[#106] Check bearer token lifetime
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
parent
bb455af05f
commit
23ec33e821
3 changed files with 27 additions and 3 deletions
|
@ -353,6 +353,7 @@ func initObjectService(c *cfg) {
|
||||||
eacl.WithMorphClient(c.cfgObject.cnrClient),
|
eacl.WithMorphClient(c.cfgObject.cnrClient),
|
||||||
eacl.WithLogger(c.log),
|
eacl.WithLogger(c.log),
|
||||||
),
|
),
|
||||||
|
acl.WithNetmapState(c.cfgNetmap.state),
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
|
|
@ -15,6 +15,7 @@ import (
|
||||||
v2signature "github.com/nspcc-dev/neofs-api-go/v2/signature"
|
v2signature "github.com/nspcc-dev/neofs-api-go/v2/signature"
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
||||||
core "github.com/nspcc-dev/neofs-node/pkg/core/container"
|
core "github.com/nspcc-dev/neofs-node/pkg/core/container"
|
||||||
|
"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
||||||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
|
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
|
||||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
|
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
|
||||||
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
|
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
|
||||||
|
@ -82,6 +83,8 @@ type eACLCfg struct {
|
||||||
eACL *eacl.Validator
|
eACL *eacl.Validator
|
||||||
|
|
||||||
localStorage *localstore.Storage
|
localStorage *localstore.Storage
|
||||||
|
|
||||||
|
state netmap.State
|
||||||
}
|
}
|
||||||
|
|
||||||
type accessErr struct {
|
type accessErr struct {
|
||||||
|
@ -521,7 +524,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
// if bearer token is not present, isValidBearer returns true
|
// if bearer token is not present, isValidBearer returns true
|
||||||
if !isValidBearer(reqInfo) {
|
if !isValidBearer(reqInfo, cfg.state) {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -606,7 +609,7 @@ func eACLErr(info requestInfo) error {
|
||||||
// isValidBearer returns true if bearer token correctly signed by authorized
|
// isValidBearer returns true if bearer token correctly signed by authorized
|
||||||
// entity. This method might be define on whole ACL service because it will
|
// entity. This method might be define on whole ACL service because it will
|
||||||
// require to fetch current epoch to check lifetime.
|
// require to fetch current epoch to check lifetime.
|
||||||
func isValidBearer(reqInfo requestInfo) bool {
|
func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
|
||||||
token := reqInfo.bearer
|
token := reqInfo.bearer
|
||||||
|
|
||||||
// 0. Check if bearer token is present in reqInfo. It might be non nil
|
// 0. Check if bearer token is present in reqInfo. It might be non nil
|
||||||
|
@ -653,7 +656,19 @@ func isValidBearer(reqInfo requestInfo) bool {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// todo: 4. Then check token lifetime.
|
// 4. Then check token lifetime.
|
||||||
|
if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func isValidLifetime(lifetime *bearer.TokenLifetime, epoch uint64) bool {
|
||||||
|
// The "exp" (expiration time) claim identifies the expiration time on
|
||||||
|
// or after which the JWT MUST NOT be accepted for processing.
|
||||||
|
// The "nbf" (not before) claim identifies the time before which the JWT
|
||||||
|
// MUST NOT be accepted for processing
|
||||||
|
// RFC 7519 sections 4.1.4, 4.1.5
|
||||||
|
return epoch >= lifetime.GetNbf() && epoch <= lifetime.GetExp()
|
||||||
|
}
|
||||||
|
|
|
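Review bot: The comparison `epoch <= lifetime.GetExp()` in isValidLifetime accepts a token at its exp epoch, while the comment directly above it quotes RFC 7519 as rejecting "on or after" the expiration time; one of the two should change, either `return epoch >= lifetime.GetNbf() && epoch < lifetime.GetExp()` or a comment stating that NeoFS treats exp as the last epoch in which the token is still valid. The function also dereferences `lifetime` without a nil check: if the v2 getters are nil-safe, a token carrying no lifetime collapses to nbf = exp = 0 and is rejected in every epoch except 0, and if they are not it panics, so an explicit `if lifetime == nil { return false }` would make the fail-closed behaviour visible rather than incidental. Likewise `st.CurrentEpoch()` in isValidBearer panics on a nil interface when the WithNetmapState option was never applied, which should be rejected at construction time or guarded here. The isValidBearer doc comment kept by the previous hunk ("This method might be define on whole ACL service because it will require to fetch current epoch to check lifetime") now describes the pre-change state and should say instead that the current epoch is taken from the netmap.State argument. isValidBearer begins outside this hunk.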
@ -3,6 +3,7 @@ package acl
|
||||||
import (
|
import (
|
||||||
"github.com/nspcc-dev/neofs-api-go/v2/object"
|
"github.com/nspcc-dev/neofs-api-go/v2/object"
|
||||||
"github.com/nspcc-dev/neofs-node/pkg/core/container"
|
"github.com/nspcc-dev/neofs-node/pkg/core/container"
|
||||||
|
"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
||||||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
|
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
|
||||||
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
|
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
|
||||||
)
|
)
|
||||||
|
@ -41,3 +42,10 @@ func WithLocalStorage(v *localstore.Storage) Option {
|
||||||
c.localStorage = v
|
c.localStorage = v
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithNetmapState returns options to set global netmap state.
|
||||||
|
func WithNetmapState(v netmap.State) Option {
|
||||||
|
return func(c *cfg) {
|
||||||
|
c.state = v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
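Review bot: The doc comment `// WithNetmapState returns options to set global netmap state.` says nothing about what the state is used for or what happens when the option is omitted, and since the option body only assigns `c.state = v` there is no default. I would write `// WithNetmapState returns an option that sets the netmap state the service reads the current epoch from; it has no default, so omitting it leaves cfg.state nil.` As a grammar nit, "returns options" should be "returns an option", matching the singular Option return type.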