diff --git a/auth/center.go b/auth/center.go
index 966177cc..84b95c62 100644
--- a/auth/center.go
+++ b/auth/center.go
@@ -1,34 +1,83 @@
package auth
import (
+ "crypto/ecdsa"
+ "crypto/rand"
+ "crypto/rsa"
"crypto/sha256"
+ "crypto/x509"
+ "encoding/pem"
+ "io/ioutil"
"github.com/klauspost/compress/zstd"
+ "github.com/nspcc-dev/neofs-api-go/refs"
"github.com/nspcc-dev/neofs-api-go/service"
+ crypto "github.com/nspcc-dev/neofs-crypto"
"github.com/pkg/errors"
)
// Center is a central app's authentication/authorization management unit.
type Center struct {
- enclave *secureEnclave
zstdEncoder *zstd.Encoder
zstdDecoder *zstd.Decoder
+ neofsKeys struct {
+ PrivateKey *ecdsa.PrivateKey
+ PublicKey *ecdsa.PublicKey
+ }
+ ownerID refs.OwnerID
+ wifString string
+ userAuthKeys struct {
+ PrivateKey *rsa.PrivateKey
+ PublicKey *rsa.PublicKey
+ }
}
// NewCenter creates an instance of AuthCenter.
-func NewCenter(pathToRSAKey, pathToECDSAKey string) (*Center, error) {
+func NewCenter() *Center {
zstdEncoder, _ := zstd.NewWriter(nil)
zstdDecoder, _ := zstd.NewReader(nil)
- enclave, err := newSecureEnclave(pathToRSAKey, pathToECDSAKey)
- if err != nil {
- return nil, errors.Wrap(err, "failed to create secure enclave")
- }
- center := &Center{
- enclave: enclave,
+ return &Center{
zstdEncoder: zstdEncoder,
zstdDecoder: zstdDecoder,
}
- return center, nil
+}
+
+func (center *Center) SetNeoFSKeys(key *ecdsa.PrivateKey) error {
+ publicKey := &key.PublicKey
+ oid, err := refs.NewOwnerID(publicKey)
+ if err != nil {
+ return errors.Wrap(err, "failed to get OwnerID")
+ }
+ center.neofsKeys.PrivateKey = key
+ wif, err := crypto.WIFEncode(key)
+ if err != nil {
+ return errors.Wrap(err, "failed to get WIF string from given key")
+ }
+ center.neofsKeys.PublicKey = publicKey
+ center.ownerID = oid
+ center.wifString = wif
+ return nil
+}
+
+func (center *Center) GetNeoFSKeyPrivateKey() *ecdsa.PrivateKey {
+ return center.neofsKeys.PrivateKey
+}
+
+func (center *Center) GetNeoFSKeyPublicKey() *ecdsa.PublicKey {
+ return center.neofsKeys.PublicKey
+}
+
+func (center *Center) GetOwnerID() refs.OwnerID {
+ return center.ownerID
+}
+
+func (center *Center) GetWIFString() string {
+ return center.wifString
+}
+
+func (center *Center) SetUserAuthKeys(key *rsa.PrivateKey) {
+ center.userAuthKeys.PrivateKey = key
+ center.userAuthKeys.PublicKey = &key.PublicKey
}
func (center *Center) PackBearerToken(bearerToken *service.BearerTokenMsg) ([]byte, error) {
@@ -36,7 +85,7 @@ func (center *Center) PackBearerToken(bearerToken *service.BearerTokenMsg) ([]by
if err != nil {
return nil, errors.Wrap(err, "failed to marshal bearer token")
}
- encryptedKeyID, err := center.enclave.Encrypt(gateUserAuthKey, center.compress(data))
+ encryptedKeyID, err := encrypt(center.userAuthKeys.PublicKey, center.compress(data))
if err != nil {
return nil, errors.Wrap(err, "")
}
@@ -49,7 +98,7 @@ func (center *Center) UnpackBearerToken(packedBearerToken []byte) (*service.Bear
if err != nil {
return nil, errors.Wrap(err, "failed to decompress key ID")
}
- keyID, err := center.enclave.Decrypt(gateUserAuthKey, encryptedKeyID)
+ keyID, err := decrypt(center.userAuthKeys.PrivateKey, encryptedKeyID)
if err != nil {
return nil, errors.Wrap(err, "failed to decrypt key ID")
}
@@ -76,8 +125,32 @@ func (center *Center) decompress(data []byte) ([]byte, error) {
return decompressedData, nil
}
+func encrypt(key *rsa.PublicKey, data []byte) ([]byte, error) {
+ return rsa.EncryptOAEP(sha256.New(), rand.Reader, key, data, []byte{})
+}
+
+func decrypt(key *rsa.PrivateKey, data []byte) ([]byte, error) {
+ return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, data, []byte{})
+}
+
func sha256Hash(data []byte) []byte {
hash := sha256.New()
hash.Write(data)
return hash.Sum(nil)
}
+
+func ReadRSAPrivateKeyFromPEMFile(filePath string) (*rsa.PrivateKey, error) {
+ kbs, err := ioutil.ReadFile(filePath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed to read file %s", filePath)
+ }
+ pemBlock, _ := pem.Decode(kbs)
+ if pemBlock == nil {
+ return nil, errors.Errorf("failed to decode PEM data from file %s", filePath)
+ }
+ rsaKey, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed to parse private key bytes from pem data from file %s", filePath)
+ }
+ return rsaKey, nil
+}
diff --git a/auth/enclave.go b/auth/enclave.go
deleted file mode 100644
index 16113fbf..00000000
--- a/auth/enclave.go
+++ /dev/null
@@ -1,130 +0,0 @@
-package auth
-
-import (
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/rsa"
- "crypto/sha256"
- "crypto/x509"
- "encoding/pem"
- "io/ioutil"
- "os"
-
- "github.com/pkg/errors"
-)
-
-const (
- gatewayEncryptionKeySize = 4096
-)
-
-const (
- _ encryptionKeyName = iota
- // Indicates that the key is used to encrypt
- // a bearer token to pass auth procedure.
- gateUserAuthKey
-)
-
-const (
- _ signatureKeyName = iota
- // Indicates that the key is a NeoFS ECDSA key.
- gateNeoFSECDSAKey
- // Indicates that the key is a NeoFS Ed25519 key.
- gateNeoFSEd25519Key
-)
-
-type (
- signatureKeyName byte
- encryptionKeyName byte
-)
-
-type (
- signatureKeyPair struct {
- PrivateKey *ecdsa.PrivateKey
- PublicKey *ecdsa.PublicKey
- }
-
- encryptionKeyPair struct {
- PrivateKey *rsa.PrivateKey
- PublicKey *rsa.PublicKey
- }
-)
-
-type secureEnclave struct {
- signatureKeys map[signatureKeyName]signatureKeyPair
- encryptionKeys map[encryptionKeyName]encryptionKeyPair
-}
-
-func newSecureEnclave(pathToRSAKey, pathToECDSAKey string) (*secureEnclave, error) {
- var (
- rsaKey *rsa.PrivateKey
- ecdsaKey *ecdsa.PrivateKey
- )
- if key1bs, err := ioutil.ReadFile(pathToRSAKey); err != nil {
- // No file found.
- if os.IsNotExist(err) {
- if rsaKey, err = rsa.GenerateKey(rand.Reader, gatewayEncryptionKeySize); err != nil {
- return nil, errors.Wrap(err, "failed to generate RSA key")
- }
- key1bs := x509.MarshalPKCS1PrivateKey(rsaKey)
- data := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: key1bs})
- if err := ioutil.WriteFile(pathToRSAKey, data, 0o600); err != nil {
- return nil, errors.Wrapf(err, "failed to write file %s", pathToRSAKey)
- }
- } else {
- return nil, errors.Wrapf(err, "failed to open file %s", pathToRSAKey)
- }
- } else {
- pemBlock, _ := pem.Decode(key1bs)
- if pemBlock == nil {
- return nil, errors.Errorf("failed to decode PEM data from file %s", pathToRSAKey)
- }
- rsaKey, err = x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
- if err != nil {
- return nil, errors.Wrapf(err, "failed to parse private key bytes from pem data from file %s", pathToRSAKey)
- }
- }
- if key2bs, err := ioutil.ReadFile(pathToECDSAKey); err != nil {
- // No file found.
- if os.IsNotExist(err) {
- if ecdsaKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
- return nil, errors.Wrap(err, "failed to generate ECDSA key")
- }
- key2bs, err := x509.MarshalECPrivateKey(ecdsaKey)
- if err != nil {
- return nil, errors.New("failed to marshal ECDSA private key")
- }
- data := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: key2bs})
- if err := ioutil.WriteFile(pathToECDSAKey, data, 0o600); err != nil {
- return nil, errors.Wrapf(err, "failed to write file %s", pathToECDSAKey)
- }
- } else {
- return nil, errors.Wrapf(err, "failed to open file %s", pathToECDSAKey)
- }
- } else {
- pemBlock, _ := pem.Decode(key2bs)
- if pemBlock == nil {
- return nil, errors.Errorf("failed to decode PEM data from file %s", pathToECDSAKey)
- }
- ecdsaKey, err = x509.ParseECPrivateKey(pemBlock.Bytes)
- if err != nil {
- return nil, errors.Wrapf(err, "failed to parse private key bytes from pem data from file %s", pathToECDSAKey)
- }
- }
- return &secureEnclave{
- encryptionKeys: map[encryptionKeyName]encryptionKeyPair{
- gateUserAuthKey: {rsaKey, &rsaKey.PublicKey},
- },
- signatureKeys: map[signatureKeyName]signatureKeyPair{
- gateNeoFSECDSAKey: {ecdsaKey, &ecdsaKey.PublicKey},
- },
- }, nil
-}
-
-func (se *secureEnclave) Encrypt(keyName encryptionKeyName, data []byte) ([]byte, error) {
- return rsa.EncryptOAEP(sha256.New(), rand.Reader, se.encryptionKeys[keyName].PublicKey, data, []byte{})
-}
-
-func (se *secureEnclave) Decrypt(keyName encryptionKeyName, data []byte) ([]byte, error) {
- return rsa.DecryptOAEP(sha256.New(), rand.Reader, se.encryptionKeys[keyName].PrivateKey, data, []byte{})
-}
diff --git a/cmd/gate/app-settings.go b/cmd/gate/app-settings.go
index da3089ff..98422939 100644
--- a/cmd/gate/app-settings.go
+++ b/cmd/gate/app-settings.go
@@ -4,6 +4,7 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
+ "crypto/rsa"
"fmt"
"io"
"os"
@@ -11,19 +12,18 @@ import (
"strings"
"time"
+ s3auth "github.com/minio/minio/auth"
"github.com/minio/minio/neofs/pool"
+ "github.com/pkg/errors"
"github.com/minio/minio/misc"
- "github.com/nspcc-dev/neofs-api-go/refs"
crypto "github.com/nspcc-dev/neofs-crypto"
"github.com/spf13/pflag"
"github.com/spf13/viper"
"go.uber.org/zap"
)
-type empty int
-
const (
devNull = empty(0)
generated = "generated"
@@ -55,7 +55,11 @@ const ( // settings
cfgKeepaliveTimeout = "keepalive.timeout"
cfgKeepalivePermitWithoutStream = "keepalive.permit_without_stream"
- // HTTPS/TLS:
+ // Keys
+ cfgNeoFSPrivateKey = "neofs-ecdsa-key"
+ cfgUserAuthPrivateKey = "userauth-rsa-key"
+
+ // HTTPS/TLS
cfgTLSKeyFile = "tls.key_file"
cfgTLSCertFile = "tls.cert_file"
@@ -66,8 +70,7 @@ const ( // settings
cfgRebalanceTimer = "rebalance_timer"
// gRPC
- cfgGRPCVerbose = "verbose"
- cfgGRPCPrivateKey = "key"
+ cfgGRPCVerbose = "verbose"
// Metrics / Profiler / Web
cfgEnableMetrics = "metrics"
@@ -80,33 +83,37 @@ const ( // settings
cfgApplicationBuildTime = "app.build_time"
)
+type empty int
+
func (empty) Read([]byte) (int, error) { return 0, io.EOF }
-func fetchKey(l *zap.Logger, v *viper.Viper) *ecdsa.PrivateKey {
- switch val := v.GetString("key"); val {
+func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*s3auth.Center, error) {
+ var (
+ err error
+ neofsPrivateKey *ecdsa.PrivateKey
+ userAuthPrivateKey *rsa.PrivateKey
+ )
+ switch nfspk := v.GetString(cfgNeoFSPrivateKey); nfspk {
case generated:
- key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ neofsPrivateKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
- l.Fatal("could not generate private key", zap.Error(err))
+ return nil, errors.Wrap(err, "could not generate NeoFS private key")
}
-
- id, err := refs.NewOwnerID(&key.PublicKey)
- l.Info("generate new key",
- zap.Stringer("key", id),
- zap.Error(err))
-
- return key
-
default:
- key, err := crypto.LoadPrivateKey(val)
+ neofsPrivateKey, err = crypto.LoadPrivateKey(nfspk)
if err != nil {
- l.Fatal("could not load private key",
- zap.String("key", v.GetString("key")),
- zap.Error(err))
+ return nil, errors.Wrap(err, "could not load NeoFS private key")
}
-
- return key
}
+ uapk := v.GetString(cfgUserAuthPrivateKey)
+ userAuthPrivateKey, err = s3auth.ReadRSAPrivateKeyFromPEMFile(uapk)
+ if err != nil {
+ return nil, errors.Wrap(err, "could not load UserAuth private key")
+ }
+ center := s3auth.NewCenter()
+ center.SetUserAuthKeys(userAuthPrivateKey)
+ center.SetNeoFSKeys(neofsPrivateKey)
+ return center, nil
}
func fetchPeers(l *zap.Logger, v *viper.Viper) []pool.Peer {
@@ -145,22 +152,23 @@ func newSettings() *viper.Viper {
flags.SortFlags = false
flags.Bool(cfgEnableProfiler, false, "enable pprof")
- flags.Bool(cfgEnableMetrics, false, "enable prometheus")
+ flags.Bool(cfgEnableMetrics, false, "enable prometheus metrics")
help := flags.BoolP("help", "h", false, "show help")
version := flags.BoolP("version", "v", false, "show version")
- flags.String(cfgGRPCPrivateKey, generated, `"`+generated+`" to generate key, path to private key file, hex string or wif`)
+ flags.String(cfgNeoFSPrivateKey, generated, fmt.Sprintf(`set value to hex string, WIF string, or path to NeoFS private key file (use "%s" to generate key)`, generated))
+ flags.String(cfgUserAuthPrivateKey, "", "set path to file with private key to use in auth scheme")
- flags.Bool(cfgGRPCVerbose, false, "debug gRPC connections")
- flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "gRPC request timeout")
- flags.Duration(cfgConnectTimeout, defaultConnectTimeout, "gRPC connect timeout")
- flags.Duration(cfgRebalanceTimer, defaultRebalanceTimer, "gRPC connection rebalance timer")
+ flags.Bool(cfgGRPCVerbose, false, "set debug mode of gRPC connections")
+ flags.Duration(cfgRequestTimeout, defaultRequestTimeout, "set gRPC request timeout")
+ flags.Duration(cfgConnectTimeout, defaultConnectTimeout, "set gRPC connect timeout")
+ flags.Duration(cfgRebalanceTimer, defaultRebalanceTimer, "set gRPC connection rebalance timer")
- ttl := flags.DurationP(cfgConnectionTTL, "t", defaultTTL, "gRPC connection time to live")
+ ttl := flags.DurationP(cfgConnectionTTL, "t", defaultTTL, "set gRPC connection time to live")
- flags.String(cfgListenAddress, "0.0.0.0:8080", "S3 Gateway listen address")
- peers := flags.StringArrayP("peers", "p", nil, "NeoFS nodes")
+ flags.String(cfgListenAddress, "0.0.0.0:8080", "set address to listen")
+ peers := flags.StringArrayP("peers", "p", nil, "set NeoFS nodes")
// set prefers:
v.Set(cfgApplicationName, misc.ApplicationName)
diff --git a/cmd/gate/app.go b/cmd/gate/app.go
index a5c4021c..317b1d2b 100644
--- a/cmd/gate/app.go
+++ b/cmd/gate/app.go
@@ -7,13 +7,12 @@ import (
"os"
"time"
+ s3auth "github.com/minio/minio/auth"
minio "github.com/minio/minio/legacy"
"github.com/minio/minio/legacy/config"
"github.com/minio/minio/neofs/layer"
"github.com/minio/minio/neofs/pool"
"github.com/minio/minio/pkg/auth"
- "github.com/nspcc-dev/neofs-api-go/refs"
- crypto "github.com/nspcc-dev/neofs-crypto"
"github.com/spf13/viper"
"go.uber.org/zap"
"google.golang.org/grpc/keepalive"
@@ -21,11 +20,12 @@ import (
type (
App struct {
- cli pool.Pool
- log *zap.Logger
- cfg *viper.Viper
- tls *tlsConfig
- obj minio.ObjectLayer
+ center *s3auth.Center
+ cli pool.Pool
+ log *zap.Logger
+ cfg *viper.Viper
+ tls *tlsConfig
+ obj minio.ObjectLayer
conTimeout time.Duration
reqTimeout time.Duration
@@ -44,21 +44,22 @@ type (
func newApp(l *zap.Logger, v *viper.Viper) *App {
var (
- err error
- wif string
- cli pool.Pool
- tls *tlsConfig
- uid refs.OwnerID
- obj minio.ObjectLayer
-
- key = fetchKey(l, v)
-
- reBalance = defaultRebalanceTimer
-
+ err error
+ cli pool.Pool
+ tls *tlsConfig
+ obj minio.ObjectLayer
+ reBalance = defaultRebalanceTimer
conTimeout = defaultConnectTimeout
reqTimeout = defaultRequestTimeout
)
+ center, err := fetchAuthCenter(l, v)
+ if err != nil {
+ l.Fatal("failed to initialize auth center", zap.Error(err))
+ }
+ uid := center.GetOwnerID()
+ wif := center.GetWIFString()
+
if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
tls = &tlsConfig{
KeyFile: v.GetString(cfgTLSKeyFile),
@@ -82,7 +83,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
Peers: fetchPeers(l, v),
Logger: l,
- PrivateKey: key,
+ PrivateKey: center.GetNeoFSKeyPrivateKey(),
GRPCLogger: gRPCLogger(l),
GRPCVerbose: v.GetBool(cfgGRPCVerbose),
@@ -95,8 +96,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
}
if cli, err = pool.New(poolConfig); err != nil {
- l.Fatal("could not prepare pool connections",
- zap.Error(err))
+ l.Fatal("could not prepare pool connections", zap.Error(err))
}
{ // should establish connection with NeoFS Storage Nodes
@@ -112,42 +112,27 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
}
{ // should prepare object layer
- if uid, err = refs.NewOwnerID(&key.PublicKey); err != nil {
- l.Fatal("could not fetch OwnerID",
- zap.Error(err))
- }
-
- if wif, err = crypto.WIFEncode(key); err != nil {
- l.Fatal("could not encode key to WIF",
- zap.Error(err))
- }
-
{ // Temporary solution, to resolve problems with MinIO GW access/secret keys:
if err = os.Setenv(config.EnvAccessKey, uid.String()); err != nil {
- l.Fatal("could not set "+config.EnvAccessKey,
- zap.Error(err))
+ l.Fatal("could not set "+config.EnvAccessKey, zap.Error(err))
} else if err = os.Setenv(config.EnvSecretKey, wif); err != nil {
- l.Fatal("could not set "+config.EnvSecretKey,
- zap.Error(err))
+ l.Fatal("could not set "+config.EnvSecretKey, zap.Error(err))
}
-
- l.Info("used credentials",
- zap.String("AccessKey", uid.String()),
- zap.String("SecretKey", wif))
+ l.Info("used credentials", zap.String("AccessKey", uid.String()), zap.String("SecretKey", wif))
}
if obj, err = layer.NewLayer(cli, l, auth.Credentials{AccessKey: uid.String(), SecretKey: wif}); err != nil {
- l.Fatal("could not prepare ObjectLayer",
- zap.Error(err))
+ l.Fatal("could not prepare ObjectLayer", zap.Error(err))
}
}
return &App{
- cli: cli,
- log: l,
- cfg: v,
- obj: obj,
- tls: tls,
+ center: center,
+ cli: cli,
+ log: l,
+ cfg: v,
+ obj: obj,
+ tls: tls,
webDone: make(chan struct{}, 1),
wrkDone: make(chan struct{}, 1),