[#338] Remove redundant flag for session tokens in authmate

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
2022-01-31 21:40:00 +03:00 · 2022-01-31 21:40:00 +03:00 · 204835ace3
commit 204835ace3
parent 2b4638f6bb
3 changed files with 24 additions and 37 deletions
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@ -59,8 +59,7 @@ type (
 		NeoFSKey              *keys.PrivateKey
 		GatesPublicKeys       []*keys.PublicKey
 		EACLRules             []byte
-		ContextRules          []byte
-		SessionTkn            bool
+		SessionTokenRules     []byte
 		Lifetime              time.Duration
 		AwsCliCredentialsFile string
 		ContainerPolicies     ContainerPolicies
@ -258,14 +257,6 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 	a.log.Info("store bearer token into NeoFS",
 		zap.Stringer("owner_tkn", oid))

-	if !options.SessionTkn && len(options.ContextRules) > 0 {
-		_, err := w.Write([]byte("Warning: rules for session token were set but --create-session flag wasn't, " +
-			"so session token was not created\n"))
-		if err != nil {
-			return err
-		}
-	}
-
 	address, err := tokens.
 		New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()).
 		Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
@ -480,8 +471,8 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci
 		gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
 	}

-	if options.SessionTkn {
-		sessionRules, err := buildContext(options.ContextRules)
+	if options.SessionTokenRules != nil {
+		sessionRules, err := buildContext(options.SessionTokenRules)
 		if err != nil {
 			return nil, fmt.Errorf("failed to build context for session token: %w", err)
 		}
--- a/cmd/authmate/main.go
+++ b/cmd/authmate/main.go
@ -36,7 +36,6 @@ var (
 	accountAddressFlag     string
 	peerAddressFlag        string
 	eaclRulesFlag          string
-	contextRulesFlag       string
 	gateWalletPathFlag     string
 	gateAccountAddressFlag string
 	accessKeyIDFlag        string
@ -45,7 +44,7 @@ var (
 	gatesPublicKeysFlag    cli.StringSlice
 	logEnabledFlag         bool
 	logDebugEnabledFlag    bool
-	sessionTokenFlag       bool
+	sessionTokenFlag       string
 	lifetimeFlag           time.Duration
 	containerPolicies      string
 	awcCliCredFile         string
@ -174,12 +173,6 @@ func issueSecret() *cli.Command {
 				Required:    false,
 				Destination: &eaclRulesFlag,
 			},
-			&cli.StringFlag{
-				Name:        "session-rules",
-				Usage:       "rules for session token as plain json string",
-				Required:    false,
-				Destination: &contextRulesFlag,
-			},
 			&cli.StringSliceFlag{
 				Name:        "gate-public-key",
 				Usage:       "public 256r1 key of a gate (use flags repeatedly for multiple gates)",
@ -198,12 +191,12 @@ func issueSecret() *cli.Command {
 				Required:    false,
 				Destination: &containerFriendlyName,
 			},
-			&cli.BoolFlag{
-				Name:        "create-session-token",
-				Usage:       "create session token",
+			&cli.StringFlag{
+				Name:        "session-token",
+				Usage:       "create session token with rules, if the rules are set as 'none', no session tokens will be created",
 				Required:    false,
 				Destination: &sessionTokenFlag,
-				Value:       false,
+				Value:       "",
 			},
 			&cli.DurationFlag{
 				Name: "lifetime",
@ -276,9 +269,8 @@ It will be ceil rounded to the nearest amount of epoch.`,
 				NeoFSKey:              key,
 				GatesPublicKeys:       gatesPublicKeys,
 				EACLRules:             getJSONRules(eaclRulesFlag),
-				ContextRules:          getJSONRules(contextRulesFlag),
+				SessionTokenRules:     getSessionRules(sessionTokenFlag),
 				ContainerPolicies:     policies,
-				SessionTkn:            sessionTokenFlag,
 				Lifetime:              lifetimeFlag,
 				AwsCliCredentialsFile: awcCliCredFile,
 			}
@ -320,6 +312,13 @@ func getJSONRules(val string) []byte {
 	return []byte(val)
 }

+func getSessionRules(r string) []byte {
+	if r == "none" {
+		return nil
+	}
+	return getJSONRules(r)
+}
+
 func obtainSecret() *cli.Command {
 	command := &cli.Command{
 		Name:  "obtain-secret",
--- a/docs/authmate.md
+++ b/docs/authmate.md
@ -97,8 +97,7 @@ parameter, but this way is **not recommended**.
 The tokens are encrypted by a set of gateway keys, so you need to pass them as well.

 Creation of the bearer token is mandatory, while creation of the session token is
-optional. If you want to add the session token, you need to add a parameter
-`create-session-token`.
+optional. 

 Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set,
 it will be auto-generated with values:
@ -128,9 +127,13 @@ it will be auto-generated with values:
 }
 ```

-Rules for session tokens can be set via param `session-rules` (json-string and file path allowed).
+With session token, there is 3 options: 
+* append `--session-token` parameter with your custom rules in json format (as a string or file path, see an example below)

-If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens: 
+**NB!** If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
+
+* append `--session-token` parameter with the value `none` -- no session token will be created
+* skip the parameter and `authmate` will create and put session tokens with default rules:
 ```
 [
  {
@ -151,11 +154,6 @@ If the parameter `session-rules` is not set, `authmate` creates and puts three s
 ]
 ```

-If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
-
-If `session-rules` are set, but `create-session-token` is not, no session
-token will be created.
-
 Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody)) 
 to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md)) 
 can be set via param `container-policy` (json-string and file path allowed):
@ -174,8 +172,7 @@ $ ./neofs-authmate issue-secret --wallet wallet.json \
 --bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \
 --gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
 --gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
--create-session-token \
--session-rules '{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}'
+--session-token '[{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}]'
 --container-policy '{"rep-3": "REP 3"}'

 Enter password for wallet.json >