From bd3620dabcc80cee98ec1f06367d2b9204baad37 Mon Sep 17 00:00:00 2001 From: Pavel Pogodaev Date: Tue, 21 Jan 2025 15:08:34 +0300 Subject: [PATCH] [#604] Add support of MFADelete argument and x-amz-mfa header Signed-off-by: Pavel Pogodaev --- api/cache/cache_test.go | 5 +- api/data/info.go | 22 +- api/errors/errors.go | 9 +- api/handler/api.go | 5 +- api/handler/delete.go | 50 ++++ api/handler/handlers_test.go | 5 +- api/handler/put.go | 11 +- api/handler/util.go | 14 ++ api/handler/versioning.go | 45 +++- api/headers.go | 1 + api/layer/locking_test.go | 7 +- api/layer/system_object.go | 5 +- api/layer/versioning_test.go | 22 +- cmd/s3-gw/app.go | 44 +++- cmd/s3-gw/app_settings.go | 21 ++ config/config.env | 1 + config/config.yaml | 7 + creds/accessbox/accessbox.pb.go | 10 +- docs/configuration.md | 8 + go.mod | 37 +-- go.sum | 85 ++++--- internal/frostfs/mfa.go | 429 ++++++++++++++++++++++++++++++++ internal/logs/logs.go | 9 + internal/unlocker/unlocker.go | 25 ++ pkg/service/tree/tree.go | 20 +- pkg/service/tree/tree_test.go | 5 +- 26 files changed, 814 insertions(+), 88 deletions(-) create mode 100644 internal/frostfs/mfa.go create mode 100644 internal/unlocker/unlocker.go diff --git a/api/cache/cache_test.go b/api/cache/cache_test.go index 36230d93..70e128a0 100644 --- a/api/cache/cache_test.go +++ b/api/cache/cache_test.go @@ -173,7 +173,10 @@ func TestSettingsCacheType(t *testing.T) { cache := NewSystemCache(DefaultSystemConfig(logger)) key := "key" - settings := &data.BucketSettings{Versioning: data.VersioningEnabled} + settings := &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningEnabled, + MFADeleteStatus: data.MFADeleteEnabled, + }} err := cache.PutSettings(key, settings) require.NoError(t, err) diff --git a/api/data/info.go b/api/data/info.go index 9dd17cbd..a6e9077f 100644 --- a/api/data/info.go +++ b/api/data/info.go @@ -20,6 +20,9 @@ const ( VersioningUnversioned = "Unversioned" VersioningEnabled = "Enabled" VersioningSuspended = "Suspended" + + MFADeleteDisabled = "Disabled" + MFADeleteEnabled = "Enabled" ) type ( @@ -55,12 +58,19 @@ type ( // BucketSettings stores settings such as versioning. BucketSettings struct { - Versioning string + Versioning Versioning LockConfiguration *ObjectLockConfiguration CannedACL string OwnerKey *keys.PublicKey } + // Versioning stores bucket versioning settings. + Versioning struct { + VersioningStatus string + MFADeleteStatus string + MFASerialNumber string + } + // CORSConfiguration stores CORS configuration of a request. CORSConfiguration struct { XMLName xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ CORSConfiguration" json:"-"` @@ -130,15 +140,19 @@ func (o *ObjectInfo) ETag(md5Enabled bool) string { } func (b BucketSettings) Unversioned() bool { - return b.Versioning == VersioningUnversioned + return b.Versioning.VersioningStatus == VersioningUnversioned } func (b BucketSettings) VersioningEnabled() bool { - return b.Versioning == VersioningEnabled + return b.Versioning.VersioningStatus == VersioningEnabled } func (b BucketSettings) VersioningSuspended() bool { - return b.Versioning == VersioningSuspended + return b.Versioning.VersioningStatus == VersioningSuspended +} + +func (b BucketSettings) MFADeleteEnabled() bool { + return b.Versioning.MFADeleteStatus == MFADeleteEnabled } func Quote(val string) string { diff --git a/api/errors/errors.go b/api/errors/errors.go index 27ac5669..b7e49c6c 100644 --- a/api/errors/errors.go +++ b/api/errors/errors.go @@ -142,6 +142,7 @@ const ( ErrInvalidTagDirective // Add new error codes here. ErrNotSupported + ErrMFAAuthNeeded // SSE-S3 related API errors. ErrInvalidEncryptionMethod @@ -286,7 +287,7 @@ const ( ErrPostPolicyConditionInvalidFormat - //CORS configuration errors. + // CORS configuration errors. ErrCORSUnsupportedMethod ErrCORSWildcardExposeHeaders @@ -387,6 +388,12 @@ var errorCodes = errorCodeMap{ Description: "Access Denied.", HTTPStatusCode: http.StatusForbidden, }, + ErrMFAAuthNeeded: { + ErrCode: ErrMFAAuthNeeded, + Code: "AccessDenied", + Description: "Mfa Authentication must be used for this request", + HTTPStatusCode: http.StatusForbidden, + }, ErrAccessControlListNotSupported: { ErrCode: ErrAccessControlListNotSupported, Code: "AccessControlListNotSupported", diff --git a/api/handler/api.go b/api/handler/api.go index 19e2c4e8..b463ded4 100644 --- a/api/handler/api.go +++ b/api/handler/api.go @@ -14,6 +14,7 @@ import ( cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" + "git.frostfs.info/pogpp/mfa" "go.uber.org/zap" ) @@ -24,6 +25,7 @@ type ( cfg Config ape APE frostfsid FrostFSID + mfa *mfa.Manager } // Config contains data which handler needs to keep. @@ -68,7 +70,7 @@ const ( var _ api.Handler = (*handler)(nil) // New creates new api.Handler using given logger and client. -func New(log *zap.Logger, obj *layer.Layer, cfg Config, storage APE, ffsid FrostFSID) (api.Handler, error) { +func New(log *zap.Logger, obj *layer.Layer, cfg Config, storage APE, ffsid FrostFSID, mfaMgr *mfa.Manager) (api.Handler, error) { switch { case obj == nil: return nil, errors.New("empty FrostFS Object Layer") @@ -86,6 +88,7 @@ func New(log *zap.Logger, obj *layer.Layer, cfg Config, storage APE, ffsid Frost cfg: cfg, ape: storage, frostfsid: ffsid, + mfa: mfaMgr, }, nil } diff --git a/api/handler/delete.go b/api/handler/delete.go index a83242c8..ca189692 100644 --- a/api/handler/delete.go +++ b/api/handler/delete.go @@ -14,6 +14,7 @@ import ( apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" + "github.com/pquerna/otp/totp" ) // limitation of AWS https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html @@ -81,6 +82,26 @@ func (h *handler) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) { return } + if len(versionID) > 0 && bktSettings.MFADeleteEnabled() { + serialNumber, token, err := h.getMFAHeader(r) + if err != nil { + h.logAndSendError(ctx, w, "could not get mfa header", reqInfo, err) + return + } + + device, err := h.mfa.GetMFADevice(ctx, reqInfo.Namespace, nameFromArn(serialNumber)) + if err != nil { + h.logAndSendError(ctx, w, "could not get mfa device", reqInfo, err) + return + } + + validate := totp.Validate(token, device.Key.Secret()) + if !validate { + h.logAndSendError(ctx, w, "could not validate token", reqInfo, fmt.Errorf("mfa Authentication must be used for this request")) + return + } + } + networkInfo, err := h.obj.GetNetworkInfo(ctx) if err != nil { h.logAndSendError(ctx, w, "could not get network info", reqInfo, err) @@ -181,6 +202,26 @@ func (h *handler) DeleteMultipleObjectsHandler(w http.ResponseWriter, r *http.Re return } + if haveVersionedObjects(requested.Objects) && bktSettings.MFADeleteEnabled() { + serialNumber, token, err := h.getMFAHeader(r) + if err != nil { + h.logAndSendError(ctx, w, "could not get mfa header", reqInfo, err) + return + } + + device, err := h.mfa.GetMFADevice(ctx, reqInfo.Namespace, nameFromArn(serialNumber)) + if err != nil { + h.logAndSendError(ctx, w, "could not get mfa device", reqInfo, err) + return + } + + validate := totp.Validate(token, device.Key.Secret()) + if !validate { + h.logAndSendError(ctx, w, "could not validate token", reqInfo, fmt.Errorf("mfa Authentication must be used for this request")) + return + } + } + networkInfo, err := h.obj.GetNetworkInfo(ctx) if err != nil { h.logAndSendError(ctx, w, "could not get network info", reqInfo, err) @@ -280,3 +321,12 @@ func (h *handler) DeleteBucketHandler(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) } + +func haveVersionedObjects(objects []ObjectIdentifier) bool { + for _, o := range objects { + if len(o.VersionID) > 0 { + return true + } + } + return false +} diff --git a/api/handler/handlers_test.go b/api/handler/handlers_test.go index 78de4393..9d4c7162 100644 --- a/api/handler/handlers_test.go +++ b/api/handler/handlers_test.go @@ -437,7 +437,10 @@ func createTestBucketWithLock(hc *handlerContext, bktName string, conf *data.Obj sp := &layer.PutSettingsParams{ BktInfo: bktInfo, Settings: &data.BucketSettings{ - Versioning: data.VersioningEnabled, + Versioning: data.Versioning{ + VersioningStatus: data.VersioningEnabled, + MFADeleteStatus: data.MFADeleteDisabled, + }, LockConfiguration: conf, OwnerKey: key.PublicKey(), }, diff --git a/api/handler/put.go b/api/handler/put.go index 3e5e287f..b7052e93 100644 --- a/api/handler/put.go +++ b/api/handler/put.go @@ -840,14 +840,17 @@ func (h *handler) createBucketHandlerPolicy(w http.ResponseWriter, r *http.Reque sp := &layer.PutSettingsParams{ BktInfo: bktInfo, Settings: &data.BucketSettings{ - CannedACL: cannedACL, - OwnerKey: key, - Versioning: data.VersioningUnversioned, + CannedACL: cannedACL, + OwnerKey: key, + Versioning: data.Versioning{ + VersioningStatus: data.VersioningUnversioned, + MFADeleteStatus: data.MFADeleteDisabled, + }, }, } if p.ObjectLockEnabled { - sp.Settings.Versioning = data.VersioningEnabled + sp.Settings.Versioning.VersioningStatus = data.VersioningEnabled } err = retryer.MakeWithRetry(ctx, func() error { diff --git a/api/handler/util.go b/api/handler/util.go index 7d12af0b..a9ec020a 100644 --- a/api/handler/util.go +++ b/api/handler/util.go @@ -138,3 +138,17 @@ func parseRange(s string) (*layer.RangeParams, error) { End: values[1], }, nil } + +func nameFromArn(arn string) string { + pts := strings.Split(arn, "/") + return pts[len(pts)-1] +} + +func (h *handler) getMFAHeader(r *http.Request) (string, string, error) { + parts := strings.Split(r.Header.Get(api.AmzMFA), " ") + if len(parts) != 2 { + return "", "", fmt.Errorf("%w: invalid mfa header", apierr.GetAPIError(apierr.ErrMFAAuthNeeded)) + } + + return parts[0], parts[1], nil +} diff --git a/api/handler/versioning.go b/api/handler/versioning.go index bf9c895c..f433e156 100644 --- a/api/handler/versioning.go +++ b/api/handler/versioning.go @@ -7,6 +7,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware" + "github.com/pquerna/otp/totp" ) func (h *handler) PutBucketVersioningHandler(w http.ResponseWriter, r *http.Request) { @@ -31,14 +32,47 @@ func (h *handler) PutBucketVersioningHandler(w http.ResponseWriter, r *http.Requ return } + // settings pointer is stored in the cache, so modify a copy of the settings + newSettings := *settings + + if len(configuration.MfaDelete) > 0 { + serialNumber, token, err := h.getMFAHeader(r) + if err != nil { + h.logAndSendError(ctx, w, "invalid x-amz-mfa header", reqInfo, errors.GetAPIError(errors.ErrBadRequest)) + return + } + + name := nameFromArn(serialNumber) + device, err := h.mfa.GetMFADevice(ctx, reqInfo.Namespace, name) + if err != nil { + h.logAndSendError(ctx, w, "get mfa device", reqInfo, err) + return + } + + ok := totp.Validate(token, device.Key.Secret()) + if !ok { + h.logAndSendError(ctx, w, "validation error", reqInfo, nil) + return + } + + switch configuration.MfaDelete { + case data.MFADeleteEnabled: + newSettings.Versioning.MFADeleteStatus = data.MFADeleteEnabled + newSettings.Versioning.MFASerialNumber = serialNumber + case data.MFADeleteDisabled: + newSettings.Versioning.MFADeleteStatus = data.MFADeleteDisabled + default: + h.logAndSendError(ctx, w, "failed to get mfa configuration", reqInfo, nil) + return + } + } + if configuration.Status != data.VersioningEnabled && configuration.Status != data.VersioningSuspended { h.logAndSendError(ctx, w, "invalid versioning configuration", reqInfo, errors.GetAPIError(errors.ErrMalformedXML)) return } - // settings pointer is stored in the cache, so modify a copy of the settings - newSettings := *settings - newSettings.Versioning = configuration.Status + newSettings.Versioning.VersioningStatus = configuration.Status p := &layer.PutSettingsParams{ BktInfo: bktInfo, @@ -80,7 +114,10 @@ func (h *handler) GetBucketVersioningHandler(w http.ResponseWriter, r *http.Requ func formVersioningConfiguration(settings *data.BucketSettings) *VersioningConfiguration { res := &VersioningConfiguration{} if !settings.Unversioned() { - res.Status = settings.Versioning + res.Status = settings.Versioning.VersioningStatus + } + if settings.MFADeleteEnabled() { + res.MfaDelete = "Enabled" } return res diff --git a/api/headers.go b/api/headers.go index c877b4b5..9d36d2e8 100644 --- a/api/headers.go +++ b/api/headers.go @@ -15,6 +15,7 @@ const ( AmzCopySource = "X-Amz-Copy-Source" AmzCopySourceRange = "X-Amz-Copy-Source-Range" AmzDate = "X-Amz-Date" + AmzMFA = "X-Amz-Mfa" LastModified = "Last-Modified" Date = "Date" diff --git a/api/layer/locking_test.go b/api/layer/locking_test.go index 56cb8107..5de3f7e4 100644 --- a/api/layer/locking_test.go +++ b/api/layer/locking_test.go @@ -12,8 +12,11 @@ import ( func TestObjectLockAttributes(t *testing.T) { tc := prepareContext(t) err := tc.layer.PutBucketSettings(tc.ctx, &PutSettingsParams{ - BktInfo: tc.bktInfo, - Settings: &data.BucketSettings{Versioning: data.VersioningEnabled}, + BktInfo: tc.bktInfo, + Settings: &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningEnabled, + MFADeleteStatus: data.MFADeleteDisabled, + }}, }) require.NoError(t, err) diff --git a/api/layer/system_object.go b/api/layer/system_object.go index da8eb943..31b38536 100644 --- a/api/layer/system_object.go +++ b/api/layer/system_object.go @@ -216,7 +216,10 @@ func (n *Layer) GetBucketSettings(ctx context.Context, bktInfo *data.BucketInfo) if !errors.Is(err, tree.ErrNodeNotFound) { return nil, err } - settings = &data.BucketSettings{Versioning: data.VersioningUnversioned} + settings = &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningUnversioned, + MFADeleteStatus: data.MFADeleteDisabled, + }} n.reqLogger(ctx).Debug(logs.BucketSettingsNotFoundUseDefaults, logs.TagField(logs.TagDatapath)) } diff --git a/api/layer/versioning_test.go b/api/layer/versioning_test.go index 12e1e27a..8c55a6a6 100644 --- a/api/layer/versioning_test.go +++ b/api/layer/versioning_test.go @@ -196,8 +196,11 @@ func prepareContext(t *testing.T, cachesConfig ...*CachesConfig) *testContext { func TestSimpleVersioning(t *testing.T) { tc := prepareContext(t) err := tc.layer.PutBucketSettings(tc.ctx, &PutSettingsParams{ - BktInfo: tc.bktInfo, - Settings: &data.BucketSettings{Versioning: data.VersioningEnabled}, + BktInfo: tc.bktInfo, + Settings: &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningEnabled, + MFADeleteStatus: data.MFADeleteDisabled, + }}, }) require.NoError(t, err) @@ -234,7 +237,10 @@ func TestSimpleNoVersioning(t *testing.T) { func TestVersioningDeleteObject(t *testing.T) { tc := prepareContext(t) - settings := &data.BucketSettings{Versioning: data.VersioningEnabled} + settings := &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningEnabled, + MFADeleteStatus: data.MFADeleteDisabled, + }} err := tc.layer.PutBucketSettings(tc.ctx, &PutSettingsParams{ BktInfo: tc.bktInfo, Settings: settings, @@ -256,7 +262,10 @@ func TestGetUnversioned(t *testing.T) { objContent := []byte("content obj1 v1") objInfo := tc.putObject(objContent) - settings := &data.BucketSettings{Versioning: data.VersioningUnversioned} + settings := &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningUnversioned, + MFADeleteStatus: data.MFADeleteDisabled, + }} err := tc.layer.PutBucketSettings(tc.ctx, &PutSettingsParams{ BktInfo: tc.bktInfo, Settings: settings, @@ -270,7 +279,10 @@ func TestGetUnversioned(t *testing.T) { func TestVersioningDeleteSpecificObjectVersion(t *testing.T) { tc := prepareContext(t) - settings := &data.BucketSettings{Versioning: data.VersioningEnabled} + settings := &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningEnabled, + MFADeleteStatus: data.MFADeleteDisabled, + }} err := tc.layer.PutBucketSettings(tc.ctx, &PutSettingsParams{ BktInfo: tc.bktInfo, Settings: settings, diff --git a/cmd/s3-gw/app.go b/cmd/s3-gw/app.go index 6323115f..211dcea3 100644 --- a/cmd/s3-gw/app.go +++ b/cmd/s3-gw/app.go @@ -37,6 +37,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/services" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs" internalnet "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/net" + "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/unlocker" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/version" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/wallet" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/metrics" @@ -48,6 +49,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool" treepool "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool/tree" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" + "git.frostfs.info/pogpp/mfa" "github.com/go-chi/chi/v5/middleware" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/panjf2000/ants/v2" @@ -645,7 +647,7 @@ func (s *appSettings) TombstoneLifetime() uint64 { func (a *App) initAPI(ctx context.Context) { a.initLayer(ctx) - a.initHandler() + a.initHandler(ctx) } func (a *App) initMetrics() { @@ -1188,15 +1190,51 @@ func getFrostfsIDCacheConfig(v *viper.Viper, l *zap.Logger) *cache.Config { return cacheCfg } -func (a *App) initHandler() { +func (a *App) initHandler(ctx context.Context) { var err error - a.api, err = handler.New(a.log, a.obj, a.settings, a.policyStorage, a.frostfsid) + var mfaCnrInfo *data.BucketInfo + if a.config().IsSet(cfgContainersMFA) { + mfaCnrInfo, err = a.fetchContainerInfo(ctx, cfgContainersMFA) + if err != nil { + a.log.Fatal(logs.CouldNotFetchMFAContainerInfo, zap.Error(err)) + } + } + + mfaConfig, err := a.fetchMFAConfig(mfaCnrInfo.CID) + if err != nil { + a.log.Fatal(logs.CouldNotInitMFAClient, zap.Error(err)) + } + + manager, err := mfa.NewManager(mfaConfig) + if err != nil { + a.log.Fatal(logs.CouldNotInitMFAClient, zap.Error(err)) + } + + a.api, err = handler.New(a.log, a.obj, a.settings, a.policyStorage, a.frostfsid, manager) if err != nil { a.log.Fatal(logs.CouldNotInitializeAPIHandler, zap.Error(err), logs.TagField(logs.TagApp)) } } +func (a *App) fetchMFAConfig(id cid.ID) (mfa.Config, error) { + mfaFrostFS := frostfs.NewMFAFrostFS(frostfs.MFAFrostFSConfig{ + Pool: a.pool, + TreePool: a.treePool, + Key: a.key, + Logger: a.log, + }) + + config := mfa.Config{ + Storage: mfaFrostFS, + Unlocker: unlocker.NewUnlocker(a.key, fetchIAMServices(a.config())), + Container: id, + Logger: a.log, + } + + return config, nil +} + func (a *App) getServer(address string) Server { for i := range a.servers { if a.servers[i].Address() == address { diff --git a/cmd/s3-gw/app_settings.go b/cmd/s3-gw/app_settings.go index 884a116a..1157b3c6 100644 --- a/cmd/s3-gw/app_settings.go +++ b/cmd/s3-gw/app_settings.go @@ -21,6 +21,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/version" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool" + "github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/spf13/pflag" "github.com/spf13/viper" "go.uber.org/zap" @@ -222,6 +223,10 @@ const ( cfgContainersCORS = "containers.cors" cfgContainersLifecycle = "containers.lifecycle" cfgContainersAccessBox = "containers.accessbox" + cfgContainersMFA = "containers.mfa" + + // IAM. + cfgIAMKeys = "iam_services" // Multinet. cfgMultinetEnabled = "multinet.enabled" @@ -902,6 +907,22 @@ func fetchMultinetConfig(v *viper.Viper, logger *zap.Logger) (cfg internalnet.Co return } +func fetchIAMServices(v *viper.Viper) []*keys.PublicKey { + var res []*keys.PublicKey + for i := 0; ; i++ { + key := cfgIAMKeys + "." + strconv.Itoa(i) + value := v.GetString(key) + + fromString, err := keys.NewPublicKeyFromString(value) + if err != nil { + break + } + + res = append(res, fromString) + } + return res +} + func fetchTracingAttributes(v *viper.Viper) (map[string]string, error) { attributes := make(map[string]string) for i := 0; ; i++ { diff --git a/config/config.env b/config/config.env index 28b1c7b7..f7196e6a 100644 --- a/config/config.env +++ b/config/config.env @@ -269,6 +269,7 @@ S3_GW_RETRY_STRATEGY=exponential # Containers properties S3_GW_CONTAINERS_CORS=AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj S3_GW_CONTAINERS_LIFECYCLE=AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj +S3_GW_CONTAINERS_MFA=HV9h4zbp7Dti2VXef2oFSsBSRyJUR6NfMeswuv12fjZu # Multinet properties # Enable multinet support diff --git a/config/config.yaml b/config/config.yaml index d9630e09..68e0769a 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -318,6 +318,13 @@ retry: containers: cors: AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj lifecycle: AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj + mfa: HV9h4zbp7Dti2VXef2oFSsBSRyJUR6NfMeswuv12fjZu + +# Public keys of known IAM services +iam_services: + - 02b3622bf4017bdfe317c58aed5f4c753f206b7db896046fa7d774bbc4bf7f8dc2 + - 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf + - 031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a # Multinet properties multinet: diff --git a/creds/accessbox/accessbox.pb.go b/creds/accessbox/accessbox.pb.go index 0dc9be37..c8d37eeb 100644 --- a/creds/accessbox/accessbox.pb.go +++ b/creds/accessbox/accessbox.pb.go @@ -330,7 +330,7 @@ func file_creds_accessbox_accessbox_proto_rawDescGZIP() []byte { } var file_creds_accessbox_accessbox_proto_msgTypes = make([]protoimpl.MessageInfo, 4) -var file_creds_accessbox_accessbox_proto_goTypes = []any{ +var file_creds_accessbox_accessbox_proto_goTypes = []interface{}{ (*AccessBox)(nil), // 0: accessbox.AccessBox (*Tokens)(nil), // 1: accessbox.Tokens (*AccessBox_Gate)(nil), // 2: accessbox.AccessBox.Gate @@ -352,7 +352,7 @@ func file_creds_accessbox_accessbox_proto_init() { return } if !protoimpl.UnsafeEnabled { - file_creds_accessbox_accessbox_proto_msgTypes[0].Exporter = func(v any, i int) any { + file_creds_accessbox_accessbox_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*AccessBox); i { case 0: return &v.state @@ -364,7 +364,7 @@ func file_creds_accessbox_accessbox_proto_init() { return nil } } - file_creds_accessbox_accessbox_proto_msgTypes[1].Exporter = func(v any, i int) any { + file_creds_accessbox_accessbox_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Tokens); i { case 0: return &v.state @@ -376,7 +376,7 @@ func file_creds_accessbox_accessbox_proto_init() { return nil } } - file_creds_accessbox_accessbox_proto_msgTypes[2].Exporter = func(v any, i int) any { + file_creds_accessbox_accessbox_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*AccessBox_Gate); i { case 0: return &v.state @@ -388,7 +388,7 @@ func file_creds_accessbox_accessbox_proto_init() { return nil } } - file_creds_accessbox_accessbox_proto_msgTypes[3].Exporter = func(v any, i int) any { + file_creds_accessbox_accessbox_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*AccessBox_ContainerPolicy); i { case 0: return &v.state diff --git a/docs/configuration.md b/docs/configuration.md index 42d5e021..e9c00d62 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -230,6 +230,11 @@ allowed_access_key_id_prefixes: reconnect_interval: 1m source_ip_header: "Source-Ip" + +iam_services: + - 02b3622bf4017bdfe317c58aed5f4c753f206b7db896046fa7d774bbc4bf7f8dc2 + - 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf + - 031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a ``` | Parameter | Type | SIGHUP reload | Default value | Description | @@ -248,6 +253,7 @@ source_ip_header: "Source-Ip" | `allowed_access_key_id_prefixes` | `[]string` | no | | List of allowed `AccessKeyID` prefixes which S3 GW serve. If the parameter is omitted, all `AccessKeyID` will be accepted. | | `reconnect_interval` | `duration` | no | `1m` | Listeners reconnection interval. | | `source_ip_header` | `string` | yes | | Custom header to retrieve Source IP. | +| `iam_services` | `[]string` | no | | List of public keys of know IAM services. | ### `wallet` section @@ -857,6 +863,7 @@ containers: cors: AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj lifecycle: AZjLTXfK4vs4ovxMic2xEJKSymMNLqdwq9JT64ASFCRj accessbox: ExnA1gSY3kzgomi2wJxNyWo1ytWv9VAKXRE55fNXEPL2 + mfa: HV9h4zbp7Dti2VXef2oFSsBSRyJUR6NfMeswuv12fjZu ``` | Parameter | Type | SIGHUP reload | Default value | Description | @@ -864,6 +871,7 @@ containers: | `cors` | `string` | no | | Container name for CORS configurations. If not set, container of the bucket is used. | | `lifecycle` | `string` | no | | Container name for lifecycle configurations. If not set, container of the bucket is used. | | `accessbox` | `string` | no | | Container name to lookup accessbox if custom aws credentials is used. If not set, custom credentials are not supported. | +| `mfa` | `string` | no | | Container name for virtual MFA devices. If not set, MFADeleteBucket are not supported. | # `vhs` section diff --git a/go.mod b/go.mod index 797656ac..07e9bcd6 100644 --- a/go.mod +++ b/go.mod @@ -4,11 +4,12 @@ go 1.22 require ( git.frostfs.info/TrueCloudLab/frostfs-contract v0.20.1-0.20241022094040-5f956751d48b - git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241112082307-f17779933e88 + git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241210155057-ec6f88033795 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250130095343-593dd77d841a git.frostfs.info/TrueCloudLab/multinet v0.0.0-20241015075604-6cb0d80e0972 git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240822104152-a3bc3099bd5b git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02 + git.frostfs.info/pogpp/mfa v0.0.0-20250218131940-8276d0a0f422 github.com/aws/aws-sdk-go-v2 v1.34.0 github.com/aws/aws-sdk-go-v2/config v1.27.32 github.com/aws/aws-sdk-go-v2/credentials v1.17.31 @@ -21,25 +22,26 @@ require ( github.com/mr-tron/base58 v1.2.0 github.com/nspcc-dev/neo-go v0.106.3 github.com/panjf2000/ants/v2 v2.5.0 - github.com/prometheus/client_golang v1.19.0 - github.com/prometheus/client_model v0.5.0 + github.com/pquerna/otp v1.4.0 + github.com/prometheus/client_golang v1.20.2 + github.com/prometheus/client_model v0.6.1 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/spf13/viper v1.15.0 github.com/ssgreg/journald v1.0.0 github.com/stretchr/testify v1.9.0 github.com/trailofbits/go-fuzz-utils v0.0.0-20230413173806-58c38daa3cb4 - github.com/urfave/cli/v2 v2.27.2 + github.com/urfave/cli/v2 v2.27.4 go.opentelemetry.io/otel v1.31.0 go.opentelemetry.io/otel/trace v1.31.0 go.uber.org/zap v1.27.0 golang.org/x/crypto v0.31.0 - golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 + golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 golang.org/x/net v0.30.0 golang.org/x/sys v0.28.0 golang.org/x/text v0.21.0 google.golang.org/grpc v1.69.2 - google.golang.org/protobuf v1.36.1 + google.golang.org/protobuf v1.36.4 gopkg.in/natefinch/lumberjack.v2 v2.2.1 ) @@ -64,23 +66,25 @@ require ( github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.6 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.30.6 // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect + github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/golang/snappy v0.0.1 // indirect - github.com/gorilla/websocket v1.5.1 // indirect + github.com/gorilla/websocket v1.5.3 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/hashicorp/hcl v1.0.0 // indirect - github.com/holiman/uint256 v1.2.4 // indirect + github.com/holiman/uint256 v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/ipfs/go-cid v0.0.7 // indirect github.com/josharian/intern v1.0.0 // indirect + github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/cpuid/v2 v2.2.6 // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect @@ -92,14 +96,15 @@ require ( github.com/multiformats/go-multibase v0.2.0 // indirect github.com/multiformats/go-multihash v0.2.3 // indirect github.com/multiformats/go-varint v0.0.7 // indirect - github.com/nspcc-dev/go-ordered-json v0.0.0-20240301084351-0246b013f8b2 // indirect - github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20240727093519-1a48f1ce43ec // indirect - github.com/nspcc-dev/rfc6979 v0.2.1 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/nspcc-dev/go-ordered-json v0.0.0-20240830112754-291b000d1f3b // indirect + github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20241212130705-ea0a6114d2d6 // indirect + github.com/nspcc-dev/rfc6979 v0.2.3 // indirect github.com/pelletier/go-toml/v2 v2.0.6 // indirect github.com/pierrec/lz4 v2.6.1+incompatible // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/prometheus/common v0.48.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/spaolacci/murmur3 v1.1.0 // indirect github.com/spf13/afero v1.9.3 // indirect @@ -108,8 +113,8 @@ require ( github.com/subosito/gotenv v1.4.2 // indirect github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 // indirect github.com/twmb/murmur3 v1.1.8 // indirect - github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect - go.etcd.io/bbolt v1.3.9 // indirect + github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect + go.etcd.io/bbolt v1.3.11 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.28.0 // indirect diff --git a/go.sum b/go.sum index 3cccb9c3..0f61be87 100644 --- a/go.sum +++ b/go.sum @@ -40,8 +40,8 @@ git.frostfs.info/TrueCloudLab/frostfs-contract v0.20.1-0.20241022094040-5f956751 git.frostfs.info/TrueCloudLab/frostfs-contract v0.20.1-0.20241022094040-5f956751d48b/go.mod h1:5fSm/l5xSjGWqsPUffSdboiGFUHa7y/1S0fvxzQowN8= git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk= git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU= -git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241112082307-f17779933e88 h1:9bvBDLApbbO5sXBKdODpE9tzy3HV99nXxkDWNn22rdI= -git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241112082307-f17779933e88/go.mod h1:kbwB4v2o6RyOfCo9kEFeUDZIX3LKhmS0yXPrtvzkQ1g= +git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241210155057-ec6f88033795 h1:pYKLvVL9N7/613LnVaAU4cKnyVpjVX3dNyMIjN7fHCA= +git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241210155057-ec6f88033795/go.mod h1:kbwB4v2o6RyOfCo9kEFeUDZIX3LKhmS0yXPrtvzkQ1g= git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250130095343-593dd77d841a h1:Ud+3zz4WP9HPxEQxDPJZPpiPdm30nDNSKucsWP9L54M= git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250130095343-593dd77d841a/go.mod h1:aQpPWfG8oyfJ2X+FenPTJpSRWZjwcP5/RAtkW+/VEX8= git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc= @@ -56,6 +56,8 @@ git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjq git.frostfs.info/TrueCloudLab/tzhash v1.8.0/go.mod h1:dhY+oy274hV8wGvGL4MwwMpdL3GYvaX1a8GQZQHvlF8= git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02 h1:HeY8n27VyPRQe49l/fzyVMkWEB2fsLJYKp64pwA7tz4= git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02/go.mod h1:rQFJJdEOV7KbbMtQYR2lNfiZk+ONRDJSbMCTWxKt8Fw= +git.frostfs.info/pogpp/mfa v0.0.0-20250218131940-8276d0a0f422 h1:hlosvbK58mGvqZQaOiczizrp2Mc02ZslbZ6zcBsjGTQ= +git.frostfs.info/pogpp/mfa v0.0.0-20250218131940-8276d0a0f422/go.mod h1:Sgy1rVN/AkpZI2xfzQLjkTWjR1qVoCIxxAvxv8svKdg= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/VictoriaMetrics/easyproto v0.1.4 h1:r8cNvo8o6sR4QShBXQd1bKw/VVLSQma/V2KhTBPf+Sc= @@ -104,6 +106,8 @@ github.com/bits-and-blooms/bitset v1.8.0 h1:FD+XqgOZDUxxZ8hzoBFuV9+cGWY9CslN6d5M github.com/bits-and-blooms/bitset v1.8.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw= github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -125,8 +129,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -211,8 +215,8 @@ github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= -github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= -github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= +github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= +github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= @@ -221,8 +225,8 @@ github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/holiman/uint256 v1.2.4 h1:jUc4Nk8fm9jZabQuqr2JzednajVmBpC+oiTiXZJEApU= -github.com/holiman/uint256 v1.2.4/go.mod h1:EOMSn4q6Nyt9P6efbI3bueV4e1b3dGlUCXeiRV4ng7E= +github.com/holiman/uint256 v1.3.1 h1:JfTzmih28bittyHM8z360dCjIA9dbPIBlcTI6lmctQs= +github.com/holiman/uint256 v1.3.1/go.mod h1:EOMSn4q6Nyt9P6efbI3bueV4e1b3dGlUCXeiRV4ng7E= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= @@ -235,6 +239,8 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc= github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= @@ -245,6 +251,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= @@ -280,16 +288,18 @@ github.com/multiformats/go-multihash v0.2.3/go.mod h1:dXgKXCXjBzdscBLk9JkjINiEsC github.com/multiformats/go-varint v0.0.5/go.mod h1:3Ls8CIEsrijN6+B7PbrXRPxHRPuXSrVKRY101jdMZYE= github.com/multiformats/go-varint v0.0.7 h1:sWSGR+f/eu5ABZA2ZpYKBILXTTs9JWpdEM/nEGOHFS8= github.com/multiformats/go-varint v0.0.7/go.mod h1:r8PUYw/fD/SjBCiKOoDlGF6QawOELpZAu9eioSos/OU= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/nspcc-dev/dbft v0.2.0 h1:sDwsQES600OSIMncV176t2SX5OvB14lzeOAyKFOkbMI= github.com/nspcc-dev/dbft v0.2.0/go.mod h1:oFE6paSC/yfFh9mcNU6MheMGOYXK9+sPiRk3YMoz49o= -github.com/nspcc-dev/go-ordered-json v0.0.0-20240301084351-0246b013f8b2 h1:mD9hU3v+zJcnHAVmHnZKt3I++tvn30gBj2rP2PocZMk= -github.com/nspcc-dev/go-ordered-json v0.0.0-20240301084351-0246b013f8b2/go.mod h1:U5VfmPNM88P4RORFb6KSUVBdJBDhlqggJZYGXGPxOcc= +github.com/nspcc-dev/go-ordered-json v0.0.0-20240830112754-291b000d1f3b h1:DRG4cRqIOmI/nUPggMgR92Jxt63Lxsuz40m5QpdvYXI= +github.com/nspcc-dev/go-ordered-json v0.0.0-20240830112754-291b000d1f3b/go.mod h1:d3cUseu4Asxfo9/QA/w4TtGjM0AbC9ynyab+PfH+Bso= github.com/nspcc-dev/neo-go v0.106.3 h1:HEyhgkjQY+HfBzotMJ12xx2VuOUphkngZ4kEkjvXDtE= github.com/nspcc-dev/neo-go v0.106.3/go.mod h1:3vEwJ2ld12N7HRGCaH/l/7EwopplC/+8XdIdPDNmD/M= -github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20240727093519-1a48f1ce43ec h1:vDrbVXF2+2uP0RlkZmem3QYATcXCu9BzzGGCNsNcK7Q= -github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20240727093519-1a48f1ce43ec/go.mod h1:/vrbWSHc7YS1KSYhVOyyeucXW/e+1DkVBOgnBEXUCeY= -github.com/nspcc-dev/rfc6979 v0.2.1 h1:8wWxkamHWFmO790GsewSoKUSJjVnL1fmdRpokU/RgRM= -github.com/nspcc-dev/rfc6979 v0.2.1/go.mod h1:Tk7h5kyUWkhjyO3zUgFFhy1v2vQv3BvQEntakdtqrWc= +github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20241212130705-ea0a6114d2d6 h1:rTnsU+Y/bP1bLN/SNWmOKEexmSeniMQe5bOJxXNbXgg= +github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20241212130705-ea0a6114d2d6/go.mod h1:kVLzmbeJJdbIPF2bUYhD8YppIiLXnRQj5yqNZvzbOL0= +github.com/nspcc-dev/rfc6979 v0.2.3 h1:QNVykGZ3XjFwM/88rGfV3oj4rKNBy+nYI6jM7q19hDI= +github.com/nspcc-dev/rfc6979 v0.2.3/go.mod h1:q3sCL1Ed7homjqYK8KmFSzEmm+7Ngyo7PePbZanhaDE= github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= @@ -309,15 +319,17 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= -github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= +github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg= +github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= +github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= -github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE= -github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= @@ -345,6 +357,7 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= @@ -361,16 +374,16 @@ github.com/trailofbits/go-fuzz-utils v0.0.0-20230413173806-58c38daa3cb4 h1:GpfJ7 github.com/trailofbits/go-fuzz-utils v0.0.0-20230413173806-58c38daa3cb4/go.mod h1:f3jBhpWvuZmue0HZK52GzRHJOYHYSILs/c8+K2S/J+o= github.com/twmb/murmur3 v1.1.8 h1:8Yt9taO/WN3l08xErzjeschgZU2QSrwm1kclYq+0aRg= github.com/twmb/murmur3 v1.1.8/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ= -github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI= -github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM= -github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw= -github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk= +github.com/urfave/cli/v2 v2.27.4 h1:o1owoI+02Eb+K107p27wEX9Bb8eqIoZCfLXloLUSWJ8= +github.com/urfave/cli/v2 v2.27.4/go.mod h1:m4QzxcD2qpra4z7WhzEGn74WZLViBnMpb1ToCAKdGRQ= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI= -go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE= +go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0= +go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= @@ -422,8 +435,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= -golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= @@ -447,8 +460,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -612,8 +625,8 @@ golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -714,8 +727,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= -google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM= +google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= diff --git a/internal/frostfs/mfa.go b/internal/frostfs/mfa.go new file mode 100644 index 00000000..655e3de4 --- /dev/null +++ b/internal/frostfs/mfa.go @@ -0,0 +1,429 @@ +package frostfs + +import ( + "bytes" + "context" + "errors" + "fmt" + "io" + "strings" + + "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs" + "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware" + "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs" + apitree "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/tree" + cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" + oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" + "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool" + treepool "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool/tree" + "git.frostfs.info/pogpp/mfa" + "github.com/nspcc-dev/neo-go/pkg/crypto/keys" + "go.uber.org/zap" +) + +// MFAFrostFS is a mediator which implements mfa.Storage through pool.Pool and treepool.Pool. +type MFAFrostFS struct { + frostFS *FrostFS + treePool *treepool.Pool + log *zap.Logger +} + +func (m *MFAFrostFS) CreateObject(ctx context.Context, create mfa.PrmObjectCreate) (oid.ID, error) { + object, err := m.frostFS.CreateObject(ctx, frostfs.PrmObjectCreate{ + Container: create.Container, + Payload: bytes.NewReader(create.Payload), + Filepath: create.FilePath, + PayloadSize: uint64(len(create.Payload)), + WithoutHomomorphicHash: true, + }) + if err != nil { + return [32]byte{}, err + } + return object.ObjectID, nil +} + +func (m *MFAFrostFS) DeleteObject(ctx context.Context, address oid.Address) error { + prm := frostfs.PrmObjectDelete{ + Container: address.Container(), + Object: address.Object(), + } + + return m.frostFS.DeleteObject(ctx, prm) +} + +func (m *MFAFrostFS) SetTreeNode(ctx context.Context, cnrID cid.ID, name string, meta map[string]string) (*mfa.TreeMultiNode, error) { + if len(name) == 0 { + return nil, errors.New("tree node name must not be empty") + } + + path := pathFromName(name) + meta[fileNameKey] = path[len(path)-1] + + multiNode, err := m.getTreeNode(ctx, cnrID, path) + isErrNotFound := errors.Is(err, mfa.ErrTreeNodeNotFound) + if err != nil && !isErrNotFound { + return nil, fmt.Errorf("couldn't get node to check: %w", err) + } + + if isErrNotFound { + prmAdd := treepool.AddNodeByPathParams{ + CID: cnrID, + TreeID: mfaTreeName, + Path: path[:len(path)-1], + Meta: meta, + PathAttribute: fileNameKey, + } + + if _, err = m.treePool.AddNodeByPath(ctx, prmAdd); err != nil { + return nil, fmt.Errorf("add node by path: %w", err) + } + + return &mfa.TreeMultiNode{Current: mfa.TreeNode{Meta: meta}}, nil + } + + node := multiNode.Latest() + prmMove := treepool.MoveNodeParams{ + CID: cnrID, + TreeID: mfaTreeName, + NodeID: node.ID, + ParentID: node.ParentID, + Meta: meta, + } + + if err = m.treePool.MoveNode(ctx, prmMove); err != nil { + return nil, fmt.Errorf("move node: %w", err) + } + + mfaMultiNode := &mfa.TreeMultiNode{Current: mfa.TreeNode{Meta: meta}} + for _, old := range m.cleanOldNodes(ctx, multiNode.Old(), cnrID) { + mfaMultiNode.Old = append(mfaMultiNode.Old, &mfa.TreeNode{Meta: old.Meta}) + } + + return mfaMultiNode, nil +} + +func (m *MFAFrostFS) GetTreeNode(ctx context.Context, cnrID cid.ID, name string) (*mfa.TreeMultiNode, error) { + multiNode, err := m.getTreeNode(ctx, cnrID, pathFromName(name)) + if err != nil { + return nil, fmt.Errorf("couldn't get node: %w", err) + } + + return multiNode.ToMFAMultiNode(), nil +} + +func (m *MFAFrostFS) DeleteTreeNode(ctx context.Context, cnrID cid.ID, name string) ([]*mfa.TreeNode, error) { + multiNode, err := m.getTreeNode(ctx, cnrID, pathFromName(name)) + if err != nil { + return nil, fmt.Errorf("couldn't get node: %w", err) + } + + res := make([]*mfa.TreeNode, 0, len(multiNode.nodes)) + for _, node := range m.cleanOldNodes(ctx, multiNode.nodes, cnrID) { + res = append(res, &mfa.TreeNode{Meta: node.Meta}) + } + + if len(res) != len(multiNode.nodes) { + return res, fmt.Errorf("couldn't remove all mfa multi nodes '%s'", name) + } + + return res, nil +} + +func (m *MFAFrostFS) GetTreeNodes(ctx context.Context, cnrID cid.ID, prefix string) ([]*mfa.TreeNode, error) { + rootID := []uint64{0} + if len(prefix) != 0 { + var err error + rootID, err = m.getPrefixNodeID(ctx, cnrID, pathFromName(prefix)) + if err != nil { + if errors.Is(err, mfa.ErrTreeNodeNotFound) { + return nil, nil + } + return nil, err + } + } + + prm := treepool.GetSubTreeParams{ + CID: cnrID, + TreeID: mfaTreeName, + RootID: rootID, + } + + subTreeCli, err := m.treePool.GetSubTree(ctx, prm) // todo use streaming https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/issues/561 + if err != nil { + return nil, err + } + + allNodes, err := subTreeCli.ReadAll() + if err != nil { + return nil, err + } + + unique := filterUnique(allNodes) + res := make([]*mfa.TreeNode, 0, len(unique)) + for _, v := range unique { + if isIntermediate(v.GetMeta()) { + continue + } + meta := make(map[string]string, len(v.GetMeta())) + for _, kv := range v.GetMeta() { + meta[kv.GetKey()] = string(kv.GetValue()) + } + res = append(res, &mfa.TreeNode{Meta: meta}) + } + + return res, nil +} + +func filterUnique(allNodes []*apitree.GetSubTreeResponseBody) map[string]*apitree.GetSubTreeResponseBody { + res := make(map[string]*apitree.GetSubTreeResponseBody, len(allNodes)) + for _, node := range allNodes { + var name string + for _, kv := range node.GetMeta() { + if kv.GetKey() == fileNameKey { + name = string(kv.GetValue()) + } + } + + data, ok := res[name] + if !ok || getMaxTimestamp(data.GetTimestamp()) < getMaxTimestamp(node.GetTimestamp()) { + res[name] = node + } + } + + return res +} + +func getMaxTimestamp(timestamps []uint64) uint64 { + var maxTimestamp uint64 + + for _, timestamp := range timestamps { + if timestamp > maxTimestamp { + maxTimestamp = timestamp + } + } + + return maxTimestamp +} + +type MFAFrostFSConfig struct { + Pool *pool.Pool + TreePool *treepool.Pool + Key *keys.PrivateKey + Logger *zap.Logger +} + +type treeNode struct { + ID uint64 + ParentID uint64 + TimeStamp uint64 + Meta map[string]string +} + +type multiSystemNode struct { + // the first element is latest + nodes []*treeNode +} + +const ( + fileNameKey = "FileName" + mfaTreeName = "mfa" +) + +// NewMFAFrostFS creates new MFAFrostFS using provided pool.Pool. +func NewMFAFrostFS(cfg MFAFrostFSConfig) *MFAFrostFS { + return &MFAFrostFS{ + frostFS: NewFrostFS(cfg.Pool, cfg.Key), + treePool: cfg.TreePool, + log: cfg.Logger, + } +} + +func (m *MFAFrostFS) GetObject(ctx context.Context, addr oid.Address) ([]byte, error) { + res, err := m.frostFS.GetObject(ctx, frostfs.PrmObjectGet{ + Container: addr.Container(), + Object: addr.Object(), + }) + if err != nil { + return nil, err + } + + defer func() { + if closeErr := res.Payload.Close(); closeErr != nil { + middleware.GetReqLog(ctx).Warn(logs.CloseMFAObjectPayload, zap.Error(closeErr)) + } + }() + + return io.ReadAll(res.Payload) +} + +func (m *MFAFrostFS) getTreeNode(ctx context.Context, cnrID cid.ID, path []string) (*multiSystemNode, error) { + prmGetNodes := treepool.GetNodesParams{ + CID: cnrID, + TreeID: mfaTreeName, + Path: path, + PathAttribute: fileNameKey, + LatestOnly: true, + AllAttrs: true, + } + + nodes, err := m.treePool.GetNodes(ctx, prmGetNodes) + if err != nil { + if errors.Is(err, treepool.ErrNodeNotFound) { + return nil, fmt.Errorf("%s: %s", "mfa.ErrTreeNodeNotFound", err.Error()) + // return nil, fmt.Errorf("%w: %s", mfa.ErrTreeNodeNotFound, err.Error()) + } + return nil, fmt.Errorf("get nodes: %w", err) + } + + if len(nodes) == 0 { + return nil, mfa.ErrTreeNodeNotFound + } + if len(nodes) != 1 { + m.log.Warn(logs.FoundMultiNode, zap.Strings("path", path)) + } + + return newMultiNode(nodes) +} + +func (m *MFAFrostFS) cleanOldNodes(ctx context.Context, nodes []*treeNode, cnrID cid.ID) []*treeNode { + res := make([]*treeNode, 0, len(nodes)) + + for _, node := range nodes { + if err := m.removeTreeNode(ctx, cnrID, node.ID); err != nil { + m.log.Warn(logs.FailedToRemoveOldTreeMultiNodes, zap.String("FileName", node.Meta[fileNameKey]), zap.Uint64("id", node.ID)) + } else { + res = append(res, node) + } + } + + return res +} + +func (m *MFAFrostFS) removeTreeNode(ctx context.Context, cnrID cid.ID, nodeID uint64) error { + prmRemoveNode := treepool.RemoveNodeParams{ + CID: cnrID, + TreeID: mfaTreeName, + NodeID: nodeID, + } + + err := m.treePool.RemoveNode(ctx, prmRemoveNode) + if err != nil { + if errors.Is(err, treepool.ErrNodeNotFound) { + return fmt.Errorf("%w: %s", mfa.ErrTreeNodeNotFound, err.Error()) + } + return fmt.Errorf("remove node: %w", err) + } + + return nil +} + +func (m *MFAFrostFS) getPrefixNodeID(ctx context.Context, cnrID cid.ID, prefixPath []string) ([]uint64, error) { + p := treepool.GetNodesParams{ + CID: cnrID, + TreeID: mfaTreeName, + Path: prefixPath, + LatestOnly: false, + AllAttrs: true, + } + + nodes, err := m.treePool.GetNodes(ctx, p) + if err != nil { + if errors.Is(err, treepool.ErrNodeNotFound) { + return nil, fmt.Errorf("%w: %s", mfa.ErrTreeNodeNotFound, err.Error()) + } + return nil, err + } + + var intermediateNodes []uint64 + for _, node := range nodes { + if isIntermediate(node.GetMeta()) { + intermediateNodes = append(intermediateNodes, node.GetNodeID()) + } + } + + if len(intermediateNodes) == 0 { + return nil, treepool.ErrNodeNotFound + } + + return intermediateNodes, nil +} + +func isIntermediate(meta []*apitree.KeyValue) bool { + if len(meta) != 1 { + return false + } + + return meta[0].GetKey() == fileNameKey +} + +func newMultiNode(nodes []*apitree.GetNodeByPathResponseInfo) (*multiSystemNode, error) { + var ( + err error + index int + maxTimestamp uint64 + ) + + if len(nodes) == 0 { + return nil, errors.New("multi node must have at least one node") + } + + treeNodes := make([]*treeNode, len(nodes)) + + for i, node := range nodes { + if treeNodes[i] = newTreeNode(node); err != nil { + return nil, fmt.Errorf("parse tree node response: %w", err) + } + + if maxTimestamp < node.GetTimestamp() { + index = i + maxTimestamp = node.GetTimestamp() + } + } + + treeNodes[0], treeNodes[index] = treeNodes[index], treeNodes[0] + + return &multiSystemNode{ + nodes: treeNodes, + }, nil +} + +func (m *multiSystemNode) ToMFAMultiNode() *mfa.TreeMultiNode { + res := &mfa.TreeMultiNode{ + Current: mfa.TreeNode{Meta: m.nodes[0].Meta}, + Old: make([]*mfa.TreeNode, len(m.nodes[1:])), + } + + for i, node := range m.nodes[1:] { + res.Old[i] = &mfa.TreeNode{Meta: node.Meta} + } + + return res +} + +func newTreeNode(nodeInfo *apitree.GetNodeByPathResponseInfo) *treeNode { + tNode := &treeNode{ + ID: nodeInfo.GetNodeID(), + ParentID: nodeInfo.GetParentID(), + TimeStamp: nodeInfo.GetTimestamp(), + Meta: make(map[string]string, len(nodeInfo.GetMeta())), + } + + for _, kv := range nodeInfo.GetMeta() { + tNode.Meta[kv.GetKey()] = string(kv.GetValue()) + } + + return tNode +} + +func (m *multiSystemNode) Old() []*treeNode { + return m.nodes[1:] +} + +func (m *multiSystemNode) Latest() *treeNode { + return m.nodes[0] +} + +// pathFromName splits name by '/'. +func pathFromName(name string) []string { + return strings.Split(name, "/") +} diff --git a/internal/logs/logs.go b/internal/logs/logs.go index 539d28b3..a27e2aaa 100644 --- a/internal/logs/logs.go +++ b/internal/logs/logs.go @@ -125,6 +125,8 @@ const ( FailedToParseAddressInTreeNode = "failed to parse object addr in tree node" UnexpectedMultiNodeIDsInSubTreeMultiParts = "unexpected multi node ids in sub tree multi parts" FoundSeveralSystemNodes = "found several system nodes" + CouldNotFetchMFAContainerInfo = "couldn't fetch mfa container info" + CouldNotInitMFAClient = "couldn't init MFA client" BucketLifecycleNodeHasMultipleIDs = "bucket lifecycle node has multiple ids" UploadPart = "upload part" FailedToSubmitTaskToPool = "failed to submit task to pool" @@ -228,3 +230,10 @@ const ( FailedToReadHTTPBody = "failed to read http body" FailedToProcessHTTPBody = "failed to process http body" ) + +// IAM Logs. +const ( + FoundMultiNode = "found multi node" + CloseMFAObjectPayload = "close MFA object payload" + FailedToRemoveOldTreeMultiNodes = "failed to remove old tree multi nodes" +) diff --git a/internal/unlocker/unlocker.go b/internal/unlocker/unlocker.go new file mode 100644 index 00000000..b7f268ef --- /dev/null +++ b/internal/unlocker/unlocker.go @@ -0,0 +1,25 @@ +package unlocker + +import ( + "github.com/nspcc-dev/neo-go/pkg/crypto/keys" +) + +type Unlocker struct { + appKey *keys.PrivateKey + iamKeys []*keys.PublicKey +} + +func NewUnlocker(key *keys.PrivateKey, pubKeys []*keys.PublicKey) Unlocker { + return Unlocker{ + appKey: key, + iamKeys: pubKeys, + } +} + +func (u Unlocker) PrivateKey() *keys.PrivateKey { + return u.appKey +} + +func (u Unlocker) PublicKeys() []*keys.PublicKey { + return u.iamKeys +} diff --git a/pkg/service/tree/tree.go b/pkg/service/tree/tree.go index e9e6d216..7b316b5a 100644 --- a/pkg/service/tree/tree.go +++ b/pkg/service/tree/tree.go @@ -89,6 +89,8 @@ var ( const ( versioningKV = "Versioning" + mfaDeleteEnabledKV = "MFADelete" + mfaSerialNumberKV = "SerialNumber" cannedACLKV = "cannedACL" ownerKeyKV = "ownerKey" lockConfigurationKV = "LockConfiguration" @@ -500,9 +502,20 @@ func (c *Tree) GetSettingsNode(ctx context.Context, bktInfo *data.BucketInfo) (* node := multiNode.Latest() - settings := &data.BucketSettings{Versioning: data.VersioningUnversioned} + settings := &data.BucketSettings{Versioning: data.Versioning{ + VersioningStatus: data.VersioningUnversioned, + MFADeleteStatus: data.MFADeleteDisabled, + }} if versioningValue, ok := node.Get(versioningKV); ok { - settings.Versioning = versioningValue + settings.Versioning.VersioningStatus = versioningValue + } + if mfaDeleteValue, ok := node.Get(mfaDeleteEnabledKV); ok { + settings.Versioning.MFADeleteStatus = mfaDeleteValue + if settings.MFADeleteEnabled() { + if mfaSerialNumberValue, ok := node.Get(mfaSerialNumberKV); ok { + settings.Versioning.MFASerialNumber = mfaSerialNumberValue + } + } } if lockConfigurationValue, ok := node.Get(lockConfigurationKV); ok { @@ -1795,7 +1808,8 @@ func metaFromSettings(settings *data.BucketSettings) map[string]string { results := make(map[string]string, 3) results[FileNameKey] = settingsFileName - results[versioningKV] = settings.Versioning + results[versioningKV] = settings.Versioning.VersioningStatus + results[mfaDeleteEnabledKV] = settings.Versioning.MFADeleteStatus results[lockConfigurationKV] = encodeLockConfiguration(settings.LockConfiguration) results[cannedACLKV] = settings.CannedACL if settings.OwnerKey != nil { diff --git a/pkg/service/tree/tree_test.go b/pkg/service/tree/tree_test.go index 5b7b6656..e4af5d36 100644 --- a/pkg/service/tree/tree_test.go +++ b/pkg/service/tree/tree_test.go @@ -119,7 +119,10 @@ func TestTreeServiceSettings(t *testing.T) { require.NoError(t, err) settings := &data.BucketSettings{ - Versioning: "Versioning", + Versioning: data.Versioning{ + VersioningStatus: data.VersioningEnabled, + MFADeleteStatus: data.MFADeleteDisabled, + }, LockConfiguration: &data.ObjectLockConfiguration{ ObjectLockEnabled: "Enabled", Rule: &data.ObjectLockRule{