Commit graph

1024 commits

Author SHA1 Message Date
Leonard Lyubich
2f38fef31a [#589] ir/container: Verify session token lifetime
Session tokens have limited lifetime in NeoFS. Container processor should
verify lifetime of the incoming tokens.

Define `NetworkState` interface with `Epoch` method to get number of the
current epoch. Use Netmap contract client's wrapper as `NetworkState` of
Container `Processor`. Check values of token lifetime, and deny if:

  * NBF value is gt the current epoch;
  * IAT is gt the current epoch;
  * EXP is le the current epoch.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-09 10:17:49 +03:00
Alex Vanin
e1ac2fe2e5 [#588] Fix go fmt linter errors
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
2021-06-03 18:59:07 +03:00
Pavel Karpy
752efc6f8c [#584] pkg/innerring: Delete using deprecated methods
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2021-06-03 13:59:59 +03:00
Pavel Karpy
057ebf9d51 [#584] pkg/innerring: Stop using deprecated methods
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2021-06-03 13:59:59 +03:00
Leonard Lyubich
ed80f704d0 [#556] innerring/neofs: Process Bind/Unbind events
Make IR processor of NeoFS contract to handle `Bind`/`Unbind` notification
events. The processor verifies the format of wallet script hash and public
keys, and call NeoFS ID client wrapper in order to approve adding/removing
keys from NeoFS account.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-02 10:50:44 +03:00
Leonard Lyubich
48d934ecf8 [#556] morph/neofsid: Construct static client with enabled notary
Pass `TryNotary()` option to constructor of the static client of the NeoFS
ID contract in `NewFromMorph`. This will allow to use client wrapper for key
management in IR application.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-02 10:50:44 +03:00
Leonard Lyubich
f76083484b [#556] morph/container: Do not parse public key in Put event parser
Morph event structures defined in `pkg/morph/event` should only carry
notification values without any additional interpretation. All logical work
should be concentrated on app-side. Change `Bind.User` / `Unbind.User` to
return byte slice. Change `Bind.Keys` / `Unbind.Keys` to return `[][]byte`.
`ParseBind` / `ParseUnbind` don't decode data from now.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-02 10:50:44 +03:00
Leonard Lyubich
55c83454b6 [#556] morph/neofsid: Implement key management on client wrapper
Implement method `ClientWrapper.ManageKeys` method which provides the
interface to add/remove keys to/from NeoFS account.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-02 10:50:44 +03:00
Leonard Lyubich
4713e6b2b8 [#556] morph/neofsid: Add Client methods to add/remove keys
Implement `AddKeys` / `RemoveKeys` methods to call `addKey` / `removeKey`
methods of NeoFS ID contract.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-02 10:50:44 +03:00
Leonard Lyubich
8c2d42368a [#556] morph/neofs: Implement wrapper over contract client
Implement wrapper over NeoFS contact's client which allows you to
conveniently interact with the contract. Implement `ManageKeys` method
for binding or unbinding public keys to the NeoFS account.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-02 10:50:44 +03:00
Leonard Lyubich
9dc741d43e [#556] morph/neofs: Implement contract client
Implement NeoFS contact's client which is responsible for collecting call
arguments and parsing stack items. Initially key binding and unbinding are
supported.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-02 10:50:44 +03:00
Evgenii Stratonikov
b8a7c11e57 [#501] object/put: reduce TTL of the relayed request
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2021-06-02 10:31:14 +03:00
Evgenii Stratonikov
3468491224 [#501] object/put: relay requests for signed objects
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2021-06-02 10:31:14 +03:00
Evgenii Stratonikov
a422f42ca9 [#501] object/put: refactor distributed target
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2021-06-02 10:31:14 +03:00
Leonard Lyubich
d34de558f0 [#570] *: Use generator of test owner IDs from API Go lib
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 20:45:15 +03:00
Leonard Lyubich
3e1463cc76 [#570] *: Use generator of test container IDs from API Go lib
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 20:45:15 +03:00
Leonard Lyubich
3dd10b6795 [#570] *: Remove usage of deprecated elements from API Go library
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 20:45:15 +03:00
Leonard Lyubich
70a7354e9d [#570] *: Use new Equal method of owner.ID type
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 20:45:15 +03:00
Leonard Lyubich
49a42b1d3e [#567] innerring: Close cached clients on shutdown
Register `CloseAll` method to be called on IR application shutdown.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 13:11:37 +03:00
Leonard Lyubich
bf92e895c0 [#567] network/clients: Implement method to close the cached clients
Update API Go library with introduce `Client.Conn` method. Implement
`ClientCache.CloseAll` method which reads and closes connections of all
cached clients.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 13:11:37 +03:00
Leonard Lyubich
9359f28161 [#525] ir/container: Compare owner IDs via Equal method
In recent change of API Go library `owner.ID.Equal` signature was
implemented.

Replace the comparison of string representations with `Equal` method call
and remove related TODOs.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 11:53:06 +03:00
Leonard Lyubich
937171911a [#525] ir/container: Simplify the approach to verify token signature
In recent change of API Go library `Token.Verify` signature was implemented.

Replace previous version-casting approach with new method call in token
signature check stage.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 11:53:06 +03:00
Leonard Lyubich
23c5277014 [#525] ir/container: Check session verb and container ID
Token of the container session should be written out with container context.
The context should have the verb corresponding to the operation. If an
operation is performed on a fixed container, the session should be
propagated to it or to all user containers

Implement all described checks in validation of `Put` / `Delete` / `SetEACL`
events.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 11:53:06 +03:00
Leonard Lyubich
b73c0c67a2 [#525] ir/container: Fix checks without session token
In previous implementation verification of `SetEACL` events failed on events
without session token. It was caused by redundant tries to verify `nil`
session token.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-31 11:53:06 +03:00
Leonard Lyubich
ead4513feb [#525] ir/container: Verify operations with session token
Session token can be presented `Put`, `Delete` and `SetEACL` notification
events. IR should consider this case as issuing a power of attorney to a
third party. Thus, checking the eligibility for an operation should be
complicated:

 - token owner should be the owner of the related container;
 - the intent must be signed with a session key;
 - the power of attorney must be signed by the owner of the container.

Omitted checks (TBD):

 - session token should have container session context;
 - the verb of the context should correspond to the operation.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 17:07:20 +03:00
Pavel Karpy
f89c8bf239 [#549] clientCache: Add TLS to client
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2021-05-27 17:07:04 +03:00
Pavel Karpy
f267fbc56a [#549] network/Address: Add TLS
There is no TLS protocol support in
`go-multiaddr` library, but there is
public function that can register any
protocol that can be implemented outside
the library. Also `TLSEnabled` function
for parsing TLS protocol from
`network.Address` was added.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2021-05-27 17:07:04 +03:00
Pavel Karpy
33bef46f31 [#549] network/cache: Change Get signature
Make network cache's `Get` method accept
`network.Address` argument instead of
string.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2021-05-27 17:07:04 +03:00
Leonard Lyubich
5a3a27ba9f [#525] ir/container: Remove no longer needed FIXME
In latest design of `Container` contract key binding is removed.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
fb4e328171 [#525] morph/container: Remove binding key argument from Put call
`bindKey` parameter of `Put` method of `Container` contract was removed in
latest version.

Do not pass bind key of type `[]byte` to `Put` invocation. Remove no longer
needed field from `PutArgs`.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
e1fbc28851 [#525] ir/container: Remove resolved FIXME about notary call
From `017fb6abed9455c7c99631adcb0bb04d42741f87` used container client is
constructed with enabled notary mode.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
a1bfcdc74a [#525] v2/container: Write session token from header to removal witness
If container is removed via session, then session token should be included
in removal witness.

Write session token from request meta header to `container.RemovalWitness`
structure which is passed to `wrapper.Delete` function.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
40c796bd7e [#525] ir/container: Write session token on delete approval
Approved removed container ID should be stored in sidechain along with
related session token.

Forward session token from `Delete` event to `Wrapper.Delete` method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
631d7b0e07 [#525] morph/container: Accept container session token in Delete
`Delete` method of latest `Container` contract accepts binary session token
as an argument.

Provide `DeleteArgs.SetSessionToken` method. Accept session token as a
`[]byte` in `Wrapper.Put` method and attach it to `PutArgs`. Marshal session
token from `RemovalWitness` in `wrapper.Delete` function and pass it to the
method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
166e5440ab [#525] event/container: Parse session token from Delete notification
The 3rd item of `Delete` container notification event is a byte array of
serialized session token.  Parse session token in `ParseDelete` function.
Provide `Delete.SessionToken` method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
c12ea210da Fix typo in error details of ParseSetEACL function
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
9659bdc14d [#525] event/container: Fix docs of SessionToken methods
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
a1e1350db0 [#525] core/container: Extend removal witness with session token
NeoFS containers can be removed within a trusted session. There is a need to
take this into account during removal inspection.

Define `SessionToken` / `SetSessionToken` methods on `RemovalWitness` struct
in order to embed `session.Token` to it.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
9a0964efa4 [#525] morph/container: Accept RemovalWitness in Delete function
Make `wrapper.Delete` function to accept `container.RemovalWitness` struct
instead of its separated elements. `Signature` type is replaced by binary
signature since public key is unused.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
d691a20d52 [#525] core/container: Define removal witness
Define `RemovalWitness` structure which groups the information required to
prove and verify the removal of a container. This type is going to be used
in container Delete-related methods.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
edfdc4274a [#525] morph/container: Pass session token to Delete call
Pass session token (byte array) argument to `Delete` method call of
`Container` contract.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
cfa209d74e [#525] morph/container: Attach parsed session token to table in GetEACL
Unmarshal session token from `EACLValues` and write it to resulting
`eacl.Table` structure in `Wrapper.GetEACL` method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
7ca6f601ef [#525] morph/container: Parse session token, key and signature in EACL
`EACL` method of `Container` contract returns binary session token, key and
signature along with eACL table.

Provide `Signature`, `PublicKey` and `SessionToken` getters from
`EACLValues` structure. Parse and set all values in `Client.EACL` methods.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
4ef369732a [#525] ir/container: Write session token on eACL table approval
Approved eACL table should be stored in sidechain along with related session
token.

Forward session token from `SetEACL` event to `Wrapper.PutEACL` method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
db7312274c [#525] event/container: Parse session token from SetEACL notification
The 4th item of `SetEACL` container notification event is a byte array of
serialized session token.

Parse session token in `ParseSetEACL` function. Provide
`SetEACL.SessionToken` method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
b09f212990 [#525] v2/container: Write session token from header to eACL table
If eACL table is set via session, then session token should be written to
it.

Write session token from request meta header to `eacl.Table` structure which
is passed to `wrapper.PutEACL` function.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
5c2b8de87d [#525] v2/container: Make context with token reusable
Rename `PutContext` to `ContextWithToken` and implement its constructor as a
separate function in order to reuse it in other RPCs.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
959610080a [#525] morph/container: Accept container session token in PutEACL
`SetEACL` method of latest `Container` contract accepts binary session token
as an argument.

Provide `SetEACLArgs.SetSessionToken` method. Accept session token as a
`[]byte` in `Wrapper.PutEACL` method and attach it to `SetEACLArgs`. Marshal
session token from container in `wrapper.PutEACL` function and pass it to
the method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
c4a3adc8b0 [#525] morph/container: Attach all parsed items to container in Get
Unmarshal session token from `GetValues` and write it to resulting
`Container` structure in `Wrapper.Get` method. Write key-signature pair from
`GetValues` to resulting `Container` structure in `Wrapper.Get` method.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00
Leonard Lyubich
b9b369dd5b [#525] morph/container: Parse session token, key and signature in Get
`Get` method of `Container` contract returns binary session token, key and
signature along with container.

Provide `Signature`, `PublicKey` and `SessionToken` getters from `GetValues`
structure. Parse and set all values in `Client.Get` methods.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 12:03:49 +03:00