forked from TrueCloudLab/frostfs-node
[#229] services/tree: Use bearer owner as signer
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
89530534a1
commit
dce5924a89
4 changed files with 42 additions and 8 deletions
2
go.mod
2
go.mod
|
@ -5,7 +5,7 @@ go 1.18
|
|||
require (
|
||||
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85
|
||||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68
|
||||
git.frostfs.info/TrueCloudLab/hrw v1.2.0
|
||||
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
||||
github.com/cheggaaa/pb v1.0.29
|
||||
|
|
4
go.sum
4
go.sum
|
@ -42,8 +42,8 @@ git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02f
|
|||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb/go.mod h1:nkR5gaGeez3Zv2SE7aceP0YwxG2FzIB5cGKpQO2vV2o=
|
||||
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
|
||||
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204 h1:oQk6Fns+51JPtawUR5cJyYPQ35yC8Gi6e6P/PKkbvIc=
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204/go.mod h1:qbeYz8Z/3fZ0M0jiJY/zycuXB3DQ/8xQL5xU2G78akQ=
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68 h1:m9HLrwRINt00cSQ07hKTPExOdAmmfO8m/3iGelnTo2o=
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68/go.mod h1:TaJJOF3Uhuq8aqv2CrfuY2yhxePUinW35Xd3wfXLV/I=
|
||||
git.frostfs.info/TrueCloudLab/hrw v1.2.0 h1:KvAES7xIqmQBGd2q8KanNosD9+4BhU/zqD5Kt5KSflk=
|
||||
git.frostfs.info/TrueCloudLab/hrw v1.2.0/go.mod h1:mq2sbvYfO+BB6iFZwYBkgC0yc6mJNx+qZi4jW918m+Y=
|
||||
git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
|
||||
|
|
|
@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
}
|
||||
|
||||
var tb eacl.Table
|
||||
signer := req.GetSignature().GetKey()
|
||||
if tableFromBearer {
|
||||
if bt.Impersonate() {
|
||||
tbCore, err := s.eaclSource.GetEACL(cid)
|
||||
|
@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
return handleGetEACLError(err)
|
||||
}
|
||||
tb = *tbCore.Value
|
||||
signer = bt.SigningKeyBytes()
|
||||
} else {
|
||||
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
|
||||
return eACLErr(eaclOp, errBearerWrongOwner)
|
||||
|
@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
tb = *tbCore.Value
|
||||
}
|
||||
|
||||
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
|
||||
return checkEACL(tb, signer, eACLRole(role), eaclOp)
|
||||
}
|
||||
|
||||
func handleGetEACLError(err error) error {
|
||||
|
|
|
@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
|
|||
return cnt, nil
|
||||
}
|
||||
|
||||
type dummyEACLSource map[string]*containercore.EACL
|
||||
|
||||
func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
|
||||
cntEACL, ok := s[id.String()]
|
||||
if !ok {
|
||||
return nil, errors.New("container not found")
|
||||
}
|
||||
return cntEACL, nil
|
||||
}
|
||||
|
||||
func testContainer(owner user.ID) container.Container {
|
||||
var r netmapSDK.ReplicaDescriptor
|
||||
r.SetNumberOfObjects(1)
|
||||
|
@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) {
|
|||
cnrSource: dummyContainerSource{
|
||||
cid1.String(): cnr,
|
||||
},
|
||||
eaclSource: dummyEACLSource{
|
||||
cid1.String(): &containercore.EACL{
|
||||
Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) {
|
|||
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
||||
})
|
||||
|
||||
t.Run("impersonate", func(t *testing.T) {
|
||||
cnr.Value.SetBasicACL(acl.PublicRWExtended)
|
||||
var bt bearer.Token
|
||||
bt.SetImpersonate(true)
|
||||
|
||||
require.NoError(t, bt.Sign(privs[1].PrivateKey))
|
||||
req.Body.BearerToken = bt.Marshal()
|
||||
|
||||
require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
|
||||
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
||||
require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
|
||||
})
|
||||
|
||||
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
|
||||
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
||||
req.Body.BearerToken = bt.Marshal()
|
||||
|
@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) {
|
|||
}
|
||||
|
||||
func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
|
||||
var b bearer.Token
|
||||
b.SetEACLTable(*testTable(cid, forPutGet, forGet))
|
||||
|
||||
return b
|
||||
}
|
||||
|
||||
func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
|
||||
tgtGet := eaclSDK.NewTarget()
|
||||
tgtGet.SetRole(eaclSDK.RoleUnknown)
|
||||
tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
|
||||
|
@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
|
|||
|
||||
tb.SetCID(cid)
|
||||
|
||||
var b bearer.Token
|
||||
b.SetEACLTable(*tb)
|
||||
|
||||
return b
|
||||
return tb
|
||||
}
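Review bot: In the "impersonate" subtest, `cnr.Value.SetBasicACL(acl.PublicRWExtended)` mutates the container shared by the whole of TestMessageSign and is never restored, so the assertions after the subtest (from `bt := testBearerToken(cid1, ...)` on) run against whatever ACL this subtest left behind unless the preceding subtests already set the same value; capture and restore it with `prevACL := cnr.Value.BasicACL()` before the call and `t.Cleanup(func() { cnr.Value.SetBasicACL(prevACL) })` after it. The subtest also only exercises an impersonation token whose issuer is listed in the table; a token signed by a key the table does not grant (e.g. privs[2], if the table denies unlisted keys) would pin that the check does not fall back to `req.GetSignature().GetKey()`. TestMessageSign starts and ends outside the hunks.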
|
||||
|
|