|
@ -318,7 +318,7 @@ func (a *Agent) ObtainSecret(ctx context.Context, w io.Writer, options *ObtainSe
|
||||||
return enc.Encode(or)
|
return enc.Encode(or)
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) {
|
func buildEACLTable(eaclTable []byte) (*eacl.Table, error) {
|
||||||
table := eacl.NewTable()
|
table := eacl.NewTable()
|
||||||
if len(eaclTable) != 0 {
|
if len(eaclTable) != 0 {
|
||||||
return table, table.UnmarshalJSON(eaclTable)
|
return table, table.UnmarshalJSON(eaclTable)
|
||||||
|
@ -332,7 +332,6 @@ func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) {
|
||||||
// matcher := eacl.MatchStringEqual
|
// matcher := eacl.MatchStringEqual
|
||||||
// record.AddFilter(from eacl.FilterHeaderType, matcher eacl.Match, name string, value string)
|
// record.AddFilter(from eacl.FilterHeaderType, matcher eacl.Match, name string, value string)
|
||||||
eacl.AddFormedTarget(record, eacl.RoleOthers)
|
eacl.AddFormedTarget(record, eacl.RoleOthers)
|
||||||
table.SetCID(cid)
|
|
||||||
table.AddRecord(record)
|
table.AddRecord(record)
|
||||||
|
|
||||||
return table, nil
|
return table, nil
|
||||||
|
@ -437,10 +436,10 @@ func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOp
|
||||||
return sessionTokens, nil
|
return sessionTokens, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *cid.ID) ([]*accessbox.GateData, error) {
|
func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions) ([]*accessbox.GateData, error) {
|
||||||
gates := make([]*accessbox.GateData, len(options.GatesPublicKeys))
|
gates := make([]*accessbox.GateData, len(options.GatesPublicKeys))
|
||||||
|
|
||||||
table, err := buildEACLTable(cid, options.EACLRules)
|
table, err := buildEACLTable(options.EACLRules)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to build eacl table: %w", err)
|
return nil, fmt.Errorf("failed to build eacl table: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -271,6 +271,16 @@ It will be ceil rounded to the nearest amount of epoch.`,
|
||||||
return cli.Exit(fmt.Sprintf("couldn't parse container policy: %s", err.Error()), 6)
|
return cli.Exit(fmt.Sprintf("couldn't parse container policy: %s", err.Error()), 6)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bearerRules, err := getJSONRules(eaclRulesFlag)
|
||||||
|
if err != nil {
|
||||||
|
return cli.Exit(fmt.Sprintf("couldn't parse 'bearer-rules' flag: %s", err.Error()), 7)
|
||||||
|
}
|
||||||
|
|
||||||
|
sessionRules, err := getSessionRules(sessionTokenFlag)
|
||||||
|
if err != nil {
|
||||||
|
return cli.Exit(fmt.Sprintf("couldn't parse 'session-token' flag: %s", err.Error()), 8)
|
||||||
|
}
|
||||||
|
|
||||||
issueSecretOptions := &authmate.IssueSecretOptions{
|
issueSecretOptions := &authmate.IssueSecretOptions{
|
||||||
Container: authmate.ContainerOptions{
|
Container: authmate.ContainerOptions{
|
||||||
ID: containerID,
|
ID: containerID,
|
||||||
|
@ -279,8 +289,8 @@ It will be ceil rounded to the nearest amount of epoch.`,
|
||||||
},
|
},
|
||||||
NeoFSKey: key,
|
NeoFSKey: key,
|
||||||
GatesPublicKeys: gatesPublicKeys,
|
GatesPublicKeys: gatesPublicKeys,
|
||||||
EACLRules: getJSONRules(eaclRulesFlag),
|
EACLRules: bearerRules,
|
||||||
SessionTokenRules: getSessionRules(sessionTokenFlag),
|
SessionTokenRules: sessionRules,
|
||||||
ContainerPolicies: policies,
|
ContainerPolicies: policies,
|
||||||
Lifetime: lifetimeFlag,
|
Lifetime: lifetimeFlag,
|
||||||
AwsCliCredentialsFile: awcCliCredFile,
|
AwsCliCredentialsFile: awcCliCredFile,
|
||||||
|
@ -315,17 +325,27 @@ func parsePolicies(val string) (authmate.ContainerPolicies, error) {
|
||||||
return policies, nil
|
return policies, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getJSONRules(val string) []byte {
|
func getJSONRules(val string) ([]byte, error) {
|
||||||
|
if val == "" {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
data := []byte(val)
|
||||||
|
if json.Valid(data) {
|
||||||
|
return data, nil
|
||||||
|
}
|
||||||
|
|
||||||
if data, err := os.ReadFile(val); err == nil {
|
if data, err := os.ReadFile(val); err == nil {
|
||||||
return data
|
if json.Valid(data) {
|
||||||
|
return data, nil
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return []byte(val)
|
return nil, fmt.Errorf("coudln't read json file or its content is invalid")
|
||||||
}
|
}
|
||||||
|
|
||||||
func getSessionRules(r string) []byte {
|
func getSessionRules(r string) ([]byte, error) {
|
||||||
if r == "none" {
|
if r == "none" {
|
||||||
return nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
return getJSONRules(r)
|
return getJSONRules(r)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue