[#529] objectcore: Fix object content validation

There are old objects where the owner of the object may not match the one who issued the token. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-07-28 15:44:35 +03:00 · 2023-07-28 15:44:35 +03:00 · ae81d6660a
commit ae81d6660a
parent ab2614ec2d
10 changed files with 535 additions and 42 deletions
--- a/cmd/frostfs-node/config.go
+++ b/cmd/frostfs-node/config.go
@ -511,6 +511,8 @@ type cfgObject struct {
 	cfgLocalStorage cfgLocalStorage

 	tombstoneLifetime uint64
+
+	skipSessionTokenIssuerVerification bool
 }

 type cfgNotifications struct {
@ -677,8 +679,9 @@ func initCfgGRPC() cfgGRPC {

 func initCfgObject(appCfg *config.Config) cfgObject {
 	return cfgObject{
-		pool:              initObjectPool(appCfg),
-		tombstoneLifetime: objectconfig.TombstoneLifetime(appCfg),
+		pool:                               initObjectPool(appCfg),
+		tombstoneLifetime:                  objectconfig.TombstoneLifetime(appCfg),
+		skipSessionTokenIssuerVerification: objectconfig.Put(appCfg).SkipSessionTokenIssuerVerification(),
 	}
 }

--- a/cmd/frostfs-node/config/object/config.go
+++ b/cmd/frostfs-node/config/object/config.go
@ -51,3 +51,8 @@ func (g PutConfig) PoolSizeLocal() int {

 	return PutPoolSizeDefault
 }
+
+// SkipSessionTokenIssuerVerification returns the value of "skip_session_token_issuer_verification" config parameter or `false“ if is not defined.
+func (g PutConfig) SkipSessionTokenIssuerVerification() bool {
+	return config.BoolSafe(g.cfg, "skip_session_token_issuer_verification")
+}
--- a/cmd/frostfs-node/config/object/config_test.go
+++ b/cmd/frostfs-node/config/object/config_test.go
@ -16,6 +16,7 @@ func TestObjectSection(t *testing.T) {
 		require.Equal(t, objectconfig.PutPoolSizeDefault, objectconfig.Put(empty).PoolSizeRemote())
 		require.Equal(t, objectconfig.PutPoolSizeDefault, objectconfig.Put(empty).PoolSizeLocal())
 		require.EqualValues(t, objectconfig.DefaultTombstoneLifetime, objectconfig.TombstoneLifetime(empty))
+		require.False(t, objectconfig.Put(empty).SkipSessionTokenIssuerVerification())
 	})

 	const path = "../../../../config/example/node"
@ -24,6 +25,7 @@ func TestObjectSection(t *testing.T) {
 		require.Equal(t, 100, objectconfig.Put(c).PoolSizeRemote())
 		require.Equal(t, 200, objectconfig.Put(c).PoolSizeLocal())
 		require.EqualValues(t, 10, objectconfig.TombstoneLifetime(c))
+		require.True(t, objectconfig.Put(c).SkipSessionTokenIssuerVerification())
 	}

 	configtest.ForEachFileType(path, fileConfigTest)
--- a/cmd/frostfs-node/object.go
+++ b/cmd/frostfs-node/object.go
@ -160,8 +160,9 @@ func initObjectService(c *cfg) {
 	addPolicer(c, keyStorage, c.bgClientCache)

 	traverseGen := util.NewTraverserGenerator(c.netMapSource, c.cfgObject.cnrSource, c)
+	irFetcher := newCachedIRFetcher(createInnerRingFetcher(c))

-	sPut := createPutSvc(c, keyStorage)
+	sPut := createPutSvc(c, keyStorage, &irFetcher)

 	sPutV2 := createPutSvcV2(sPut, keyStorage)

@ -184,7 +185,7 @@ func initObjectService(c *cfg) {

 	splitSvc := createSplitService(c, sPutV2, sGetV2, sSearchV2, sDeleteV2)

-	aclSvc := createACLServiceV2(c, splitSvc)
+	aclSvc := createACLServiceV2(c, splitSvc, &irFetcher)

 	var commonSvc objectService.Common
 	commonSvc.Init(&c.internals, aclSvc)
@ -295,7 +296,7 @@ func createReplicator(c *cfg, keyStorage *util.KeyStorage, cache *cache.ClientCa
 	)
 }

-func createPutSvc(c *cfg, keyStorage *util.KeyStorage) *putsvc.Service {
+func createPutSvc(c *cfg, keyStorage *util.KeyStorage, irFetcher *cachedIRFetcher) *putsvc.Service {
 	ls := c.cfgObject.cfgLocalStorage.localStorage

 	var os putsvc.ObjectStorage = engineWithoutNotifications{
@ -320,8 +321,10 @@ func createPutSvc(c *cfg, keyStorage *util.KeyStorage) *putsvc.Service {
 		c.netMapSource,
 		c,
 		c.cfgNetmap.state,
+		irFetcher,
 		putsvc.WithWorkerPools(c.cfgObject.pool.putRemote, c.cfgObject.pool.putLocal),
 		putsvc.WithLogger(c.log),
+		putsvc.WithVerifySessionTokenIssuer(!c.cfgObject.skipSessionTokenIssuerVerification),
 	)
 }

@ -405,14 +408,13 @@ func createSplitService(c *cfg, sPutV2 *putsvcV2.Service, sGetV2 *getsvcV2.Servi
 	)
 }

-func createACLServiceV2(c *cfg, splitSvc *objectService.TransportSplitter) v2.Service {
+func createACLServiceV2(c *cfg, splitSvc *objectService.TransportSplitter, irFetcher *cachedIRFetcher) v2.Service {
 	ls := c.cfgObject.cfgLocalStorage.localStorage
-	irFetcher := createInnerRingFetcher(c)

 	return v2.New(
 		splitSvc,
 		c.netMapSource,
-		newCachedIRFetcher(irFetcher),
+		irFetcher,
 		acl.NewChecker(
 			c.cfgNetmap.state,
 			c.cfgObject.eaclSource,