forked from TrueCloudLab/frostfs-s3-gw
267 lines
8.5 KiB
Go
267 lines
8.5 KiB
Go
package tokens
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/cache"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
|
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
|
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
type (
|
|
// Credentials is a bearer token get/put interface.
|
|
Credentials interface {
|
|
GetBox(context.Context, cid.ID, string) (*accessbox.Box, []object.Attribute, error)
|
|
Put(context.Context, CredentialsParam) (oid.Address, error)
|
|
Update(context.Context, CredentialsParam) (oid.Address, error)
|
|
}
|
|
|
|
CredentialsParam struct {
|
|
Container cid.ID
|
|
AccessKeyID string
|
|
AccessBox *accessbox.AccessBox
|
|
Expiration uint64
|
|
Keys keys.PublicKeys
|
|
CustomAttributes []object.Attribute
|
|
}
|
|
|
|
cred struct {
|
|
key *keys.PrivateKey
|
|
frostFS FrostFS
|
|
cache *cache.AccessBoxCache
|
|
removingCheckDuration time.Duration
|
|
log *zap.Logger
|
|
}
|
|
|
|
Config struct {
|
|
FrostFS FrostFS
|
|
Key *keys.PrivateKey
|
|
CacheConfig *cache.Config
|
|
RemovingCheckAfterDurations time.Duration
|
|
}
|
|
)
|
|
|
|
// PrmObjectCreate groups parameters of objects created by credential tool.
|
|
type PrmObjectCreate struct {
|
|
// FrostFS container to store the object.
|
|
Container cid.ID
|
|
|
|
// File path.
|
|
Filepath string
|
|
|
|
// Optional.
|
|
// If provided cred object will be created using crdt approach.
|
|
NewVersionForAccessKeyID string
|
|
|
|
// Optional.
|
|
// If provided cred object will contain specific crdt name attribute for first accessbox object version.
|
|
// If NewVersionForAccessKeyID is provided this field isn't used.
|
|
CustomAccessKey string
|
|
|
|
// Last FrostFS epoch of the object lifetime.
|
|
ExpirationEpoch uint64
|
|
|
|
// Object payload.
|
|
Payload []byte
|
|
|
|
// CustomAttributes are additional user provided attributes for box object.
|
|
CustomAttributes []object.Attribute
|
|
}
|
|
|
|
// PrmGetCredsObject groups parameters of getting credential object.
|
|
type PrmGetCredsObject struct {
|
|
// FrostFS container to get the object.
|
|
Container cid.ID
|
|
|
|
// S3 access key id.
|
|
AccessKeyID string
|
|
}
|
|
|
|
var ErrCustomAccessKeyIDNotFound = errors.New("custom AccessKeyId not found")
|
|
|
|
// FrostFS represents virtual connection to FrostFS network.
|
|
type FrostFS interface {
|
|
// CreateObject creates and saves a parameterized object in the specified
|
|
// FrostFS container from a specific user. It sets 'Timestamp' attribute to the current time.
|
|
// It returns the ID of the saved object.
|
|
//
|
|
// It returns exactly one non-nil value. It returns any error encountered which
|
|
// prevented the object from being created.
|
|
CreateObject(context.Context, PrmObjectCreate) (oid.ID, error)
|
|
|
|
// GetCredsObject gets the credential object from FrostFS network.
|
|
// It uses search by system name and select using CRDT 2PSet. In case of absence CRDT header
|
|
// it heads object by address.
|
|
//
|
|
// It returns exactly one non-nil value. It returns any error encountered which
|
|
// prevented the object payload from being read.
|
|
// Returns ErrCustomAccessKeyIDNotFound if provided AccessKey is custom, and it was not found.
|
|
// Object must contain full payload.
|
|
GetCredsObject(context.Context, PrmGetCredsObject) (*object.Object, error)
|
|
}
|
|
|
|
var (
|
|
// ErrEmptyPublicKeys is returned when no HCS keys are provided.
|
|
ErrEmptyPublicKeys = errors.New("HCS public keys could not be empty")
|
|
// ErrEmptyBearerToken is returned when no bearer token is provided.
|
|
ErrEmptyBearerToken = errors.New("Bearer token could not be empty")
|
|
)
|
|
|
|
var _ Credentials = (*cred)(nil)
|
|
|
|
// New creates a new Credentials instance using the given cli and key.
|
|
func New(cfg Config) Credentials {
|
|
return &cred{
|
|
frostFS: cfg.FrostFS,
|
|
key: cfg.Key,
|
|
cache: cache.NewAccessBoxCache(cfg.CacheConfig),
|
|
removingCheckDuration: cfg.RemovingCheckAfterDurations,
|
|
log: cfg.CacheConfig.Logger,
|
|
}
|
|
}
|
|
|
|
func (c *cred) GetBox(ctx context.Context, cnrID cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) {
|
|
isCustomSecret := isCustom(accessKeyID)
|
|
cachedBoxValue := c.cache.Get(accessKeyID)
|
|
if cachedBoxValue != nil {
|
|
return c.checkIfCredentialsAreRemoved(ctx, cnrID, accessKeyID, cachedBoxValue, isCustomSecret)
|
|
}
|
|
|
|
box, attrs, err := c.getAccessBox(ctx, cnrID, accessKeyID)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("get access box: %w", err)
|
|
}
|
|
|
|
cachedBox, err := box.GetBox(c.key, isCustomSecret)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("get gate box: %w", err)
|
|
}
|
|
|
|
c.putBoxToCache(accessKeyID, cachedBox, attrs)
|
|
|
|
return cachedBox, attrs, nil
|
|
}
|
|
|
|
func (c *cred) checkIfCredentialsAreRemoved(ctx context.Context, cnrID cid.ID, accessKeyID string, cachedBoxValue *cache.AccessBoxCacheValue, isCustomSecret bool) (*accessbox.Box, []object.Attribute, error) {
|
|
if time.Since(cachedBoxValue.PutTime) < c.removingCheckDuration {
|
|
return cachedBoxValue.Box, cachedBoxValue.Attributes, nil
|
|
}
|
|
|
|
box, attrs, err := c.getAccessBox(ctx, cnrID, accessKeyID)
|
|
if err != nil {
|
|
if client.IsErrObjectAlreadyRemoved(err) {
|
|
c.cache.Delete(accessKeyID)
|
|
return nil, nil, fmt.Errorf("get access box: %w", err)
|
|
}
|
|
return cachedBoxValue.Box, cachedBoxValue.Attributes, nil
|
|
}
|
|
|
|
cachedBox, err := box.GetBox(c.key, isCustomSecret)
|
|
if err != nil {
|
|
c.cache.Delete(accessKeyID)
|
|
return nil, nil, fmt.Errorf("get gate box: %w", err)
|
|
}
|
|
// we need this to reset PutTime
|
|
// to don't check for removing each time after removingCheckDuration interval
|
|
c.putBoxToCache(accessKeyID, cachedBox, attrs)
|
|
|
|
return cachedBoxValue.Box, attrs, nil
|
|
}
|
|
|
|
func (c *cred) putBoxToCache(accessKeyID string, box *accessbox.Box, attrs []object.Attribute) {
|
|
if err := c.cache.Put(accessKeyID, box, attrs); err != nil {
|
|
c.log.Warn(logs.CouldntPutAccessBoxIntoCache, zap.String("accessKeyID", accessKeyID))
|
|
}
|
|
}
|
|
|
|
func (c *cred) getAccessBox(ctx context.Context, cnrID cid.ID, accessKeyID string) (*accessbox.AccessBox, []object.Attribute, error) {
|
|
prm := PrmGetCredsObject{
|
|
Container: cnrID,
|
|
AccessKeyID: accessKeyID,
|
|
}
|
|
obj, err := c.frostFS.GetCredsObject(ctx, prm)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("read payload and attributes: %w", err)
|
|
}
|
|
|
|
// decode access box
|
|
var box accessbox.AccessBox
|
|
if err = box.Unmarshal(obj.Payload()); err != nil {
|
|
return nil, nil, fmt.Errorf("unmarhal access box: %w", err)
|
|
}
|
|
|
|
return &box, obj.Attributes(), nil
|
|
}
|
|
|
|
func (c *cred) Put(ctx context.Context, prm CredentialsParam) (oid.Address, error) {
|
|
if prm.AccessKeyID != "" {
|
|
c.log.Info(logs.CheckCustomAccessKeyIDUniqueness, zap.String("access_key_id", prm.AccessKeyID))
|
|
credsPrm := PrmGetCredsObject{
|
|
Container: prm.Container,
|
|
AccessKeyID: prm.AccessKeyID,
|
|
}
|
|
|
|
if _, err := c.frostFS.GetCredsObject(ctx, credsPrm); err == nil {
|
|
return oid.Address{}, fmt.Errorf("access key id '%s' already exists", prm.AccessKeyID)
|
|
} else if !errors.Is(err, ErrCustomAccessKeyIDNotFound) {
|
|
return oid.Address{}, fmt.Errorf("check AccessKeyID uniqueness: %w", err)
|
|
}
|
|
}
|
|
|
|
return c.createObject(ctx, prm, false)
|
|
}
|
|
|
|
func (c *cred) Update(ctx context.Context, prm CredentialsParam) (oid.Address, error) {
|
|
return c.createObject(ctx, prm, true)
|
|
}
|
|
|
|
func (c *cred) createObject(ctx context.Context, prm CredentialsParam, update bool) (oid.Address, error) {
|
|
if len(prm.Keys) == 0 {
|
|
return oid.Address{}, ErrEmptyPublicKeys
|
|
} else if prm.AccessBox == nil {
|
|
return oid.Address{}, ErrEmptyBearerToken
|
|
}
|
|
data, err := prm.AccessBox.Marshal()
|
|
if err != nil {
|
|
return oid.Address{}, fmt.Errorf("marshall box: %w", err)
|
|
}
|
|
|
|
var newVersionFor string
|
|
if update {
|
|
newVersionFor = prm.AccessKeyID
|
|
}
|
|
|
|
idObj, err := c.frostFS.CreateObject(ctx, PrmObjectCreate{
|
|
Container: prm.Container,
|
|
Filepath: strconv.FormatInt(time.Now().Unix(), 10) + "_access.box",
|
|
ExpirationEpoch: prm.Expiration,
|
|
CustomAccessKey: prm.AccessKeyID,
|
|
NewVersionForAccessKeyID: newVersionFor,
|
|
Payload: data,
|
|
CustomAttributes: prm.CustomAttributes,
|
|
})
|
|
if err != nil {
|
|
return oid.Address{}, fmt.Errorf("create object: %w", err)
|
|
}
|
|
|
|
var addr oid.Address
|
|
addr.SetObject(idObj)
|
|
addr.SetContainer(prm.Container)
|
|
|
|
return addr, nil
|
|
}
|
|
|
|
func isCustom(accessKeyID string) bool {
|
|
return (&oid.Address{}).DecodeString(strings.ReplaceAll(accessKeyID, "0", "/")) != nil
|
|
}
|