Upgrade NeoFS SDK Go to v1.0.0-rc.4 and NeoFS API Go to v2.12.2
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
parent
c41d9c3fbe
commit
72708296cc
5 changed files with 24 additions and 34 deletions
|
@ -103,10 +103,10 @@ func createToken(cmd *cobra.Command, _ []string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
var b bearer.Token
|
var b bearer.Token
|
||||||
b.SetExpiration(exp)
|
b.SetExp(exp)
|
||||||
b.SetNotBefore(nvb)
|
b.SetNbf(nvb)
|
||||||
b.SetIssuedAt(iat)
|
b.SetIat(iat)
|
||||||
b.SetOwnerID(ownerID)
|
b.ForUser(ownerID)
|
||||||
|
|
||||||
eaclPath, _ := cmd.Flags().GetString(eaclFlag)
|
eaclPath, _ := cmd.Flags().GetString(eaclFlag)
|
||||||
if eaclPath != "" {
|
if eaclPath != "" {
|
||||||
|
|
4
go.mod
4
go.mod
|
@ -17,9 +17,9 @@ require (
|
||||||
github.com/nspcc-dev/hrw v1.0.9
|
github.com/nspcc-dev/hrw v1.0.9
|
||||||
github.com/nspcc-dev/neo-go v0.98.3
|
github.com/nspcc-dev/neo-go v0.98.3
|
||||||
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect
|
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af // indirect
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2-0.20220530190258-c82dcf7e1610
|
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2
|
||||||
github.com/nspcc-dev/neofs-contract v0.15.1
|
github.com/nspcc-dev/neofs-contract v0.15.1
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220531091404-82d762f536a3
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4
|
||||||
github.com/nspcc-dev/tzhash v1.5.2
|
github.com/nspcc-dev/tzhash v1.5.2
|
||||||
github.com/panjf2000/ants/v2 v2.4.0
|
github.com/panjf2000/ants/v2 v2.4.0
|
||||||
github.com/paulmach/orb v0.2.2
|
github.com/paulmach/orb v0.2.2
|
||||||
|
|
8
go.sum
8
go.sum
|
@ -397,8 +397,8 @@ github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af h1:QO
|
||||||
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af/go.mod h1:QBE0I30F2kOAISNpT5oks82yF4wkkUq3SCfI3Hqgx/Y=
|
github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220321144137-d5a9af5860af/go.mod h1:QBE0I30F2kOAISNpT5oks82yF4wkkUq3SCfI3Hqgx/Y=
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.11.0-pre.0.20211201134523-3604d96f3fe1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
github.com/nspcc-dev/neofs-api-go/v2 v2.11.0-pre.0.20211201134523-3604d96f3fe1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.11.1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
github.com/nspcc-dev/neofs-api-go/v2 v2.11.1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2-0.20220530190258-c82dcf7e1610 h1:JwrxHWQJSOxx0LvnEvFj3MpKjWQAPXOq55uuGimghR0=
|
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2 h1:ifV/c0bW1TPiEKZlNqhfZl8lzX0f6FokjYUaze/hlBk=
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2-0.20220530190258-c82dcf7e1610/go.mod h1:73j09Xa7I2zQbM3HCvAHnDHPYiiWnEHa1d6Z6RDMBLU=
|
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2/go.mod h1:73j09Xa7I2zQbM3HCvAHnDHPYiiWnEHa1d6Z6RDMBLU=
|
||||||
github.com/nspcc-dev/neofs-contract v0.15.1 h1:1r27t4SGKF7W1PRPOIfircEXHvALThNYNagT+SIabcA=
|
github.com/nspcc-dev/neofs-contract v0.15.1 h1:1r27t4SGKF7W1PRPOIfircEXHvALThNYNagT+SIabcA=
|
||||||
github.com/nspcc-dev/neofs-contract v0.15.1/go.mod h1:kxO5ZTqdzFnRM5RMvM+Fhd+3GGrJo6AmG2ZyA9OCqqQ=
|
github.com/nspcc-dev/neofs-contract v0.15.1/go.mod h1:kxO5ZTqdzFnRM5RMvM+Fhd+3GGrJo6AmG2ZyA9OCqqQ=
|
||||||
github.com/nspcc-dev/neofs-crypto v0.2.0/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA=
|
github.com/nspcc-dev/neofs-crypto v0.2.0/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA=
|
||||||
|
@ -407,8 +407,8 @@ github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnB
|
||||||
github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
|
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
|
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220531091404-82d762f536a3 h1:AjuzmxXE32Gm/fCvKyRc40Qwqs45J8QSpA7sBR+VD4c=
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4 h1:BaQbS6/dQUt51fHYoDr+CzXpJ5NAdHhva70re37r4No=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.3.0.20220531091404-82d762f536a3/go.mod h1:ci0d8ppgduRvrAhZVGKj6PhuOiVpvKnlDvSlDI9hkJk=
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4/go.mod h1:k58jgszGX3pws2yiOXu9m0i32BzRgi1T6Bpd/L1KrJU=
|
||||||
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||||
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
||||||
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||||
|
|
|
@ -158,10 +158,6 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error {
|
||||||
return fmt.Errorf("could not read current epoch: %w", err)
|
return fmt.Errorf("could not read current epoch: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if token.ExpiredAt(curEpoch) {
|
|
||||||
return fmt.Errorf("token is expired at %d", curEpoch)
|
|
||||||
}
|
|
||||||
|
|
||||||
if token.InvalidAt(curEpoch) {
|
if token.InvalidAt(curEpoch) {
|
||||||
return fmt.Errorf("token is not valid at %d", curEpoch)
|
return fmt.Errorf("token is not valid at %d", curEpoch)
|
||||||
}
|
}
|
||||||
|
|
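Review bot: With the `ExpiredAt` branch dropped, `token.InvalidAt(curEpoch)` is the only lifetime gate left in checkTokenLifetime, and the surviving message `token is not valid at %d` no longer tells an expired token apart from one that is not yet valid; nothing in the hunk shows that `InvalidAt` also enforces the expiration bound, so that assumption should be written down where a later reader would otherwise reintroduce the check. Suggest adding, above the remaining `if`, `// InvalidAt is relied on to reject both expired and not-yet-valid tokens (nbf/exp); no separate ExpiredAt check is needed.` once confirmed against the SDK. checkTokenLifetime begins before this hunk.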
|
@ -14,6 +14,7 @@ import (
|
||||||
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
|
eaclV2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl/v2"
|
||||||
v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2"
|
v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2"
|
||||||
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/bearer"
|
bearerSDK "github.com/nspcc-dev/neofs-sdk-go/bearer"
|
||||||
|
neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
|
||||||
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
|
||||||
"github.com/nspcc-dev/neofs-sdk-go/user"
|
"github.com/nspcc-dev/neofs-sdk-go/user"
|
||||||
)
|
)
|
||||||
|
@ -218,31 +219,33 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1. First check token lifetime. Simplest verification.
|
// 1. First check token lifetime. Simplest verification.
|
||||||
if !isValidLifetime(token, st.CurrentEpoch()) {
|
if token.InvalidAt(st.CurrentEpoch()) {
|
||||||
return errBearerExpired
|
return errBearerExpired
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Then check if bearer token is signed correctly.
|
// 2. Then check if bearer token is signed correctly.
|
||||||
if err := token.VerifySignature(); err != nil {
|
if !token.VerifySignature() {
|
||||||
return errBearerInvalidSignature
|
return errBearerInvalidSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Then check if container owner signed this token.
|
// 3. Then check if container owner signed this token.
|
||||||
issuer, ok := token.Issuer()
|
if !bearerSDK.ResolveIssuer(*token).Equals(ownerCnr) {
|
||||||
if !ok {
|
|
||||||
panic("unexpected false return from Issuer method on signed bearer token")
|
|
||||||
}
|
|
||||||
|
|
||||||
if !issuer.Equals(ownerCnr) {
|
|
||||||
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
||||||
return errBearerNotSignedByOwner
|
return errBearerNotSignedByOwner
|
||||||
}
|
}
|
||||||
|
|
||||||
// 4. Then check if request sender has rights to use this token.
|
// 4. Then check if request sender has rights to use this token.
|
||||||
tokenOwner := token.OwnerID()
|
var keySender neofsecdsa.PublicKey
|
||||||
requestSenderKey := unmarshalPublicKey(reqInfo.SenderKey())
|
|
||||||
|
|
||||||
if !isOwnerFromKey(tokenOwner, requestSenderKey) {
|
err := keySender.Decode(reqInfo.SenderKey())
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("decode sender public key: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
var usrSender user.ID
|
||||||
|
user.IDFromKey(&usrSender, ecdsa.PublicKey(keySender))
|
||||||
|
|
||||||
|
if !token.AssertUser(usrSender) {
|
||||||
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
|
||||||
return errBearerInvalidOwner
|
return errBearerInvalidOwner
|
||||||
}
|
}
|
||||||
|
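Review bot: A sender key that fails to decode now leaves isValidBearer through the new `keySender.Decode` branch with a plain `fmt.Errorf` value, whereas before this hunk a bad key fell through `isOwnerFromKey` to `errBearerInvalidOwner` (assuming `unmarshalPublicKey` returned nil on bad input, which the `key == nil` guard in isOwnerFromKey suggests); if callers classify these results with errors.Is, as the sentinel names suggest, a malformed key is no longer reported as a bearer-owner failure. Consider keeping the sentinel in the chain, e.g. `return fmt.Errorf("%w: decode sender public key: %v", errBearerInvalidOwner, err)`. The same branch would also match the rest of the function, and the `if err := token.VerifySignature(); err != nil` line it replaces, as `if err := keySender.Decode(reqInfo.SenderKey()); err != nil {`, which keeps `err` out of the function scope. isValidBearer begins before this hunk and ends in the following one.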
@ -250,15 +253,6 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func isValidLifetime(t *bearerSDK.Token, epoch uint64) bool {
|
|
||||||
// The "exp" (expiration time) claim identifies the expiration time on
|
|
||||||
// or after which the JWT MUST NOT be accepted for processing.
|
|
||||||
// The "nbf" (not before) claim identifies the time before which the JWT
|
|
||||||
// MUST NOT be accepted for processing
|
|
||||||
// RFC 7519 sections 4.1.4, 4.1.5
|
|
||||||
return epoch >= t.NotBefore() && epoch <= t.Expiration()
|
|
||||||
}
|
|
||||||
|
|
||||||
func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool {
|
func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool {
|
||||||
if key == nil {
|
if key == nil {
|
||||||
return false
|
return false
|
||||||
|
|