From 721df386c59999dd3566b9c3fa7429d944e16bff Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Tue, 21 Jun 2022 17:50:39 +0300 Subject: [PATCH] [#276] container: Remove session token and signature from Container/eACL Session token and signature isn't presented in `Container` and `EACLTable` messages of NeoFS API V2 protocol. These entities are needed for access control and doesn't carry payload of these messages. Remove `SetSessionToken` / `SessionToken` methods of `container.Container` and `eacl.Table` types. Provide methods to specify these components in corresponding `Client` operations. Signed-off-by: Leonard Lyubich --- client/container.go | 83 +++++++++++++++++-------------------- container/container.go | 28 ------------- container/container_test.go | 13 ------ eacl/table.go | 26 ------------ eacl/table_test.go | 12 ------ pool/pool.go | 43 +++++++++++++++---- 6 files changed, 74 insertions(+), 131 deletions(-) diff --git a/client/container.go b/client/container.go index 90816772..a1f7dff0 100644 --- a/client/container.go +++ b/client/container.go @@ -24,6 +24,9 @@ type PrmContainerPut struct { cnrSet bool cnr container.Container + + sessionSet bool + session session.Container } // SetContainer sets structured information about new NeoFS container. @@ -33,6 +36,19 @@ func (x *PrmContainerPut) SetContainer(cnr container.Container) { x.cnrSet = true } +// WithinSession specifies session within which container should be saved. +// +// Creator of the session acquires the authorship of the request. This affects +// the execution of an operation (e.g. access control). +// +// Session is optional, if set the following requirements apply: +// - session operation MUST be session.VerbContainerPut (ForVerb) +// - token MUST be signed using private key of the owner of the container to be saved +func (x *PrmContainerPut) WithinSession(s session.Container) { + x.session = s + x.sessionSet = true +} + // ResContainerPut groups resulting values of ContainerPut operation. type ResContainerPut struct { statusRes @@ -104,9 +120,9 @@ func (c *Client) ContainerPut(ctx context.Context, prm PrmContainerPut) (*ResCon var meta v2session.RequestMetaHeader prm.prmCommonMeta.writeToMetaHeader(&meta) - if tok := prm.cnr.SessionToken(); tok != nil { + if prm.sessionSet { var tokv2 v2session.Token - tok.WriteToV2(&tokv2) + prm.session.WriteToV2(&tokv2) meta.SetSessionToken(&tokv2) } @@ -241,26 +257,6 @@ func (c *Client) ContainerGet(ctx context.Context, prm PrmContainerGet) (*ResCon cnr := container.NewContainerFromV2(body.GetContainer()) - tokv2 := body.GetSessionToken() - if tokv2 != nil { - var tok session.Container - - // FIXME: (neofs-sdk-go#221) need to handle the error - err := tok.ReadFromV2(*tokv2) - if err == nil { - cnr.SetSessionToken(&tok) - } - } - - var sig *neofscrypto.Signature - - if sigv2 := body.GetSignature(); sigv2 != nil { - sig = new(neofscrypto.Signature) - sig.ReadFromV2(*sigv2) - } - - cnr.SetSignature(sig) - res.setContainer(cnr) } @@ -589,26 +585,6 @@ func (c *Client) ContainerEACL(ctx context.Context, prm PrmContainerEACL) (*ResC table := eacl.NewTableFromV2(body.GetEACL()) - tokv2 := body.GetSessionToken() - if tokv2 != nil { - var tok session.Container - - // FIXME: (neofs-sdk-go#221) need to handle the error - err := tok.ReadFromV2(*tokv2) - if err == nil { - table.SetSessionToken(&tok) - } - } - - var sig *neofscrypto.Signature - - if sigv2 := body.GetSignature(); sigv2 != nil { - sig = new(neofscrypto.Signature) - sig.ReadFromV2(*sigv2) - } - - table.SetSignature(sig) - res.setTable(table) } @@ -626,6 +602,9 @@ type PrmContainerSetEACL struct { tableSet bool table eacl.Table + + sessionSet bool + session session.Container } // SetTable sets eACL table structure to be set for the container. @@ -635,6 +614,22 @@ func (x *PrmContainerSetEACL) SetTable(table eacl.Table) { x.tableSet = true } +// WithinSession specifies session within which extended ACL of the container +// should be saved. +// +// Creator of the session acquires the authorship of the request. This affects +// the execution of an operation (e.g. access control). +// +// Session is optional, if set the following requirements apply: +// - if particular container is specified (ApplyOnlyTo), it MUST equal the container +// for which extended ACL is going to be set +// - session operation MUST be session.VerbContainerSetEACL (ForVerb) +// - token MUST be signed using private key of the owner of the container to be saved +func (x *PrmContainerSetEACL) WithinSession(s session.Container) { + x.session = s + x.sessionSet = true +} + // ResContainerSetEACL groups resulting values of ContainerSetEACL operation. type ResContainerSetEACL struct { statusRes @@ -690,9 +685,9 @@ func (c *Client) ContainerSetEACL(ctx context.Context, prm PrmContainerSetEACL) var meta v2session.RequestMetaHeader prm.prmCommonMeta.writeToMetaHeader(&meta) - if tok := prm.table.SessionToken(); tok != nil { + if prm.sessionSet { var tokv2 v2session.Token - tok.WriteToV2(&tokv2) + prm.session.WriteToV2(&tokv2) meta.SetSessionToken(&tokv2) } diff --git a/container/container.go b/container/container.go index d51d60db..d26ce12d 100644 --- a/container/container.go +++ b/container/container.go @@ -9,19 +9,13 @@ import ( "github.com/nspcc-dev/neofs-api-go/v2/refs" "github.com/nspcc-dev/neofs-sdk-go/acl" cid "github.com/nspcc-dev/neofs-sdk-go/container/id" - neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto" "github.com/nspcc-dev/neofs-sdk-go/netmap" - "github.com/nspcc-dev/neofs-sdk-go/session" "github.com/nspcc-dev/neofs-sdk-go/user" "github.com/nspcc-dev/neofs-sdk-go/version" ) type Container struct { v2 container.Container - - token *session.Container - - sig *neofscrypto.Signature } // New creates, initializes and returns blank Container instance. @@ -185,28 +179,6 @@ func (c *Container) SetPlacementPolicy(v *netmap.PlacementPolicy) { c.v2.SetPlacementPolicy(m) } -// SessionToken returns token of the session within -// which container was created. -func (c Container) SessionToken() *session.Container { - return c.token -} - -// SetSessionToken sets token of the session within -// which container was created. -func (c *Container) SetSessionToken(t *session.Container) { - c.token = t -} - -// Signature returns signature of the marshaled container. -func (c Container) Signature() *neofscrypto.Signature { - return c.sig -} - -// SetSignature sets signature of the marshaled container. -func (c *Container) SetSignature(sig *neofscrypto.Signature) { - c.sig = sig -} - // Marshal marshals Container into a protobuf binary form. func (c *Container) Marshal() ([]byte, error) { return c.v2.StableMarshal(nil), nil diff --git a/container/container_test.go b/container/container_test.go index 41a52fc2..2b2a04aa 100644 --- a/container/container_test.go +++ b/container/container_test.go @@ -9,7 +9,6 @@ import ( "github.com/nspcc-dev/neofs-sdk-go/container" containertest "github.com/nspcc-dev/neofs-sdk-go/container/test" netmaptest "github.com/nspcc-dev/neofs-sdk-go/netmap/test" - sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test" usertest "github.com/nspcc-dev/neofs-sdk-go/user/test" "github.com/nspcc-dev/neofs-sdk-go/version" versiontest "github.com/nspcc-dev/neofs-sdk-go/version/test" @@ -75,16 +74,6 @@ func TestContainerEncoding(t *testing.T) { }) } -func TestContainer_SessionToken(t *testing.T) { - tok := sessiontest.Container() - - cnr := container.New() - - cnr.SetSessionToken(tok) - - require.Equal(t, tok, cnr.SessionToken()) -} - func TestContainer_ToV2(t *testing.T) { t.Run("nil", func(t *testing.T) { var x *container.Container @@ -96,8 +85,6 @@ func TestContainer_ToV2(t *testing.T) { cnt := container.New() // check initial values - require.Nil(t, cnt.SessionToken()) - require.Nil(t, cnt.Signature()) require.Nil(t, cnt.Attributes()) require.Nil(t, cnt.PlacementPolicy()) require.Nil(t, cnt.OwnerID()) diff --git a/eacl/table.go b/eacl/table.go index fda5fd9d..a17d78a4 100644 --- a/eacl/table.go +++ b/eacl/table.go @@ -7,8 +7,6 @@ import ( v2acl "github.com/nspcc-dev/neofs-api-go/v2/acl" "github.com/nspcc-dev/neofs-api-go/v2/refs" cid "github.com/nspcc-dev/neofs-sdk-go/container/id" - neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto" - "github.com/nspcc-dev/neofs-sdk-go/session" "github.com/nspcc-dev/neofs-sdk-go/version" ) @@ -18,8 +16,6 @@ import ( type Table struct { version version.Version cid *cid.ID - token *session.Container - sig *neofscrypto.Signature records []Record } @@ -60,28 +56,6 @@ func (t *Table) AddRecord(r *Record) { } } -// SessionToken returns token of the session -// within which Table was set. -func (t Table) SessionToken() *session.Container { - return t.token -} - -// SetSessionToken sets token of the session -// within which Table was set. -func (t *Table) SetSessionToken(tok *session.Container) { - t.token = tok -} - -// Signature returns Table signature. -func (t Table) Signature() *neofscrypto.Signature { - return t.sig -} - -// SetSignature sets Table signature. -func (t *Table) SetSignature(sig *neofscrypto.Signature) { - t.sig = sig -} - // ToV2 converts Table to v2 acl.EACLTable message. // // Nil Table converts to nil. diff --git a/eacl/table_test.go b/eacl/table_test.go index 0c525f53..bed135c2 100644 --- a/eacl/table_test.go +++ b/eacl/table_test.go @@ -8,7 +8,6 @@ import ( cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test" "github.com/nspcc-dev/neofs-sdk-go/eacl" eacltest "github.com/nspcc-dev/neofs-sdk-go/eacl/test" - sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test" "github.com/nspcc-dev/neofs-sdk-go/version" "github.com/stretchr/testify/require" ) @@ -92,15 +91,6 @@ func TestTableEncoding(t *testing.T) { }) } -func TestTable_SessionToken(t *testing.T) { - tok := sessiontest.Container() - - table := eacl.NewTable() - table.SetSessionToken(tok) - - require.Equal(t, tok, table.SessionToken()) -} - func TestTable_ToV2(t *testing.T) { t.Run("nil", func(t *testing.T) { var x *eacl.Table @@ -116,8 +106,6 @@ func TestTable_ToV2(t *testing.T) { require.Nil(t, table.Records()) _, set := table.CID() require.False(t, set) - require.Nil(t, table.SessionToken()) - require.Nil(t, table.Signature()) // convert to v2 message tableV2 := table.ToV2() diff --git a/pool/pool.go b/pool/pool.go index 8856b1d9..fdfaa84c 100644 --- a/pool/pool.go +++ b/pool/pool.go @@ -114,10 +114,7 @@ func (c *clientWrapper) balanceGet(ctx context.Context, prm PrmBalanceGet) (*acc } func (c *clientWrapper) containerPut(ctx context.Context, prm PrmContainerPut) (*cid.ID, error) { - var cliPrm sdkClient.PrmContainerPut - cliPrm.SetContainer(prm.cnr) - - res, err := c.client.ContainerPut(ctx, cliPrm) + res, err := c.client.ContainerPut(ctx, prm.prmClient) if err != nil { return nil, err } @@ -184,6 +181,10 @@ func (c *clientWrapper) containerSetEACL(ctx context.Context, prm PrmContainerSe var cliPrm sdkClient.PrmContainerSetEACL cliPrm.SetTable(prm.table) + if prm.sessionSet { + cliPrm.WithinSession(prm.session) + } + if _, err := c.client.ContainerSetEACL(ctx, cliPrm); err != nil { return err } @@ -720,15 +721,26 @@ func (x *PrmObjectSearch) SetFilters(filters object.SearchFilters) { // PrmContainerPut groups parameters of PutContainer operation. type PrmContainerPut struct { - cnr container.Container + prmClient sdkClient.PrmContainerPut waitParams WaitParams waitParamsSet bool } -// SetContainer specifies structured information about new NeoFS container. +// SetContainer container structure to be used as a parameter of the base +// client's operation. +// +// See github.com/nspcc-dev/neofs-sdk-go/client.PrmContainerPut.SetContainer. func (x *PrmContainerPut) SetContainer(cnr container.Container) { - x.cnr = cnr + x.prmClient.SetContainer(cnr) +} + +// WithinSession specifies session to be used as a parameter of the base +// client's operation. +// +// See github.com/nspcc-dev/neofs-sdk-go/client.PrmContainerPut.WithinSession. +func (x *PrmContainerPut) WithinSession(s session.Container) { + x.prmClient.WithinSession(s) } // SetWaitParams specifies timeout params to complete operation. @@ -805,15 +817,30 @@ func (x *PrmContainerEACL) SetContainerID(cnrID cid.ID) { type PrmContainerSetEACL struct { table eacl.Table + sessionSet bool + session session.Container + waitParams WaitParams waitParamsSet bool } -// SetTable specifies eACL table structure to be set for the container. +// SetTable sets structure of container's extended ACL to be used as a +// parameter of the base client's operation. +// +// See github.com/nspcc-dev/neofs-sdk-go/client.PrmContainerSetEACL.SetTable. func (x *PrmContainerSetEACL) SetTable(table eacl.Table) { x.table = table } +// WithinSession specifies session to be used as a parameter of the base +// client's operation. +// +// See github.com/nspcc-dev/neofs-sdk-go/client.PrmContainerSetEACL.WithinSession. +func (x *PrmContainerSetEACL) WithinSession(s session.Container) { + x.session = s + x.sessionSet = true +} + // SetWaitParams specifies timeout params to complete operation. // If not provided the default one will be used. // Panics if any of the wait params isn't positive.