Compare commits

...

3 commits

Author SHA1 Message Date
Alex Vanin
a1e17ea1f2 [#193] pool: Return copy of session token in cache
To avoid side effects after token re-sign.

Signed-off-by: Alex Vanin <alexey@nspcc.ru>

(cherry picked from commit 2104945f9e)
2022-04-06 12:13:00 +03:00
Alex Vanin
129012748e [#193] pool: Add test to check side effects in token cache
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
(cherry picked from commit f38a24e8b5)
2022-04-06 12:12:52 +03:00
Denis Kirillov
0367c83f5a [#191] pool: use bearer token
Signed-off-by: Denis Kirillov <denis@nspcc.ru>
2022-04-06 10:32:01 +03:00
4 changed files with 119 additions and 1 deletions

View file

@ -26,6 +26,9 @@ func NewCache() (*SessionCache, error) {
return &SessionCache{cache: cache}, nil return &SessionCache{cache: cache}, nil
} }
// Get returns a copy of the session token from the cache without signature
// and context related fields. Returns nil if token is missing in the cache.
// It is safe to modify and re-sign returned session token.
func (c *SessionCache) Get(key string) *session.Token { func (c *SessionCache) Get(key string) *session.Token {
valueRaw, ok := c.cache.Get(key) valueRaw, ok := c.cache.Get(key)
if !ok { if !ok {
@ -35,7 +38,13 @@ func (c *SessionCache) Get(key string) *session.Token {
value := valueRaw.(*cacheValue) value := valueRaw.(*cacheValue)
value.atime = time.Now() value.atime = time.Now()
return value.token if value.token == nil {
return nil
}
res := copySessionTokenWithoutSignatureAndContext(*value.token)
return &res
} }
func (c *SessionCache) GetAccessTime(key string) (time.Time, bool) { func (c *SessionCache) GetAccessTime(key string) (time.Time, bool) {

View file

@ -4,6 +4,9 @@ import (
"testing" "testing"
"time" "time"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neofs-sdk-go/session"
sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
@ -29,3 +32,32 @@ func TestSessionCache_GetAccessTime(t *testing.T) {
require.True(t, ok) require.True(t, ok)
require.NotEqual(t, t1, t3) require.NotEqual(t, t1, t3)
} }
func TestSessionCache_GetUnmodifiedToken(t *testing.T) {
const key = "Foo"
target := sessiontest.Token()
pk, err := keys.NewPrivateKey()
require.NoError(t, err)
check := func(t *testing.T, tok *session.Token, extra string) {
require.Empty(t, tok.Signature().Sign(), extra)
require.Nil(t, tok.Context(), extra)
}
cache, err := NewCache()
require.NoError(t, err)
cache.Put(key, target)
value := cache.Get(key)
check(t, value, "before sign")
err = value.Sign(&pk.PrivateKey)
require.NoError(t, err)
octx := sessiontest.ObjectContext()
value.SetContext(octx)
value = cache.Get(key)
check(t, value, "after sign")
}

View file

@ -807,6 +807,10 @@ func (p *Pool) DeleteObject(ctx context.Context, addr address.Address, opts ...C
prm.ByID(*obj) prm.ByID(*obj)
} }
if cfg.btoken != nil {
prm.WithBearerToken(*cfg.btoken)
}
prm.UseKey(*cc.key) prm.UseKey(*cc.key)
return p.callWithRetry(&cc, func() error { return p.callWithRetry(&cc, func() error {
@ -862,6 +866,10 @@ func (p *Pool) GetObject(ctx context.Context, addr address.Address, opts ...Call
prm.ByID(*obj) prm.ByID(*obj)
} }
if cfg.btoken != nil {
prm.WithBearerToken(*cfg.btoken)
}
var res ResGetObject var res ResGetObject
err = p.callWithRetry(&cc, func() error { err = p.callWithRetry(&cc, func() error {
@ -914,6 +922,10 @@ func (p *Pool) HeadObject(ctx context.Context, addr address.Address, opts ...Cal
prm.ByID(*obj) prm.ByID(*obj)
} }
if cfg.btoken != nil {
prm.WithBearerToken(*cfg.btoken)
}
prm.UseKey(*cc.key) prm.UseKey(*cc.key)
var obj object.Object var obj object.Object
@ -979,6 +991,10 @@ func (p *Pool) ObjectRange(ctx context.Context, addr address.Address, off, ln ui
prm.ByID(*obj) prm.ByID(*obj)
} }
if cfg.btoken != nil {
prm.WithBearerToken(*cfg.btoken)
}
var res ResObjectRange var res ResObjectRange
err = p.callWithRetry(&cc, func() error { err = p.callWithRetry(&cc, func() error {
@ -1037,6 +1053,10 @@ func (p *Pool) SearchObjects(ctx context.Context, idCnr cid.ID, filters object.S
prm.InContainer(idCnr) prm.InContainer(idCnr)
prm.SetFilters(filters) prm.SetFilters(filters)
if cfg.btoken != nil {
prm.WithBearerToken(*cfg.btoken)
}
var cc callContextWithRetry var cc callContextWithRetry
cc.Context = ctx cc.Context = ctx
@ -1277,3 +1297,30 @@ func newAddressFromCnrID(cnrID *cid.ID) *address.Address {
addr.SetContainerID(cnrID) addr.SetContainerID(cnrID)
return addr return addr
} }
func copySessionTokenWithoutSignatureAndContext(from session.Token) (to session.Token) {
to.SetIat(from.Iat())
to.SetExp(from.Exp())
to.SetNbf(from.Nbf())
sessionTokenID := make([]byte, len(from.ID()))
copy(sessionTokenID, from.ID())
to.SetID(sessionTokenID)
sessionTokenKey := make([]byte, len(from.SessionKey()))
copy(sessionTokenKey, from.SessionKey())
to.SetSessionKey(sessionTokenKey)
var sessionTokenOwner owner.ID
buf, err := from.OwnerID().Marshal()
if err != nil {
panic(err) // should never happen
}
err = sessionTokenOwner.Unmarshal(buf)
if err != nil {
panic(err) // should never happen
}
to.SetOwnerID(&sessionTokenOwner)
return to
}

View file

@ -19,6 +19,7 @@ import (
"github.com/nspcc-dev/neofs-sdk-go/object/address" "github.com/nspcc-dev/neofs-sdk-go/object/address"
"github.com/nspcc-dev/neofs-sdk-go/owner" "github.com/nspcc-dev/neofs-sdk-go/owner"
"github.com/nspcc-dev/neofs-sdk-go/session" "github.com/nspcc-dev/neofs-sdk-go/session"
sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"go.uber.org/zap" "go.uber.org/zap"
) )
@ -590,3 +591,32 @@ func TestWaitPresence(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
}) })
} }
func TestCopySessionTokenWithoutSignatureAndContext(t *testing.T) {
from := sessiontest.SignedToken()
to := copySessionTokenWithoutSignatureAndContext(*from)
require.Equal(t, from.Nbf(), to.Nbf())
require.Equal(t, from.Exp(), to.Exp())
require.Equal(t, from.Iat(), to.Iat())
require.Equal(t, from.ID(), to.ID())
require.Equal(t, from.OwnerID().String(), to.OwnerID().String())
require.Equal(t, from.SessionKey(), to.SessionKey())
require.Empty(t, to.Signature().Sign())
require.Empty(t, to.Signature().Key())
t.Run("empty object context", func(t *testing.T) {
octx := sessiontest.ObjectContext()
from.SetContext(octx)
to = copySessionTokenWithoutSignatureAndContext(*from)
require.Nil(t, to.Context())
})
t.Run("empty container context", func(t *testing.T) {
cctx := sessiontest.ContainerContext()
from.SetContext(cctx)
to = copySessionTokenWithoutSignatureAndContext(*from)
require.Nil(t, to.Context())
})
}