aarifullin/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Issues Pull requests Projects Releases Packages Wiki Activity

Upgrade NeoFS SDK Go to v1.0.0-rc.4 and NeoFS API Go to v2.12.2

Browse source 
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich 2022-06-03 17:12:55 +03:00 committed by LeL
parent c41d9c3fbe
commit 72708296cc
5 changed files with 20 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
cmd/neofs-cli/modules/bearer/create.go
View file

@ -103,10 +103,10 @@ func createToken(cmd *cobra.Command, _ []string) error {
} }
var b bearer.Token var b bearer.Token
b.SetExpiration(exp) b.SetExp(exp)
b.SetNotBefore(nvb) b.SetNbf(nvb)
b.SetIssuedAt(iat) b.SetIat(iat)
b.SetOwnerID(ownerID) b.ForUser(ownerID)
eaclPath, _ := cmd.Flags().GetString(eaclFlag) eaclPath, _ := cmd.Flags().GetString(eaclFlag)
if eaclPath != "" { if eaclPath != "" {

4
go.mod
View file

@ -17,9 +17,9 @@ require (
github.com/nspcc-dev/hrw v1.0.9 github.com/nspcc-dev/hrw v1.0.9
github.com/nspcc-dev/neo-go v0.98.3 github.com/nspcc-dev/neo-go v0.98.3
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2-0.20220530190258-c82dcf7e1610 github.com/nspcc-dev/neofs-api-go/v2 v2.12.2
github.com/nspcc-dev/neofs-contract v0.15.1 github.com/nspcc-dev/neofs-contract v0.15.1
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220531091404-82d762f536a3 github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4
github.com/nspcc-dev/tzhash v1.5.2 github.com/nspcc-dev/tzhash v1.5.2
github.com/panjf2000/ants/v2 v2.4.0 github.com/panjf2000/ants/v2 v2.4.0
github.com/paulmach/orb v0.2.2 github.com/paulmach/orb v0.2.2

BIN
go.sum
View file

Binary file not shown.

4
pkg/innerring/processors/container/common.go
View file

@ -158,10 +158,6 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error {
return fmt.Errorf("could not read current epoch: %w", err) return fmt.Errorf("could not read current epoch: %w", err)
} }
if token.ExpiredAt(curEpoch) {
return fmt.Errorf("token is expired at %d", curEpoch)
}
if token.InvalidAt(curEpoch) { if token.InvalidAt(curEpoch) {
return fmt.Errorf("token is not valid at %d", curEpoch) return fmt.Errorf("token is not valid at %d", curEpoch)
} }

34
pkg/services/object/acl/acl.go
View file

@ -14,6 +14,7 @@ import (
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2" eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2" v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2"
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/bearer" bearerSDK "github.com/nspcc-dev/neofs-sdk-go/bearer"
neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl" eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
"github.com/nspcc-dev/neofs-sdk-go/user" "github.com/nspcc-dev/neofs-sdk-go/user"
) )
@ -218,31 +219,33 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
} }
// 1. First check token lifetime. Simplest verification. // 1. First check token lifetime. Simplest verification.
if !isValidLifetime(token, st.CurrentEpoch()) { if token.InvalidAt(st.CurrentEpoch()) {
return errBearerExpired return errBearerExpired
} }
// 2. Then check if bearer token is signed correctly. // 2. Then check if bearer token is signed correctly.
if err := token.VerifySignature(); err != nil { if !token.VerifySignature() {
return errBearerInvalidSignature return errBearerInvalidSignature
} }
// 3. Then check if container owner signed this token. // 3. Then check if container owner signed this token.
issuer, ok := token.Issuer() if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
if !ok {
panic("unexpected false return from Issuer method on signed bearer token")
}
if !issuer.Equals(ownerCnr) {
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again // TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
return errBearerNotSignedByOwner return errBearerNotSignedByOwner
} }
// 4. Then check if request sender has rights to use this token. // 4. Then check if request sender has rights to use this token.
tokenOwner := token.OwnerID() var keySender neofsecdsa.PublicKey
requestSenderKey := unmarshalPublicKey(reqInfo.SenderKey())
if !isOwnerFromKey(tokenOwner, requestSenderKey) { err := keySender.Decode(reqInfo.SenderKey())
if err != nil {
return fmt.Errorf("decode sender public key: %w", err)
}
var usrSender user.ID
user.IDFromKey(&usrSender, ecdsa.PublicKey(keySender))
if !token.AssertUser(usrSender) {
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again // TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
return errBearerInvalidOwner return errBearerInvalidOwner
} }
@ -250,15 +253,6 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
return nil return nil
} }
func isValidLifetime(t *bearerSDK.Token, epoch uint64) bool {
// The "exp" (expiration time) claim identifies the expiration time on
// or after which the JWT MUST NOT be accepted for processing.
// The "nbf" (not before) claim identifies the time before which the JWT
// MUST NOT be accepted for processing
// RFC 7519 sections 4.1.4, 4.1.5
return epoch >= t.NotBefore() && epoch <= t.Expiration()
}
func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool { func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool {
if key == nil { if key == nil {
return false return false