forked from TrueCloudLab/frostfs-s3-gw
180 lines
4.1 KiB
Go
180 lines
4.1 KiB
Go
package server
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control"
|
|
frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
|
|
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
|
"go.uber.org/zap"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
type Server struct {
|
|
*cfg
|
|
}
|
|
|
|
type AuthorizedKeysFetcher interface {
|
|
FetchRawKeys() [][]byte
|
|
}
|
|
|
|
type emptyKeysFetcher struct{}
|
|
|
|
func (f emptyKeysFetcher) FetchRawKeys() [][]byte { return nil }
|
|
|
|
// Option of the Server's constructor.
|
|
type Option func(*cfg)
|
|
|
|
type cfg struct {
|
|
log *zap.Logger
|
|
|
|
keysFetcher AuthorizedKeysFetcher
|
|
}
|
|
|
|
func defaultCfg() *cfg {
|
|
return &cfg{
|
|
log: zap.NewNop(),
|
|
keysFetcher: emptyKeysFetcher{},
|
|
}
|
|
}
|
|
|
|
// New creates, initializes and returns new Server instance.
|
|
func New(opts ...Option) *Server {
|
|
c := defaultCfg()
|
|
|
|
for _, opt := range opts {
|
|
opt(c)
|
|
}
|
|
|
|
c.log = c.log.With(zap.String("service", "control API"))
|
|
|
|
return &Server{
|
|
cfg: c,
|
|
}
|
|
}
|
|
|
|
// WithAuthorizedKeysFetcher returns option to add list of public
|
|
// keys that have rights to use Control service.
|
|
func WithAuthorizedKeysFetcher(fetcher AuthorizedKeysFetcher) Option {
|
|
return func(c *cfg) {
|
|
c.keysFetcher = fetcher
|
|
}
|
|
}
|
|
|
|
// WithLogger returns option to set logger.
|
|
func WithLogger(log *zap.Logger) Option {
|
|
return func(c *cfg) {
|
|
c.log = log
|
|
}
|
|
}
|
|
|
|
// HealthCheck returns health status of the local node.
|
|
//
|
|
// If request is unsigned or signed by disallowed key, permission error returns.
|
|
func (s *Server) HealthCheck(_ context.Context, req *control.HealthCheckRequest) (*control.HealthCheckResponse, error) {
|
|
s.log.Info("healthcheck", zap.String("key", hex.EncodeToString(req.Signature.Key)))
|
|
|
|
// verify request
|
|
if err := s.isValidRequest(req); err != nil {
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
}
|
|
|
|
resp := &control.HealthCheckResponse{
|
|
Body: &control.HealthCheckResponse_Body{
|
|
HealthStatus: control.HealthStatus_READY,
|
|
},
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
// SignedMessage is an interface of Control service message.
|
|
type SignedMessage interface {
|
|
ReadSignedData([]byte) ([]byte, error)
|
|
GetSignature() *control.Signature
|
|
SetSignature(*control.Signature)
|
|
}
|
|
|
|
var errDisallowedKey = errors.New("key is not in the allowed list")
|
|
var errMissingSignature = errors.New("missing signature")
|
|
var errInvalidSignature = errors.New("invalid signature")
|
|
|
|
func (s *Server) isValidRequest(req SignedMessage) error {
|
|
sign := req.GetSignature()
|
|
if sign == nil {
|
|
return errMissingSignature
|
|
}
|
|
|
|
var (
|
|
key = sign.GetKey()
|
|
allowed = false
|
|
)
|
|
|
|
// check if key is allowed
|
|
for _, authKey := range s.keysFetcher.FetchRawKeys() {
|
|
if allowed = bytes.Equal(authKey, key); allowed {
|
|
break
|
|
}
|
|
}
|
|
|
|
if !allowed {
|
|
return errDisallowedKey
|
|
}
|
|
|
|
// verify signature
|
|
binBody, err := req.ReadSignedData(nil)
|
|
if err != nil {
|
|
return fmt.Errorf("marshal request body: %w", err)
|
|
}
|
|
|
|
// TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion
|
|
var sigV2 refs.Signature
|
|
sigV2.SetKey(sign.GetKey())
|
|
sigV2.SetSign(sign.GetSign())
|
|
sigV2.SetScheme(refs.ECDSA_SHA512)
|
|
|
|
var sig frostfscrypto.Signature
|
|
if err := sig.ReadFromV2(sigV2); err != nil {
|
|
return fmt.Errorf("can't read signature: %w", err)
|
|
}
|
|
|
|
if !sig.Verify(binBody) {
|
|
return errInvalidSignature
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SignMessage signs Control service message with private key.
|
|
func SignMessage(key *ecdsa.PrivateKey, msg SignedMessage) error {
|
|
binBody, err := msg.ReadSignedData(nil)
|
|
if err != nil {
|
|
return fmt.Errorf("marshal request body: %w", err)
|
|
}
|
|
|
|
var sig frostfscrypto.Signature
|
|
|
|
err = sig.Calculate(frostfsecdsa.Signer(*key), binBody)
|
|
if err != nil {
|
|
return fmt.Errorf("calculate signature: %w", err)
|
|
}
|
|
|
|
// TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion
|
|
var sigV2 refs.Signature
|
|
sig.WriteToV2(&sigV2)
|
|
|
|
var sigControl control.Signature
|
|
sigControl.Key = sigV2.GetKey()
|
|
sigControl.Sign = sigV2.GetSign()
|
|
|
|
msg.SetSignature(&sigControl)
|
|
|
|
return nil
|
|
}
|