[#57] services/object: Sign requests with session key
Use the key storage in the object services so that requests are signed with the private session key within the user session. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
parent
68178b8d74
commit
88459963fb
15 changed files with 89 additions and 65 deletions
|
@ -115,7 +115,7 @@ loop:
|
|||
}
|
||||
} else {
|
||||
header = &remoteHeader{
|
||||
key: h.key,
|
||||
keyStorage: h.keyStorage,
|
||||
node: addr,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -2,24 +2,29 @@ package headsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/client"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/core/object"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
type remoteHeader struct {
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *util.KeyStorage
|
||||
|
||||
node *network.Address
|
||||
}
|
||||
|
||||
func (h *remoteHeader) head(ctx context.Context, prm *Prm, handler func(*object.Object)) error {
|
||||
key, err := h.keyStorage.GetKey(prm.common.SessionToken())
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "(%T) could not receive private key", h)
|
||||
}
|
||||
|
||||
addr := h.node.NetAddr()
|
||||
|
||||
c, err := client.New(h.key,
|
||||
c, err := client.New(key,
|
||||
client.WithAddress(addr),
|
||||
)
|
||||
if err != nil {
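Review bot: The four lines from `key, err := h.keyStorage.GetKey(prm.common.SessionToken())` through `c, err := client.New(key,` are now repeated verbatim in head, put (remoteTarget.Close), range (remoteRangeWriter.WriteTo), rangehash (remoteHasher.hashRange) and search (remoteStream.stream); a single helper in `services/object/util` that takes the session token and the node address and returns the constructed client would keep the key lookup and its error wrapping in one place instead of five. It is not visible from this hunk what `GetKey` returns when the request carries no session token (presumably the node's own key), so a comment on the call such as `// GetKey falls back to the node key when prm carries no session token — confirm in util.KeyStorage` would make the signing identity explicit to the reader. The body of `head` continues past the end of the hunk.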
|
||||
|
@ -35,6 +40,7 @@ func (h *remoteHeader) head(ctx context.Context, prm *Prm, handler func(*object.
|
|||
|
||||
hdr, err := c.GetObjectHeader(ctx, p,
|
||||
client.WithTTL(1), // FIXME: use constant
|
||||
client.WithSession(prm.common.SessionToken()),
|
||||
)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "(%T) could not head object in %s", h, addr)
|
||||
|
|
|
@ -2,7 +2,6 @@ package headsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
|
||||
objectSDK "github.com/nspcc-dev/neofs-api-go/pkg/object"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/core/container"
|
||||
|
@ -10,6 +9,7 @@ import (
|
|||
"github.com/nspcc-dev/neofs-node/pkg/core/object"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
objutil "github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/util"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
@ -25,7 +25,7 @@ type Service struct {
|
|||
type Option func(*cfg)
|
||||
|
||||
type cfg struct {
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *objutil.KeyStorage
|
||||
|
||||
localStore *localstore.Storage
|
||||
|
||||
|
@ -92,9 +92,9 @@ func (s *Service) Head(ctx context.Context, prm *Prm) (*Response, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
func WithKey(v *ecdsa.PrivateKey) Option {
|
||||
func WithKeyStorage(v *objutil.KeyStorage) Option {
|
||||
return func(c *cfg) {
|
||||
c.key = v
|
||||
c.keyStorage = v
|
||||
}
|
||||
}
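Review bot: The exported `WithKeyStorage` option is added without a doc comment, and the same applies to its twins in putsvc, rangesvc, rangehashsvc and searchsvc; a comment starting with the name, e.g. `// WithKeyStorage returns option to set the storage of private keys used to sign requests.`, is expected for an exported identifier. Since `WithKey` is removed rather than deprecated, every caller must switch in the same commit; the file names are not shown on this page, so it is worth confirming that the node's service wiring is among the 15 changed files.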
|
||||
|
||||
|
|
|
@ -2,11 +2,12 @@ package putsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/client"
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/token"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/core/object"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/object_manager/transformer"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
@ -16,7 +17,9 @@ type remoteTarget struct {
|
|||
|
||||
ctx context.Context
|
||||
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *util.KeyStorage
|
||||
|
||||
token *token.SessionToken
|
||||
|
||||
addr *network.Address
|
||||
|
||||
|
@ -30,9 +33,14 @@ func (t *remoteTarget) WriteHeader(obj *object.RawObject) error {
|
|||
}
|
||||
|
||||
func (t *remoteTarget) Close() (*transformer.AccessIdentifiers, error) {
|
||||
key, err := t.keyStorage.GetKey(t.token)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "(%T) could not receive private key", t)
|
||||
}
|
||||
|
||||
addr := t.addr.NetAddr()
|
||||
|
||||
c, err := client.New(t.key,
|
||||
c, err := client.New(key,
|
||||
client.WithAddress(addr),
|
||||
)
|
||||
if err != nil {
|
||||
|
|
|
@ -2,14 +2,13 @@ package putsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
|
||||
"github.com/nspcc-dev/neofs-node/pkg/core/container"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/core/object"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/session/storage"
|
||||
objutil "github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/util"
|
||||
)
|
||||
|
||||
|
@ -24,12 +23,10 @@ type Service struct {
|
|||
type Option func(*cfg)
|
||||
|
||||
type cfg struct {
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *objutil.KeyStorage
|
||||
|
||||
maxSizeSrc MaxSizeSource
|
||||
|
||||
tokenStore *storage.TokenStore
|
||||
|
||||
localStore *localstore.Storage
|
||||
|
||||
cnrSrc container.Source
|
||||
|
@ -69,9 +66,9 @@ func (p *Service) Put(ctx context.Context) (*Streamer, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
func WithKey(v *ecdsa.PrivateKey) Option {
|
||||
func WithKeyStorage(v *objutil.KeyStorage) Option {
|
||||
return func(c *cfg) {
|
||||
c.key = v
|
||||
c.keyStorage = v
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -81,12 +78,6 @@ func WithMaxSizeSource(v MaxSizeSource) Option {
|
|||
}
|
||||
}
|
||||
|
||||
func WithTokenStorage(v *storage.TokenStore) Option {
|
||||
return func(c *cfg) {
|
||||
c.tokenStore = v
|
||||
}
|
||||
}
|
||||
|
||||
func WithLocalStorage(v *localstore.Storage) Option {
|
||||
return func(c *cfg) {
|
||||
c.localStore = v
|
||||
|
|
|
@ -23,8 +23,6 @@ var errNotInit = errors.New("stream not initialized")
|
|||
|
||||
var errInitRecall = errors.New("init recall")
|
||||
|
||||
var errPrivateTokenNotFound = errors.New("private token not found")
|
||||
|
||||
func (p *Streamer) Init(prm *PutInitPrm) error {
|
||||
// initialize destination target
|
||||
if err := p.initTarget(prm); err != nil {
|
||||
|
@ -63,15 +61,15 @@ func (p *Streamer) initTarget(prm *PutInitPrm) error {
|
|||
// prepare trusted-Put object target
|
||||
|
||||
// get private token from local storage
|
||||
pToken := p.tokenStore.Get(sToken.OwnerID(), sToken.ID())
|
||||
if pToken == nil {
|
||||
return errPrivateTokenNotFound
|
||||
sessionKey, err := p.keyStorage.GetKey(sToken)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "(%T) could not receive session key", p)
|
||||
}
|
||||
|
||||
p.target = transformer.NewPayloadSizeLimiter(
|
||||
p.maxSizeSrc.MaxObjectSize(),
|
||||
func() transformer.ObjectTarget {
|
||||
return transformer.NewFormatTarget(pToken.SessionKey(), p.newCommonTarget(prm), sToken)
|
||||
return transformer.NewFormatTarget(sessionKey, p.newCommonTarget(prm), sToken)
|
||||
},
|
||||
)
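Review bot: Replacing the `pToken == nil` check with `p.keyStorage.GetKey(sToken)` drops the `errPrivateTokenNotFound` sentinel (deleted in the hunk above), so a caller that previously distinguished a missing private token from other init failures now only sees a wrapped error from the key storage; if that distinction matters for the status returned to the client, `KeyStorage` should expose a sentinel that survives `errors.Wrapf` and is checked via `errors.Cause`/`errors.Is`. The wrap text here says `could not receive session key` while the sibling remote call sites say `could not receive private key`; one wording keeps log searches simple. `initTarget` starts before the hunk, so how `sToken` is obtained and whether it can be nil at this point is not visible.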
|
||||
|
||||
|
@ -134,7 +132,8 @@ func (p *Streamer) newCommonTarget(prm *PutInitPrm) transformer.ObjectTarget {
|
|||
} else {
|
||||
return &remoteTarget{
|
||||
ctx: p.ctx,
|
||||
key: p.key,
|
||||
keyStorage: p.keyStorage,
|
||||
token: prm.common.SessionToken(),
|
||||
addr: addr,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -2,31 +2,39 @@ package rangesvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"io"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/client"
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/object"
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/token"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
type remoteRangeWriter struct {
|
||||
ctx context.Context
|
||||
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *util.KeyStorage
|
||||
|
||||
node *network.Address
|
||||
|
||||
token *token.SessionToken
|
||||
|
||||
addr *object.Address
|
||||
|
||||
rng *object.Range
|
||||
}
|
||||
|
||||
func (r *remoteRangeWriter) WriteTo(w io.Writer) (int64, error) {
|
||||
key, err := r.keyStorage.GetKey(r.token)
|
||||
if err != nil {
|
||||
return 0, errors.Wrapf(err, "(%T) could not receive private key", r)
|
||||
}
|
||||
|
||||
addr := r.node.NetAddr()
|
||||
|
||||
c, err := client.New(r.key,
|
||||
c, err := client.New(key,
|
||||
client.WithAddress(addr),
|
||||
)
|
||||
if err != nil {
|
||||
|
@ -38,6 +46,7 @@ func (r *remoteRangeWriter) WriteTo(w io.Writer) (int64, error) {
|
|||
WithRange(r.rng).
|
||||
WithAddress(r.addr),
|
||||
client.WithTTL(1), // FIXME: use constant
|
||||
client.WithSession(r.token),
|
||||
)
|
||||
if err != nil {
|
||||
return 0, errors.Wrapf(err, "(%T) could not read object payload range from %s", r, addr)
|
||||
|
|
|
@ -2,7 +2,6 @@ package rangesvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"sync"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/object"
|
||||
|
@ -23,7 +22,7 @@ type Service struct {
|
|||
type Option func(*cfg)
|
||||
|
||||
type cfg struct {
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *objutil.KeyStorage
|
||||
|
||||
localStore *localstore.Storage
|
||||
|
||||
|
@ -124,9 +123,9 @@ func (s *Service) fillTraverser(ctx context.Context, prm *Prm, traverser *objuti
|
|||
}
|
||||
}
|
||||
|
||||
func WithKey(v *ecdsa.PrivateKey) Option {
|
||||
func WithKeyStorage(v *objutil.KeyStorage) Option {
|
||||
return func(c *cfg) {
|
||||
c.key = v
|
||||
c.keyStorage = v
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -179,8 +179,9 @@ loop:
|
|||
} else {
|
||||
rngWriter = &remoteRangeWriter{
|
||||
ctx: p.ctx,
|
||||
key: p.key,
|
||||
keyStorage: p.keyStorage,
|
||||
node: addr,
|
||||
token: p.prm.common.SessionToken(),
|
||||
addr: objAddr,
|
||||
rng: nextRange,
|
||||
}
|
||||
|
|
|
@ -112,7 +112,7 @@ loop:
|
|||
}
|
||||
} else {
|
||||
hasher = &remoteHasher{
|
||||
key: h.key,
|
||||
keyStorage: h.keyStorage,
|
||||
node: addr,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -2,25 +2,30 @@ package rangehashsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"fmt"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg"
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/client"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
type remoteHasher struct {
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *util.KeyStorage
|
||||
|
||||
node *network.Address
|
||||
}
|
||||
|
||||
func (h *remoteHasher) hashRange(ctx context.Context, prm *Prm, handler func([][]byte)) error {
|
||||
key, err := h.keyStorage.GetKey(prm.common.SessionToken())
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "(%T) could not receive private key", h)
|
||||
}
|
||||
|
||||
addr := h.node.NetAddr()
|
||||
|
||||
c, err := client.New(h.key,
|
||||
c, err := client.New(key,
|
||||
client.WithAddress(addr),
|
||||
)
|
||||
if err != nil {
|
||||
|
@ -36,6 +41,7 @@ func (h *remoteHasher) hashRange(ctx context.Context, prm *Prm, handler func([][
|
|||
|
||||
opts := []client.CallOption{
|
||||
client.WithTTL(1), // FIXME: use constant
|
||||
client.WithSession(prm.common.SessionToken()),
|
||||
}
|
||||
|
||||
switch prm.typ {
|
||||
|
|
|
@ -2,7 +2,6 @@ package rangehashsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"crypto/sha256"
|
||||
"fmt"
|
||||
"io"
|
||||
|
@ -27,7 +26,7 @@ type Service struct {
|
|||
type Option func(*cfg)
|
||||
|
||||
type cfg struct {
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *objutil.KeyStorage
|
||||
|
||||
localStore *localstore.Storage
|
||||
|
||||
|
@ -218,9 +217,9 @@ func (s *Service) getHashes(ctx context.Context, prm *Prm, traverser *objutil.Ra
|
|||
return resp, nil
|
||||
}
|
||||
|
||||
func WithKey(v *ecdsa.PrivateKey) Option {
|
||||
func WithKeyStorage(v *objutil.KeyStorage) Option {
|
||||
return func(c *cfg) {
|
||||
c.key = v
|
||||
c.keyStorage = v
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -2,26 +2,31 @@ package searchsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/client"
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/object"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
type remoteStream struct {
|
||||
prm *Prm
|
||||
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *util.KeyStorage
|
||||
|
||||
addr *network.Address
|
||||
}
|
||||
|
||||
func (s *remoteStream) stream(ctx context.Context, ch chan<- []*object.ID) error {
|
||||
key, err := s.keyStorage.GetKey(s.prm.common.SessionToken())
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "(%T) could not receive private key", s)
|
||||
}
|
||||
|
||||
addr := s.addr.NetAddr()
|
||||
|
||||
c, err := client.New(s.key,
|
||||
c, err := client.New(key,
|
||||
client.WithAddress(addr),
|
||||
)
|
||||
if err != nil {
|
||||
|
@ -33,6 +38,7 @@ func (s *remoteStream) stream(ctx context.Context, ch chan<- []*object.ID) error
|
|||
WithContainerID(s.prm.cid).
|
||||
WithSearchFilters(s.prm.query.ToSearchFilters()),
|
||||
client.WithTTL(1), // FIXME: use constant
|
||||
client.WithSession(s.prm.common.SessionToken()),
|
||||
)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "(%T) could not search objects in %s", s, addr)
|
||||
|
|
|
@ -2,7 +2,6 @@ package searchsvc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"io"
|
||||
"sync"
|
||||
|
||||
|
@ -12,6 +11,7 @@ import (
|
|||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/network"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/search/query/v1"
|
||||
objutil "github.com/nspcc-dev/neofs-node/pkg/services/object/util"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/util"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
@ -23,7 +23,7 @@ type Service struct {
|
|||
type Option func(*cfg)
|
||||
|
||||
type cfg struct {
|
||||
key *ecdsa.PrivateKey
|
||||
keyStorage *objutil.KeyStorage
|
||||
|
||||
localStore *localstore.Storage
|
||||
|
||||
|
@ -104,9 +104,9 @@ func readFullStream(s *Streamer, cap int) ([]*object.ID, error) {
|
|||
return res, nil
|
||||
}
|
||||
|
||||
func WithKey(v *ecdsa.PrivateKey) Option {
|
||||
func WithKeyStorage(v *objutil.KeyStorage) Option {
|
||||
return func(c *cfg) {
|
||||
c.key = v
|
||||
c.keyStorage = v
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -161,7 +161,7 @@ loop:
|
|||
} else {
|
||||
streamer = &remoteStream{
|
||||
prm: prm,
|
||||
key: p.key,
|
||||
keyStorage: p.keyStorage,
|
||||
addr: addr,
|
||||
}
|
||||
}
|
||||
|
|