forked from TrueCloudLab/frostfs-s3-gw
[#329] Add multiple session tokens in authmate
Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
parent
3686828577
commit
13664135c5
2 changed files with 58 additions and 14 deletions
|
@ -384,20 +384,21 @@ func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) {
|
||||||
return table, nil
|
return table, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildContext(rules []byte) (*session.ContainerContext, error) {
|
func buildContext(rules []byte) ([]*session.ContainerContext, error) {
|
||||||
sessionCtx := session.NewContainerContext() // wildcard == true on by default
|
var sessionCtxs []*session.ContainerContext
|
||||||
|
|
||||||
if len(rules) != 0 {
|
if len(rules) != 0 {
|
||||||
// cast ToV2 temporary, because there is no method for unmarshalling in ContainerContext in api-go
|
// cast ToV2 temporary, because there is no method for unmarshalling in ContainerContext in api-go
|
||||||
err := sessionCtx.UnmarshalJSON(rules)
|
err := json.Unmarshal(rules, &sessionCtxs)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to read rules for session token: %w", err)
|
return nil, fmt.Errorf("failed to unmarshal rules for session token: %w", err)
|
||||||
}
|
}
|
||||||
return sessionCtx, nil
|
return sessionCtxs, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sessionCtx := session.NewContainerContext()
|
||||||
sessionCtx.ForPut()
|
sessionCtx.ForPut()
|
||||||
sessionCtx.ApplyTo(nil)
|
return []*session.ContainerContext{sessionCtx}, nil
|
||||||
return sessionCtx, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) {
|
func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) {
|
||||||
|
@ -441,14 +442,18 @@ func buildSessionToken(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOpt
|
||||||
return tok, tok.Sign(&key.PrivateKey)
|
return tok, tok.Sign(&key.PrivateKey)
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctx *session.ContainerContext, gatesKeys []*keys.PublicKey) ([]*session.Token, error) {
|
func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctxs []*session.ContainerContext, gatesKeys []*keys.PublicKey) ([][]*session.Token, error) {
|
||||||
sessionTokens := make([]*session.Token, 0, len(gatesKeys))
|
sessionTokens := make([][]*session.Token, 0, len(gatesKeys))
|
||||||
for _, gateKey := range gatesKeys {
|
for _, gateKey := range gatesKeys {
|
||||||
|
tkns := make([]*session.Token, len(ctxs))
|
||||||
|
for i, ctx := range ctxs {
|
||||||
tkn, err := buildSessionToken(key, oid, lifetime, ctx, gateKey)
|
tkn, err := buildSessionToken(key, oid, lifetime, ctx, gateKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
sessionTokens = append(sessionTokens, tkn)
|
tkns[i] = tkn
|
||||||
|
}
|
||||||
|
sessionTokens = append(sessionTokens, tkns)
|
||||||
}
|
}
|
||||||
return sessionTokens, nil
|
return sessionTokens, nil
|
||||||
}
|
}
|
||||||
|
@ -480,7 +485,7 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
for i, sessionToken := range sessionTokens {
|
for i, sessionToken := range sessionTokens {
|
||||||
gates[i].SessionToken = sessionToken
|
gates[i].SessionToken = sessionToken[0]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
39
authmate/authmate_test.go
Normal file
39
authmate/authmate_test.go
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
package authmate
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestContainerSessionRules(t *testing.T) {
|
||||||
|
jsonRules := []byte(`
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"verb": "PUT",
|
||||||
|
"wildcard": true,
|
||||||
|
"containerID": null
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"verb": "DELETE",
|
||||||
|
"wildcard": true,
|
||||||
|
"containerID": null
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"verb": "SETEACL",
|
||||||
|
"wildcard": true,
|
||||||
|
"containerID": null
|
||||||
|
}
|
||||||
|
]`)
|
||||||
|
|
||||||
|
sessionContext, err := buildContext(jsonRules)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
require.Len(t, sessionContext, 3)
|
||||||
|
require.True(t, sessionContext[0].IsForPut())
|
||||||
|
require.Nil(t, sessionContext[0].Container())
|
||||||
|
require.True(t, sessionContext[1].IsForDelete())
|
||||||
|
require.Nil(t, sessionContext[1].Container())
|
||||||
|
require.True(t, sessionContext[2].IsForSetEACL())
|
||||||
|
require.Nil(t, sessionContext[2].Container())
|
||||||
|
}
|
Loading…
Reference in a new issue