[#229] services/tree: Use bearer owner as signer

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Denis Kirillov 2022-10-25 15:24:06 +03:00 committed by Denis Kirillov
parent 89530534a1
commit dce5924a89
4 changed files with 42 additions and 8 deletions

2
go.mod

@ -5,7 +5,7 @@ go 1.18
require ( require (
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85 git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85
git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68
git.frostfs.info/TrueCloudLab/hrw v1.2.0 git.frostfs.info/TrueCloudLab/hrw v1.2.0
git.frostfs.info/TrueCloudLab/tzhash v1.8.0 git.frostfs.info/TrueCloudLab/tzhash v1.8.0
github.com/cheggaaa/pb v1.0.29 github.com/cheggaaa/pb v1.0.29

4
go.sum

@ -42,8 +42,8 @@ git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02f
git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb/go.mod h1:nkR5gaGeez3Zv2SE7aceP0YwxG2FzIB5cGKpQO2vV2o= git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb/go.mod h1:nkR5gaGeez3Zv2SE7aceP0YwxG2FzIB5cGKpQO2vV2o=
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk= git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU= git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204 h1:oQk6Fns+51JPtawUR5cJyYPQ35yC8Gi6e6P/PKkbvIc= git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68 h1:m9HLrwRINt00cSQ07hKTPExOdAmmfO8m/3iGelnTo2o=
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204/go.mod h1:qbeYz8Z/3fZ0M0jiJY/zycuXB3DQ/8xQL5xU2G78akQ= git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68/go.mod h1:TaJJOF3Uhuq8aqv2CrfuY2yhxePUinW35Xd3wfXLV/I=
git.frostfs.info/TrueCloudLab/hrw v1.2.0 h1:KvAES7xIqmQBGd2q8KanNosD9+4BhU/zqD5Kt5KSflk= git.frostfs.info/TrueCloudLab/hrw v1.2.0 h1:KvAES7xIqmQBGd2q8KanNosD9+4BhU/zqD5Kt5KSflk=
git.frostfs.info/TrueCloudLab/hrw v1.2.0/go.mod h1:mq2sbvYfO+BB6iFZwYBkgC0yc6mJNx+qZi4jW918m+Y= git.frostfs.info/TrueCloudLab/hrw v1.2.0/go.mod h1:mq2sbvYfO+BB6iFZwYBkgC0yc6mJNx+qZi4jW918m+Y=
git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=


@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
} }
var tb eacl.Table var tb eacl.Table
signer := req.GetSignature().GetKey()
if tableFromBearer { if tableFromBearer {
if bt.Impersonate() { if bt.Impersonate() {
tbCore, err := s.eaclSource.GetEACL(cid) tbCore, err := s.eaclSource.GetEACL(cid)
@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
return handleGetEACLError(err) return handleGetEACLError(err)
} }
tb = *tbCore.Value tb = *tbCore.Value
signer = bt.SigningKeyBytes()
} else { } else {
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) { if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
return eACLErr(eaclOp, errBearerWrongOwner) return eACLErr(eaclOp, errBearerWrongOwner)
@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
tb = *tbCore.Value tb = *tbCore.Value
} }
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp) return checkEACL(tb, signer, eACLRole(role), eaclOp)
} }
func handleGetEACLError(err error) error { func handleGetEACLError(err error) error {
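Review bot: `signer = bt.SigningKeyBytes()` in the impersonate branch (second hunk) makes the bearer's signing key the eACL subject, so the access decision is only as strong as the bearer-signature check that has to run before it; that check, the token lifetime check and the start of verifyClient are all outside these hunks, so please confirm the token signature is verified before `bt.Impersonate()` is consulted, otherwise any key placed in an unverified token becomes the subject. The impersonate branch also skips the `bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner())` comparison that the non-impersonate branch performs; this looks deliberate, since the issuer is the delegating party rather than necessarily the container owner, but it deserves a comment so the asymmetry is not later "fixed" away. Suggest placing `// Impersonation: the eACL subject is the bearer issuer, not the request signer (token signature verified above).` directly above the assignment.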


@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
return cnt, nil return cnt, nil
} }
type dummyEACLSource map[string]*containercore.EACL
func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
cntEACL, ok := s[id.String()]
if !ok {
return nil, errors.New("container not found")
}
return cntEACL, nil
}
func testContainer(owner user.ID) container.Container { func testContainer(owner user.ID) container.Container {
var r netmapSDK.ReplicaDescriptor var r netmapSDK.ReplicaDescriptor
r.SetNumberOfObjects(1) r.SetNumberOfObjects(1)
@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) {
cnrSource: dummyContainerSource{ cnrSource: dummyContainerSource{
cid1.String(): cnr, cid1.String(): cnr,
}, },
eaclSource: dummyEACLSource{
cid1.String(): &containercore.EACL{
Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
},
},
}, },
} }
@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) {
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut)) require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
}) })
t.Run("impersonate", func(t *testing.T) {
cnr.Value.SetBasicACL(acl.PublicRWExtended)
var bt bearer.Token
bt.SetImpersonate(true)
require.NoError(t, bt.Sign(privs[1].PrivateKey))
req.Body.BearerToken = bt.Marshal()
require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
})
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey()) bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
require.NoError(t, bt.Sign(privs[0].PrivateKey)) require.NoError(t, bt.Sign(privs[0].PrivateKey))
req.Body.BearerToken = bt.Marshal() req.Body.BearerToken = bt.Marshal()
@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) {
} }
func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token { func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
var b bearer.Token
b.SetEACLTable(*testTable(cid, forPutGet, forGet))
return b
}
func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
tgtGet := eaclSDK.NewTarget() tgtGet := eaclSDK.NewTarget()
tgtGet.SetRole(eaclSDK.RoleUnknown) tgtGet.SetRole(eaclSDK.RoleUnknown)
tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()}) tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
tb.SetCID(cid) tb.SetCID(cid)
var b bearer.Token return tb
b.SetEACLTable(*tb)
return b
} }
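Review bot: The `impersonate` subtest (fourth hunk) shows that Get succeeds for the bearer signer, but it does not show that the bearer's own eACL table is ignored once impersonation is set, which is the property that keeps an impersonate token from widening its own rights; an impersonate token whose embedded table grants Put to its signer should still be denied Put, because only the container eACL applies in that branch. The subtest also mutates `cnr.Value.SetBasicACL(acl.PublicRWExtended)` on state shared with the subtests that follow, so the order of the `t.Run` calls now matters; resetting the basic ACL at the end of the subtest, or setting it at the top of each dependent subtest, would keep them independent. A sibling subtest along the lines below covers the table case; TestMessageSign begins and ends outside the hunk.
```go
// … unchanged: "impersonate" subtest …
t.Run("impersonate ignores bearer table", func(t *testing.T) {
	cnr.Value.SetBasicACL(acl.PublicRWExtended)
	// Embedded table grants Put to privs[1]; the container eACL grants Put to privs[0] only.
	bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
	bt.SetImpersonate(true)
	require.NoError(t, bt.Sign(privs[1].PrivateKey))
	req.Body.BearerToken = bt.Marshal()
	require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
	// Subject is privs[1] (bearer signer); Put must still be refused by the container eACL.
	require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
	require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
})
```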