From 16e3421825b71b4f927da84467fe9d8c1089b57b Mon Sep 17 00:00:00 2001 From: Evgenii Stratonikov Date: Thu, 5 May 2022 14:00:30 +0300 Subject: [PATCH] [#1328] services/tree: Implement access control Signed-off-by: Evgenii Stratonikov --- pkg/services/tree/replicator.go | 14 +- pkg/services/tree/service.go | 22 ++- pkg/services/tree/service.pb.go | Bin 83904 -> 86587 bytes pkg/services/tree/service.proto | 6 + pkg/services/tree/service_neofs.pb.go | Bin 0 -> 41371 bytes pkg/services/tree/signature.go | 112 ++++++++++++-- pkg/services/tree/signature_test.go | 206 ++++++++++++++++++++++++++ pkg/services/tree/types_neofs.pb.go | Bin 0 -> 3011 bytes 8 files changed, 332 insertions(+), 28 deletions(-) create mode 100644 pkg/services/tree/service_neofs.pb.go create mode 100644 pkg/services/tree/signature_test.go create mode 100644 pkg/services/tree/types_neofs.pb.go diff --git a/pkg/services/tree/replicator.go b/pkg/services/tree/replicator.go index 87cced5b4..16399ef91 100644 --- a/pkg/services/tree/replicator.go +++ b/pkg/services/tree/replicator.go @@ -52,16 +52,10 @@ func (s *Service) replicateLoop(ctx context.Context) { func (s *Service) replicate(ctx context.Context, op movePair) error { req := newApplyRequest(&op) - // TODO(@fyrchik): #1328 access control - //err := signature.SignDataWithHandler(s.key, req, func(key, sign []byte) { - // req.Signature = &Signature{ - // Key: key, - // Sign: sign, - // } - //}) - //if err != nil { - // return fmt.Errorf("can't sign data: %w", err) - //} + err := signMessage(req, s.key) + if err != nil { + return fmt.Errorf("can't sign data: %w", err) + } nodes, err := s.getContainerNodes(op.cid) if err != nil { diff --git a/pkg/services/tree/service.go b/pkg/services/tree/service.go index 8cf6236cd..9647e0b87 100644 --- a/pkg/services/tree/service.go +++ b/pkg/services/tree/service.go @@ -6,9 +6,9 @@ import ( "errors" "fmt" - "github.com/nspcc-dev/neofs-api-go/v2/signature" "github.com/nspcc-dev/neofs-node/pkg/local_object_storage/pilorama" cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id" + "github.com/nspcc-dev/neofs-sdk-go/eacl" "go.uber.org/zap" ) @@ -61,7 +61,7 @@ func (s *Service) Add(_ context.Context, req *AddRequest) (*AddResponse, error) return nil, err } - err := s.verifyClient(req, cid, req.GetSignature().GetKey()) + err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut) if err != nil { return nil, err } @@ -91,7 +91,7 @@ func (s *Service) AddByPath(_ context.Context, req *AddByPathRequest) (*AddByPat return nil, err } - err := s.verifyClient(req, cid, req.GetSignature().GetKey()) + err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut) if err != nil { return nil, err } @@ -133,7 +133,7 @@ func (s *Service) Remove(_ context.Context, req *RemoveRequest) (*RemoveResponse return nil, err } - err := s.verifyClient(req, cid, req.GetSignature().GetKey()) + err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut) if err != nil { return nil, err } @@ -164,7 +164,7 @@ func (s *Service) Move(_ context.Context, req *MoveRequest) (*MoveResponse, erro return nil, err } - err := s.verifyClient(req, cid, req.GetSignature().GetKey()) + err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut) if err != nil { return nil, err } @@ -194,6 +194,11 @@ func (s *Service) GetNodeByPath(_ context.Context, req *GetNodeByPathRequest) (* return nil, err } + err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationGet) + if err != nil { + return nil, err + } + attr := b.GetPathAttribute() if len(attr) == 0 { attr = pilorama.AttributeFilename @@ -255,6 +260,11 @@ func (s *Service) GetSubTree(req *GetSubTreeRequest, srv TreeService_GetSubTreeS return err } + err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationGet) + if err != nil { + return err + } + queue := []nodeDepthPair{{[]uint64{b.GetRootId()}, 0}} for len(queue) != 0 { @@ -293,7 +303,7 @@ func (s *Service) GetSubTree(req *GetSubTreeRequest, srv TreeService_GetSubTreeS // Apply locally applies operation from the remote node to the tree. func (s *Service) Apply(_ context.Context, req *ApplyRequest) (*ApplyResponse, error) { - err := signature.VerifyServiceMessage(req) + err := verifyMessage(req) if err != nil { return nil, err } diff --git a/pkg/services/tree/service.pb.go b/pkg/services/tree/service.pb.go index 6a58fd550146c35f0330ee8ad8d9ba9180ffc10d..50027db5ce42316405ac22fd02517cc3a3239e9a 100644 GIT binary patch delta 4423 zcmb_f3s6+o8J@H5-ra=@EXcz0*mV(vKo;0tb{8-a#K$nz62q8enzSMqahhfVM$Od8 zw8nJWG1XL*FZOma#*j9dG)-fe?$jr;ivk7|7H|};gqKN7up$N!qbNP++*Q$%XeMEX zJNKUFfBx_BpY>L#4!*0Z9$PAE=arVMDP8kK`SYb^*j!|q@3fS!US}yQd7*U93f{GR z9qY6FYHfL$zl9IBtX@;Tt~_I=nRU#bIe9EDKW(a1tK30POeoPN2Ge&0J)sWHFI_iz zx4bQhfs?;Wk`3_tJA^>oV*pteB4KowmEP%rO6PbQ0yhxbra;#a%>ImEpc|*3Jz>;*LMKJOBFM z>6)xn7PED|)$TsF=Ou-v#KpgC&<)Rm^_UXHbppy-5@GI{>Gte@UxAZXL!dhuptiGt zE@x$P1g;;}rUYoM>oXm^jW6h0A@}oVDSO(o*wgAn-5>>Ve=w|r%3G_Ta3s>4$(M9~ z>mpcDW5bgZv(ZwMgyJzJPIRPV)*-7RK#Q$4k=WLjg2%?fFwrHlruNHu2x&2~*W%;p zxH*c6yL*6Y9ojIJJw|xL3QvQP3F$UyA`7I)hQ+5urb?Ly<2` zu_7BD&m1~xhmB+-)0>E0SDdKyTJTC^9wxkIw!rprBdQM>pgV4={944)FVbMH)uMMS zWyg9l6W)C>c%1&Xwrg?t#3Ml^EF;hI16x_jqj1$1>QDIs+&nBmb1ITXvjEGF2yA`b zH{nQcT?p?H0bhR}kLn&fe650pE@OAHgAMg8Md~?z{=(j+*ebuqo--q`A(yRC-4}`8 zK_$}q;<33QPGGpXY}iRZx9k(q+hAd%JflWD+?YYZj=lwv478Z|Kp?x&e#CGu$aIDH z`(ez^@QcQHoc6fz+K>~L3*nVr20Z6Y#;X_1C_ZXJn>QWaMl*J|i4<;urc8&yqk24E z_b4{k&h#hT1>a{8lM>Fb7C0c*rVMt(l}+&|9@e6#NsYfWS+HSXCW89a=o~g9sM$a> zpN^c7Xp}V@M3y8+Hm9-!`}Y{}adVcmNKK45aNUl;wlMspIS|@$r&LBroHS2K(hysx z$Ho&T=*}=i?G$$tR({ff;Nhf6!s4u{Xo;s_8_?aIz#pUY|ba(nn^VQW0a+kmQ` z1g!l!0>!7a40Fur6p`jJRZ?!!Nrk;}e#)BgVW%$IMl(s(#u;XPmWO_qV#VYK0@A?% z*?vGj1(tE&fhA{EDOUMxQW_zm6rvzZh*G5%8&xN})~%ZCf-8KcUSjJx@rA zRI8x%@uQ=EB#7)t3S_+IVV9I(QO68OKBII=MND|NL)KsXp%m#FA+x9e?KIt@d-wQ4 zqFEt(+PyBOaesF8S%Oo;k0aI>jkzQF*m@)s;(0CRdc;bfh;^-@Sk;+Gh0n6cWwh;J z2Hx*8_|>7II*v!psF})xTT4}g9;dDb|Gy=QNw*Wsv+-?y=$h<@Iev^dUN-iWlk8&R zzV-1P4!QaCEa{&L5{7MO1Z*8jL;kfO9KUYn0$O|~QL0i9gWLM~n>@Y7+v&}6vc0Ss z{K+|Eb4WXtq?qPa!|-W8n@@ReV6XPBd|W!mUZtvOBymR@(ZV{Qq$4fgSBt?mzE_r9 z8SK;n)A9F6D0u>dUU&yA+ZadK#6LAhi>F^$36AB{u(saSnZuX3(pExx{7wS1yXj_s!Y zAe5cUp}rge_u;5}4D}98=q6KEO)liD$uya?#MCO}jN_QPN>O`miPWkjyntNx7*W#| zzzkH%RS<1xhFpDQpWte5zZ^qVnT(IV3c+B5h&TSDljaDNQyb1^qq*to!g_wrV%?VUy4W_4Zw;|W?*o{0?&CP=70GVwvGzOJDThl z6QA}q1V3-pH~P)py5q5(52cdk;FYF4m&nkaw+f+mYA%xcH( z0h?4LP>*45d3|7EWtTu*_z_k>DrxwuZzxea5XXi*L`fU&ZaG#?6xj~<;_i0{s=t}; zPP#OW;9rODEqxD&)RY$-TKkfx^vlUeG4(OKL;6qwlh=y^VYiw%*)eN|;`o&#>@q9S zQl3EaX{SN1;7;U?&2Ue2Eh4nQ=uy}bi?b)g?pRx_l9M&>yptEbBI5`7KH_~M%V+lCgPV0^BeU(fXzPLrZz!Ibv~#uKSk zATfAmeBSppHe9@s5zV5@mW4IRSgn+%=o^T^lQ%74Y=~VR;va~1PXs==nJvTWkh)dG z3FAZ}r|nyNWAJv3aEB8W6MB06bl~&^H6Y6CcP8{ZJ|-!CKaR%R9V%*StygTQ+8ct3 zMk=p?+46BOoDGt~2`$ItghWU=ge+zdQp)LBg-wv^31OS6P}H`R&j_)vsj3^NG~k9uwk_-LOQSPBHmx39IZj?x?mB%srYSO;d zKX*v~5J)N~gr7Cs%`@r!PP!nF0(O0KN-wC11rt}2`6>F<#2_;$lhce}1zCBQf;FUo q_t4}p0?I#LC=I1@+QWn}2OjNRf7iTVAE(IMZS zCRJT11V2TmRjYE*q@rn*3~NISasf)95R6IMKm){t%bH*k96}%^luZ6(2#p5!hzo-a|FKJXtk*%+rv2Af8 z&aYJAyk3rLzn7!A@wb6p%V)`@Oy3&;o|%NT>jai*gwLwOzQs!e3G19Pq^;2f4!k`r zwpYt$QOanTsbv|j29CcQk)h2Z52SB7twhbU21Gpq>`emndlS*}A^)xkG&k;21Wx*E z^(fdgmu1;dvR57u_Il;=xBk$u!cMonNX&Tr&p%=*R-*4FH4_}B3w%xV#6gPO=>rG*+bOcObPz!u}2|etCBxY6omA(FX9BvH41_|Aq}!C+ETu78BUMyZcfR zj?PByO<7U}dy(TEcNwq9<>Jo@Hw+!WpsyH+jjl41G`!c5gOXr5u6GooDOimKr|fvr z#b2nw^zLNrKIOo&ZV{hfv0?I*3+>$^6%52k?<&bW7Exf=x3ggUPLWXOL~E-PUw>~# z?RU@n+ZDW;m)i2sa9oD1S6$Nbn=Cj6+<0dLOvydJ~ zqZ+91=;&$%5fBVnA@rmoZB&WvcN8#Qs6gYBY^?6mqBkTU+^5I2_B04#wK)cNeMO86 z(zA}&8oE%4&ApkjdcJUWRif>oh95oMt{?{5m_TgU-(|-GY*HB7@q>q0VTt;_O#*Fh6WU?FCC5YAHKo zJPC%LTz|U;U$jffzw2?K{$df$)e)Qju@#f&444?xG1T-Z?lxhlUxoILOcY+qp_?^C zMpp`CF@sHg=qo~AC5Yb0P2*IHb?x;?{Yr#$)Jfl$V{QLTTBRdtyta>f^BCzwz9n(P zcQ2o&>xc>)`Yk-g^3$#>>I2q?dkIVzybSRaR<=sw&nF{OQMd5Dl|3cAv1Q>LB#h3$ z?yv#cV`V=}lvnyQrgpq@oETsW3R63#^9iwHVV|15t6>$s)o<4qdMxcr!W=k&{Nu8<@`A&MWD3Nnaw$MxIA_L=G8~;U^=rrRqHn zgw7UlyTFk?0rQT1gw}hpkfR*ho*7KgJ}$i()NW)HXd24q;EMD)EqR8KT#3n1I|f3T z`WU@e#OUqBg8NQh?wYYmS|Sh)PTjZS&~-Cci+}7n9$GhQ#nLh91cth*nVE9>`%mU! z_hUDYALy>e+Pi7~UJWc?S77sLHMdgY38X(fm>_4bV>y3&RD(@pB0lUdhG!x}a_bK! z3Te85806)Ame8P)WFb0{&p9c^CHejj$ygf_Y0WfN*^zPasp7-YB#6x2R`uj#X?q5? z_LVSyaAAmjmW@d4a8K4?{)i|MYvo8HzB$Wg#4%nvZB{Zbb#$^>A+52Y)3vjaq|)nh zQo{MV^B#-an6&qIl>ew5G*2k0D3XHsbdhvwI==|f^8)ftn&X2-`gzBLN;I@)v*DJ- zrkb4QOe49>{WJ%!zDbxsbt#ggx?kt6!bS#ry7>&CpUX)O)yhe(oc-i@jc!aJd9+qe zN|SiX&!yMwJj@2`#o=OvE-GoIg6VwsDWlBGF^|iQn{qDIi$p=!6C%+2a#F%aQUmJ=BPpeuG{j7^)lAdH9cnh&3+N6tDUx<&6IZ~E zD6D!ki^_H!JCR4I|_>HPH|c@=xdCgJANHLyQeNHLjg2!Qq<% z-L54`IMS6u4{O4=)6>v)a#T_&kQIt*0bva$O|uF5H)UN++P_-rgP`>F-z0=Kd3wRJ)0rj)<*=M6*jWn#H>G$==8-AEX@v|ToO-9%jc zi23F;q##~eE0Sc1I;ZO1NGF%I62N8-F(F0s?Y`LzGv)pTnj WyF#!|weFbZyIJ7S-xJC9+5ZKkS3-CI diff --git a/pkg/services/tree/service.proto b/pkg/services/tree/service.proto index 0da34f652..fa19ff0eb 100644 --- a/pkg/services/tree/service.proto +++ b/pkg/services/tree/service.proto @@ -36,6 +36,7 @@ message AddRequest { string tree_id = 2; uint64 parent_id = 3; repeated KeyValue meta = 4; + bytes bearer_token = 5; } Body body = 1; @@ -59,6 +60,7 @@ message AddByPathRequest { string path_attribute = 3; repeated string path = 4; repeated KeyValue meta = 5; + bytes bearer_token = 6; } Body body = 1; @@ -81,6 +83,7 @@ message RemoveRequest { bytes container_id = 1; string tree_id = 2; uint64 node_id = 3; + bytes bearer_token = 4; } Body body = 1; @@ -104,6 +107,7 @@ message MoveRequest { uint64 parent_id = 3; uint64 node_id = 4; repeated KeyValue meta = 5; + bytes bearer_token = 6; } Body body = 1; @@ -128,6 +132,7 @@ message GetNodeByPathRequest { repeated string attributes = 5; bool latest_only = 6; bool all_attributes = 7; + bytes bearer_token = 8; } Body body = 1; @@ -157,6 +162,7 @@ message GetSubTreeRequest { // Optional depth of the traversal. Zero means return only root. // Maximum depth is 10. uint32 depth = 4; + bytes bearer_token = 5; } Body body = 1; diff --git a/pkg/services/tree/service_neofs.pb.go b/pkg/services/tree/service_neofs.pb.go new file mode 100644 index 0000000000000000000000000000000000000000..5f86e75835d43fcebf53ca73293f4473c95ce125 GIT binary patch literal 41371 zcmeHQT~8Z16n$=fh1I9PLZYSJ?y3?GP*y9XZK;5Ls;X*|I56tOlbvyZY}Nn1*LTJf zU&j-ml)*Dts?<{a?Q^fsJ^q;CkiAPMoLz9ivq;%U*9dWM?uOCHyS@kF$)+MJ944FFDKAf231(!(vgiXtbEJX`0O< zIe>gc)@(6`EIen|P<4?nnsGLbc`{*FQL=zvT}D^XP*tS*)hHHGw#4EGz3D=XS^tJ@ zA512v{9i~dzZ|BM<(AQ^{ub+FV`3q<*tgyb{Nb1VqEUmxrR2G4egD@Tb~AXF3K_*P zn8%YXJL#FsVsU|K_f*<*7(7R^e~yKG^BR-AQpr9>85a^0LibtB-tMz35-|EVgZErU zs!dj-K0rtK1nMh>2g`b`%2Me+#h;;R-|g0|I`W%JdB~yK>^%L-1*9%!21l*;-I%ub zQI=mu37Zvv=hk$UgI&y8F-JL0cR538HsP6`&EqM9DW39-C0tyXKZ6Z~2yhjdYrq+^9&UD#;}rARCp&oUS{F2?CXNS*=6uP@{AC7Z+(CQ^x+ui14L zOPC%+$|Qne1sKm0E_t$4g|ZWXP<9>Xe23t)Y%+kfC{zIrvqP&?k&+ADrfNR!4_A%* z+W=e6M_<{>r_Uq6=2rQ)LP@O5X@8%II6=^qvsxtl28e(^kVa)TQsIv|j22_R5&-oP{~* zoM2IQ&O6zcU8-eax_B@$yLe)9b}?vlIy2avo!M!Hkcb$eGH-&({E2+$J=~@>e(0gl zfuj4heUmFSy3n)uLPTl>2tLYZAEkkzkq!v<%{^HV(=By4suH2LDc2O>a8(Y_u1xxr zM-!ERPma_gG>wxaS8kzPJ@Gfi0;9+gu1vQsoK{uWvBwEHEwD;KQYuc883!770{sVOa)fdG~btnnedz${PISJOX=CPE9U z#T@AoGTYi-Yij@;D)hvO8UP0ufdS=GjVbzMpv@O-yZRBU0Op{7&Gyx(=%Mr`3drZF z$oYN40E4vSGWG$YDx~b?n5sD&W=eoFz(yhL@BIeNwU$lT259xy>d?& z3OCOXiy_xcpje4EM%LDXia7#B>|hv6k>Rl&T8Pvwbr@veh;0#AfP!dZW^A~Q{e$Qs^dNr6ZOg<6uTcTGJRELmc6(ok8HMJG&gon095B*(@ zafi61#T&o1afuDiZU!e-FPn-`tZKUwrW9ey91Ub=dl+u+zB< zq&ARRs%N_Kp{*sbTI(3m%D^f22q!Xr(y@hG(AjNTt95XSt;ai`v1a^jKBjTXXXzF9 zMtnCoE{gBfW_+FWjbgh~DN{MZDG_o~0sOE!65jMFk$Q}IykZh{*1>t??%ow5w~}llvx9uw>S7~Y z+p4qG0hAtZ5n>pj6c~#7~qpE2Sr#BE~mOf(Ei(2W*em zW+F@aB%~U4XiKT|5Q9TYy@P4mW!7+%=Xh$^K(Qv5&LEh&M{58v2jB^w*HNzw*{7vk zslziDzCXp|K!(Sz&BB;&sl&;IJB;nV!$@)2!I*<|u#td+)YyS&qX?XCKNlR7UC)%= z0*H?3)BYT!TgR&ro6o4iyKzcy(dTYGd0NbzP)N_`8x$4w7V3q1AiLe}oq%ynkWhRx|N9(PU9LQ8E(a%$1@01qS^d`FXdtUMc BD-fI`|U9Econ6`K^)t=72a)jOmjM3 z!?>FX*u~atJUd>=b6ExO6ml_E=>|`D=g$od+%ezu>8Q0sacUCsJAS~a@=|&A1*hOL zTH!KGTzKR%HlXp2##`f7)&SZD>%9kcuv{5xm}s5hR99y{u;%pe8Y3PV@sC?-IN#Oo z^Idfa?SA;&=%!@dFt>bn@@z3upG@@j6`j*GExviW9*)1-!xb0rn;h{uK3Y#x;noZ$ z!aYc*p09F{kfLiXX*!3V!hX$wdXzx z_kzz?@a#CD*Zpjq(d&v^P3aHj^JM9bU~iF$Ga%c2fgc5Ix7gV$_oZi7g7^fRqa@hX_IuDO{=^Hul(F)!B`9*ZH98fA8$Bt=LWw zgagWi%?P#;wHWqmKJE-^S8{1f{1U;yzo+96Jhg@}V@emSgrz^~-pkk2{S5pYYd5_5 zeWglKHM5y!Km*HAL5U)#;c!i7+76cq;<6umI2?h%O;b*FtSn_>-Ox1qUJJv-4p1qn z07W7zVNj7}HU&=#NO=lE8VBCMMsY*qadS_ZVL+x>m1wZs*`{zqf~XDGIO?cgQzprM zQ!AT;6D!-&plCSJ{Qp(_#znuCzZN32mb<%Okcz|lXnnw~D<=~WytJ2%oWAh!DHza? zYAm=_-Cc4GfQ&MDUIW8_|7cI-c$|2BSCIi_S7`jF7Cs+OOloQUx5Q-pV@a{&U3-+ zhJV67z2AfXcAK`V&^O>E+h>;T1NEEmoME~<`|Xi%`+tl5fOb$vcImD&eK?;162AC6 literal 0 HcmV?d00001