package server import ( "bytes" "context" "crypto/ecdsa" "encoding/hex" "errors" "fmt" "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control" frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto" frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa" "go.uber.org/zap" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) type Server struct { *cfg } type AuthorizedKeysFetcher interface { FetchRawKeys() [][]byte } type emptyKeysFetcher struct{} func (f emptyKeysFetcher) FetchRawKeys() [][]byte { return nil } // Option of the Server's constructor. type Option func(*cfg) type cfg struct { log *zap.Logger keysFetcher AuthorizedKeysFetcher } func defaultCfg() *cfg { return &cfg{ log: zap.NewNop(), keysFetcher: emptyKeysFetcher{}, } } // New creates, initializes and returns new Server instance. func New(opts ...Option) *Server { c := defaultCfg() for _, opt := range opts { opt(c) } c.log = c.log.With(zap.String("service", "control API")) return &Server{ cfg: c, } } // WithAuthorizedKeysFetcher returns option to add list of public // keys that have rights to use Control service. func WithAuthorizedKeysFetcher(fetcher AuthorizedKeysFetcher) Option { return func(c *cfg) { c.keysFetcher = fetcher } } // WithLogger returns option to set logger. func WithLogger(log *zap.Logger) Option { return func(c *cfg) { c.log = log } } // HealthCheck returns health status of the local node. // // If request is unsigned or signed by disallowed key, permission error returns. func (s *Server) HealthCheck(_ context.Context, req *control.HealthCheckRequest) (*control.HealthCheckResponse, error) { s.log.Info("healthcheck", zap.String("key", hex.EncodeToString(req.Signature.Key))) // verify request if err := s.isValidRequest(req); err != nil { return nil, status.Error(codes.PermissionDenied, err.Error()) } resp := &control.HealthCheckResponse{ Body: &control.HealthCheckResponse_Body{ HealthStatus: control.HealthStatus_READY, }, } return resp, nil } // SignedMessage is an interface of Control service message. type SignedMessage interface { ReadSignedData([]byte) ([]byte, error) GetSignature() *control.Signature SetSignature(*control.Signature) } var errDisallowedKey = errors.New("key is not in the allowed list") var errMissingSignature = errors.New("missing signature") var errInvalidSignature = errors.New("invalid signature") func (s *Server) isValidRequest(req SignedMessage) error { sign := req.GetSignature() if sign == nil { return errMissingSignature } var ( key = sign.GetKey() allowed = false ) // check if key is allowed for _, authKey := range s.keysFetcher.FetchRawKeys() { if allowed = bytes.Equal(authKey, key); allowed { break } } if !allowed { return errDisallowedKey } // verify signature binBody, err := req.ReadSignedData(nil) if err != nil { return fmt.Errorf("marshal request body: %w", err) } // TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion var sigV2 refs.Signature sigV2.SetKey(sign.GetKey()) sigV2.SetSign(sign.GetSign()) sigV2.SetScheme(refs.ECDSA_SHA512) var sig frostfscrypto.Signature if err := sig.ReadFromV2(sigV2); err != nil { return fmt.Errorf("can't read signature: %w", err) } if !sig.Verify(binBody) { return errInvalidSignature } return nil } // SignMessage signs Control service message with private key. func SignMessage(key *ecdsa.PrivateKey, msg SignedMessage) error { binBody, err := msg.ReadSignedData(nil) if err != nil { return fmt.Errorf("marshal request body: %w", err) } var sig frostfscrypto.Signature err = sig.Calculate(frostfsecdsa.Signer(*key), binBody) if err != nil { return fmt.Errorf("calculate signature: %w", err) } // TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion var sigV2 refs.Signature sig.WriteToV2(&sigV2) var sigControl control.Signature sigControl.Key = sigV2.GetKey() sigControl.Sign = sigV2.GetSign() msg.SetSignature(&sigControl) return nil }