From a1748ae0e75a769db0c919215249a97cb0381573 Mon Sep 17 00:00:00 2001
From: Pavel Karpy
Date: Fri, 23 Dec 2022 14:58:18 +0300
Subject: [PATCH] [#370] bearer, session: Clarify expiration epoch

The expiration epoch is the _last_ valid epoch for an entity. Also, clarify the expiration epoch meaning for tombstones and regular objects.

Signed-off-by: Pavel Karpy
Signed-off-by: Evgenii Stratonikov
---
 bearer/bearer.go | 9 +++++----
 bearer/bearer_test.go | 2 +-
 object/tombstone.go | 10 ++++++++--
 session/common.go | 11 ++++++-----
 session/container_test.go | 6 ++++--
 session/object_test.go | 6 ++++--
 6 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/bearer/bearer.go b/bearer/bearer.go
index d1575388..2b0ae284 100644
--- a/bearer/bearer.go
+++ b/bearer/bearer.go
@@ -136,9 +136,10 @@ func (b Token) WriteToV2(m *acl.BearerToken) {
 }
 
 // SetExp sets "exp" (expiration time) claim which identifies the
-// expiration time (in NeoFS epochs) on or after which the Token MUST NOT be
-// accepted for processing. The processing of the "exp" claim requires that the
-// current epoch MUST be before the expiration epoch listed in the "exp" claim.
+// expiration time (in NeoFS epochs) after which the Token MUST NOT be
+// accepted for processing. The processing of the "exp" claim requires
+// that the current epoch MUST be before or equal to the expiration epoch
+// listed in the "exp" claim.
 //
 // Naming is inspired by https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4.
 //
@@ -179,7 +180,7 @@ func (b *Token) SetIat(iat uint64) {
 //
 // See also SetExp, SetNbf, SetIat.
 func (b Token) InvalidAt(epoch uint64) bool {
- return !b.lifetimeSet || b.nbf > epoch || b.iat > epoch || b.exp <= epoch
+ return !b.lifetimeSet || b.nbf > epoch || b.iat > epoch || b.exp < epoch
 }
 
 // SetEACLTable sets eacl.Table that replaces the one from the issuer's
diff --git a/bearer/bearer_test.go b/bearer/bearer_test.go
index 02727d52..0b9c45b7 100644
--- a/bearer/bearer_test.go
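Review bot: Changing `b.exp <= epoch` to `b.exp < epoch` in InvalidAt is a behavior change, not the clarification the subject line describes: every bearer token is now accepted for one epoch longer than before, including tokens already issued with an `exp` chosen under the old, exclusive semantics, so the extended acceptance window deserves an explicit mention in the commit message (the same applies to `expiredAt` in session/common.go in this patch). The SetExp comment still cites RFC 7519 §4.1.4, where "exp" is exclusive ("on or after which the JWT MUST NOT be accepted"); since the new NeoFS semantics are inclusive, the comment should state the divergence rather than leave the reader to reconcile it, e.g. `// Unlike RFC 7519, the epoch equal to "exp" is still accepted; the token becomes invalid starting from "exp"+1.`. Whether the storage-node side evaluates "exp" with the same inclusive comparison is not visible here; if it does not, clients and nodes would disagree for exactly one epoch about whether a token is valid, which is worth confirming before release. SetExp's body lies outside the hunk; InvalidAt is shown in full.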
+++ b/bearer/bearer_test.go
@@ -220,7 +220,7 @@ func TestToken_InvalidAt(t *testing.T) {
 require.True(t, val.InvalidAt(1))
 require.False(t, val.InvalidAt(2))
 require.False(t, val.InvalidAt(3))
- require.True(t, val.InvalidAt(4))
+ require.False(t, val.InvalidAt(4))
 require.True(t, val.InvalidAt(5))
 }
 
diff --git a/object/tombstone.go b/object/tombstone.go
index 502d2145..cd85335c 100644
--- a/object/tombstone.go
+++ b/object/tombstone.go
@@ -33,12 +33,18 @@ func (t *Tombstone) ToV2() *tombstone.Tombstone {
 return (*tombstone.Tombstone)(t)
 }
 
-// ExpirationEpoch return number of tombstone expiration epoch.
+// ExpirationEpoch returns the last NeoFS epoch
+// number of the tombstone lifetime.
+//
+// See also SetExpirationEpoch.
 func (t *Tombstone) ExpirationEpoch() uint64 {
 return (*tombstone.Tombstone)(t).GetExpirationEpoch()
 }
 
-// SetExpirationEpoch sets number of tombstone expiration epoch.
+// SetExpirationEpoch sets the last NeoFS epoch
+// number of the tombstone lifetime.
+//
+// See also ExpirationEpoch.
 func (t *Tombstone) SetExpirationEpoch(v uint64) {
 (*tombstone.Tombstone)(t).SetExpirationEpoch(v)
 }
diff --git a/session/common.go b/session/common.go
index 186f2059..1587251a 100644
--- a/session/common.go
+++ b/session/common.go
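Review bot: The new ExpirationEpoch and SetExpirationEpoch comments define the value as the last epoch of the tombstone lifetime, but the commit message also promises a clarification for regular objects and the diffstat lists no file under object/ other than tombstone.go, so either that part of the change is missing or the message overstates the scope. The doc also leaves the reader to guess what a tombstone with an unset (zero) expiration epoch means, which the wrapped getter does not show here; if the project has a convention for that, a sentence such as `// A zero value means no expiration epoch was set.` (only if that is actually the semantics) would close the gap, otherwise it is better left unsaid.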
@@ -219,10 +219,11 @@ func (x *commonData) unmarshalJSON(data []byte, r contextReader) error {
 return x.readFromV2(m, false, r)
 }
 
-// SetExp sets "exp" (expiration time) claim which identifies the expiration time
-// (in NeoFS epochs) on or after which the session MUST NOT be accepted for
-// processing. The processing of the "exp" claim requires that the current
-// epoch MUST be before the expiration epoch listed in the "exp" claim.
+// SetExp sets "exp" (expiration time) claim which identifies the expiration
+// time (in NeoFS epochs) after which the session MUST NOT be accepted for
+// processing. The processing of the "exp" claim requires that the current
+// epoch MUST be before or equal to the expiration epoch listed in the "exp"
+// claim.
 //
 // Naming is inspired by https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4.
 //
@@ -258,7 +259,7 @@ func (x *commonData) SetIat(iat uint64) {
 }
 
 func (x commonData) expiredAt(epoch uint64) bool {
- return !x.lifetimeSet || x.exp <= epoch
+ return !x.lifetimeSet || x.exp < epoch
 }
 
 // InvalidAt asserts "exp", "nbf" and "iat" claims.
diff --git a/session/container_test.go b/session/container_test.go
index 11f745d6..d58ab917 100644
--- a/session/container_test.go
+++ b/session/container_test.go
@@ -153,7 +153,8 @@ func TestContainerProtocolV2(t *testing.T) {
 assert: func(val session.Container) {
 require.True(t, val.InvalidAt(1))
 require.False(t, val.InvalidAt(2))
- require.True(t, val.InvalidAt(3))
+ require.False(t, val.InvalidAt(3))
+ require.True(t, val.InvalidAt(4))
 },
 breakSign: func(m *v2session.Token) {
 lt := m.GetBody().GetLifetime()
@@ -410,7 +411,8 @@ func TestContainer_InvalidAt(t *testing.T) {
 require.True(t, x.InvalidAt(nbf-1))
 require.True(t, x.InvalidAt(iat-1))
 require.False(t, x.InvalidAt(iat))
- require.True(t, x.InvalidAt(exp))
+ require.False(t, x.InvalidAt(exp))
+ require.True(t, x.InvalidAt(exp+1))
 }
 
 func TestContainer_ID(t *testing.T) {
diff --git a/session/object_test.go b/session/object_test.go
index 856aa3ba..09c7319a 100644
--- a/session/object_test.go
+++ b/session/object_test.go
@@ -175,7 +175,8 @@ func TestObjectProtocolV2(t *testing.T) {
 assert: func(val session.Object) {
 require.True(t, val.InvalidAt(1))
 require.False(t, val.InvalidAt(2))
- require.True(t, val.InvalidAt(3))
+ require.False(t, val.InvalidAt(3))
+ require.True(t, val.InvalidAt(4))
 },
 breakSign: func(m *v2session.Token) {
 lt := m.GetBody().GetLifetime()
@@ -520,7 +521,8 @@ func TestObject_InvalidAt(t *testing.T) {
 require.True(t, x.InvalidAt(nbf-1))
 require.True(t, x.InvalidAt(iat-1))
 require.False(t, x.InvalidAt(iat))
- require.True(t, x.InvalidAt(exp))
+ require.False(t, x.InvalidAt(exp))
+ require.True(t, x.InvalidAt(exp+1))
 }
 
 func TestObject_ID(t *testing.T) {