frostfs-node/pkg/innerring/processors/container/process_eacl.go

package container

import (
	"errors"
	"fmt"

	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
	cntClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/container"
	containerEvent "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event/container"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
	"go.uber.org/zap"
)

func (cp *Processor) processSetEACL(e containerEvent.SetEACL) bool {
	if !cp.alphabetState.IsAlphabet() {
		cp.log.Info(logs.ContainerNonAlphabetModeIgnoreSetEACL)
		return true
	}

	err := cp.checkSetEACL(e)
	if err != nil {
		cp.log.Error(logs.ContainerSetEACLCheckFailed,
			zap.String("error", err.Error()),
		)

		return false
	}

	if err := cp.morphClient.NotarySignAndInvokeTX(e.NotaryRequest().MainTransaction); err != nil {
		cp.log.Error(logs.ContainerCouldNotApproveSetEACL,
			zap.String("error", err.Error()),
		)
		return false
	}

	return true
}

func (cp *Processor) checkSetEACL(e containerEvent.SetEACL) error {
	binTable := e.Table()

	// unmarshal table
	table := eacl.NewTable()

	err := table.Unmarshal(binTable)
	if err != nil {
		return fmt.Errorf("invalid binary table: %w", err)
	}

	idCnr, ok := table.CID()
	if !ok {
		return errors.New("missing container ID in eACL table")
	}

	// receive owner of the related container
	cnr, err := cntClient.Get(cp.cnrClient, idCnr)
	if err != nil {
		return fmt.Errorf("could not receive the container: %w", err)
	}

	// ACL extensions can be disabled by basic ACL, check it
	if !cnr.Value.BasicACL().Extendable() {
		return errors.New("ACL extension disabled by container basic ACL")
	}

	err = cp.verifySignature(signatureVerificationData{
		ownerContainer:  cnr.Value.Owner(),
		verb:            session.VerbContainerSetEACL,
		idContainerSet:  true,
		idContainer:     idCnr,
		binTokenSession: e.SessionToken(),
		binPublicKey:    e.PublicKey(),
		signature:       e.Signature(),
		signedData:      binTable,
	})
	if err != nil {
		return fmt.Errorf("auth eACL table setting: %w", err)
	}

	return nil
}
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`package container`

			`import (`
[#505] ir/container: Verify signature of binary eACL tables Add signature check to `checkSetEACL` method of the `setEACL` notification handler in Container processor. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:26:41 +00:00			`"errors"`
			`"fmt"`

[#240] logs: Move log messages to constants Drop duplicate entities. Format entities. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com> Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-04-12 14:35:10 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"`
Rename package name Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2023-03-07 13:38:26 +00:00			`cntClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/container"`
[#280] ir: Add container processor unit tests Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com> 2023-04-26 09:05:33 +00:00			`containerEvent "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event/container"`
Rename package name Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2023-03-07 13:38:26 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"`
			`"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`"go.uber.org/zap"`
			`)`

[#374] Add inner-ring event metrics Signed-off-by: Alejandro Lopez <a.lopez@yadro.com> 2023-05-26 10:24:41 +00:00			`func (cp *Processor) processSetEACL(e containerEvent.SetEACL) bool {`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`if !cp.alphabetState.IsAlphabet() {`
[#240] logs: Move log messages to constants Drop duplicate entities. Format entities. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com> Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-04-12 14:35:10 +00:00			`cp.log.Info(logs.ContainerNonAlphabetModeIgnoreSetEACL)`
[#374] Add inner-ring event metrics Signed-off-by: Alejandro Lopez <a.lopez@yadro.com> 2023-05-26 10:24:41 +00:00			`return true`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`}`

			`err := cp.checkSetEACL(e)`
			`if err != nil {`
[#240] logs: Move log messages to constants Drop duplicate entities. Format entities. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com> Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-04-12 14:35:10 +00:00			`cp.log.Error(logs.ContainerSetEACLCheckFailed,`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`zap.String("error", err.Error()),`
			`)`

[#374] Add inner-ring event metrics Signed-off-by: Alejandro Lopez <a.lopez@yadro.com> 2023-05-26 10:24:41 +00:00			`return false`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`}`

[#374] Add inner-ring event metrics Signed-off-by: Alejandro Lopez <a.lopez@yadro.com> 2023-05-26 10:24:41 +00:00			`if err := cp.morphClient.NotarySignAndInvokeTX(e.NotaryRequest().MainTransaction); err != nil {`
			`cp.log.Error(logs.ContainerCouldNotApproveSetEACL,`
			`zap.String("error", err.Error()),`
			`)`
			`return false`
			`}`

			`return true`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`}`

[#280] ir: Add container processor unit tests Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com> 2023-04-26 09:05:33 +00:00			`func (cp *Processor) checkSetEACL(e containerEvent.SetEACL) error {`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`binTable := e.Table()`
[#505] ir/container: Check key ownership during set eACL handling Use NeoFS ID contract client to check if public key from notification event is tied to the owner of the container for which the eACL is being changed. Approve changes coming from the owner of the container only. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:28:10 +00:00
			`// unmarshal table`
			`table := eacl.NewTable()`

[#1423] session: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-18 15:20:08 +00:00			`err := table.Unmarshal(binTable)`
[#505] ir/container: Check key ownership during set eACL handling Use NeoFS ID contract client to check if public key from notification event is tied to the owner of the container for which the eACL is being changed. Approve changes coming from the owner of the container only. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:28:10 +00:00			`if err != nil {`
			`return fmt.Errorf("invalid binary table: %w", err)`
			`}`

[#1377] oid, cid: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-12 16:37:46 +00:00			`idCnr, ok := table.CID()`
			`if !ok {`
			`return errors.New("missing container ID in eACL table")`
			`}`

[#505] ir/container: Check key ownership during set eACL handling Use NeoFS ID contract client to check if public key from notification event is tied to the owner of the container for which the eACL is being changed. Approve changes coming from the owner of the container only. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:28:10 +00:00			`// receive owner of the related container`
[#1454] Upgrade NeoFS SDK Go module with new IDs Core changes: * avoid package-colliding variable naming * avoid using pointers to IDs where unnecessary * avoid using `idSDK` import alias pattern * use `EncodeToString` for protocol string calculation and `String` for printing Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-31 17:00:41 +00:00			`cnr, err := cntClient.Get(cp.cnrClient, idCnr)`
[#505] ir/container: Check key ownership during set eACL handling Use NeoFS ID contract client to check if public key from notification event is tied to the owner of the container for which the eACL is being changed. Approve changes coming from the owner of the container only. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:28:10 +00:00			`if err != nil {`
			`return fmt.Errorf("could not receive the container: %w", err)`
			`}`

[#1485] ir/container: Accept eACL only if extension is allowed In order to extend container ACL `F` bit must be set in basic ACL. Make `Container` contract processor to deny eACL tables bound to non-extendable containers. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-06-06 16:23:15 +00:00			`// ACL extensions can be disabled by basic ACL, check it`
[#1533] acl: Upgrade NeoFS SDK Go with refactored basic ACL Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-06-17 13:40:51 +00:00			`if !cnr.Value.BasicACL().Extendable() {`
[#1485] ir/container: Accept eACL only if extension is allowed In order to extend container ACL `F` bit must be set in basic ACL. Make `Container` contract processor to deny eACL tables bound to non-extendable containers. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-06-06 16:23:15 +00:00			`return errors.New("ACL extension disabled by container basic ACL")`
			`}`

[#1423] session: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-18 15:20:08 +00:00			`err = cp.verifySignature(signatureVerificationData{`
[#1556] Upgrade NeoFS SDK Go with changed container API Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-06-28 07:01:05 +00:00			`ownerContainer: cnr.Value.Owner(),`
[#1423] session: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-18 15:20:08 +00:00			`verb: session.VerbContainerSetEACL,`
			`idContainerSet: true,`
			`idContainer: idCnr,`
			`binTokenSession: e.SessionToken(),`
			`binPublicKey: e.PublicKey(),`
			`signature: e.Signature(),`
			`signedData: binTable,`
			`})`
			`if err != nil {`
			`return fmt.Errorf("auth eACL table setting: %w", err)`
[#525] ir/container: Check session verb and container ID Token of the container session should be written out with container context. The context should have the verb corresponding to the operation. If an operation is performed on a fixed container, the session should be propagated to it or to all user containers Implement all described checks in validation of `Put` / `Delete` / `SetEACL` events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-28 12:39:27 +00:00			`}`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00
[#1423] session: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-18 15:20:08 +00:00			`return nil`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`}`