forked from TrueCloudLab/frostfs-node
[#229] services/tree: Use bearer owner as signer
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
parent
89530534a1
commit
dce5924a89
4 changed files with 42 additions and 8 deletions
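--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.18
 require (
 git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85
 git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
-git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204
+git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68
 git.frostfs.info/TrueCloudLab/hrw v1.2.0
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 github.com/cheggaaa/pb v1.0.29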
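--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02f
 git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb/go.mod h1:nkR5gaGeez3Zv2SE7aceP0YwxG2FzIB5cGKpQO2vV2o=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
-git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204 h1:oQk6Fns+51JPtawUR5cJyYPQ35yC8Gi6e6P/PKkbvIc=
-git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204/go.mod h1:qbeYz8Z/3fZ0M0jiJY/zycuXB3DQ/8xQL5xU2G78akQ=
+git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68 h1:m9HLrwRINt00cSQ07hKTPExOdAmmfO8m/3iGelnTo2o=
+git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68/go.mod h1:TaJJOF3Uhuq8aqv2CrfuY2yhxePUinW35Xd3wfXLV/I=
 git.frostfs.info/TrueCloudLab/hrw v1.2.0 h1:KvAES7xIqmQBGd2q8KanNosD9+4BhU/zqD5Kt5KSflk=
 git.frostfs.info/TrueCloudLab/hrw v1.2.0/go.mod h1:mq2sbvYfO+BB6iFZwYBkgC0yc6mJNx+qZi4jW918m+Y=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=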
|
@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
}
|
}
|
||||||
|
|
||||||
var tb eacl.Table
|
var tb eacl.Table
|
||||||
|
signer := req.GetSignature().GetKey()
|
||||||
if tableFromBearer {
|
if tableFromBearer {
|
||||||
if bt.Impersonate() {
|
if bt.Impersonate() {
|
||||||
tbCore, err := s.eaclSource.GetEACL(cid)
|
tbCore, err := s.eaclSource.GetEACL(cid)
|
||||||
|
@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
return handleGetEACLError(err)
|
return handleGetEACLError(err)
|
||||||
}
|
}
|
||||||
tb = *tbCore.Value
|
tb = *tbCore.Value
|
||||||
|
signer = bt.SigningKeyBytes()
|
||||||
} else {
|
} else {
|
||||||
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
|
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
|
||||||
return eACLErr(eaclOp, errBearerWrongOwner)
|
return eACLErr(eaclOp, errBearerWrongOwner)
|
||||||
|
@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
||||||
tb = *tbCore.Value
|
tb = *tbCore.Value
|
||||||
}
|
}
|
||||||
|
|
||||||
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
|
return checkEACL(tb, signer, eACLRole(role), eaclOp)
|
||||||
}
|
}
|
||||||
|
|
||||||
func handleGetEACLError(err error) error {
|
func handleGetEACLError(err error) error {
|
||||||
|
|
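Review bot: In the `bt.Impersonate()` branch the eACL check is now run against `bt.SigningKeyBytes()` and the key that signed the request no longer takes part in the decision, but none of the visible lines verify the token before its key is trusted. verifyClient starts above the first hunk, so `bt.VerifySignature()` and the token's lifetime and user restrictions (`bt.InvalidAt`, `bt.AssertUser`) may already be checked there; if they are not, they need to run before `signer = bt.SigningKeyBytes()`. `role` is also computed outside the hunk, presumably from the request signer, so `checkEACL` may receive a role and a key that belong to different identities; that pairing deserves a check. A comment on the override would help the next reader, for example `// impersonation: the eACL subject is the bearer token issuer, not the request signer`.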
|
@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
|
||||||
return cnt, nil
|
return cnt, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type dummyEACLSource map[string]*containercore.EACL
|
||||||
|
|
||||||
|
func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
|
||||||
|
cntEACL, ok := s[id.String()]
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("container not found")
|
||||||
|
}
|
||||||
|
return cntEACL, nil
|
||||||
|
}
|
||||||
|
|
||||||
func testContainer(owner user.ID) container.Container {
|
func testContainer(owner user.ID) container.Container {
|
||||||
var r netmapSDK.ReplicaDescriptor
|
var r netmapSDK.ReplicaDescriptor
|
||||||
r.SetNumberOfObjects(1)
|
r.SetNumberOfObjects(1)
|
||||||
|
@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) {
|
||||||
cnrSource: dummyContainerSource{
|
cnrSource: dummyContainerSource{
|
||||||
cid1.String(): cnr,
|
cid1.String(): cnr,
|
||||||
},
|
},
|
||||||
|
eaclSource: dummyEACLSource{
|
||||||
|
cid1.String(): &containercore.EACL{
|
||||||
|
Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) {
|
||||||
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("impersonate", func(t *testing.T) {
|
||||||
|
cnr.Value.SetBasicACL(acl.PublicRWExtended)
|
||||||
|
var bt bearer.Token
|
||||||
|
bt.SetImpersonate(true)
|
||||||
|
|
||||||
|
require.NoError(t, bt.Sign(privs[1].PrivateKey))
|
||||||
|
req.Body.BearerToken = bt.Marshal()
|
||||||
|
|
||||||
|
require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
|
||||||
|
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
||||||
|
require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
|
||||||
|
})
|
||||||
|
|
||||||
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
|
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
|
||||||
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
||||||
req.Body.BearerToken = bt.Marshal()
|
req.Body.BearerToken = bt.Marshal()
|
||||||
|
@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
|
func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
|
||||||
|
var b bearer.Token
|
||||||
|
b.SetEACLTable(*testTable(cid, forPutGet, forGet))
|
||||||
|
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
|
||||||
tgtGet := eaclSDK.NewTarget()
|
tgtGet := eaclSDK.NewTarget()
|
||||||
tgtGet.SetRole(eaclSDK.RoleUnknown)
|
tgtGet.SetRole(eaclSDK.RoleUnknown)
|
||||||
tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
|
tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
|
||||||
|
@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
|
||||||
|
|
||||||
tb.SetCID(cid)
|
tb.SetCID(cid)
|
||||||
|
|
||||||
var b bearer.Token
|
return tb
|
||||||
b.SetEACLTable(*tb)
|
|
||||||
|
|
||||||
return b
|
|
||||||
}
|
}
|
||||||
|
|
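Review bot: The new "impersonate" subtest only covers a correctly signed token; it never asserts that verifyClient rejects an impersonating token that is unsigned or whose signature does not verify, which is the case the signer override makes security-relevant. I would add a sibling case that calls `bt.SetImpersonate(true)`, skips `bt.Sign`, and expects `require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))`. The subtest also changes the shared `cnr` through `cnr.Value.SetBasicACL(acl.PublicRWExtended)` and leaves it that way for the assertions that follow, so those depend on subtest order; whether an earlier part of TestMessageSign already sets the same ACL is not visible here. Minor: `dummyEACLSource.GetEACL` reports `"container not found"` for a missing eACL entry, and `"eacl not found"` would be less confusing when the test fails.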