dkirillov/frostfs-s3-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-s3-gw
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#255] Add expiration to access box

Browse source 
Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
Denis Kirillov 2021-09-10 11:07:26 +03:00 committed by Alex Vanin
parent 3c2e25f977
commit 26f30e7ace
3 changed files with 11 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
authmate/authmate.go
View file

@ -227,7 +227,7 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
address, err := tokens. address, err := tokens.
New(a.pool, secrets.EphemeralKey). New(a.pool, secrets.EphemeralKey).
Put(ctx, cid, oid, box, options.GatesPublicKeys...) Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
if err != nil { if err != nil {
return fmt.Errorf("failed to put bearer token: %w", err) return fmt.Errorf("failed to put bearer token: %w", err)
} }

6
cmd/authmate/main.go
View file

@ -26,8 +26,8 @@ import (
const ( const (
poolConnectTimeout = 5 * time.Second poolConnectTimeout = 5 * time.Second
poolRequestTimeout = 5 * time.Second poolRequestTimeout = 5 * time.Second
// a number of 15-second blocks in a month. // a number of 1-hour epochs in a month.
defaultLifetime = 172800 defaultLifetime = 720
) )
var ( var (
@ -199,7 +199,7 @@ func issueSecret() *cli.Command {
}, },
&cli.Uint64Flag{ &cli.Uint64Flag{
Name: "lifetime", Name: "lifetime",
Usage: "Lifetime of tokens in NeoFS epoch (number of blocks in sidechain)", Usage: "Lifetime of tokens in NeoFS epoch",
Required: false, Required: false,
Destination: &lifetimeFlag, Destination: &lifetimeFlag,
Value: defaultLifetime, Value: defaultLifetime,

10
creds/tokens/credentials.go
View file

@ -21,7 +21,7 @@ type (
// Credentials is a bearer token get/put interface. // Credentials is a bearer token get/put interface.
Credentials interface { Credentials interface {
GetBox(context.Context, *object.Address) (*accessbox.Box, error) GetBox(context.Context, *object.Address) (*accessbox.Box, error)
Put(context.Context, *cid.ID, *owner.ID, *accessbox.AccessBox, ...*keys.PublicKey) (*object.Address, error) Put(context.Context, *cid.ID, *owner.ID, *accessbox.AccessBox, uint64, ...*keys.PublicKey) (*object.Address, error)
} }
cred struct { cred struct {
@ -100,7 +100,7 @@ func (c *cred) getAccessBox(ctx context.Context, address *object.Address) (*acce
return &box, nil return &box, nil
} }
func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *accessbox.AccessBox, keys ...*keys.PublicKey) (*object.Address, error) { func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *accessbox.AccessBox, expiration uint64, keys ...*keys.PublicKey) (*object.Address, error) {
var ( var (
err error err error
created = strconv.FormatInt(time.Now().Unix(), 10) created = strconv.FormatInt(time.Now().Unix(), 10)
@ -124,10 +124,14 @@ func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *acce
filename.SetKey(object.AttributeFileName) filename.SetKey(object.AttributeFileName)
filename.SetValue(created + "_access.box") filename.SetValue(created + "_access.box")
expirationAttr := object.NewAttribute()
expirationAttr.SetKey("__NEOFS__EXPIRATION_EPOCH")
expirationAttr.SetValue(strconv.FormatUint(expiration, 10))
raw := object.NewRaw() raw := object.NewRaw()
raw.SetContainerID(cid) raw.SetContainerID(cid)
raw.SetOwnerID(issuer) raw.SetOwnerID(issuer)
raw.SetAttributes(filename, timestamp) raw.SetAttributes(filename, timestamp, expirationAttr)
ops := new(client.PutObjectParams).WithObject(raw.Object()).WithPayloadReader(bytes.NewBuffer(data)) ops := new(client.PutObjectParams).WithObject(raw.Object()).WithPayloadReader(bytes.NewBuffer(data))
oid, err := c.pool.PutObject( oid, err := c.pool.PutObject(