From dce5924a89dd5058bf3b1c3edf78413b7a5ffce8 Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Tue, 25 Oct 2022 15:24:06 +0300
Subject: [PATCH] [#229] services/tree: Use bearer owner as signer

Signed-off-by: Denis Kirillov
---
 go.mod | 2 +-
 go.sum | 4 +--
 pkg/services/tree/signature.go | 4 ++-
 pkg/services/tree/signature_test.go | 40 ++++++++++++++++++++++++++---
 4 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index 8cbb4ba38..d54770ba2 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.18
 require (
 git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85
 git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
- git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204
+ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68
 git.frostfs.info/TrueCloudLab/hrw v1.2.0
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 github.com/cheggaaa/pb v1.0.29
diff --git a/go.sum b/go.sum
index a1616a7b5..7b140a44d 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02f
 git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb/go.mod h1:nkR5gaGeez3Zv2SE7aceP0YwxG2FzIB5cGKpQO2vV2o=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
-git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204 h1:oQk6Fns+51JPtawUR5cJyYPQ35yC8Gi6e6P/PKkbvIc=
-git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204/go.mod h1:qbeYz8Z/3fZ0M0jiJY/zycuXB3DQ/8xQL5xU2G78akQ=
+git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68 h1:m9HLrwRINt00cSQ07hKTPExOdAmmfO8m/3iGelnTo2o=
+git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68/go.mod h1:TaJJOF3Uhuq8aqv2CrfuY2yhxePUinW35Xd3wfXLV/I=
 git.frostfs.info/TrueCloudLab/hrw v1.2.0 h1:KvAES7xIqmQBGd2q8KanNosD9+4BhU/zqD5Kt5KSflk=
 git.frostfs.info/TrueCloudLab/hrw v1.2.0/go.mod h1:mq2sbvYfO+BB6iFZwYBkgC0yc6mJNx+qZi4jW918m+Y=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go
index 4aacbc3b1..439912969 100644
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 }
 
 var tb eacl.Table
+ signer := req.GetSignature().GetKey()
 if tableFromBearer {
 if bt.Impersonate() {
 tbCore, err := s.eaclSource.GetEACL(cid)
@@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 return handleGetEACLError(err)
 }
 tb = *tbCore.Value
+ signer = bt.SigningKeyBytes()
 } else {
 if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
 return eACLErr(eaclOp, errBearerWrongOwner)
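Review bot: In the impersonate branch the eACL subject becomes `bt.SigningKeyBytes()`, but the `role` that checkEACL receives (next hunk) is computed before this hunk, and if it is derived from the request signature key the way the non-impersonate path is, the eACL match would combine the issuer's key with the request signer's role; either derive the role from the same key when `bt.Impersonate()` is set or confirm that is already the case. The substitution is only sound if the bearer token's signature was verified when it was parsed, which happens before this hunk (verifyClient starts outside it), so I would record that invariant at the assignment: `// Impersonation: match eACL against the token issuer's key; relies on bt's signature having been verified at parse time.`. It is also worth a one-line comment that the impersonate branch deliberately skips the issuer-equals-container-owner check of the else branch, so it is not later read as an omission.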
@@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 tb = *tbCore.Value
 }
 
- return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
+ return checkEACL(tb, signer, eACLRole(role), eaclOp)
 }
 
 func handleGetEACLError(err error) error {
diff --git a/pkg/services/tree/signature_test.go b/pkg/services/tree/signature_test.go
index b336e60a2..eaf9b8b79 100644
--- a/pkg/services/tree/signature_test.go
+++ b/pkg/services/tree/signature_test.go
@@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
 return cnt, nil
 }
 
+type dummyEACLSource map[string]*containercore.EACL
+
+func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
+ cntEACL, ok := s[id.String()]
+ if !ok {
+ return nil, errors.New("container not found")
+ }
+ return cntEACL, nil
+}
+
 func testContainer(owner user.ID) container.Container {
 var r netmapSDK.ReplicaDescriptor
 r.SetNumberOfObjects(1)
@@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) {
 cnrSource: dummyContainerSource{
 cid1.String(): cnr,
 },
+ eaclSource: dummyEACLSource{
+ cid1.String(): &containercore.EACL{
+ Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
+ },
+ },
 },
 }
 
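Review bot: `dummyEACLSource.GetEACL` reports a missing entry as `errors.New("container not found")`, which mislabels the condition: the map holds eACL tables keyed by container, and in signature.go this error is routed through handleGetEACLError in the impersonate branch, so a failing test would point at the wrong cause. I would use `return nil, errors.New("eACL not found")` and give the type a line of doc, e.g. `// dummyEACLSource serves container eACL tables from an in-memory map keyed by container ID string.`. Since cid1, the only container registered in TestMessageSign, now also has an eACL registered, the missing-eACL path of the impersonate branch is never exercised; a case with an impersonate token against a container absent from the eACL source would cover it.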
@@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) {
 require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
 })
 
+ t.Run("impersonate", func(t *testing.T) {
+ cnr.Value.SetBasicACL(acl.PublicRWExtended)
+ var bt bearer.Token
+ bt.SetImpersonate(true)
+
+ require.NoError(t, bt.Sign(privs[1].PrivateKey))
+ req.Body.BearerToken = bt.Marshal()
+
+ require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
+ require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
+ require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
+ })
+
 bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
 require.NoError(t, bt.Sign(privs[0].PrivateKey))
 req.Body.BearerToken = bt.Marshal()
@@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) {
 }
 
 func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
+ var b bearer.Token
+ b.SetEACLTable(*testTable(cid, forPutGet, forGet))
+
+ return b
+}
+
+func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
 tgtGet := eaclSDK.NewTarget()
 tgtGet.SetRole(eaclSDK.RoleUnknown)
 tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
@@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
 
 tb.SetCID(cid)
 
- var b bearer.Token
- b.SetEACLTable(*tb)
-
- return b
+ return tb
 }
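Review bot: The impersonate subtest only covers a properly signed token, yet the whole point of the change is that the eACL subject is now taken from the token's signing key; an impersonate token that was never signed carries no issuer key, and nothing here asserts it is rejected (whether it is depends on the bearer parsing before this hunk, outside verifyClient's visible part). The subtest also calls `cnr.Value.SetBasicACL(acl.PublicRWExtended)` on the container shared through cnrSource and never restores it, so the `bt := testBearerToken(...)` sequence that follows runs under a different basic ACL than the assertions before the subtest; restoring it in `t.Cleanup` keeps the later checks independent of subtest order. TestMessageSign starts before this hunk.
```go
t.Run("impersonate", func(t *testing.T) {
	prev := cnr.Value.BasicACL()
	cnr.Value.SetBasicACL(acl.PublicRWExtended)
	t.Cleanup(func() { cnr.Value.SetBasicACL(prev) })
	// … unchanged: signed impersonate token, Put denied / Get allowed …

	// An impersonate token without a signature has no issuer key to match against.
	var unsigned bearer.Token
	unsigned.SetImpersonate(true)
	req.Body.BearerToken = unsigned.Marshal()
	require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
	require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
})
```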