[#329] Add multiple session tokens in authmate

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
Denis Kirillov 2022-01-26 09:57:11 +03:00 committed by Alex Vanin
parent 3686828577
commit 13664135c5
2 changed files with 58 additions and 14 deletions


@ -384,20 +384,21 @@ func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) {
return table, nil return table, nil
} }
func buildContext(rules []byte) (*session.ContainerContext, error) { func buildContext(rules []byte) ([]*session.ContainerContext, error) {
sessionCtx := session.NewContainerContext() // wildcard == true on by default var sessionCtxs []*session.ContainerContext
if len(rules) != 0 { if len(rules) != 0 {
// cast ToV2 temporary, because there is no method for unmarshalling in ContainerContext in api-go // cast ToV2 temporary, because there is no method for unmarshalling in ContainerContext in api-go
err := sessionCtx.UnmarshalJSON(rules) err := json.Unmarshal(rules, &sessionCtxs)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read rules for session token: %w", err) return nil, fmt.Errorf("failed to unmarshal rules for session token: %w", err)
} }
return sessionCtx, nil return sessionCtxs, nil
} }
sessionCtx := session.NewContainerContext()
sessionCtx.ForPut() sessionCtx.ForPut()
sessionCtx.ApplyTo(nil) return []*session.ContainerContext{sessionCtx}, nil
return sessionCtx, nil
} }
func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) { func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) {
@ -441,14 +442,18 @@ func buildSessionToken(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOpt
return tok, tok.Sign(&key.PrivateKey) return tok, tok.Sign(&key.PrivateKey)
} }
func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctx *session.ContainerContext, gatesKeys []*keys.PublicKey) ([]*session.Token, error) { func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctxs []*session.ContainerContext, gatesKeys []*keys.PublicKey) ([][]*session.Token, error) {
sessionTokens := make([]*session.Token, 0, len(gatesKeys)) sessionTokens := make([][]*session.Token, 0, len(gatesKeys))
for _, gateKey := range gatesKeys { for _, gateKey := range gatesKeys {
tkns := make([]*session.Token, len(ctxs))
for i, ctx := range ctxs {
tkn, err := buildSessionToken(key, oid, lifetime, ctx, gateKey) tkn, err := buildSessionToken(key, oid, lifetime, ctx, gateKey)
if err != nil { if err != nil {
return nil, err return nil, err
} }
sessionTokens = append(sessionTokens, tkn) tkns[i] = tkn
}
sessionTokens = append(sessionTokens, tkns)
} }
return sessionTokens, nil return sessionTokens, nil
} }
@ -480,7 +485,7 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci
return nil, err return nil, err
} }
for i, sessionToken := range sessionTokens { for i, sessionToken := range sessionTokens {
gates[i].SessionToken = sessionToken gates[i].SessionToken = sessionToken[0]
} }
} }
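Review bot: `gates[i].SessionToken = sessionToken[0]` keeps only the first session token of each gate and silently discards the others, so the extra contexts that buildContext now parses from the rules file (e.g. DELETE or SETEACL alongside PUT) never reach the issued credentials; if that is intentional until the gate struct can carry a list, a comment saying so would stop the next reader from assuming multi-token issuance already works. The index is also unchecked: buildContext hands back whatever array the user's JSON contains, so a non-empty rules file holding `[]` or `null` produces empty per-gate slices and this line panics with an index-out-of-range instead of returning an error. A guard right after the unmarshal in buildContext closes that path, `if len(sessionCtxs) == 0 { return nil, fmt.Errorf("session token rules contain no contexts") }`, and `fmt` is already in scope there. Note also that the default branch no longer calls `ApplyTo(nil)`; the old comment claimed wildcard is on by default in NewContainerContext, so this is presumably harmless, but it is worth confirming rather than relying on the removed comment. createTokens starts before this hunk.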

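--- a/authmate/authmate_test.go
+++ b/authmate/authmate_test.go
@@ -0,0 +1,39 @@
+package authmate
+import (
+"testing"
+"github.com/stretchr/testify/require"
+)
+func TestContainerSessionRules(t *testing.T) {
+jsonRules := []byte(`
+[
+{
+"verb": "PUT",
+"wildcard": true,
+"containerID": null
+},
+{
+"verb": "DELETE",
+"wildcard": true,
+"containerID": null
+},
+{
+"verb": "SETEACL",
+"wildcard": true,
+"containerID": null
+}
+]`)
+sessionContext, err := buildContext(jsonRules)
+require.NoError(t, err)
+require.Len(t, sessionContext, 3)
+require.True(t, sessionContext[0].IsForPut())
+require.Nil(t, sessionContext[0].Container())
+require.True(t, sessionContext[1].IsForDelete())
+require.Nil(t, sessionContext[1].Container())
+require.True(t, sessionContext[2].IsForSetEACL())
+require.Nil(t, sessionContext[2].Container())
+}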
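Review bot: TestContainerSessionRules covers only the happy path of the JSON branch; the default branch (nil or empty rules must yield exactly one PUT context) and the error branch (malformed JSON must return an error, not panic) are left unverified, and nothing asserts that `"wildcard": true` in the fixture actually took effect on the parsed contexts, so the test would still pass if that field were ignored. Two small additions close the first two gaps: `ctxs, err := buildContext(nil); require.NoError(t, err); require.Len(t, ctxs, 1); require.True(t, ctxs[0].IsForPut())` and `_, err = buildContext([]byte("{")); require.Error(t, err)`. For the wildcard assertion, use whatever accessor ContainerContext exposes for it, presumably alongside Container(); I cannot confirm its name from this page. A case with rules equal to `[]` is also worth pinning down, since an empty slice result is what a caller indexing `[0]` would trip over.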