From 26f30e7aceae876253debe3b3d6fad3744ccf152 Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Fri, 10 Sep 2021 11:07:26 +0300
Subject: [PATCH] [#255] Add expiration to access box
Signed-off-by: Denis Kirillov
---
 authmate/authmate.go | 2 +-
 cmd/authmate/main.go | 6 +++---
 creds/tokens/credentials.go | 10 +++++++---
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/authmate/authmate.go b/authmate/authmate.go
index a8aa928c2..2881ae0c8 100644
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@@ -227,7 +227,7 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 address, err := tokens.
 New(a.pool, secrets.EphemeralKey).
- Put(ctx, cid, oid, box, options.GatesPublicKeys...)
+ Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
 if err != nil {
 return fmt.Errorf("failed to put bearer token: %w", err)
 }
diff --git a/cmd/authmate/main.go b/cmd/authmate/main.go
index 59c5fff12..29f0b6b8f 100644
--- a/cmd/authmate/main.go
+++ b/cmd/authmate/main.go
@@ -26,8 +26,8 @@ import (
 const (
 poolConnectTimeout = 5 * time.Second
 poolRequestTimeout = 5 * time.Second
- // a number of 15-second blocks in a month.
- defaultLifetime = 172800
+ // a number of 1-hour epochs in a month.
+ defaultLifetime = 720
 )
 var (
@@ -199,7 +199,7 @@ func issueSecret() *cli.Command {
 },
 &cli.Uint64Flag{
 Name: "lifetime",
- Usage: "Lifetime of tokens in NeoFS epoch (number of blocks in sidechain)",
+ Usage: "Lifetime of tokens in NeoFS epoch",
 Required: false,
 Destination: &lifetimeFlag,
 Value: defaultLifetime,
diff --git a/creds/tokens/credentials.go b/creds/tokens/credentials.go
index c0111c8ce..4a945d1f6 100644
--- a/creds/tokens/credentials.go
+++ b/creds/tokens/credentials.go
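Review bot: The new comment on `defaultLifetime` in the first cmd/authmate/main.go hunk bakes in a 1-hour epoch, but epoch length is a per-network setting, so 720 is "a month" only on networks configured that way. Make the assumption explicit so an operator can check it against their network: `// a number of epochs in a month, assuming a 1-hour epoch duration (epoch length is set per network).` The `--lifetime` usage string in the second hunk has the same gap and also reads "epoch" where the value is a count, e.g. `Usage: "Lifetime of tokens in NeoFS epochs (epoch length depends on the network)"`. Because this value now also bounds how long the stored access box remains retrievable, a network with longer epochs would silently issue credentials valid for much longer than the comment suggests.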
@@ -21,7 +21,7 @@ type (
 // Credentials is a bearer token get/put interface.
 Credentials interface {
 GetBox(context.Context, *object.Address) (*accessbox.Box, error)
- Put(context.Context, *cid.ID, *owner.ID, *accessbox.AccessBox, ...*keys.PublicKey) (*object.Address, error)
+ Put(context.Context, *cid.ID, *owner.ID, *accessbox.AccessBox, uint64, ...*keys.PublicKey) (*object.Address, error)
 }
 cred struct {
@@ -100,7 +100,7 @@ func (c *cred) getAccessBox(ctx context.Context, address *object.Address) (*acce
 return &box, nil
 }
-func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *accessbox.AccessBox, keys ...*keys.PublicKey) (*object.Address, error) {
+func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *accessbox.AccessBox, expiration uint64, keys ...*keys.PublicKey) (*object.Address, error) {
 var (
 err error
 created = strconv.FormatInt(time.Now().Unix(), 10)
@@ -124,10 +124,14 @@ func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *acce
 filename.SetKey(object.AttributeFileName)
 filename.SetValue(created + "_access.box")
+ expirationAttr := object.NewAttribute()
+ expirationAttr.SetKey("__NEOFS__EXPIRATION_EPOCH")
+ expirationAttr.SetValue(strconv.FormatUint(expiration, 10))
+
 raw := object.NewRaw()
 raw.SetContainerID(cid)
 raw.SetOwnerID(issuer)
- raw.SetAttributes(filename, timestamp)
+ raw.SetAttributes(filename, timestamp, expirationAttr)
 ops := new(client.PutObjectParams).WithObject(raw.Object()).WithPayloadReader(bytes.NewBuffer(data))
 oid, err := c.pool.PutObject(
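Review bot: In the last credentials.go hunk the system attribute key `"__NEOFS__EXPIRATION_EPOCH"` is a bare literal at the `expirationAttr.SetKey(...)` call; hoist it to a named package-level constant (or the SDK's exported constant for this attribute, if the object package provides one) so the key cannot drift from the one storage nodes honour when they garbage-collect expired objects. The new `expiration` parameter is an absolute epoch, not a lifetime, and nothing validates it: a caller passing 0 gets an access box that is presumably already expired on the network, so an early guard such as `if expiration == 0 { return nil, <error: expiration epoch must be set> }` (using whichever error package the file already imports) would fail fast instead of storing unreachable credentials. The `Put` declaration in the first hunk above gains an unnamed `uint64`; a one-line doc comment on `Put` saying it is the NeoFS epoch after which the stored access box expires would make the contract clear to implementers. The body of `Put` continues past the end of the hunk.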