From 88459963fb8e2f252c4f148f7d8c3904d8a0034e Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Tue, 29 Sep 2020 19:44:59 +0300 Subject: [PATCH] [#57] services/object: Sign requests with session key Use key storage in object services in order to sign requests with private session key within user session. Signed-off-by: Leonard Lyubich --- pkg/services/object/head/distributed.go | 4 ++-- pkg/services/object/head/remote.go | 12 +++++++++--- pkg/services/object/head/service.go | 8 ++++---- pkg/services/object/put/remote.go | 14 +++++++++++--- pkg/services/object/put/service.go | 17 ++++------------- pkg/services/object/put/streamer.go | 17 ++++++++--------- pkg/services/object/range/remote.go | 15 ++++++++++++--- pkg/services/object/range/service.go | 7 +++---- pkg/services/object/range/streamer.go | 11 ++++++----- pkg/services/object/rangehash/distributed.go | 4 ++-- pkg/services/object/rangehash/remote.go | 12 +++++++++--- pkg/services/object/rangehash/service.go | 7 +++---- pkg/services/object/search/remote.go | 12 +++++++++--- pkg/services/object/search/service.go | 8 ++++---- pkg/services/object/search/streamer.go | 6 +++--- 15 files changed, 89 insertions(+), 65 deletions(-) diff --git a/pkg/services/object/head/distributed.go b/pkg/services/object/head/distributed.go index 91835ba52..9fe4e0c7a 100644 --- a/pkg/services/object/head/distributed.go +++ b/pkg/services/object/head/distributed.go @@ -115,8 +115,8 @@ loop: } } else { header = &remoteHeader{ - key: h.key, - node: addr, + keyStorage: h.keyStorage, + node: addr, } } diff --git a/pkg/services/object/head/remote.go b/pkg/services/object/head/remote.go index 705db3d9e..e922cc8cd 100644 --- a/pkg/services/object/head/remote.go +++ b/pkg/services/object/head/remote.go @@ -2,24 +2,29 @@ package headsvc import ( "context" - "crypto/ecdsa" "github.com/nspcc-dev/neofs-api-go/pkg/client" "github.com/nspcc-dev/neofs-node/pkg/core/object" "github.com/nspcc-dev/neofs-node/pkg/network" + "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/pkg/errors" ) type remoteHeader struct { - key *ecdsa.PrivateKey + keyStorage *util.KeyStorage node *network.Address } func (h *remoteHeader) head(ctx context.Context, prm *Prm, handler func(*object.Object)) error { + key, err := h.keyStorage.GetKey(prm.common.SessionToken()) + if err != nil { + return errors.Wrapf(err, "(%T) could not receive private key", h) + } + addr := h.node.NetAddr() - c, err := client.New(h.key, + c, err := client.New(key, client.WithAddress(addr), ) if err != nil { @@ -35,6 +40,7 @@ func (h *remoteHeader) head(ctx context.Context, prm *Prm, handler func(*object. hdr, err := c.GetObjectHeader(ctx, p, client.WithTTL(1), // FIXME: use constant + client.WithSession(prm.common.SessionToken()), ) if err != nil { return errors.Wrapf(err, "(%T) could not head object in %s", h, addr) diff --git a/pkg/services/object/head/service.go b/pkg/services/object/head/service.go index 1c50b1011..f0fe1deaf 100644 --- a/pkg/services/object/head/service.go +++ b/pkg/services/object/head/service.go @@ -2,7 +2,6 @@ package headsvc import ( "context" - "crypto/ecdsa" objectSDK "github.com/nspcc-dev/neofs-api-go/pkg/object" "github.com/nspcc-dev/neofs-node/pkg/core/container" @@ -10,6 +9,7 @@ import ( "github.com/nspcc-dev/neofs-node/pkg/core/object" "github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore" "github.com/nspcc-dev/neofs-node/pkg/network" + objutil "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/nspcc-dev/neofs-node/pkg/util" "github.com/pkg/errors" ) @@ -25,7 +25,7 @@ type Service struct { type Option func(*cfg) type cfg struct { - key *ecdsa.PrivateKey + keyStorage *objutil.KeyStorage localStore *localstore.Storage @@ -92,9 +92,9 @@ func (s *Service) Head(ctx context.Context, prm *Prm) (*Response, error) { }, nil } -func WithKey(v *ecdsa.PrivateKey) Option { +func WithKeyStorage(v *objutil.KeyStorage) Option { return func(c *cfg) { - c.key = v + c.keyStorage = v } } diff --git a/pkg/services/object/put/remote.go b/pkg/services/object/put/remote.go index ebd550cfe..b3752cc46 100644 --- a/pkg/services/object/put/remote.go +++ b/pkg/services/object/put/remote.go @@ -2,11 +2,12 @@ package putsvc import ( "context" - "crypto/ecdsa" "github.com/nspcc-dev/neofs-api-go/pkg/client" + "github.com/nspcc-dev/neofs-api-go/pkg/token" "github.com/nspcc-dev/neofs-node/pkg/core/object" "github.com/nspcc-dev/neofs-node/pkg/network" + "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/nspcc-dev/neofs-node/pkg/services/object_manager/transformer" "github.com/pkg/errors" ) @@ -16,7 +17,9 @@ type remoteTarget struct { ctx context.Context - key *ecdsa.PrivateKey + keyStorage *util.KeyStorage + + token *token.SessionToken addr *network.Address @@ -30,9 +33,14 @@ func (t *remoteTarget) WriteHeader(obj *object.RawObject) error { } func (t *remoteTarget) Close() (*transformer.AccessIdentifiers, error) { + key, err := t.keyStorage.GetKey(t.token) + if err != nil { + return nil, errors.Wrapf(err, "(%T) could not receive private key", t) + } + addr := t.addr.NetAddr() - c, err := client.New(t.key, + c, err := client.New(key, client.WithAddress(addr), ) if err != nil { diff --git a/pkg/services/object/put/service.go b/pkg/services/object/put/service.go index 93aff63b8..c156e75e0 100644 --- a/pkg/services/object/put/service.go +++ b/pkg/services/object/put/service.go @@ -2,14 +2,13 @@ package putsvc import ( "context" - "crypto/ecdsa" "github.com/nspcc-dev/neofs-node/pkg/core/container" "github.com/nspcc-dev/neofs-node/pkg/core/netmap" "github.com/nspcc-dev/neofs-node/pkg/core/object" "github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore" "github.com/nspcc-dev/neofs-node/pkg/network" - "github.com/nspcc-dev/neofs-node/pkg/services/session/storage" + objutil "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/nspcc-dev/neofs-node/pkg/util" ) @@ -24,12 +23,10 @@ type Service struct { type Option func(*cfg) type cfg struct { - key *ecdsa.PrivateKey + keyStorage *objutil.KeyStorage maxSizeSrc MaxSizeSource - tokenStore *storage.TokenStore - localStore *localstore.Storage cnrSrc container.Source @@ -69,9 +66,9 @@ func (p *Service) Put(ctx context.Context) (*Streamer, error) { }, nil } -func WithKey(v *ecdsa.PrivateKey) Option { +func WithKeyStorage(v *objutil.KeyStorage) Option { return func(c *cfg) { - c.key = v + c.keyStorage = v } } @@ -81,12 +78,6 @@ func WithMaxSizeSource(v MaxSizeSource) Option { } } -func WithTokenStorage(v *storage.TokenStore) Option { - return func(c *cfg) { - c.tokenStore = v - } -} - func WithLocalStorage(v *localstore.Storage) Option { return func(c *cfg) { c.localStore = v diff --git a/pkg/services/object/put/streamer.go b/pkg/services/object/put/streamer.go index 4abcd9f96..56666d015 100644 --- a/pkg/services/object/put/streamer.go +++ b/pkg/services/object/put/streamer.go @@ -23,8 +23,6 @@ var errNotInit = errors.New("stream not initialized") var errInitRecall = errors.New("init recall") -var errPrivateTokenNotFound = errors.New("private token not found") - func (p *Streamer) Init(prm *PutInitPrm) error { // initialize destination target if err := p.initTarget(prm); err != nil { @@ -63,15 +61,15 @@ func (p *Streamer) initTarget(prm *PutInitPrm) error { // prepare trusted-Put object target // get private token from local storage - pToken := p.tokenStore.Get(sToken.OwnerID(), sToken.ID()) - if pToken == nil { - return errPrivateTokenNotFound + sessionKey, err := p.keyStorage.GetKey(sToken) + if err != nil { + return errors.Wrapf(err, "(%T) could not receive session key", p) } p.target = transformer.NewPayloadSizeLimiter( p.maxSizeSrc.MaxObjectSize(), func() transformer.ObjectTarget { - return transformer.NewFormatTarget(pToken.SessionKey(), p.newCommonTarget(prm), sToken) + return transformer.NewFormatTarget(sessionKey, p.newCommonTarget(prm), sToken) }, ) @@ -133,9 +131,10 @@ func (p *Streamer) newCommonTarget(prm *PutInitPrm) transformer.ObjectTarget { } } else { return &remoteTarget{ - ctx: p.ctx, - key: p.key, - addr: addr, + ctx: p.ctx, + keyStorage: p.keyStorage, + token: prm.common.SessionToken(), + addr: addr, } } }, diff --git a/pkg/services/object/range/remote.go b/pkg/services/object/range/remote.go index 821de474d..473c6d56a 100644 --- a/pkg/services/object/range/remote.go +++ b/pkg/services/object/range/remote.go @@ -2,31 +2,39 @@ package rangesvc import ( "context" - "crypto/ecdsa" "io" "github.com/nspcc-dev/neofs-api-go/pkg/client" "github.com/nspcc-dev/neofs-api-go/pkg/object" + "github.com/nspcc-dev/neofs-api-go/pkg/token" "github.com/nspcc-dev/neofs-node/pkg/network" + "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/pkg/errors" ) type remoteRangeWriter struct { ctx context.Context - key *ecdsa.PrivateKey + keyStorage *util.KeyStorage node *network.Address + token *token.SessionToken + addr *object.Address rng *object.Range } func (r *remoteRangeWriter) WriteTo(w io.Writer) (int64, error) { + key, err := r.keyStorage.GetKey(r.token) + if err != nil { + return 0, errors.Wrapf(err, "(%T) could not receive private key", r) + } + addr := r.node.NetAddr() - c, err := client.New(r.key, + c, err := client.New(key, client.WithAddress(addr), ) if err != nil { @@ -38,6 +46,7 @@ func (r *remoteRangeWriter) WriteTo(w io.Writer) (int64, error) { WithRange(r.rng). WithAddress(r.addr), client.WithTTL(1), // FIXME: use constant + client.WithSession(r.token), ) if err != nil { return 0, errors.Wrapf(err, "(%T) could not read object payload range from %s", r, addr) diff --git a/pkg/services/object/range/service.go b/pkg/services/object/range/service.go index 5e3a36933..459c74133 100644 --- a/pkg/services/object/range/service.go +++ b/pkg/services/object/range/service.go @@ -2,7 +2,6 @@ package rangesvc import ( "context" - "crypto/ecdsa" "sync" "github.com/nspcc-dev/neofs-api-go/pkg/object" @@ -23,7 +22,7 @@ type Service struct { type Option func(*cfg) type cfg struct { - key *ecdsa.PrivateKey + keyStorage *objutil.KeyStorage localStore *localstore.Storage @@ -124,9 +123,9 @@ func (s *Service) fillTraverser(ctx context.Context, prm *Prm, traverser *objuti } } -func WithKey(v *ecdsa.PrivateKey) Option { +func WithKeyStorage(v *objutil.KeyStorage) Option { return func(c *cfg) { - c.key = v + c.keyStorage = v } } diff --git a/pkg/services/object/range/streamer.go b/pkg/services/object/range/streamer.go index 0e51d2ed7..7d22826cb 100644 --- a/pkg/services/object/range/streamer.go +++ b/pkg/services/object/range/streamer.go @@ -178,11 +178,12 @@ loop: } } else { rngWriter = &remoteRangeWriter{ - ctx: p.ctx, - key: p.key, - node: addr, - addr: objAddr, - rng: nextRange, + ctx: p.ctx, + keyStorage: p.keyStorage, + node: addr, + token: p.prm.common.SessionToken(), + addr: objAddr, + rng: nextRange, } } diff --git a/pkg/services/object/rangehash/distributed.go b/pkg/services/object/rangehash/distributed.go index c4dc1b74a..da956974e 100644 --- a/pkg/services/object/rangehash/distributed.go +++ b/pkg/services/object/rangehash/distributed.go @@ -112,8 +112,8 @@ loop: } } else { hasher = &remoteHasher{ - key: h.key, - node: addr, + keyStorage: h.keyStorage, + node: addr, } } diff --git a/pkg/services/object/rangehash/remote.go b/pkg/services/object/rangehash/remote.go index bdbaa33ff..2fffcb56d 100644 --- a/pkg/services/object/rangehash/remote.go +++ b/pkg/services/object/rangehash/remote.go @@ -2,25 +2,30 @@ package rangehashsvc import ( "context" - "crypto/ecdsa" "fmt" "github.com/nspcc-dev/neofs-api-go/pkg" "github.com/nspcc-dev/neofs-api-go/pkg/client" "github.com/nspcc-dev/neofs-node/pkg/network" + "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/pkg/errors" ) type remoteHasher struct { - key *ecdsa.PrivateKey + keyStorage *util.KeyStorage node *network.Address } func (h *remoteHasher) hashRange(ctx context.Context, prm *Prm, handler func([][]byte)) error { + key, err := h.keyStorage.GetKey(prm.common.SessionToken()) + if err != nil { + return errors.Wrapf(err, "(%T) could not receive private key", h) + } + addr := h.node.NetAddr() - c, err := client.New(h.key, + c, err := client.New(key, client.WithAddress(addr), ) if err != nil { @@ -36,6 +41,7 @@ func (h *remoteHasher) hashRange(ctx context.Context, prm *Prm, handler func([][ opts := []client.CallOption{ client.WithTTL(1), // FIXME: use constant + client.WithSession(prm.common.SessionToken()), } switch prm.typ { diff --git a/pkg/services/object/rangehash/service.go b/pkg/services/object/rangehash/service.go index 41843deca..54980c90b 100644 --- a/pkg/services/object/rangehash/service.go +++ b/pkg/services/object/rangehash/service.go @@ -2,7 +2,6 @@ package rangehashsvc import ( "context" - "crypto/ecdsa" "crypto/sha256" "fmt" "io" @@ -27,7 +26,7 @@ type Service struct { type Option func(*cfg) type cfg struct { - key *ecdsa.PrivateKey + keyStorage *objutil.KeyStorage localStore *localstore.Storage @@ -218,9 +217,9 @@ func (s *Service) getHashes(ctx context.Context, prm *Prm, traverser *objutil.Ra return resp, nil } -func WithKey(v *ecdsa.PrivateKey) Option { +func WithKeyStorage(v *objutil.KeyStorage) Option { return func(c *cfg) { - c.key = v + c.keyStorage = v } } diff --git a/pkg/services/object/search/remote.go b/pkg/services/object/search/remote.go index d597d3018..f3e4f87f5 100644 --- a/pkg/services/object/search/remote.go +++ b/pkg/services/object/search/remote.go @@ -2,26 +2,31 @@ package searchsvc import ( "context" - "crypto/ecdsa" "github.com/nspcc-dev/neofs-api-go/pkg/client" "github.com/nspcc-dev/neofs-api-go/pkg/object" "github.com/nspcc-dev/neofs-node/pkg/network" + "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/pkg/errors" ) type remoteStream struct { prm *Prm - key *ecdsa.PrivateKey + keyStorage *util.KeyStorage addr *network.Address } func (s *remoteStream) stream(ctx context.Context, ch chan<- []*object.ID) error { + key, err := s.keyStorage.GetKey(s.prm.common.SessionToken()) + if err != nil { + return errors.Wrapf(err, "(%T) could not receive private key", s) + } + addr := s.addr.NetAddr() - c, err := client.New(s.key, + c, err := client.New(key, client.WithAddress(addr), ) if err != nil { @@ -33,6 +38,7 @@ func (s *remoteStream) stream(ctx context.Context, ch chan<- []*object.ID) error WithContainerID(s.prm.cid). WithSearchFilters(s.prm.query.ToSearchFilters()), client.WithTTL(1), // FIXME: use constant + client.WithSession(s.prm.common.SessionToken()), ) if err != nil { return errors.Wrapf(err, "(%T) could not search objects in %s", s, addr) diff --git a/pkg/services/object/search/service.go b/pkg/services/object/search/service.go index 87c371d75..62f06fcd2 100644 --- a/pkg/services/object/search/service.go +++ b/pkg/services/object/search/service.go @@ -2,7 +2,6 @@ package searchsvc import ( "context" - "crypto/ecdsa" "io" "sync" @@ -12,6 +11,7 @@ import ( "github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore" "github.com/nspcc-dev/neofs-node/pkg/network" "github.com/nspcc-dev/neofs-node/pkg/services/object/search/query/v1" + objutil "github.com/nspcc-dev/neofs-node/pkg/services/object/util" "github.com/nspcc-dev/neofs-node/pkg/util" "github.com/pkg/errors" ) @@ -23,7 +23,7 @@ type Service struct { type Option func(*cfg) type cfg struct { - key *ecdsa.PrivateKey + keyStorage *objutil.KeyStorage localStore *localstore.Storage @@ -104,9 +104,9 @@ func readFullStream(s *Streamer, cap int) ([]*object.ID, error) { return res, nil } -func WithKey(v *ecdsa.PrivateKey) Option { +func WithKeyStorage(v *objutil.KeyStorage) Option { return func(c *cfg) { - c.key = v + c.keyStorage = v } } diff --git a/pkg/services/object/search/streamer.go b/pkg/services/object/search/streamer.go index df26a14bd..0a2f73203 100644 --- a/pkg/services/object/search/streamer.go +++ b/pkg/services/object/search/streamer.go @@ -160,9 +160,9 @@ loop: } } else { streamer = &remoteStream{ - prm: prm, - key: p.key, - addr: addr, + prm: prm, + keyStorage: p.keyStorage, + addr: addr, } }