[#1423] session: Get session issuer from token structure
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
2dec3a0a93
commit
2bcc0051ab
9 changed files with 24 additions and 64 deletions
2
go.mod
2
go.mod
|
@ -19,7 +19,7 @@ require (
|
|||
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect
|
||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.1
|
||||
github.com/nspcc-dev/neofs-contract v0.15.1
|
||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220525080251-1f7fe6864d34
|
||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220526065457-bef4618cd6b9
|
||||
github.com/nspcc-dev/tzhash v1.5.2
|
||||
github.com/panjf2000/ants/v2 v2.4.0
|
||||
github.com/paulmach/orb v0.2.2
|
||||
|
|
4
go.sum
4
go.sum
|
@ -407,8 +407,8 @@ github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnB
|
|||
github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
|
||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
|
||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220525080251-1f7fe6864d34 h1:s9+ckFRFDVJfYh/QezTUE4g1JP3pyU5NaNxBfUIyGh8=
|
||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220525080251-1f7fe6864d34/go.mod h1:u567oWTnAyGXbPWMrbcN0NB5zCPF+PqkaKg+vcijcho=
|
||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220526065457-bef4618cd6b9 h1:TV2/sp/2CY7h7R2MJfU7HYDvXjKGAcOMJvpmV/w4lFk=
|
||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220526065457-bef4618cd6b9/go.mod h1:u567oWTnAyGXbPWMrbcN0NB5zCPF+PqkaKg+vcijcho=
|
||||
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
||||
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||
|
|
|
@ -164,29 +164,19 @@ func ownerFromToken(token *sessionSDK.Object) (*user.ID, *keys.PublicKey, error)
|
|||
var tokV2 sessionV2.Token
|
||||
token.WriteToV2(&tokV2)
|
||||
|
||||
ownerSessionV2 := tokV2.GetBody().GetOwnerID()
|
||||
if ownerSessionV2 == nil {
|
||||
return nil, nil, errors.New("missing session owner")
|
||||
}
|
||||
|
||||
var ownerSession user.ID
|
||||
|
||||
err := ownerSession.ReadFromV2(*ownerSessionV2)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("invalid session token: %w", err)
|
||||
}
|
||||
|
||||
tokenIssuerKey, err := unmarshalPublicKey(tokV2.GetSignature().GetKey())
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("invalid key in session token signature: %w", err)
|
||||
}
|
||||
|
||||
if !isOwnerFromKey(&ownerSession, tokenIssuerKey) {
|
||||
tokenIssuer := token.Issuer()
|
||||
|
||||
if !isOwnerFromKey(&tokenIssuer, tokenIssuerKey) {
|
||||
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
||||
return nil, nil, fmt.Errorf("%w: invalid session token owner", ErrMalformedRequest)
|
||||
}
|
||||
|
||||
return &ownerSession, tokenIssuerKey, nil
|
||||
return &tokenIssuer, tokenIssuerKey, nil
|
||||
}
|
||||
|
||||
func originalBodySignature(v *sessionV2.RequestVerificationHeader) *refsV2.Signature {
|
||||
|
|
|
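Review bot: The new check at `if !isOwnerFromKey(&tokenIssuer, tokenIssuerKey)` now also has to cover the case the removed `ownerSessionV2 == nil` branch reported as `missing session owner`: a token with no issuer presumably yields a zero `user.ID` from `token.Issuer()`, which should never match a key-derived ID, so such a request fails closed as `ErrMalformedRequest` — worth confirming that `isOwnerFromKey` does not treat a zero ID specially. Since the distinct error is gone, a one-line comment above the check would preserve the intent: `// A token without an owner yields a zero issuer ID and is rejected here as malformed.`. The body of ownerFromToken starts before this hunk; `tokV2` remains only to read the signature key.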
@ -243,18 +243,20 @@ func (exec *execCtx) initTombstoneObject() bool {
|
|||
return false
|
||||
}
|
||||
|
||||
tombOwnerID, ok := exec.commonParameters().SessionOwner()
|
||||
if !ok {
|
||||
// make local node a tombstone object owner
|
||||
tombOwnerID = *exec.svc.netInfo.LocalNodeID()
|
||||
}
|
||||
|
||||
exec.tombstoneObj = object.New()
|
||||
exec.tombstoneObj.SetContainerID(*exec.containerID())
|
||||
exec.tombstoneObj.SetOwnerID(&tombOwnerID)
|
||||
exec.tombstoneObj.SetType(object.TypeTombstone)
|
||||
exec.tombstoneObj.SetPayload(payload)
|
||||
|
||||
tokenSession := exec.commonParameters().SessionToken()
|
||||
if tokenSession != nil {
|
||||
issuer := tokenSession.Issuer()
|
||||
exec.tombstoneObj.SetOwnerID(&issuer)
|
||||
} else {
|
||||
// make local node a tombstone object owner
|
||||
exec.tombstoneObj.SetOwnerID(exec.svc.netInfo.LocalNodeID())
|
||||
}
|
||||
|
||||
var a object.Attribute
|
||||
a.SetKey(objectV2.SysAttributeExpEpoch)
|
||||
a.SetValue(strconv.FormatUint(exec.tombstone.ExpirationEpoch(), 10))
|
||||
|
|
|
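Review bot: In the else branch, `exec.tombstoneObj.SetOwnerID(exec.svc.netInfo.LocalNodeID())` hands the object a pointer owned by `netInfo`, whereas the removed code copied the value (`tombOwnerID = *exec.svc.netInfo.LocalNodeID()`) and stored the address of the copy, as the new session branch still does with `issuer`. If `SetOwnerID` retains the pointer rather than copying, the tombstone header aliases node state; copying first keeps both branches symmetric: `local := *exec.svc.netInfo.LocalNodeID()` followed by `exec.tombstoneObj.SetOwnerID(&local)`. initTombstoneObject begins before this hunk and continues after it.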
@ -109,11 +109,9 @@ func (exec execCtx) key() (*ecdsa.PrivateKey, error) {
|
|||
var sessionInfo *util.SessionInfo
|
||||
|
||||
if tok := exec.prm.common.SessionToken(); tok != nil {
|
||||
ownerSession, _ := exec.prm.common.SessionOwner()
|
||||
|
||||
sessionInfo = &util.SessionInfo{
|
||||
ID: tok.ID(),
|
||||
Owner: ownerSession,
|
||||
Owner: tok.Issuer(),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
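Review bot: `Owner: tok.Issuer()` completes a `util.SessionInfo{ID: tok.ID(), Owner: tok.Issuer()}` literal that is repeated verbatim in the hunks for remoteTarget.Close, Streamer.initTarget (there with `sToken`) and clientWrapper.searchObjects. Now that the owner is read from the token alone, a small constructor in package util, e.g. `func SessionInfoFromToken(tok *sessionsdk.Object) *SessionInfo { return &SessionInfo{ID: tok.ID(), Owner: tok.Issuer()} }`, would keep the four sites from drifting if the issuer derivation changes again. The enclosing `key` method starts before this hunk and continues after it.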
@ -51,11 +51,9 @@ func (t *remoteTarget) Close() (*transformer.AccessIdentifiers, error) {
|
|||
var sessionInfo *util.SessionInfo
|
||||
|
||||
if tok := t.commonPrm.SessionToken(); tok != nil {
|
||||
ownerSession, _ := t.commonPrm.SessionOwner()
|
||||
|
||||
sessionInfo = &util.SessionInfo{
|
||||
ID: tok.ID(),
|
||||
Owner: ownerSession,
|
||||
Owner: tok.Issuer(),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -87,11 +87,9 @@ func (p *Streamer) initTarget(prm *PutInitPrm) error {
|
|||
var sessionInfo *util.SessionInfo
|
||||
|
||||
if sToken != nil {
|
||||
ownerSession, _ := prm.common.SessionOwner()
|
||||
|
||||
sessionInfo = &util.SessionInfo{
|
||||
ID: sToken.ID(),
|
||||
Owner: ownerSession,
|
||||
Owner: sToken.Issuer(),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -88,11 +88,9 @@ func (c *clientWrapper) searchObjects(exec *execCtx, info client.NodeInfo) ([]oi
|
|||
var sessionInfo *util.SessionInfo
|
||||
|
||||
if tok := exec.prm.common.SessionToken(); tok != nil {
|
||||
ownerSession, _ := exec.prm.common.SessionOwner()
|
||||
|
||||
sessionInfo = &util.SessionInfo{
|
||||
ID: tok.ID(),
|
||||
Owner: ownerSession,
|
||||
Owner: tok.Issuer(),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,14 +1,12 @@
|
|||
package util
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"strconv"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/bearer"
|
||||
sessionsdk "github.com/nspcc-dev/neofs-sdk-go/session"
|
||||
"github.com/nspcc-dev/neofs-sdk-go/user"
|
||||
)
|
||||
|
||||
// maxLocalTTL is maximum TTL for an operation to be considered local.
|
||||
|
@ -26,8 +24,6 @@ type CommonPrm struct {
|
|||
ttl uint32
|
||||
|
||||
xhdrs []string
|
||||
|
||||
ownerSession user.ID
|
||||
}
|
||||
|
||||
// TTL returns TTL for new requests.
|
||||
|
@ -72,14 +68,6 @@ func (p *CommonPrm) SessionToken() *sessionsdk.Object {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (p *CommonPrm) SessionOwner() (user.ID, bool) {
|
||||
if p != nil && p.token != nil {
|
||||
return p.ownerSession, true
|
||||
}
|
||||
|
||||
return user.ID{}, false
|
||||
}
|
||||
|
||||
func (p *CommonPrm) BearerToken() *bearer.Token {
|
||||
if p != nil {
|
||||
return p.bearer
|
||||
|
@ -117,19 +105,8 @@ func CommonPrmFromV2(req interface {
|
|||
|
||||
var tokenSession *sessionsdk.Object
|
||||
var err error
|
||||
var ownerSession user.ID
|
||||
|
||||
if tokenSessionV2 := meta.GetSessionToken(); tokenSessionV2 != nil {
|
||||
ownerSessionV2 := tokenSessionV2.GetBody().GetOwnerID()
|
||||
if ownerSessionV2 == nil {
|
||||
return nil, errors.New("missing session owner")
|
||||
}
|
||||
|
||||
err = ownerSession.ReadFromV2(*ownerSessionV2)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid session token: %w", err)
|
||||
}
|
||||
|
||||
tokenSession = new(sessionsdk.Object)
|
||||
|
||||
err = tokenSession.ReadFromV2(*tokenSessionV2)
|
||||
|
@ -142,11 +119,10 @@ func CommonPrmFromV2(req interface {
|
|||
ttl := meta.GetTTL()
|
||||
|
||||
prm := &CommonPrm{
|
||||
local: ttl <= maxLocalTTL,
|
||||
token: tokenSession,
|
||||
ttl: ttl - 1, // decrease TTL for new requests
|
||||
xhdrs: make([]string, 0, 2*len(xHdrs)),
|
||||
ownerSession: ownerSession,
|
||||
local: ttl <= maxLocalTTL,
|
||||
token: tokenSession,
|
||||
ttl: ttl - 1, // decrease TTL for new requests
|
||||
xhdrs: make([]string, 0, 2*len(xHdrs)),
|
||||
}
|
||||
|
||||
if tok := meta.GetBearerToken(); tok != nil {
|
||||
|
|
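Review bot: In CommonPrmFromV2 the removed block was the only place that rejected a session token whose body carries no owner (`missing session owner`); after this change the token is accepted as long as `tokenSession.ReadFromV2(*tokenSessionV2)` succeeds, and callers such as the tombstone owner and `util.SessionInfo.Owner` now take `Issuer()` straight from it. If `ReadFromV2` does not itself require an owner, a token without one would presumably yield a zero issuer ID downstream, so either confirm that it does or restore an explicit check right after the `ReadFromV2` call. Once confirmed, a short comment at that point would record the decision, e.g. `// owner presence is validated by ReadFromV2; Issuer() is then non-zero`. CommonPrmFromV2 starts before this hunk and its handling of `err` continues after it.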