pogpp/frostfs-s3-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-s3-gw
Code Pull requests Activity

[#509] Save isCustom flag into accessbox

Browse source 
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
Denis Kirillov 2024-10-14 12:07:09 +03:00
parent 6a90f4e624
commit 57b7e83380
7 changed files with 73 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
creds/accessbox/accessbox.go
View file

@ -106,6 +106,7 @@ func PackTokens(gatesData []*GateData, secret []byte, isCustomSecret bool) (*Acc
return nil, nil, fmt.Errorf("create ephemeral key: %w", err) return nil, nil, fmt.Errorf("create ephemeral key: %w", err)
} }
box.SeedKey = ephemeralKey.PublicKey().Bytes() box.SeedKey = ephemeralKey.PublicKey().Bytes()
box.IsCustom = isCustomSecret
if secret == nil { if secret == nil {
secret, err = generateSecret() secret, err = generateSecret()
@ -127,7 +128,7 @@ func PackTokens(gatesData []*GateData, secret []byte, isCustomSecret bool) (*Acc
} }
// GetTokens returns gate tokens from AccessBox. // GetTokens returns gate tokens from AccessBox.
func (x *AccessBox) GetTokens(owner *keys.PrivateKey, isCustomSecret bool) (*GateData, error) { func (x *AccessBox) GetTokens(owner *keys.PrivateKey) (*GateData, error) {
seedKey, err := keys.NewPublicKeyFromBytes(x.SeedKey, elliptic.P256()) seedKey, err := keys.NewPublicKeyFromBytes(x.SeedKey, elliptic.P256())
if err != nil { if err != nil {
return nil, fmt.Errorf("couldn't unmarshal SeedKey: %w", err) return nil, fmt.Errorf("couldn't unmarshal SeedKey: %w", err)
@ -138,7 +139,7 @@ func (x *AccessBox) GetTokens(owner *keys.PrivateKey, isCustomSecret bool) (*Gat
continue continue
} }
gateData, err := decodeGate(gate, owner, seedKey, isCustomSecret) gateData, err := x.decodeGate(gate, owner, seedKey)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to decode gate: %w", err) return nil, fmt.Errorf("failed to decode gate: %w", err)
} }
@ -166,8 +167,8 @@ func (x *AccessBox) GetPlacementPolicy() ([]*ContainerPolicy, error) {
} }
// GetBox parses AccessBox to Box. // GetBox parses AccessBox to Box.
func (x *AccessBox) GetBox(owner *keys.PrivateKey, isCustomSecret bool) (*Box, error) { func (x *AccessBox) GetBox(owner *keys.PrivateKey) (*Box, error) {
tokens, err := x.GetTokens(owner, isCustomSecret) tokens, err := x.GetTokens(owner)
if err != nil { if err != nil {
return nil, fmt.Errorf("get tokens: %w", err) return nil, fmt.Errorf("get tokens: %w", err)
} }
@ -222,7 +223,7 @@ func encodeGate(ephemeralKey *keys.PrivateKey, seedKey *keys.PublicKey, tokens *
return gate, nil return gate, nil
} }
func decodeGate(gate *AccessBox_Gate, owner *keys.PrivateKey, seedKey *keys.PublicKey, isCustomSecret bool) (*GateData, error) { func (x *AccessBox) decodeGate(gate *AccessBox_Gate, owner *keys.PrivateKey, seedKey *keys.PublicKey) (*GateData, error) {
data, err := decrypt(owner, seedKey, gate.Tokens) data, err := decrypt(owner, seedKey, gate.Tokens)
if err != nil { if err != nil {
return nil, fmt.Errorf("decrypt tokens: %w", err) return nil, fmt.Errorf("decrypt tokens: %w", err)
@ -248,7 +249,7 @@ func decodeGate(gate *AccessBox_Gate, owner *keys.PrivateKey, seedKey *keys.Publ
gateData := NewGateData(owner.PublicKey(), &bearerTkn) gateData := NewGateData(owner.PublicKey(), &bearerTkn)
gateData.SessionTokens = sessionTkns gateData.SessionTokens = sessionTkns
if isCustomSecret { if x.IsCustom {
gateData.SecretKey = string(tokens.SecretKey) gateData.SecretKey = string(tokens.SecretKey)
} else { } else {
gateData.SecretKey = hex.EncodeToString(tokens.SecretKey) gateData.SecretKey = hex.EncodeToString(tokens.SecretKey)

72
creds/accessbox/accessbox.pb.go
View file

@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT. // Code generated by protoc-gen-go. DO NOT EDIT.
// versions: // versions:
// protoc-gen-go v1.30.0 // protoc-gen-go v1.34.2
// protoc v3.12.4 // protoc v3.21.9
// source: creds/accessbox/accessbox.proto // source: creds/accessbox/accessbox.proto
package accessbox package accessbox
@ -28,6 +28,7 @@ type AccessBox struct {
SeedKey []byte `protobuf:"bytes,1,opt,name=seedKey,proto3" json:"seedKey,omitempty"` SeedKey []byte `protobuf:"bytes,1,opt,name=seedKey,proto3" json:"seedKey,omitempty"`
Gates []*AccessBox_Gate `protobuf:"bytes,2,rep,name=gates,proto3" json:"gates,omitempty"` Gates []*AccessBox_Gate `protobuf:"bytes,2,rep,name=gates,proto3" json:"gates,omitempty"`
ContainerPolicy []*AccessBox_ContainerPolicy `protobuf:"bytes,3,rep,name=containerPolicy,proto3" json:"containerPolicy,omitempty"` ContainerPolicy []*AccessBox_ContainerPolicy `protobuf:"bytes,3,rep,name=containerPolicy,proto3" json:"containerPolicy,omitempty"`
IsCustom bool `protobuf:"varint,4,opt,name=isCustom,proto3" json:"isCustom,omitempty"`
} }
func (x *AccessBox) Reset() { func (x *AccessBox) Reset() {
@ -83,6 +84,13 @@ func (x *AccessBox) GetContainerPolicy() []*AccessBox_ContainerPolicy {
return nil return nil
} }
func (x *AccessBox) GetIsCustom() bool {
if x != nil {
return x.IsCustom
}
return false
}
type Tokens struct { type Tokens struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@ -261,7 +269,7 @@ var File_creds_accessbox_accessbox_proto protoreflect.FileDescriptor
var file_creds_accessbox_accessbox_proto_rawDesc = []byte{ var file_creds_accessbox_accessbox_proto_rawDesc = []byte{
0x0a, 0x1f, 0x63, 0x72, 0x65, 0x64, 0x73, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x0a, 0x1f, 0x63, 0x72, 0x65, 0x64, 0x73, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f,
0x78, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x78, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x12, 0x09, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x22, 0xc7, 0x02, 0x0a, 0x6f, 0x12, 0x09, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x22, 0xe3, 0x02, 0x0a,
0x09, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x42, 0x6f, 0x78, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x09, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x42, 0x6f, 0x78, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65,
0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x73, 0x65, 0x65, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x73, 0x65, 0x65,
0x64, 0x4b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x05, 0x67, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x05, 0x67, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20,
@ -272,29 +280,31 @@ var file_creds_accessbox_accessbox_proto_rawDesc = []byte{
0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73,
0x73, 0x42, 0x6f, 0x78, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f, 0x73, 0x42, 0x6f, 0x78, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f,
0x6c, 0x69, 0x63, 0x79, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50,
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x44, 0x0a, 0x04, 0x47, 0x61, 0x74, 0x65, 0x12, 0x16, 0x0a, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x43, 0x75, 0x73, 0x74, 0x6f,
0x06, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x74, 0x6d, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x73, 0x43, 0x75, 0x73, 0x74, 0x6f,
0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x67, 0x61, 0x74, 0x65, 0x50, 0x75, 0x62, 0x6d, 0x1a, 0x44, 0x0a, 0x04, 0x47, 0x61, 0x74, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x6f, 0x6b,
0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x67, 0x61, 0x65, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
0x74, 0x65, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x1a, 0x59, 0x0a, 0x0f, 0x43, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x67, 0x61, 0x74, 0x65, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b,
0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x2e, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x67, 0x61, 0x74, 0x65, 0x50, 0x75,
0x0a, 0x12, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x1a, 0x59, 0x0a, 0x0f, 0x43, 0x6f, 0x6e, 0x74, 0x61,
0x61, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x6c, 0x6f, 0x63, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x2e, 0x0a, 0x12, 0x6c, 0x6f,
0x74, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x12, 0x16, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74,
0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x6e, 0x0a, 0x06, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f,
0x12, 0x1c, 0x0a, 0x09, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69,
0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x63, 0x79, 0x22, 0x6e, 0x0a, 0x06, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09,
0x0a, 0x0b, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52,
0x01, 0x28, 0x0c, 0x52, 0x0b, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x09, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x0a, 0x0b, 0x62, 0x65,
0x12, 0x24, 0x0a, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x61, 0x72, 0x65, 0x72, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52,
0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x0b, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x24, 0x0a, 0x0d,
0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x46, 0x5a, 0x44, 0x67, 0x69, 0x74, 0x2e, 0x66, 0x72, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x03, 0x20,
0x6f, 0x73, 0x74, 0x66, 0x73, 0x2e, 0x69, 0x6e, 0x66, 0x6f, 0x2f, 0x54, 0x72, 0x75, 0x65, 0x43, 0x03, 0x28, 0x0c, 0x52, 0x0d, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x6f, 0x6b, 0x65,
0x6c, 0x6f, 0x75, 0x64, 0x4c, 0x61, 0x62, 0x2f, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2d, 0x6e, 0x73, 0x42, 0x46, 0x5a, 0x44, 0x67, 0x69, 0x74, 0x2e, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66,
0x73, 0x33, 0x2d, 0x67, 0x77, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x73, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x73, 0x2e, 0x69, 0x6e, 0x66, 0x6f, 0x2f, 0x54, 0x72, 0x75, 0x65, 0x43, 0x6c, 0x6f, 0x75, 0x64,
0x6e, 0x62, 0x6f, 0x78, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x62, 0x06, 0x4c, 0x61, 0x62, 0x2f, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2d, 0x73, 0x33, 0x2d, 0x67,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, 0x77, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x73, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x62, 0x6f, 0x78,
0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x62, 0x6f, 0x78, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x33,
} }
var ( var (
@ -310,7 +320,7 @@ func file_creds_accessbox_accessbox_proto_rawDescGZIP() []byte {
} }
var file_creds_accessbox_accessbox_proto_msgTypes = make([]protoimpl.MessageInfo, 4) var file_creds_accessbox_accessbox_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
var file_creds_accessbox_accessbox_proto_goTypes = []interface{}{ var file_creds_accessbox_accessbox_proto_goTypes = []any{
(*AccessBox)(nil), // 0: accessbox.AccessBox (*AccessBox)(nil), // 0: accessbox.AccessBox
(*Tokens)(nil), // 1: accessbox.Tokens (*Tokens)(nil), // 1: accessbox.Tokens
(*AccessBox_Gate)(nil), // 2: accessbox.AccessBox.Gate (*AccessBox_Gate)(nil), // 2: accessbox.AccessBox.Gate
@ -332,7 +342,7 @@ func file_creds_accessbox_accessbox_proto_init() {
return return
} }
if !protoimpl.UnsafeEnabled { if !protoimpl.UnsafeEnabled {
file_creds_accessbox_accessbox_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { file_creds_accessbox_accessbox_proto_msgTypes[0].Exporter = func(v any, i int) any {
switch v := v.(*AccessBox); i { switch v := v.(*AccessBox); i {
case 0: case 0:
return &v.state return &v.state
@ -344,7 +354,7 @@ func file_creds_accessbox_accessbox_proto_init() {
return nil return nil
} }
} }
file_creds_accessbox_accessbox_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { file_creds_accessbox_accessbox_proto_msgTypes[1].Exporter = func(v any, i int) any {
switch v := v.(*Tokens); i { switch v := v.(*Tokens); i {
case 0: case 0:
return &v.state return &v.state
@ -356,7 +366,7 @@ func file_creds_accessbox_accessbox_proto_init() {
return nil return nil
} }
} }
file_creds_accessbox_accessbox_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { file_creds_accessbox_accessbox_proto_msgTypes[2].Exporter = func(v any, i int) any {
switch v := v.(*AccessBox_Gate); i { switch v := v.(*AccessBox_Gate); i {
case 0: case 0:
return &v.state return &v.state
@ -368,7 +378,7 @@ func file_creds_accessbox_accessbox_proto_init() {
return nil return nil
} }
} }
file_creds_accessbox_accessbox_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { file_creds_accessbox_accessbox_proto_msgTypes[3].Exporter = func(v any, i int) any {
switch v := v.(*AccessBox_ContainerPolicy); i { switch v := v.(*AccessBox_ContainerPolicy); i {
case 0: case 0:
return &v.state return &v.state

1
creds/accessbox/accessbox.proto
View file

@ -20,6 +20,7 @@ message AccessBox {
bytes seedKey = 1 [json_name = "seedKey"]; bytes seedKey = 1 [json_name = "seedKey"];
repeated Gate gates = 2 [json_name = "gates"]; repeated Gate gates = 2 [json_name = "gates"];
repeated ContainerPolicy containerPolicy = 3 [json_name = "containerPolicy"]; repeated ContainerPolicy containerPolicy = 3 [json_name = "containerPolicy"];
bool isCustom = 4 [json_name = "isCustom"];
} }
message Tokens { message Tokens {

22
creds/accessbox/accessbox_test.go
View file

@ -70,7 +70,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
err = box2.Unmarshal(data) err = box2.Unmarshal(data)
require.NoError(t, err) require.NoError(t, err)
tkns, err := box2.GetTokens(cred, false) tkns, err := box2.GetTokens(cred)
require.NoError(t, err) require.NoError(t, err)
assertBearerToken(t, tkn, *tkns.BearerToken) assertBearerToken(t, tkn, *tkns.BearerToken)
@ -105,7 +105,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
err = box2.Unmarshal(data) err = box2.Unmarshal(data)
require.NoError(t, err) require.NoError(t, err)
tkns, err := box2.GetTokens(cred, false) tkns, err := box2.GetTokens(cred)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens) require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens)
@ -140,7 +140,7 @@ func TestAccessboxMultipleKeys(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
for i, k := range privateKeys { for i, k := range privateKeys {
tkns, err := box.GetTokens(k, false) tkns, err := box.GetTokens(k)
require.NoError(t, err, "key #%d: %s failed", i, k) require.NoError(t, err, "key #%d: %s failed", i, k)
assertBearerToken(t, tkn, *tkns.BearerToken) assertBearerToken(t, tkn, *tkns.BearerToken)
} }
@ -168,7 +168,7 @@ func TestUnknownKey(t *testing.T) {
box, _, err = PackTokens([]*GateData{gate}, nil, false) box, _, err = PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err) require.NoError(t, err)
_, err = box.GetTokens(wrongCred, false) _, err = box.GetTokens(wrongCred)
require.Error(t, err) require.Error(t, err)
} }
@ -231,7 +231,7 @@ func TestGetBox(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, hex.EncodeToString(secret), secrets.SecretKey) require.Equal(t, hex.EncodeToString(secret), secrets.SecretKey)
box, err := accessBox.GetBox(cred, false) box, err := accessBox.GetBox(cred)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey) require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
}) })
@ -241,7 +241,7 @@ func TestGetBox(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, string(secret), secrets.SecretKey) require.Equal(t, string(secret), secrets.SecretKey)
box, err := accessBox.GetBox(cred, true) box, err := accessBox.GetBox(cred)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, string(secret), box.Gate.SecretKey) require.Equal(t, string(secret), box.Gate.SecretKey)
}) })
@ -261,10 +261,10 @@ func TestAccessBox(t *testing.T) {
randomKey, err := keys.NewPrivateKey() randomKey, err := keys.NewPrivateKey()
require.NoError(t, err) require.NoError(t, err)
_, err = accessBox.GetTokens(randomKey, false) _, err = accessBox.GetTokens(randomKey)
require.Error(t, err) require.Error(t, err)
_, err = accessBox.GetBox(randomKey, false) _, err = accessBox.GetBox(randomKey)
require.Error(t, err) require.Error(t, err)
}) })
@ -294,17 +294,17 @@ func TestAccessBox(t *testing.T) {
_, err = accessBox.GetPlacementPolicy() _, err = accessBox.GetPlacementPolicy()
require.Error(t, err) require.Error(t, err)
_, err = accessBox.GetBox(cred, false) _, err = accessBox.GetBox(cred)
require.Error(t, err) require.Error(t, err)
}) })
t.Run("empty seed key", func(t *testing.T) { t.Run("empty seed key", func(t *testing.T) {
accessBox.SeedKey = nil accessBox.SeedKey = nil
_, err = accessBox.GetTokens(cred, false) _, err = accessBox.GetTokens(cred)
require.Error(t, err) require.Error(t, err)
_, err = accessBox.GetBox(cred, false) _, err = accessBox.GetBox(cred)
require.Error(t, err) require.Error(t, err)
}) })

14
creds/tokens/credentials.go
View file

@ -5,7 +5,6 @@ import (
"errors" "errors"
"fmt" "fmt"
"strconv" "strconv"
"strings"
"time" "time"
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/cache" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/cache"
@ -132,10 +131,9 @@ func New(cfg Config) Credentials {
} }
func (c *cred) GetBox(ctx context.Context, cnrID cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) { func (c *cred) GetBox(ctx context.Context, cnrID cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) {
isCustomSecret := isCustom(accessKeyID)
cachedBoxValue := c.cache.Get(accessKeyID) cachedBoxValue := c.cache.Get(accessKeyID)
if cachedBoxValue != nil { if cachedBoxValue != nil {
return c.checkIfCredentialsAreRemoved(ctx, cnrID, accessKeyID, cachedBoxValue, isCustomSecret) return c.checkIfCredentialsAreRemoved(ctx, cnrID, accessKeyID, cachedBoxValue)
} }
box, attrs, err := c.getAccessBox(ctx, cnrID, accessKeyID) box, attrs, err := c.getAccessBox(ctx, cnrID, accessKeyID)
@ -143,7 +141,7 @@ func (c *cred) GetBox(ctx context.Context, cnrID cid.ID, accessKeyID string) (*a
return nil, nil, fmt.Errorf("get access box: %w", err) return nil, nil, fmt.Errorf("get access box: %w", err)
} }
cachedBox, err := box.GetBox(c.key, isCustomSecret) cachedBox, err := box.GetBox(c.key)
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("get gate box: %w", err) return nil, nil, fmt.Errorf("get gate box: %w", err)
} }
@ -153,7 +151,7 @@ func (c *cred) GetBox(ctx context.Context, cnrID cid.ID, accessKeyID string) (*a
return cachedBox, attrs, nil return cachedBox, attrs, nil
} }
func (c *cred) checkIfCredentialsAreRemoved(ctx context.Context, cnrID cid.ID, accessKeyID string, cachedBoxValue *cache.AccessBoxCacheValue, isCustomSecret bool) (*accessbox.Box, []object.Attribute, error) { func (c *cred) checkIfCredentialsAreRemoved(ctx context.Context, cnrID cid.ID, accessKeyID string, cachedBoxValue *cache.AccessBoxCacheValue) (*accessbox.Box, []object.Attribute, error) {
if time.Since(cachedBoxValue.PutTime) < c.removingCheckDuration { if time.Since(cachedBoxValue.PutTime) < c.removingCheckDuration {
return cachedBoxValue.Box, cachedBoxValue.Attributes, nil return cachedBoxValue.Box, cachedBoxValue.Attributes, nil
} }
@ -167,7 +165,7 @@ func (c *cred) checkIfCredentialsAreRemoved(ctx context.Context, cnrID cid.ID, a
return cachedBoxValue.Box, cachedBoxValue.Attributes, nil return cachedBoxValue.Box, cachedBoxValue.Attributes, nil
} }
cachedBox, err := box.GetBox(c.key, isCustomSecret) cachedBox, err := box.GetBox(c.key)
if err != nil { if err != nil {
c.cache.Delete(accessKeyID) c.cache.Delete(accessKeyID)
return nil, nil, fmt.Errorf("get gate box: %w", err) return nil, nil, fmt.Errorf("get gate box: %w", err)
@ -261,7 +259,3 @@ func (c *cred) createObject(ctx context.Context, prm CredentialsParam, update bo
return addr, nil return addr, nil
} }
func isCustom(accessKeyID string) bool {
return (&oid.Address{}).DecodeString(strings.ReplaceAll(accessKeyID, "0", "/")) != nil
}

1
docs/images/authentication/accessbox-object.puml
View file

@ -21,6 +21,7 @@ package AccessBox {
SeedKey => Encoded public seed key SeedKey => Encoded public seed key
List of Gates *--> Gate List of Gates *--> Gate
List of container policies *--> ContainerPolicy List of container policies *--> ContainerPolicy
IsCustom => True if SecretKey was imported and must be treated as it is
} }

15
docs/images/authentication/accessbox-object.svg
View file

File diff suppressed because one or more lines are too long
Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB