forked from TrueCloudLab/frostfs-node
Compare commits
4 commits
master
...
KirillovDe
Author | SHA1 | Date | |
---|---|---|---|
9f28e2bf0c | |||
|
6f991ab762 | ||
fe56f11edc | |||
56f12c77b9 |
6 changed files with 64 additions and 25 deletions
|
@ -48,7 +48,7 @@ func GetSDKClient(cmd *cobra.Command, key *ecdsa.PrivateKey, addr network.Addres
|
|||
)
|
||||
|
||||
prmInit.SetDefaultPrivateKey(*key)
|
||||
prmInit.ResolveNeoFSFailures()
|
||||
prmInit.ResolveFrostFSFailures()
|
||||
prmDial.SetServerURI(addr.URIAddr())
|
||||
if timeout := viper.GetDuration(commonflags.Timeout); timeout > 0 {
|
||||
// In CLI we can only set a timeout for the whole operation.
|
||||
|
|
12
go.mod
12
go.mod
|
@ -39,10 +39,15 @@ require (
|
|||
gopkg.in/yaml.v3 v3.0.1
|
||||
)
|
||||
|
||||
replace (
|
||||
github.com/TrueCloudLab/frostfs-api-go/v2 v2.0.0-20221212144048-1351b6656d68 => github.com/KirillovDenis/frostfs-api-go/v2 v2.11.2-0.20230221082308-ac00938fa447
|
||||
github.com/TrueCloudLab/frostfs-sdk-go v0.0.0-20221214065929-4c779423f556 => github.com/KirillovDenis/frostfs-sdk-go v0.0.0-20230221122223-9424a67fb108
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/TrueCloudLab/frostfs-crypto v0.5.0 // indirect
|
||||
github.com/TrueCloudLab/rfc6979 v0.3.0 // indirect
|
||||
github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
|
||||
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12 // indirect
|
||||
github.com/benbjohnson/clock v1.1.0 // indirect
|
||||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.1.2 // indirect
|
||||
|
@ -54,7 +59,7 @@ require (
|
|||
github.com/golang/snappy v0.0.3 // indirect
|
||||
github.com/google/go-querystring v1.1.0 // indirect
|
||||
github.com/gorilla/websocket v1.4.2 // indirect
|
||||
github.com/hashicorp/golang-lru v0.5.4 // indirect
|
||||
github.com/hashicorp/golang-lru v0.6.0 // indirect
|
||||
github.com/hashicorp/hcl v1.0.0 // indirect
|
||||
github.com/holiman/uint256 v1.2.0 // indirect
|
||||
github.com/inconshreveable/mousetrap v1.0.1 // indirect
|
||||
|
@ -89,8 +94,9 @@ require (
|
|||
github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 // indirect
|
||||
github.com/twmb/murmur3 v1.1.5 // indirect
|
||||
github.com/urfave/cli v1.22.5 // indirect
|
||||
go.uber.org/multierr v1.8.0 // indirect
|
||||
go.uber.org/multierr v1.9.0 // indirect
|
||||
golang.org/x/crypto v0.4.0 // indirect
|
||||
golang.org/x/exp v0.0.0-20221227203929-1b447090c38c // indirect
|
||||
golang.org/x/net v0.4.0 // indirect
|
||||
golang.org/x/sync v0.1.0 // indirect
|
||||
golang.org/x/sys v0.3.0 // indirect
|
||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -124,15 +124,17 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
bearerTok := reqInfo.Bearer()
|
||||
impersonate := bearerTok != nil && bearerTok.Impersonate()
|
||||
|
||||
// if bearer token is not allowed, then ignore it
|
||||
if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
|
||||
if impersonate || !basicACL.AllowedBearerRules(reqInfo.Operation()) {
|
||||
reqInfo.CleanBearer()
|
||||
}
|
||||
|
||||
var table eaclSDK.Table
|
||||
cnr := reqInfo.ContainerID()
|
||||
|
||||
bearerTok := reqInfo.Bearer()
|
||||
if bearerTok == nil {
|
||||
eaclInfo, err := c.eaclSrc.GetEACL(cnr)
|
||||
if err != nil {
|
||||
|
|
|
@ -2,6 +2,7 @@ package v2
|
|||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"fmt"
|
||||
|
||||
sessionV2 "github.com/TrueCloudLab/frostfs-api-go/v2/session"
|
||||
|
@ -113,6 +114,12 @@ func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
|
|||
return nil, nil, errEmptyVerificationHeader
|
||||
}
|
||||
|
||||
if r.bearer != nil && r.bearer.Impersonate() {
|
||||
issuer := bearer.ResolveIssuer(*r.bearer)
|
||||
pubKey, err := keys.NewPublicKeyFromBytes(r.bearer.SigningKeyBytes(), elliptic.P256())
|
||||
return &issuer, pubKey, err
|
||||
}
|
||||
|
||||
// if session token is presented, use it as truth source
|
||||
if r.token != nil {
|
||||
// verify signature of session token
|
||||
|
|
|
@ -56,7 +56,23 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
return fmt.Errorf("can't get container %s: %w", cid, err)
|
||||
}
|
||||
|
||||
role, err := roleFromReq(cnr, req)
|
||||
eaclOp := eACLOp(op)
|
||||
|
||||
var bt *bearer.Token
|
||||
if len(rawBearer) > 0 {
|
||||
bt = new(bearer.Token)
|
||||
if err = bt.Unmarshal(rawBearer); err != nil {
|
||||
return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
|
||||
}
|
||||
if !bt.VerifySignature() {
|
||||
return eACLErr(eaclOp, errBearerSignature)
|
||||
}
|
||||
if !bt.AssertContainer(cid) {
|
||||
return eACLErr(eaclOp, errBearerWrongContainer)
|
||||
}
|
||||
}
|
||||
|
||||
role, err := roleFromReq(cnr, req, bt)
|
||||
if err != nil {
|
||||
return fmt.Errorf("can't get request role: %w", err)
|
||||
}
|
||||
|
@ -71,8 +87,6 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
return nil
|
||||
}
|
||||
|
||||
eaclOp := eACLOp(op)
|
||||
|
||||
var tableFromBearer bool
|
||||
if len(rawBearer) != 0 {
|
||||
if !basicACL.AllowedBearerRules(op) {
|
||||
|
@ -86,22 +100,25 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
}
|
||||
|
||||
var tb eacl.Table
|
||||
signer := req.GetSignature().GetKey()
|
||||
if tableFromBearer {
|
||||
var bt bearer.Token
|
||||
if err = bt.Unmarshal(rawBearer); err != nil {
|
||||
return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
|
||||
}
|
||||
if !bearer.ResolveIssuer(bt).Equals(cnr.Value.Owner()) {
|
||||
return eACLErr(eaclOp, errBearerWrongOwner)
|
||||
}
|
||||
if !bt.AssertContainer(cid) {
|
||||
return eACLErr(eaclOp, errBearerWrongContainer)
|
||||
}
|
||||
if !bt.VerifySignature() {
|
||||
return eACLErr(eaclOp, errBearerSignature)
|
||||
if bt.Impersonate() {
|
||||
tbCore, err := s.eaclSource.GetEACL(cid)
|
||||
if err != nil {
|
||||
if client.IsErrEACLNotFound(err) {
|
||||
return nil
|
||||
}
|
||||
|
||||
return fmt.Errorf("get eACL table: %w", err)
|
||||
}
|
||||
tb = *tbCore.Value
|
||||
signer = bt.SigningKeyBytes()
|
||||
} else {
|
||||
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
|
||||
return eACLErr(eaclOp, errBearerWrongOwner)
|
||||
}
|
||||
tb = bt.EACLTable()
|
||||
}
|
||||
} else {
|
||||
tbCore, err := s.eaclSource.GetEACL(cid)
|
||||
if err != nil {
|
||||
|
@ -115,7 +132,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
tb = *tbCore.Value
|
||||
}
|
||||
|
||||
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
|
||||
return checkEACL(tb, signer, eACLRole(role), eaclOp)
|
||||
}
|
||||
|
||||
func verifyMessage(m message) error {
|
||||
|
@ -168,7 +185,7 @@ func SignMessage(m message, key *ecdsa.PrivateKey) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func roleFromReq(cnr *core.Container, req message) (acl.Role, error) {
|
||||
func roleFromReq(cnr *core.Container, req message, bt *bearer.Token) (acl.Role, error) {
|
||||
role := acl.RoleOthers
|
||||
owner := cnr.Value.Owner()
|
||||
|
||||
|
@ -177,6 +194,13 @@ func roleFromReq(cnr *core.Container, req message) (acl.Role, error) {
|
|||
return role, fmt.Errorf("invalid public key: %w", err)
|
||||
}
|
||||
|
||||
if bt != nil && bt.Impersonate() {
|
||||
pub, err = keys.NewPublicKeyFromBytes(bt.SigningKeyBytes(), elliptic.P256())
|
||||
if err != nil {
|
||||
return role, fmt.Errorf("invalid public key: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
var reqSigner user.ID
|
||||
user.IDFromKey(&reqSigner, (ecdsa.PublicKey)(*pub))
|
||||
|
||||
|
|
Loading…
Reference in a new issue