From 10ee865e98e87106c42f764849faa1adb0a5c6dc Mon Sep 17 00:00:00 2001 From: Airat Arifullin Date: Mon, 15 Apr 2024 17:04:34 +0300 Subject: [PATCH] [#1096] tree: Make `verifyClient` fill ape request with user claim tags Signed-off-by: Airat Arifullin --- cmd/frostfs-node/tree.go | 1 + pkg/services/tree/ape.go | 28 ++++++++++++++++++++++++++++ pkg/services/tree/options.go | 27 ++++++++++++++++++++------- 3 files changed, 49 insertions(+), 7 deletions(-) diff --git a/cmd/frostfs-node/tree.go b/cmd/frostfs-node/tree.go index ff00b6fa..49ecb6fd 100644 --- a/cmd/frostfs-node/tree.go +++ b/cmd/frostfs-node/tree.go @@ -53,6 +53,7 @@ func initTreeService(c *cfg) { src: c.cfgObject.cnrSource, cli: c.shared.cnrClient, }), + tree.WithFrostfsidSubjectProvider(c.shared.frostfsidClient), tree.WithEACLSource(c.cfgObject.eaclSource), tree.WithNetmapSource(c.netMapSource), tree.WithPrivateKey(&c.key.PrivateKey), diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go index 5da49a59..f5872150 100644 --- a/pkg/services/tree/ape.go +++ b/pkg/services/tree/ape.go @@ -14,10 +14,15 @@ import ( cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" + commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" ) +var ( + subjectNotFoundErrorMessage = "subject not found" +) + func (s *Service) checkAPE(container *core.Container, cid cid.ID, operation acl.Op, role acl.Role, publicKey *keys.PublicKey) error { namespace := "" cntNamespace, hasNamespace := strings.CutSuffix(cnrSDK.ReadDomain(container.Value).Zone(), ".ns") @@ -37,6 +42,10 @@ func (s *Service) checkAPE(container *core.Container, cid cid.ID, operation acl. nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(publicKey.Bytes()), nativeschema.PropertyKeyActorRole: schemaRole, } + reqProps, err = s.fillWithUserClaimTags(reqProps, publicKey) + if err != nil { + return apeErr(err) + } var resourceName string if namespace == "root" || namespace == "" { @@ -68,3 +77,22 @@ func apeErr(err error) error { errAccessDenied.WriteReason(err.Error()) return errAccessDenied } + +// fillWithUserClaimTags fills ape request properties with user claim tags getting them from frostfsid contract by actor public key. +func (s *Service) fillWithUserClaimTags(reqProps map[string]string, publicKey *keys.PublicKey) (map[string]string, error) { + if reqProps == nil { + reqProps = make(map[string]string) + } + subj, err := s.frostfsidSubjectProvider.GetSubject(publicKey.GetScriptHash()) + if err != nil { + if !strings.Contains(err.Error(), subjectNotFoundErrorMessage) { + return nil, fmt.Errorf("get subject error: %w", err) + } + return reqProps, nil + } + for k, v := range subj.KV { + properyKey := fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, k) + reqProps[properyKey] = v + } + return reqProps, nil +} diff --git a/pkg/services/tree/options.go b/pkg/services/tree/options.go index 0e5f6427..c4ef8085 100644 --- a/pkg/services/tree/options.go +++ b/pkg/services/tree/options.go @@ -4,6 +4,7 @@ import ( "crypto/ecdsa" "time" + "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/local_object_storage/pilorama" @@ -11,8 +12,13 @@ import ( cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" + "github.com/nspcc-dev/neo-go/pkg/util" ) +type FrostfsidSubjectProvider interface { + GetSubject(util.Uint160) (*client.Subject, error) +} + type ContainerSource interface { container.Source @@ -25,13 +31,14 @@ type ContainerSource interface { } type cfg struct { - log *logger.Logger - key *ecdsa.PrivateKey - rawPub []byte - nmSource netmap.Source - cnrSource ContainerSource - eaclSource container.EACLSource - forest pilorama.Forest + log *logger.Logger + key *ecdsa.PrivateKey + rawPub []byte + nmSource netmap.Source + cnrSource ContainerSource + frostfsidSubjectProvider FrostfsidSubjectProvider + eaclSource container.EACLSource + forest pilorama.Forest // replication-related parameters replicatorChannelCapacity int replicatorWorkerCount int @@ -55,6 +62,12 @@ func WithContainerSource(src ContainerSource) Option { } } +func WithFrostfsidSubjectProvider(provider FrostfsidSubjectProvider) Option { + return func(c *cfg) { + c.frostfsidSubjectProvider = provider + } +} + // WithEACLSource sets a eACL table source for a tree service. // This option is required. func WithEACLSource(src container.EACLSource) Option {