forked from TrueCloudLab/frostfs-node
[#505] ir/container: Check key ownership during set eACL handling
Use NeoFS ID contract client to check if public key from notification event is tied to the owner of the container for which the eACL is being changed. Approve changes coming from the owner of the container only. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
b0271aa478
commit
372cba1fca
2 changed files with 36 additions and 2 deletions
|
@ -7,6 +7,7 @@ import (
|
|||
"fmt"
|
||||
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
@ -43,9 +44,40 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
|
|||
return errors.New("invalid signature")
|
||||
}
|
||||
|
||||
// TODO: check key ownership
|
||||
// verify the identity of the container owner
|
||||
return cp.checkEACLOwnership(table, key)
|
||||
}
|
||||
|
||||
return nil
|
||||
func (cp *Processor) checkEACLOwnership(binTable []byte, key *keys.PublicKey) error {
|
||||
// unmarshal table
|
||||
table := eacl.NewTable()
|
||||
|
||||
err := table.Unmarshal(binTable)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid binary table: %w", err)
|
||||
}
|
||||
|
||||
// receive owner of the related container
|
||||
cnr, err := cp.cnrClient.Get(table.CID())
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not receive the container: %w", err)
|
||||
}
|
||||
|
||||
ownerID := cnr.OwnerID()
|
||||
|
||||
// check key ownership
|
||||
ownerKeys, err := cp.idClient.AccountKeys(ownerID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not received owner keys %s: %w", ownerID, err)
|
||||
}
|
||||
|
||||
for _, ownerKey := range ownerKeys {
|
||||
if ownerKey.Equal(key) {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
return fmt.Errorf("key %s is not tied to the owner of the container", key)
|
||||
}
|
||||
|
||||
func (cp *Processor) approveSetEACL(e container.SetEACL) {
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"github.com/nspcc-dev/neofs-node/pkg/innerring/config"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/morph/client"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/morph/client/container/wrapper"
|
||||
neofsid "github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid/wrapper"
|
||||
"github.com/nspcc-dev/neofs-node/pkg/morph/event"
|
||||
containerEvent "github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
|
||||
"github.com/panjf2000/ants/v2"
|
||||
|
@ -29,6 +30,7 @@ type (
|
|||
alphabetState AlphabetState
|
||||
feeProvider *config.FeeConfig
|
||||
cnrClient *wrapper.Wrapper
|
||||
idClient *neofsid.ClientWrapper
|
||||
}
|
||||
|
||||
// Params of the processor constructor.
|
||||
|
|
Loading…
Reference in a new issue