From dce5924a89dd5058bf3b1c3edf78413b7a5ffce8 Mon Sep 17 00:00:00 2001 From: Denis Kirillov Date: Tue, 25 Oct 2022 15:24:06 +0300 Subject: [PATCH] [#229] services/tree: Use bearer owner as signer Signed-off-by: Denis Kirillov --- go.mod | 2 +- go.sum | Bin 95867 -> 95867 bytes pkg/services/tree/signature.go | 4 ++- pkg/services/tree/signature_test.go | 40 +++++++++++++++++++++++++--- 4 files changed, 40 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 8cbb4ba38..d54770ba2 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.18 require ( git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85 git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb - git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204 + git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68 git.frostfs.info/TrueCloudLab/hrw v1.2.0 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 github.com/cheggaaa/pb v1.0.29 diff --git a/go.sum b/go.sum index a1616a7b56f41b94ec4790f75583aae0752c48d5..7b140a44d5128a359df6c36bcd6e625d924db2e7 100644 GIT binary patch delta 171 zcmezUhV}Ow)(xrxPKG9?CI+UuDM_YD7M3QKW+`SC3K@o0xt1P2Mdd-BekBG5$-#jJ z<{9200j?GPDUP|hY5o?u`o@{=sX2Ke`9}GZ8+bJ)^9zW1VlhfTJzp<3KLuoBNTQdQ zzngJrMrol%Vquw)b5UApq)}x?MQT83W?s0lX+(-~d0K=|n7${_M1^KP!R>s4jJc@* DI_EWd delta 171 zcmezUhV}Ow)(xrxP6ps4jJc@* D=36uS diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go index 4aacbc3b1..439912969 100644 --- a/pkg/services/tree/signature.go +++ b/pkg/services/tree/signature.go @@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op } var tb eacl.Table + signer := req.GetSignature().GetKey() if tableFromBearer { if bt.Impersonate() { tbCore, err := s.eaclSource.GetEACL(cid) @@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op return handleGetEACLError(err) } tb = *tbCore.Value + signer = bt.SigningKeyBytes() } else { if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) { return eACLErr(eaclOp, errBearerWrongOwner) @@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op tb = *tbCore.Value } - return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp) + return checkEACL(tb, signer, eACLRole(role), eaclOp) } func handleGetEACLError(err error) error { diff --git a/pkg/services/tree/signature_test.go b/pkg/services/tree/signature_test.go index b336e60a2..eaf9b8b79 100644 --- a/pkg/services/tree/signature_test.go +++ b/pkg/services/tree/signature_test.go @@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) { return cnt, nil } +type dummyEACLSource map[string]*containercore.EACL + +func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) { + cntEACL, ok := s[id.String()] + if !ok { + return nil, errors.New("container not found") + } + return cntEACL, nil +} + func testContainer(owner user.ID) container.Container { var r netmapSDK.ReplicaDescriptor r.SetNumberOfObjects(1) @@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) { cnrSource: dummyContainerSource{ cid1.String(): cnr, }, + eaclSource: dummyEACLSource{ + cid1.String(): &containercore.EACL{ + Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()), + }, + }, }, } @@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) { require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut)) }) + t.Run("impersonate", func(t *testing.T) { + cnr.Value.SetBasicACL(acl.PublicRWExtended) + var bt bearer.Token + bt.SetImpersonate(true) + + require.NoError(t, bt.Sign(privs[1].PrivateKey)) + req.Body.BearerToken = bt.Marshal() + + require.NoError(t, SignMessage(req, &privs[0].PrivateKey)) + require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut)) + require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet)) + }) + bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey()) require.NoError(t, bt.Sign(privs[0].PrivateKey)) req.Body.BearerToken = bt.Marshal() @@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) { } func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token { + var b bearer.Token + b.SetEACLTable(*testTable(cid, forPutGet, forGet)) + + return b +} + +func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table { tgtGet := eaclSDK.NewTarget() tgtGet.SetRole(eaclSDK.RoleUnknown) tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()}) @@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token tb.SetCID(cid) - var b bearer.Token - b.SetEACLTable(*tb) - - return b + return tb }