From 72708296ccb1420a30b70f5020c107800fa38612 Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Fri, 3 Jun 2022 17:12:55 +0300 Subject: [PATCH] Upgrade NeoFS SDK Go to v1.0.0-rc.4 and NeoFS API Go to v2.12.2 Signed-off-by: Leonard Lyubich --- cmd/neofs-cli/modules/bearer/create.go | 8 ++--- go.mod | 4 +-- go.sum | 8 ++--- pkg/innerring/processors/container/common.go | 4 --- pkg/services/object/acl/acl.go | 34 ++++++++------------ 5 files changed, 24 insertions(+), 34 deletions(-) diff --git a/cmd/neofs-cli/modules/bearer/create.go b/cmd/neofs-cli/modules/bearer/create.go index 4a50456c1..3796b115a 100644 --- a/cmd/neofs-cli/modules/bearer/create.go +++ b/cmd/neofs-cli/modules/bearer/create.go @@ -103,10 +103,10 @@ func createToken(cmd *cobra.Command, _ []string) error { } var b bearer.Token - b.SetExpiration(exp) - b.SetNotBefore(nvb) - b.SetIssuedAt(iat) - b.SetOwnerID(ownerID) + b.SetExp(exp) + b.SetNbf(nvb) + b.SetIat(iat) + b.ForUser(ownerID) eaclPath, _ := cmd.Flags().GetString(eaclFlag) if eaclPath != "" { diff --git a/go.mod b/go.mod index c8a462f3c..e9bc04121 100644 --- a/go.mod +++ b/go.mod @@ -17,9 +17,9 @@ require ( github.com/nspcc-dev/hrw v1.0.9 github.com/nspcc-dev/neo-go v0.98.3 github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect - github.com/nspcc-dev/neofs-api-go/v2 v2.12.2-0.20220530190258-c82dcf7e1610 + github.com/nspcc-dev/neofs-api-go/v2 v2.12.2 github.com/nspcc-dev/neofs-contract v0.15.1 - github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220531091404-82d762f536a3 + github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4 github.com/nspcc-dev/tzhash v1.5.2 github.com/panjf2000/ants/v2 v2.4.0 github.com/paulmach/orb v0.2.2 diff --git a/go.sum b/go.sum index c54d95d64..f054303f5 100644 --- a/go.sum +++ b/go.sum @@ -397,8 +397,8 @@ github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af h1:QO github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af/go.mod h1:QBE0I30F2kOAISNpT5oks82yF4wkkUq3SCfI3Hqgx/Y= github.com/nspcc-dev/neofs-api-go/v2 v2.11.0-pre.0.20211201134523-3604d96f3fe1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs= github.com/nspcc-dev/neofs-api-go/v2 v2.11.1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs= -github.com/nspcc-dev/neofs-api-go/v2 v2.12.2-0.20220530190258-c82dcf7e1610 h1:JwrxHWQJSOxx0LvnEvFj3MpKjWQAPXOq55uuGimghR0= -github.com/nspcc-dev/neofs-api-go/v2 v2.12.2-0.20220530190258-c82dcf7e1610/go.mod h1:73j09Xa7I2zQbM3HCvAHnDHPYiiWnEHa1d6Z6RDMBLU= +github.com/nspcc-dev/neofs-api-go/v2 v2.12.2 h1:ifV/c0bW1TPiEKZlNqhfZl8lzX0f6FokjYUaze/hlBk= +github.com/nspcc-dev/neofs-api-go/v2 v2.12.2/go.mod h1:73j09Xa7I2zQbM3HCvAHnDHPYiiWnEHa1d6Z6RDMBLU= github.com/nspcc-dev/neofs-contract v0.15.1 h1:1r27t4SGKF7W1PRPOIfircEXHvALThNYNagT+SIabcA= github.com/nspcc-dev/neofs-contract v0.15.1/go.mod h1:kxO5ZTqdzFnRM5RMvM+Fhd+3GGrJo6AmG2ZyA9OCqqQ= github.com/nspcc-dev/neofs-crypto v0.2.0/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA= @@ -407,8 +407,8 @@ github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnB github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw= github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4= github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40= -github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220531091404-82d762f536a3 h1:AjuzmxXE32Gm/fCvKyRc40Qwqs45J8QSpA7sBR+VD4c= -github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220531091404-82d762f536a3/go.mod h1:ci0d8ppgduRvrAhZVGKj6PhuOiVpvKnlDvSlDI9hkJk= +github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4 h1:BaQbS6/dQUt51fHYoDr+CzXpJ5NAdHhva70re37r4No= +github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4/go.mod h1:k58jgszGX3pws2yiOXu9m0i32BzRgi1T6Bpd/L1KrJU= github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso= github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE= github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso= diff --git a/pkg/innerring/processors/container/common.go b/pkg/innerring/processors/container/common.go index df45a5bf7..a1075b31d 100644 --- a/pkg/innerring/processors/container/common.go +++ b/pkg/innerring/processors/container/common.go @@ -158,10 +158,6 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error { return fmt.Errorf("could not read current epoch: %w", err) } - if token.ExpiredAt(curEpoch) { - return fmt.Errorf("token is expired at %d", curEpoch) - } - if token.InvalidAt(curEpoch) { return fmt.Errorf("token is not valid at %d", curEpoch) } diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 547ed287b..39e6895dc 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -14,6 +14,7 @@ import ( eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2" v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2" bearerSDK "github.com/nspcc-dev/neofs-sdk-go/bearer" + neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa" eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl" "github.com/nspcc-dev/neofs-sdk-go/user" ) @@ -218,31 +219,33 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error { } // 1. First check token lifetime. Simplest verification. - if !isValidLifetime(token, st.CurrentEpoch()) { + if token.InvalidAt(st.CurrentEpoch()) { return errBearerExpired } // 2. Then check if bearer token is signed correctly. - if err := token.VerifySignature(); err != nil { + if !token.VerifySignature() { return errBearerInvalidSignature } // 3. Then check if container owner signed this token. - issuer, ok := token.Issuer() - if !ok { - panic("unexpected false return from Issuer method on signed bearer token") - } - - if !issuer.Equals(ownerCnr) { + if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) { // TODO: #767 in this case we can issue all owner keys from neofs.id and check once again return errBearerNotSignedByOwner } // 4. Then check if request sender has rights to use this token. - tokenOwner := token.OwnerID() - requestSenderKey := unmarshalPublicKey(reqInfo.SenderKey()) + var keySender neofsecdsa.PublicKey - if !isOwnerFromKey(tokenOwner, requestSenderKey) { + err := keySender.Decode(reqInfo.SenderKey()) + if err != nil { + return fmt.Errorf("decode sender public key: %w", err) + } + + var usrSender user.ID + user.IDFromKey(&usrSender, ecdsa.PublicKey(keySender)) + + if !token.AssertUser(usrSender) { // TODO: #767 in this case we can issue all owner keys from neofs.id and check once again return errBearerInvalidOwner } @@ -250,15 +253,6 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error { return nil } -func isValidLifetime(t *bearerSDK.Token, epoch uint64) bool { - // The "exp" (expiration time) claim identifies the expiration time on - // or after which the JWT MUST NOT be accepted for processing. - // The "nbf" (not before) claim identifies the time before which the JWT - // MUST NOT be accepted for processing - // RFC 7519 sections 4.1.4, 4.1.5 - return epoch >= t.NotBefore() && epoch <= t.Expiration() -} - func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool { if key == nil { return false