forked from TrueCloudLab/frostfs-node
[#1328] services/tree: Implement access control
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
parent
94b9e13431
commit
16e3421825
8 changed files with 332 additions and 28 deletions
|
@ -52,16 +52,10 @@ func (s *Service) replicateLoop(ctx context.Context) {
|
||||||
|
|
||||||
func (s *Service) replicate(ctx context.Context, op movePair) error {
|
func (s *Service) replicate(ctx context.Context, op movePair) error {
|
||||||
req := newApplyRequest(&op)
|
req := newApplyRequest(&op)
|
||||||
// TODO(@fyrchik): #1328 access control
|
err := signMessage(req, s.key)
|
||||||
//err := signature.SignDataWithHandler(s.key, req, func(key, sign []byte) {
|
if err != nil {
|
||||||
// req.Signature = &Signature{
|
return fmt.Errorf("can't sign data: %w", err)
|
||||||
// Key: key,
|
}
|
||||||
// Sign: sign,
|
|
||||||
// }
|
|
||||||
//})
|
|
||||||
//if err != nil {
|
|
||||||
// return fmt.Errorf("can't sign data: %w", err)
|
|
||||||
//}
|
|
||||||
|
|
||||||
nodes, err := s.getContainerNodes(op.cid)
|
nodes, err := s.getContainerNodes(op.cid)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -6,9 +6,9 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/v2/signature"
|
|
||||||
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/pilorama"
|
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/pilorama"
|
||||||
cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
||||||
|
"github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -61,7 +61,7 @@ func (s *Service) Add(_ context.Context, req *AddRequest) (*AddResponse, error)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
err := s.verifyClient(req, cid, req.GetSignature().GetKey())
|
err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -91,7 +91,7 @@ func (s *Service) AddByPath(_ context.Context, req *AddByPathRequest) (*AddByPat
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
err := s.verifyClient(req, cid, req.GetSignature().GetKey())
|
err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -133,7 +133,7 @@ func (s *Service) Remove(_ context.Context, req *RemoveRequest) (*RemoveResponse
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
err := s.verifyClient(req, cid, req.GetSignature().GetKey())
|
err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -164,7 +164,7 @@ func (s *Service) Move(_ context.Context, req *MoveRequest) (*MoveResponse, erro
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
err := s.verifyClient(req, cid, req.GetSignature().GetKey())
|
err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationPut)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -194,6 +194,11 @@ func (s *Service) GetNodeByPath(_ context.Context, req *GetNodeByPathRequest) (*
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationGet)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
attr := b.GetPathAttribute()
|
attr := b.GetPathAttribute()
|
||||||
if len(attr) == 0 {
|
if len(attr) == 0 {
|
||||||
attr = pilorama.AttributeFilename
|
attr = pilorama.AttributeFilename
|
||||||
|
@ -255,6 +260,11 @@ func (s *Service) GetSubTree(req *GetSubTreeRequest, srv TreeService_GetSubTreeS
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err := s.verifyClient(req, cid, b.GetBearerToken(), eacl.OperationGet)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
queue := []nodeDepthPair{{[]uint64{b.GetRootId()}, 0}}
|
queue := []nodeDepthPair{{[]uint64{b.GetRootId()}, 0}}
|
||||||
|
|
||||||
for len(queue) != 0 {
|
for len(queue) != 0 {
|
||||||
|
@ -293,7 +303,7 @@ func (s *Service) GetSubTree(req *GetSubTreeRequest, srv TreeService_GetSubTreeS
|
||||||
|
|
||||||
// Apply locally applies operation from the remote node to the tree.
|
// Apply locally applies operation from the remote node to the tree.
|
||||||
func (s *Service) Apply(_ context.Context, req *ApplyRequest) (*ApplyResponse, error) {
|
func (s *Service) Apply(_ context.Context, req *ApplyRequest) (*ApplyResponse, error) {
|
||||||
err := signature.VerifyServiceMessage(req)
|
err := verifyMessage(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
BIN
pkg/services/tree/service.pb.go
generated
BIN
pkg/services/tree/service.pb.go
generated
Binary file not shown.
|
@ -36,6 +36,7 @@ message AddRequest {
|
||||||
string tree_id = 2;
|
string tree_id = 2;
|
||||||
uint64 parent_id = 3;
|
uint64 parent_id = 3;
|
||||||
repeated KeyValue meta = 4;
|
repeated KeyValue meta = 4;
|
||||||
|
bytes bearer_token = 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
Body body = 1;
|
Body body = 1;
|
||||||
|
@ -59,6 +60,7 @@ message AddByPathRequest {
|
||||||
string path_attribute = 3;
|
string path_attribute = 3;
|
||||||
repeated string path = 4;
|
repeated string path = 4;
|
||||||
repeated KeyValue meta = 5;
|
repeated KeyValue meta = 5;
|
||||||
|
bytes bearer_token = 6;
|
||||||
}
|
}
|
||||||
|
|
||||||
Body body = 1;
|
Body body = 1;
|
||||||
|
@ -81,6 +83,7 @@ message RemoveRequest {
|
||||||
bytes container_id = 1;
|
bytes container_id = 1;
|
||||||
string tree_id = 2;
|
string tree_id = 2;
|
||||||
uint64 node_id = 3;
|
uint64 node_id = 3;
|
||||||
|
bytes bearer_token = 4;
|
||||||
}
|
}
|
||||||
|
|
||||||
Body body = 1;
|
Body body = 1;
|
||||||
|
@ -104,6 +107,7 @@ message MoveRequest {
|
||||||
uint64 parent_id = 3;
|
uint64 parent_id = 3;
|
||||||
uint64 node_id = 4;
|
uint64 node_id = 4;
|
||||||
repeated KeyValue meta = 5;
|
repeated KeyValue meta = 5;
|
||||||
|
bytes bearer_token = 6;
|
||||||
}
|
}
|
||||||
|
|
||||||
Body body = 1;
|
Body body = 1;
|
||||||
|
@ -128,6 +132,7 @@ message GetNodeByPathRequest {
|
||||||
repeated string attributes = 5;
|
repeated string attributes = 5;
|
||||||
bool latest_only = 6;
|
bool latest_only = 6;
|
||||||
bool all_attributes = 7;
|
bool all_attributes = 7;
|
||||||
|
bytes bearer_token = 8;
|
||||||
}
|
}
|
||||||
|
|
||||||
Body body = 1;
|
Body body = 1;
|
||||||
|
@ -157,6 +162,7 @@ message GetSubTreeRequest {
|
||||||
// Optional depth of the traversal. Zero means return only root.
|
// Optional depth of the traversal. Zero means return only root.
|
||||||
// Maximum depth is 10.
|
// Maximum depth is 10.
|
||||||
uint32 depth = 4;
|
uint32 depth = 4;
|
||||||
|
bytes bearer_token = 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
Body body = 1;
|
Body body = 1;
|
||||||
|
|
BIN
pkg/services/tree/service_neofs.pb.go
generated
Normal file
BIN
pkg/services/tree/service_neofs.pb.go
generated
Normal file
Binary file not shown.
|
@ -7,16 +7,26 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||||
"github.com/nspcc-dev/neofs-api-go/v2/signature"
|
"github.com/nspcc-dev/neofs-api-go/v2/refs"
|
||||||
|
"github.com/nspcc-dev/neofs-sdk-go/bearer"
|
||||||
cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
||||||
|
neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
|
||||||
|
neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
|
||||||
|
"github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/user"
|
"github.com/nspcc-dev/neofs-sdk-go/user"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (s *Service) verifyClient(req interface{}, cid cidSDK.ID, rawKey []byte) error {
|
type message interface {
|
||||||
// TODO(@fyrchik): #1328 access control
|
SignedDataSize() int
|
||||||
return nil
|
ReadSignedData([]byte) ([]byte, error)
|
||||||
//nolint:govet
|
GetSignature() *Signature
|
||||||
err := signature.VerifyServiceMessage(req)
|
SetSignature(*Signature)
|
||||||
|
}
|
||||||
|
|
||||||
|
// verifyClient verifies that the request for a client operation was either signed by owner
|
||||||
|
// or contains a valid bearer token.
|
||||||
|
func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op eacl.Operation) error {
|
||||||
|
err := verifyMessage(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -28,17 +38,95 @@ func (s *Service) verifyClient(req interface{}, cid cidSDK.ID, rawKey []byte) er
|
||||||
|
|
||||||
ownerID := cnr.Value.Owner()
|
ownerID := cnr.Value.Owner()
|
||||||
|
|
||||||
pub, err := keys.NewPublicKeyFromBytes(rawKey, elliptic.P256())
|
if len(rawBearer) == 0 { // must be signed by the owner
|
||||||
|
// No error is expected because `VerifyDataWithSource` checks the signature.
|
||||||
|
// However, we may use different algorithms in the future, thus this check.
|
||||||
|
pub, err := keys.NewPublicKeyFromBytes(req.GetSignature().GetKey(), elliptic.P256())
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("invalid public key: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
var actualID user.ID
|
||||||
|
user.IDFromKey(&actualID, (ecdsa.PublicKey)(*pub))
|
||||||
|
|
||||||
|
if !actualID.Equals(ownerID) {
|
||||||
|
return errors.New("`Move` request must be signed by a container owner")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var bt bearer.Token
|
||||||
|
if err := bt.Unmarshal(rawBearer); err != nil {
|
||||||
|
return fmt.Errorf("invalid bearer token: %w", err)
|
||||||
|
}
|
||||||
|
if !bearer.ResolveIssuer(bt).Equals(ownerID) {
|
||||||
|
return errors.New("bearer token must be signed by the container owner")
|
||||||
|
}
|
||||||
|
if !bt.AssertContainer(cid) {
|
||||||
|
return errors.New("bearer token is created for another container")
|
||||||
|
}
|
||||||
|
if !bt.VerifySignature() {
|
||||||
|
return errors.New("invalid bearer token signature")
|
||||||
|
}
|
||||||
|
|
||||||
|
tb := bt.EACLTable()
|
||||||
|
|
||||||
|
// The default action should be DENY, so we use RoleOthers to allow token issuer
|
||||||
|
// to restrict everyone not affected by the previous rules.
|
||||||
|
// This can be simplified after nspcc-dev/neofs-sdk-go#243 .
|
||||||
|
action, found := eacl.NewValidator().CalculateAction(new(eacl.ValidationUnit).
|
||||||
|
WithEACLTable(&tb).
|
||||||
|
WithContainerID(&cid).
|
||||||
|
WithRole(eacl.RoleOthers).
|
||||||
|
WithSenderKey(req.GetSignature().GetKey()).
|
||||||
|
WithOperation(op))
|
||||||
|
if !found || action != eacl.ActionAllow {
|
||||||
|
return errors.New("operation denied by bearer eACL")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func verifyMessage(m message) error {
|
||||||
|
binBody, err := m.ReadSignedData(nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("invalid public key: %w", err)
|
return fmt.Errorf("marshal request body: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
var actualID user.ID
|
sig := m.GetSignature()
|
||||||
user.IDFromKey(&actualID, (ecdsa.PublicKey)(*pub))
|
|
||||||
|
|
||||||
if !actualID.Equals(ownerID) {
|
// TODO(@cthulhu-rider): #1387 use Signature message from NeoFS API to avoid conversion
|
||||||
return errors.New("`Move` request must be signed by a container owner")
|
var sigV2 refs.Signature
|
||||||
|
sigV2.SetKey(sig.GetKey())
|
||||||
|
sigV2.SetSign(sig.GetSign())
|
||||||
|
sigV2.SetScheme(refs.ECDSA_SHA512)
|
||||||
|
|
||||||
|
var sigSDK neofscrypto.Signature
|
||||||
|
sigSDK.ReadFromV2(sigV2)
|
||||||
|
|
||||||
|
if !sigSDK.Verify(binBody) {
|
||||||
|
return errors.New("invalid signature")
|
||||||
}
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func signMessage(m message, key *ecdsa.PrivateKey) error {
|
||||||
|
binBody, err := m.ReadSignedData(nil)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
keySDK := neofsecdsa.Signer(*key)
|
||||||
|
data, err := keySDK.Sign(binBody)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
rawPub := make([]byte, keySDK.Public().MaxEncodedSize())
|
||||||
|
rawPub = rawPub[:keySDK.Public().Encode(rawPub)]
|
||||||
|
m.SetSignature(&Signature{
|
||||||
|
Key: rawPub,
|
||||||
|
Sign: data,
|
||||||
|
})
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
206
pkg/services/tree/signature_test.go
Normal file
206
pkg/services/tree/signature_test.go
Normal file
|
@ -0,0 +1,206 @@
|
||||||
|
package tree
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/sha256"
|
||||||
|
"errors"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||||
|
"github.com/nspcc-dev/neofs-api-go/v2/acl"
|
||||||
|
containercore "github.com/nspcc-dev/neofs-node/pkg/core/container"
|
||||||
|
"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
||||||
|
"github.com/nspcc-dev/neofs-sdk-go/bearer"
|
||||||
|
"github.com/nspcc-dev/neofs-sdk-go/container"
|
||||||
|
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
||||||
|
cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test"
|
||||||
|
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
|
netmapSDK "github.com/nspcc-dev/neofs-sdk-go/netmap"
|
||||||
|
"github.com/nspcc-dev/neofs-sdk-go/user"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"go.uber.org/zap/zaptest"
|
||||||
|
)
|
||||||
|
|
||||||
|
type dummyNetmapSource struct {
|
||||||
|
netmap.Source
|
||||||
|
}
|
||||||
|
|
||||||
|
type dummyContainerSource map[string]*containercore.Container
|
||||||
|
|
||||||
|
func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
|
||||||
|
cnt, ok := s[id.String()]
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("container not found")
|
||||||
|
}
|
||||||
|
return cnt, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func testContainer(owner user.ID) container.Container {
|
||||||
|
var r netmapSDK.ReplicaDescriptor
|
||||||
|
r.SetNumberOfObjects(1)
|
||||||
|
|
||||||
|
var pp netmapSDK.PlacementPolicy
|
||||||
|
pp.AddReplicas(r)
|
||||||
|
|
||||||
|
var cnt container.Container
|
||||||
|
cnt.SetOwner(owner)
|
||||||
|
cnt.SetPlacementPolicy(pp)
|
||||||
|
|
||||||
|
return cnt
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestMessageSign(t *testing.T) {
|
||||||
|
privs := make([]*keys.PrivateKey, 4)
|
||||||
|
for i := range privs {
|
||||||
|
p, err := keys.NewPrivateKey()
|
||||||
|
require.NoError(t, err)
|
||||||
|
privs[i] = p
|
||||||
|
}
|
||||||
|
|
||||||
|
cid1 := cidtest.ID()
|
||||||
|
cid2 := cidtest.ID()
|
||||||
|
|
||||||
|
var ownerID user.ID
|
||||||
|
user.IDFromKey(&ownerID, (ecdsa.PublicKey)(*privs[0].PublicKey()))
|
||||||
|
|
||||||
|
s := &Service{
|
||||||
|
cfg: cfg{
|
||||||
|
log: zaptest.NewLogger(t),
|
||||||
|
key: &privs[0].PrivateKey,
|
||||||
|
nmSource: dummyNetmapSource{},
|
||||||
|
cnrSource: dummyContainerSource{
|
||||||
|
cid1.String(): &containercore.Container{
|
||||||
|
Value: testContainer(ownerID),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
rawCID1 := make([]byte, sha256.Size)
|
||||||
|
cid1.Encode(rawCID1)
|
||||||
|
|
||||||
|
req := &MoveRequest{
|
||||||
|
Body: &MoveRequest_Body{
|
||||||
|
ContainerId: rawCID1,
|
||||||
|
ParentId: 1,
|
||||||
|
NodeId: 2,
|
||||||
|
Meta: []*KeyValue{
|
||||||
|
{Key: "kkk", Value: []byte("vvv")},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
t.Run("missing signature, no panic", func(t *testing.T) {
|
||||||
|
require.Error(t, s.verifyClient(req, cid2, nil, eaclSDK.OperationUnknown))
|
||||||
|
})
|
||||||
|
|
||||||
|
require.NoError(t, signMessage(req, &privs[0].PrivateKey))
|
||||||
|
require.NoError(t, s.verifyClient(req, cid1, nil, eaclSDK.OperationUnknown))
|
||||||
|
|
||||||
|
t.Run("invalid CID", func(t *testing.T) {
|
||||||
|
require.Error(t, s.verifyClient(req, cid2, nil, eaclSDK.OperationUnknown))
|
||||||
|
})
|
||||||
|
t.Run("invalid key", func(t *testing.T) {
|
||||||
|
require.NoError(t, signMessage(req, &privs[1].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, nil, eaclSDK.OperationUnknown))
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("bearer", func(t *testing.T) {
|
||||||
|
t.Run("invalid bearer", func(t *testing.T) {
|
||||||
|
req.Body.BearerToken = []byte{0xFF}
|
||||||
|
require.NoError(t, signMessage(req, &privs[0].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationPut))
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("invalid bearer CID", func(t *testing.T) {
|
||||||
|
bt := testBearerToken(cid2, privs[1].PublicKey(), privs[2].PublicKey())
|
||||||
|
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
||||||
|
req.Body.BearerToken = bt.Marshal()
|
||||||
|
|
||||||
|
require.NoError(t, signMessage(req, &privs[1].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationPut))
|
||||||
|
})
|
||||||
|
t.Run("invalid bearer owner", func(t *testing.T) {
|
||||||
|
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
|
||||||
|
require.NoError(t, bt.Sign(privs[1].PrivateKey))
|
||||||
|
req.Body.BearerToken = bt.Marshal()
|
||||||
|
|
||||||
|
require.NoError(t, signMessage(req, &privs[1].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationPut))
|
||||||
|
})
|
||||||
|
t.Run("invalid bearer signature", func(t *testing.T) {
|
||||||
|
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
|
||||||
|
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
||||||
|
|
||||||
|
var bv2 acl.BearerToken
|
||||||
|
bt.WriteToV2(&bv2)
|
||||||
|
bv2.GetSignature().SetSign([]byte{1, 2, 3})
|
||||||
|
req.Body.BearerToken = bv2.StableMarshal(nil)
|
||||||
|
|
||||||
|
require.NoError(t, signMessage(req, &privs[1].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationPut))
|
||||||
|
})
|
||||||
|
|
||||||
|
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
|
||||||
|
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
||||||
|
req.Body.BearerToken = bt.Marshal()
|
||||||
|
|
||||||
|
t.Run("put and get", func(t *testing.T) {
|
||||||
|
require.NoError(t, signMessage(req, &privs[1].PrivateKey))
|
||||||
|
require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationPut))
|
||||||
|
require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationGet))
|
||||||
|
})
|
||||||
|
t.Run("only get", func(t *testing.T) {
|
||||||
|
require.NoError(t, signMessage(req, &privs[2].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationPut))
|
||||||
|
require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationGet))
|
||||||
|
})
|
||||||
|
t.Run("none", func(t *testing.T) {
|
||||||
|
require.NoError(t, signMessage(req, &privs[3].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationPut))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), eaclSDK.OperationGet))
|
||||||
|
})
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func testBearerToken(cid cid.ID, forPut, forGet *keys.PublicKey) bearer.Token {
|
||||||
|
tgtGet := eaclSDK.NewTarget()
|
||||||
|
tgtGet.SetRole(eaclSDK.RoleUnknown)
|
||||||
|
tgtGet.SetBinaryKeys([][]byte{forPut.Bytes(), forGet.Bytes()})
|
||||||
|
|
||||||
|
rGet := eaclSDK.NewRecord()
|
||||||
|
rGet.SetAction(eaclSDK.ActionAllow)
|
||||||
|
rGet.SetOperation(eaclSDK.OperationGet)
|
||||||
|
rGet.SetTargets(*tgtGet)
|
||||||
|
|
||||||
|
tgtPut := eaclSDK.NewTarget()
|
||||||
|
tgtPut.SetRole(eaclSDK.RoleUnknown)
|
||||||
|
tgtPut.SetBinaryKeys([][]byte{forPut.Bytes()})
|
||||||
|
|
||||||
|
rPut := eaclSDK.NewRecord()
|
||||||
|
rPut.SetAction(eaclSDK.ActionAllow)
|
||||||
|
rPut.SetOperation(eaclSDK.OperationPut)
|
||||||
|
rPut.SetTargets(*tgtPut)
|
||||||
|
|
||||||
|
tb := eaclSDK.NewTable()
|
||||||
|
tb.AddRecord(rGet)
|
||||||
|
tb.AddRecord(rPut)
|
||||||
|
|
||||||
|
tgt := eaclSDK.NewTarget()
|
||||||
|
tgt.SetRole(eaclSDK.RoleOthers)
|
||||||
|
|
||||||
|
for _, op := range []eaclSDK.Operation{eaclSDK.OperationGet, eaclSDK.OperationPut} {
|
||||||
|
r := eaclSDK.NewRecord()
|
||||||
|
r.SetAction(eaclSDK.ActionDeny)
|
||||||
|
r.SetTargets(*tgt)
|
||||||
|
r.SetOperation(op)
|
||||||
|
tb.AddRecord(r)
|
||||||
|
}
|
||||||
|
|
||||||
|
tb.SetCID(cid)
|
||||||
|
|
||||||
|
var b bearer.Token
|
||||||
|
b.SetEACLTable(*tb)
|
||||||
|
|
||||||
|
return b
|
||||||
|
}
|
BIN
pkg/services/tree/types_neofs.pb.go
generated
Normal file
BIN
pkg/services/tree/types_neofs.pb.go
generated
Normal file
Binary file not shown.
Loading…
Reference in a new issue