mkadilov/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Pull requests Activity

[#1045] Provide sanity check of session token in container service

Browse source 
Without sanity check, container service provides successful response,
even though such request will never be approved by Alphabet nodes.

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
Alex Vanin 2021-12-16 18:26:13 +03:00 committed by Alex Vanin
parent acb4a9e5b4
commit e610d1ea5f
2 changed files with 122 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
pkg/services/container/morph/executor.go
View file

@ -2,6 +2,7 @@ package container
import ( import (
"context" "context"
"errors"
"github.com/nspcc-dev/neofs-api-go/v2/container" "github.com/nspcc-dev/neofs-api-go/v2/container"
"github.com/nspcc-dev/neofs-api-go/v2/refs" "github.com/nspcc-dev/neofs-api-go/v2/refs"
@ -42,6 +43,10 @@ type Writer interface {
PutEACL(*eaclSDK.Table) error PutEACL(*eaclSDK.Table) error
} }
// ErrInvalidContext is thrown by morph ServiceExecutor when provided session
// token does not contain expected container context.
var ErrInvalidContext = errors.New("session token does not contain container context")
func NewExecutor(rdr Reader, wrt Writer) containerSvc.ServiceExecutor { func NewExecutor(rdr Reader, wrt Writer) containerSvc.ServiceExecutor {
return &morphExecutor{ return &morphExecutor{
rdr: rdr, rdr: rdr,
@ -56,9 +61,12 @@ func (s *morphExecutor) Put(ctx containerSvc.ContextWithToken, body *container.P
signature.NewFromV2(body.GetSignature()), signature.NewFromV2(body.GetSignature()),
) )
cnr.SetSessionToken( tok := session.NewTokenFromV2(ctx.SessionToken)
session.NewTokenFromV2(ctx.SessionToken), if ctx.SessionToken != nil && session.GetContainerContext(tok) == nil {
) return nil, ErrInvalidContext
}
cnr.SetSessionToken(tok)
cid, err := s.wrt.Put(cnr) cid, err := s.wrt.Put(cnr)
if err != nil { if err != nil {
@ -74,7 +82,11 @@ func (s *morphExecutor) Put(ctx containerSvc.ContextWithToken, body *container.P
func (s *morphExecutor) Delete(ctx containerSvc.ContextWithToken, body *container.DeleteRequestBody) (*container.DeleteResponseBody, error) { func (s *morphExecutor) Delete(ctx containerSvc.ContextWithToken, body *container.DeleteRequestBody) (*container.DeleteResponseBody, error) {
id := cid.NewFromV2(body.GetContainerID()) id := cid.NewFromV2(body.GetContainerID())
sig := body.GetSignature().GetSign() sig := body.GetSignature().GetSign()
tok := session.NewTokenFromV2(ctx.SessionToken) tok := session.NewTokenFromV2(ctx.SessionToken)
if ctx.SessionToken != nil && session.GetContainerContext(tok) == nil {
return nil, ErrInvalidContext
}
var rmWitness containercore.RemovalWitness var rmWitness containercore.RemovalWitness
@ -131,9 +143,12 @@ func (s *morphExecutor) SetExtendedACL(ctx containerSvc.ContextWithToken, body *
table.SetSignature(sign) table.SetSignature(sign)
table.SetSessionToken( tok := session.NewTokenFromV2(ctx.SessionToken)
session.NewTokenFromV2(ctx.SessionToken), if ctx.SessionToken != nil && session.GetContainerContext(tok) == nil {
) return nil, ErrInvalidContext
}
table.SetSessionToken(tok)
err := s.wrt.PutEACL(table) err := s.wrt.PutEACL(table)
if err != nil { if err != nil {

101
pkg/services/container/morph/executor_test.go Normal file
View file

@ -0,0 +1,101 @@
package container_test
import (
"context"
"testing"
"github.com/nspcc-dev/neofs-api-go/v2/container"
"github.com/nspcc-dev/neofs-api-go/v2/session"
containerCore "github.com/nspcc-dev/neofs-node/pkg/core/container"
containerSvc "github.com/nspcc-dev/neofs-node/pkg/services/container"
containerSvcMorph "github.com/nspcc-dev/neofs-node/pkg/services/container/morph"
containerSDK "github.com/nspcc-dev/neofs-sdk-go/container"
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
"github.com/nspcc-dev/neofs-sdk-go/eacl"
"github.com/nspcc-dev/neofs-sdk-go/owner"
"github.com/stretchr/testify/require"
)
type mock struct{}
func (m mock) Put(c *containerSDK.Container) (*cid.ID, error) {
return new(cid.ID), nil
}
func (m mock) Delete(witness containerCore.RemovalWitness) error {
return nil
}
func (m mock) PutEACL(table *eacl.Table) error {
return nil
}
func (m mock) Get(id *cid.ID) (*containerSDK.Container, error) {
panic("implement me")
}
func (m mock) GetEACL(id *cid.ID) (*eacl.Table, error) {
panic("implement me")
}
func (m mock) List(id *owner.ID) ([]*cid.ID, error) {
panic("implement me")
}
func TestInvalidToken(t *testing.T) {
m := mock{}
e := containerSvcMorph.NewExecutor(m, m)
tests := []struct {
name string
op func(e containerSvc.ServiceExecutor, ctx containerSvc.ContextWithToken) error
}{
{
name: "put",
op: func(e containerSvc.ServiceExecutor, ctx containerSvc.ContextWithToken) (err error) {
_, err = e.Put(ctx, new(container.PutRequestBody))
return
},
},
{
name: "delete",
op: func(e containerSvc.ServiceExecutor, ctx containerSvc.ContextWithToken) (err error) {
_, err = e.Delete(ctx, new(container.DeleteRequestBody))
return
},
},
{
name: "setEACL",
op: func(e containerSvc.ServiceExecutor, ctx containerSvc.ContextWithToken) (err error) {
_, err = e.SetExtendedACL(ctx, new(container.SetExtendedACLRequestBody))
return
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
ctx := containerSvc.ContextWithToken{
Context: context.Background(),
SessionToken: generateToken(new(session.ObjectSessionContext)),
}
require.Error(t, test.op(e, ctx), containerSvcMorph.ErrInvalidContext)
ctx.SessionToken = generateToken(new(session.ContainerSessionContext))
require.NoError(t, test.op(e, ctx))
ctx.SessionToken = nil
require.NoError(t, test.op(e, ctx))
})
}
}
func generateToken(ctx session.SessionTokenContext) *session.SessionToken {
body := new(session.SessionTokenBody)
body.SetContext(ctx)
tok := new(session.SessionToken)
tok.SetBody(body)
return tok
}