forked from TrueCloudLab/frostfs-sdk-go
[#370] bearer, session: Clarify expiration epoch
The expiration epoch is the _last_ valid epoch for an entity. Also, clarify the expiration epoch meaning for tombstones and regular objects. Signed-off-by: Pavel Karpy <p.karpy@yadro.com>
This commit is contained in:
parent
a690dcb159
commit
1bf41e9bc1
6 changed files with 28 additions and 16 deletions
|
@ -136,9 +136,10 @@ func (b Token) WriteToV2(m *acl.BearerToken) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetExp sets "exp" (expiration time) claim which identifies the
|
// SetExp sets "exp" (expiration time) claim which identifies the
|
||||||
// expiration time (in NeoFS epochs) on or after which the Token MUST NOT be
|
// expiration time (in NeoFS epochs) after which the Token MUST NOT be
|
||||||
// accepted for processing. The processing of the "exp" claim requires that the
|
// accepted for processing. The processing of the "exp" claim requires
|
||||||
// current epoch MUST be before the expiration epoch listed in the "exp" claim.
|
// that the current epoch MUST be before or equal to the expiration epoch
|
||||||
|
// listed in the "exp" claim.
|
||||||
//
|
//
|
||||||
// Naming is inspired by https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4.
|
// Naming is inspired by https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4.
|
||||||
//
|
//
|
||||||
|
@ -179,7 +180,7 @@ func (b *Token) SetIat(iat uint64) {
|
||||||
//
|
//
|
||||||
// See also SetExp, SetNbf, SetIat.
|
// See also SetExp, SetNbf, SetIat.
|
||||||
func (b Token) InvalidAt(epoch uint64) bool {
|
func (b Token) InvalidAt(epoch uint64) bool {
|
||||||
return !b.lifetimeSet || b.nbf > epoch || b.iat > epoch || b.exp <= epoch
|
return !b.lifetimeSet || b.nbf > epoch || b.iat > epoch || b.exp < epoch
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetEACLTable sets eacl.Table that replaces the one from the issuer's
|
// SetEACLTable sets eacl.Table that replaces the one from the issuer's
|
||||||
|
|
|
@ -220,7 +220,7 @@ func TestToken_InvalidAt(t *testing.T) {
|
||||||
require.True(t, val.InvalidAt(1))
|
require.True(t, val.InvalidAt(1))
|
||||||
require.False(t, val.InvalidAt(2))
|
require.False(t, val.InvalidAt(2))
|
||||||
require.False(t, val.InvalidAt(3))
|
require.False(t, val.InvalidAt(3))
|
||||||
require.True(t, val.InvalidAt(4))
|
require.False(t, val.InvalidAt(4))
|
||||||
require.True(t, val.InvalidAt(5))
|
require.True(t, val.InvalidAt(5))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -33,12 +33,18 @@ func (t *Tombstone) ToV2() *tombstone.Tombstone {
|
||||||
return (*tombstone.Tombstone)(t)
|
return (*tombstone.Tombstone)(t)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ExpirationEpoch return number of tombstone expiration epoch.
|
// ExpirationEpoch returns the last NeoFS epoch
|
||||||
|
// number of the tombstone lifetime.
|
||||||
|
//
|
||||||
|
// See also SetExpirationEpoch.
|
||||||
func (t *Tombstone) ExpirationEpoch() uint64 {
|
func (t *Tombstone) ExpirationEpoch() uint64 {
|
||||||
return (*tombstone.Tombstone)(t).GetExpirationEpoch()
|
return (*tombstone.Tombstone)(t).GetExpirationEpoch()
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetExpirationEpoch sets number of tombstone expiration epoch.
|
// SetExpirationEpoch sets the last NeoFS epoch
|
||||||
|
// number of the tombstone lifetime.
|
||||||
|
//
|
||||||
|
// See also ExpirationEpoch.
|
||||||
func (t *Tombstone) SetExpirationEpoch(v uint64) {
|
func (t *Tombstone) SetExpirationEpoch(v uint64) {
|
||||||
(*tombstone.Tombstone)(t).SetExpirationEpoch(v)
|
(*tombstone.Tombstone)(t).SetExpirationEpoch(v)
|
||||||
}
|
}
|
||||||
|
|
|
@ -219,10 +219,11 @@ func (x *commonData) unmarshalJSON(data []byte, r contextReader) error {
|
||||||
return x.readFromV2(m, false, r)
|
return x.readFromV2(m, false, r)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetExp sets "exp" (expiration time) claim which identifies the expiration time
|
// SetExp sets "exp" (expiration time) claim which identifies the expiration
|
||||||
// (in NeoFS epochs) on or after which the session MUST NOT be accepted for
|
// time (in NeoFS epochs) after which the session MUST NOT be accepted for
|
||||||
// processing. The processing of the "exp" claim requires that the current
|
// processing. The processing of the "exp" claim requires that the current
|
||||||
// epoch MUST be before the expiration epoch listed in the "exp" claim.
|
// epoch MUST be before or equal to the expiration epoch listed in the "exp"
|
||||||
|
// claim.
|
||||||
//
|
//
|
||||||
// Naming is inspired by https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4.
|
// Naming is inspired by https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4.
|
||||||
//
|
//
|
||||||
|
@ -258,7 +259,7 @@ func (x *commonData) SetIat(iat uint64) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x commonData) expiredAt(epoch uint64) bool {
|
func (x commonData) expiredAt(epoch uint64) bool {
|
||||||
return !x.lifetimeSet || x.exp <= epoch
|
return !x.lifetimeSet || x.exp < epoch
|
||||||
}
|
}
|
||||||
|
|
||||||
// InvalidAt asserts "exp", "nbf" and "iat" claims.
|
// InvalidAt asserts "exp", "nbf" and "iat" claims.
|
||||||
|
|
|
@ -153,7 +153,8 @@ func TestContainerProtocolV2(t *testing.T) {
|
||||||
assert: func(val session.Container) {
|
assert: func(val session.Container) {
|
||||||
require.True(t, val.InvalidAt(1))
|
require.True(t, val.InvalidAt(1))
|
||||||
require.False(t, val.InvalidAt(2))
|
require.False(t, val.InvalidAt(2))
|
||||||
require.True(t, val.InvalidAt(3))
|
require.False(t, val.InvalidAt(3))
|
||||||
|
require.True(t, val.InvalidAt(4))
|
||||||
},
|
},
|
||||||
breakSign: func(m *v2session.Token) {
|
breakSign: func(m *v2session.Token) {
|
||||||
lt := m.GetBody().GetLifetime()
|
lt := m.GetBody().GetLifetime()
|
||||||
|
@ -410,7 +411,8 @@ func TestContainer_InvalidAt(t *testing.T) {
|
||||||
require.True(t, x.InvalidAt(nbf-1))
|
require.True(t, x.InvalidAt(nbf-1))
|
||||||
require.True(t, x.InvalidAt(iat-1))
|
require.True(t, x.InvalidAt(iat-1))
|
||||||
require.False(t, x.InvalidAt(iat))
|
require.False(t, x.InvalidAt(iat))
|
||||||
require.True(t, x.InvalidAt(exp))
|
require.False(t, x.InvalidAt(exp))
|
||||||
|
require.True(t, x.InvalidAt(exp+1))
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestContainer_ID(t *testing.T) {
|
func TestContainer_ID(t *testing.T) {
|
||||||
|
|
|
@ -175,7 +175,8 @@ func TestObjectProtocolV2(t *testing.T) {
|
||||||
assert: func(val session.Object) {
|
assert: func(val session.Object) {
|
||||||
require.True(t, val.InvalidAt(1))
|
require.True(t, val.InvalidAt(1))
|
||||||
require.False(t, val.InvalidAt(2))
|
require.False(t, val.InvalidAt(2))
|
||||||
require.True(t, val.InvalidAt(3))
|
require.False(t, val.InvalidAt(3))
|
||||||
|
require.True(t, val.InvalidAt(4))
|
||||||
},
|
},
|
||||||
breakSign: func(m *v2session.Token) {
|
breakSign: func(m *v2session.Token) {
|
||||||
lt := m.GetBody().GetLifetime()
|
lt := m.GetBody().GetLifetime()
|
||||||
|
@ -520,7 +521,8 @@ func TestObject_InvalidAt(t *testing.T) {
|
||||||
require.True(t, x.InvalidAt(nbf-1))
|
require.True(t, x.InvalidAt(nbf-1))
|
||||||
require.True(t, x.InvalidAt(iat-1))
|
require.True(t, x.InvalidAt(iat-1))
|
||||||
require.False(t, x.InvalidAt(iat))
|
require.False(t, x.InvalidAt(iat))
|
||||||
require.True(t, x.InvalidAt(exp))
|
require.False(t, x.InvalidAt(exp))
|
||||||
|
require.True(t, x.InvalidAt(exp+1))
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestObject_ID(t *testing.T) {
|
func TestObject_ID(t *testing.T) {
|
||||||
|
|
Loading…
Reference in a new issue