frostfs-s3-gw/authmate/authmate.go
Leonard Lyubich 34a221c5c9 [#346] Upgrade NeoFS SDK Go library
Core changes:
  - `object.ID` moved to new package `oid`;
  - `object.Address` moved to new package `address`;
  - `pool.Object` interface changes.

Additionally:
  - Set container owner in `Agent.IssueSecret`.
  - Remove no longer needed fields from `GetObjectParams`
  - `Length` and `Offset` are never assigned. These values
  are set in `Range` field.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2022-03-04 00:14:30 +03:00

485 lines
14 KiB
Go

package authmate
import (
"context"
"crypto/ecdsa"
"encoding/binary"
"encoding/hex"
"encoding/json"
"fmt"
"io"
"math"
"os"
"strconv"
"time"
"github.com/google/uuid"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neofs-s3-gw/api/cache"
"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
"github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
"github.com/nspcc-dev/neofs-sdk-go/acl"
"github.com/nspcc-dev/neofs-sdk-go/client"
apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
"github.com/nspcc-dev/neofs-sdk-go/container"
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
"github.com/nspcc-dev/neofs-sdk-go/eacl"
"github.com/nspcc-dev/neofs-sdk-go/netmap"
"github.com/nspcc-dev/neofs-sdk-go/object/address"
"github.com/nspcc-dev/neofs-sdk-go/owner"
"github.com/nspcc-dev/neofs-sdk-go/policy"
"github.com/nspcc-dev/neofs-sdk-go/pool"
"github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/nspcc-dev/neofs-sdk-go/token"
"go.uber.org/zap"
)
const (
defaultAuthContainerBasicACL acl.BasicACL = 0b00111100100011001000110011001110 // 0x3C8C8CCE - private container with only GET allowed to others
)
// Agent contains client communicating with NeoFS and logger.
type Agent struct {
pool pool.Pool
log *zap.Logger
}
// New creates an object of type Agent that consists of Client and logger.
func New(log *zap.Logger, conns pool.Pool) *Agent {
return &Agent{log: log, pool: conns}
}
type (
// ContainerPolicies contains mapping of aws LocationConstraint to neofs PlacementPolicy.
ContainerPolicies map[string]string
// IssueSecretOptions contains options for passing to Agent.IssueSecret method.
IssueSecretOptions struct {
Container ContainerOptions
NeoFSKey *keys.PrivateKey
GatesPublicKeys []*keys.PublicKey
EACLRules []byte
SessionTokenRules []byte
Lifetime time.Duration
AwsCliCredentialsFile string
ContainerPolicies ContainerPolicies
}
// ContainerOptions groups parameters of auth container to put the secret into.
ContainerOptions struct {
ID *cid.ID
FriendlyName string
PlacementPolicy string
}
// ObtainSecretOptions contains options for passing to Agent.ObtainSecret method.
ObtainSecretOptions struct {
SecretAddress string
GatePrivateKey *keys.PrivateKey
}
)
// lifetimeOptions holds NeoFS epochs, iat -- epoch, which a token was issued at, exp -- epoch, when the token expires.
type lifetimeOptions struct {
Iat uint64
Exp uint64
}
type epochDurations struct {
currentEpoch uint64
msPerBlock int64
blocksInEpoch uint64
}
type (
issuingResult struct {
AccessKeyID string `json:"access_key_id"`
SecretAccessKey string `json:"secret_access_key"`
OwnerPrivateKey string `json:"owner_private_key"`
ContainerID string `json:"container_id"`
}
obtainingResult struct {
BearerToken *token.BearerToken `json:"-"`
SecretAccessKey string `json:"secret_access_key"`
}
)
func (a *Agent) checkContainer(ctx context.Context, opts ContainerOptions, idOwner *owner.ID) (*cid.ID, error) {
if opts.ID != nil {
// check that container exists
_, err := a.pool.GetContainer(ctx, opts.ID)
return opts.ID, err
}
pp, err := policy.Parse(opts.PlacementPolicy)
if err != nil {
return nil, fmt.Errorf("failed to build placement policy: %w", err)
}
cnrOptions := []container.Option{
container.WithPolicy(pp),
container.WithCustomBasicACL(defaultAuthContainerBasicACL),
container.WithAttribute(container.AttributeTimestamp, strconv.FormatInt(time.Now().Unix(), 10)),
container.WithOwnerID(idOwner),
}
if opts.FriendlyName != "" {
cnrOptions = append(cnrOptions, container.WithAttribute(container.AttributeName, opts.FriendlyName))
}
cnr := container.New(cnrOptions...)
if opts.FriendlyName != "" {
container.SetNativeName(cnr, opts.FriendlyName)
}
cnrID, err := a.pool.PutContainer(ctx, cnr)
if err != nil {
return nil, err
}
if err := a.pool.WaitForContainerPresence(ctx, cnrID, pool.DefaultPollingParams()); err != nil {
return nil, err
}
return cnrID, nil
}
func (a *Agent) getEpochDurations(ctx context.Context) (*epochDurations, error) {
if conn, _, err := a.pool.Connection(); err != nil {
return nil, err
} else if networkInfoRes, err := conn.NetworkInfo(ctx, client.PrmNetworkInfo{}); err != nil {
return nil, err
} else if err = apistatus.ErrFromStatus(networkInfoRes.Status()); err != nil {
return nil, err
} else {
networkInfo := networkInfoRes.Info()
res := &epochDurations{
currentEpoch: networkInfo.CurrentEpoch(),
msPerBlock: networkInfo.MsPerBlock(),
}
networkInfo.NetworkConfig().IterateParameters(func(parameter *netmap.NetworkParameter) bool {
if string(parameter.Key()) == "EpochDuration" {
data := make([]byte, 8)
copy(data, parameter.Value())
res.blocksInEpoch = binary.LittleEndian.Uint64(data)
return true
}
return false
})
if res.blocksInEpoch == 0 {
return nil, fmt.Errorf("not found param: EpochDuration")
}
return res, nil
}
}
func checkPolicy(policyString string) (*netmap.PlacementPolicy, error) {
result, err := policy.Parse(policyString)
if err == nil {
return result, nil
}
result = netmap.NewPlacementPolicy()
if err = result.UnmarshalJSON([]byte(policyString)); err == nil {
return result, nil
}
return nil, fmt.Errorf("can't parse placement policy")
}
func preparePolicy(policy ContainerPolicies) ([]*accessbox.AccessBox_ContainerPolicy, error) {
if policy == nil {
return nil, nil
}
var result []*accessbox.AccessBox_ContainerPolicy
for locationConstraint, placementPolicy := range policy {
parsedPolicy, err := checkPolicy(placementPolicy)
if err != nil {
return nil, err
}
marshaled, err := parsedPolicy.Marshal()
if err != nil {
return nil, fmt.Errorf("can't marshal placement policy: %w", err)
}
result = append(result, &accessbox.AccessBox_ContainerPolicy{
LocationConstraint: locationConstraint,
Policy: marshaled,
})
}
return result, nil
}
// IssueSecret creates an auth token, puts it in the NeoFS network and writes to io.Writer a new secret access key.
func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecretOptions) error {
var (
err error
id *cid.ID
box *accessbox.AccessBox
lifetime lifetimeOptions
)
policies, err := preparePolicy(options.ContainerPolicies)
if err != nil {
return err
}
durations, err := a.getEpochDurations(ctx)
if err != nil {
return err
}
lifetime.Iat = durations.currentEpoch
msPerEpoch := durations.blocksInEpoch * uint64(durations.msPerBlock)
epochLifetime := uint64(options.Lifetime.Milliseconds()) / msPerEpoch
if uint64(options.Lifetime.Milliseconds())%msPerEpoch != 0 {
epochLifetime++
}
if epochLifetime >= math.MaxUint64-lifetime.Iat {
lifetime.Exp = math.MaxUint64
} else {
lifetime.Exp = lifetime.Iat + epochLifetime
}
idOwner := owner.NewIDFromPublicKey(&options.NeoFSKey.PrivateKey.PublicKey)
a.log.Info("check container or create", zap.Stringer("cid", options.Container.ID),
zap.String("friendly_name", options.Container.FriendlyName),
zap.String("placement_policy", options.Container.PlacementPolicy))
if id, err = a.checkContainer(ctx, options.Container, idOwner); err != nil {
return err
}
gatesData, err := createTokens(options, lifetime, id)
if err != nil {
return err
}
box, secrets, err := accessbox.PackTokens(gatesData)
if err != nil {
return err
}
box.ContainerPolicy = policies
a.log.Info("store bearer token into NeoFS",
zap.Stringer("owner_tkn", idOwner))
addr, err := tokens.
New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()).
Put(ctx, id, idOwner, box, lifetime.Exp, options.GatesPublicKeys...)
if err != nil {
return fmt.Errorf("failed to put bearer token: %w", err)
}
accessKeyID := addr.ContainerID().String() + "0" + addr.ObjectID().String()
ir := &issuingResult{
AccessKeyID: accessKeyID,
SecretAccessKey: secrets.AccessKey,
OwnerPrivateKey: hex.EncodeToString(secrets.EphemeralKey.Bytes()),
ContainerID: id.String(),
}
enc := json.NewEncoder(w)
enc.SetIndent("", " ")
if err = enc.Encode(ir); err != nil {
return err
}
if options.AwsCliCredentialsFile != "" {
profileName := "authmate_cred_" + addr.ObjectID().String()
if _, err = os.Stat(options.AwsCliCredentialsFile); os.IsNotExist(err) {
profileName = "default"
}
file, err := os.OpenFile(options.AwsCliCredentialsFile, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600)
if err != nil {
return fmt.Errorf("couldn't open aws cli credentials file: %w", err)
}
defer file.Close()
if _, err = file.WriteString(fmt.Sprintf("\n[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n",
profileName, accessKeyID, secrets.AccessKey)); err != nil {
return err
}
}
return nil
}
// ObtainSecret receives an existing secret access key from NeoFS and
// writes to io.Writer the secret access key.
func (a *Agent) ObtainSecret(ctx context.Context, w io.Writer, options *ObtainSecretOptions) error {
bearerCreds := tokens.New(a.pool, options.GatePrivateKey, cache.DefaultAccessBoxConfig())
addr := address.NewAddress()
if err := addr.Parse(options.SecretAddress); err != nil {
return fmt.Errorf("failed to parse secret address: %w", err)
}
box, err := bearerCreds.GetBox(ctx, addr)
if err != nil {
return fmt.Errorf("failed to get tokens: %w", err)
}
or := &obtainingResult{
BearerToken: box.Gate.BearerToken,
SecretAccessKey: box.Gate.AccessKey,
}
enc := json.NewEncoder(w)
enc.SetIndent("", " ")
return enc.Encode(or)
}
func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) {
table := eacl.NewTable()
if len(eaclTable) != 0 {
return table, table.UnmarshalJSON(eaclTable)
}
record := eacl.NewRecord()
record.SetOperation(eacl.OperationGet)
record.SetAction(eacl.ActionAllow)
// TODO: Change this later.
// from := eacl.HeaderFromObject
// matcher := eacl.MatchStringEqual
// record.AddFilter(from eacl.FilterHeaderType, matcher eacl.Match, name string, value string)
eacl.AddFormedTarget(record, eacl.RoleOthers)
table.SetCID(cid)
table.AddRecord(record)
return table, nil
}
func buildContext(rules []byte) ([]*session.ContainerContext, error) {
var sessionCtxs []*session.ContainerContext
if len(rules) != 0 {
// cast ToV2 temporary, because there is no method for unmarshalling in ContainerContext in api-go
err := json.Unmarshal(rules, &sessionCtxs)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal rules for session token: %w", err)
}
var (
containsPut = false
containsSetEACL = false
)
for _, s := range sessionCtxs {
if s.IsForPut() {
containsPut = true
} else if s.IsForSetEACL() {
containsSetEACL = true
}
}
if containsPut && !containsSetEACL {
ectx := session.NewContainerContext()
ectx.ForSetEACL()
sessionCtxs = append(sessionCtxs, ectx)
}
return sessionCtxs, nil
}
sessionCtxPut := session.NewContainerContext()
sessionCtxPut.ForPut()
sessionCtxDelete := session.NewContainerContext()
sessionCtxDelete.ForDelete()
sessionCtxEACL := session.NewContainerContext()
sessionCtxEACL.ForSetEACL()
return []*session.ContainerContext{sessionCtxPut, sessionCtxDelete, sessionCtxEACL}, nil
}
func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) {
oid := owner.NewIDFromPublicKey((*ecdsa.PublicKey)(gateKey))
bearerToken := token.NewBearerToken()
bearerToken.SetEACLTable(table)
bearerToken.SetOwner(oid)
bearerToken.SetLifetime(lifetime.Exp, lifetime.Iat, lifetime.Iat)
return bearerToken, bearerToken.SignToken(&key.PrivateKey)
}
func buildBearerTokens(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gatesKeys []*keys.PublicKey) ([]*token.BearerToken, error) {
bearerTokens := make([]*token.BearerToken, 0, len(gatesKeys))
for _, gateKey := range gatesKeys {
tkn, err := buildBearerToken(key, table, lifetime, gateKey)
if err != nil {
return nil, err
}
bearerTokens = append(bearerTokens, tkn)
}
return bearerTokens, nil
}
func buildSessionToken(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctx *session.ContainerContext, gateKey *keys.PublicKey) (*session.Token, error) {
tok := session.NewToken()
tok.SetContext(ctx)
uid, err := uuid.New().MarshalBinary()
if err != nil {
return nil, err
}
tok.SetID(uid)
tok.SetOwnerID(oid)
tok.SetSessionKey(gateKey.Bytes())
tok.SetIat(lifetime.Iat)
tok.SetNbf(lifetime.Iat)
tok.SetExp(lifetime.Exp)
return tok, tok.Sign(&key.PrivateKey)
}
func buildSessionTokens(key *keys.PrivateKey, oid *owner.ID, lifetime lifetimeOptions, ctxs []*session.ContainerContext, gatesKeys []*keys.PublicKey) ([][]*session.Token, error) {
sessionTokens := make([][]*session.Token, 0, len(gatesKeys))
for _, gateKey := range gatesKeys {
tkns := make([]*session.Token, len(ctxs))
for i, ctx := range ctxs {
tkn, err := buildSessionToken(key, oid, lifetime, ctx, gateKey)
if err != nil {
return nil, err
}
tkns[i] = tkn
}
sessionTokens = append(sessionTokens, tkns)
}
return sessionTokens, nil
}
func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *cid.ID) ([]*accessbox.GateData, error) {
gates := make([]*accessbox.GateData, len(options.GatesPublicKeys))
table, err := buildEACLTable(cid, options.EACLRules)
if err != nil {
return nil, fmt.Errorf("failed to build eacl table: %w", err)
}
bearerTokens, err := buildBearerTokens(options.NeoFSKey, table, lifetime, options.GatesPublicKeys)
if err != nil {
return nil, fmt.Errorf("failed to build bearer tokens: %w", err)
}
for i, gateKey := range options.GatesPublicKeys {
gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
}
if options.SessionTokenRules != nil {
sessionRules, err := buildContext(options.SessionTokenRules)
if err != nil {
return nil, fmt.Errorf("failed to build context for session token: %w", err)
}
oid := owner.NewIDFromPublicKey(&options.NeoFSKey.PrivateKey.PublicKey)
sessionTokens, err := buildSessionTokens(options.NeoFSKey, oid, lifetime, sessionRules, options.GatesPublicKeys)
if err != nil {
return nil, fmt.Errorf("failed to biuild session token: %w", err)
}
for i, sessionTkns := range sessionTokens {
gates[i].SessionTokens = sessionTkns
}
}
return gates, nil
}