[#106] Check bearer token lifetime

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
Alex Vanin 2020-10-22 15:37:59 +03:00 committed by Alex Vanin
parent bb455af05f
commit 23ec33e821
3 changed files with 27 additions and 3 deletions


@ -353,6 +353,7 @@ func initObjectService(c *cfg) {
eacl.WithMorphClient(c.cfgObject.cnrClient),
eacl.WithLogger(c.log),
),
acl.WithNetmapState(c.cfgNetmap.state),
),
),
)


@ -15,6 +15,7 @@ import (
v2signature "github.com/nspcc-dev/neofs-api-go/v2/signature"
crypto "github.com/nspcc-dev/neofs-crypto"
core "github.com/nspcc-dev/neofs-node/pkg/core/container"
"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
@ -82,6 +83,8 @@ type eACLCfg struct {
eACL *eacl.Validator
localStorage *localstore.Storage
state netmap.State
}
type accessErr struct {
@ -521,7 +524,7 @@ func eACLCheck(msg interface{}, reqInfo requestInfo, cfg *eACLCfg) bool {
}
// if bearer token is not present, isValidBearer returns true
if !isValidBearer(reqInfo) {
if !isValidBearer(reqInfo, cfg.state) {
return false
}
@ -606,7 +609,7 @@ func eACLErr(info requestInfo) error {
// isValidBearer returns true if bearer token correctly signed by authorized
// entity. This method might be define on whole ACL service because it will
// require to fetch current epoch to check lifetime.
func isValidBearer(reqInfo requestInfo) bool {
func isValidBearer(reqInfo requestInfo, st netmap.State) bool {
token := reqInfo.bearer
// 0. Check if bearer token is present in reqInfo. It might be non nil
@ -653,7 +656,19 @@ func isValidBearer(reqInfo requestInfo) bool {
}
}
// todo: 4. Then check token lifetime.
// 4. Then check token lifetime.
if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) {
return false
}
return true
}
func isValidLifetime(lifetime *bearer.TokenLifetime, epoch uint64) bool {
// The "exp" (expiration time) claim identifies the expiration time on
// or after which the JWT MUST NOT be accepted for processing.
// The "nbf" (not before) claim identifies the time before which the JWT
// MUST NOT be accepted for processing
// RFC 7519 sections 4.1.4, 4.1.5
return epoch >= lifetime.GetNbf() && epoch <= lifetime.GetExp()
}
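Review bot: `isValidLifetime` accepts a token whose `exp` equals the current epoch (`epoch <= lifetime.GetExp()`), while the comment directly above it quotes RFC 7519's "on or after which the JWT MUST NOT be accepted"; either make the upper bound strict, `return epoch >= lifetime.GetNbf() && epoch < lifetime.GetExp()`, or say in the comment that NeoFS treats `exp` as inclusive so the deviation reads as deliberate. The new `st.CurrentEpoch()` call in `isValidBearer` has no nil guard, and `netmap.State` is presumably an interface, so a service assembled without `WithNetmapState` would dereference a nil value on any request carrying a bearer token; a fail-closed `if st == nil { return false }` (or a check in the constructor that the option was supplied) seems warranted. The doc comment on `isValidBearer` still says the current epoch "will" need to be fetched, which this change resolves; it could now read `// isValidBearer returns true if the bearer token is correctly signed by an authorized entity and its lifetime covers the current epoch reported by st.` `isValidLifetime` itself has no doc comment, and it would help to state there what the result is for a token with no lifetime set (a nil `lifetime`), since that depends on how the `GetNbf`/`GetExp` getters behave on nil, which is not visible here. `isValidBearer` begins outside this hunk.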


@ -3,6 +3,7 @@ package acl
import (
"github.com/nspcc-dev/neofs-api-go/v2/object"
"github.com/nspcc-dev/neofs-node/pkg/core/container"
"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/localstore"
"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
)
@ -41,3 +42,10 @@ func WithLocalStorage(v *localstore.Storage) Option {
c.localStorage = v
}
}
// WithNetmapState returns options to set global netmap state.
func WithNetmapState(v netmap.State) Option {
return func(c *cfg) {
c.state = v
}
}