[#135] authmate: Support CRDT GSet for credentials
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
parent
7a380fa46c
commit
84358f6742
7 changed files with 274 additions and 38 deletions
|
@ -3,6 +3,7 @@ package main
|
|||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
|
@ -19,6 +20,7 @@ import (
|
|||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/version"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/wallet"
|
||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool"
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials"
|
||||
|
@ -88,6 +90,7 @@ var (
|
|||
const (
|
||||
envWalletPassphrase = "wallet.passphrase"
|
||||
envWalletGatePassphrase = "wallet.gate.passphrase"
|
||||
envSecretAccessKey = "secret.access.key"
|
||||
)
|
||||
|
||||
var zapConfig = zap.Config{
|
||||
|
@ -229,6 +232,12 @@ func issueSecret() *cli.Command {
|
|||
Required: false,
|
||||
Destination: &containerIDFlag,
|
||||
},
|
||||
&cli.StringFlag{
|
||||
Name: "access-key-id",
|
||||
Usage: "access key id for s3 (use this flag to update existing creds, if this flag is provided '--container-id', '--container-friendly-name' and '--container-placement-policy' are ineffective)",
|
||||
Required: false,
|
||||
Destination: &accessKeyIDFlag,
|
||||
},
|
||||
&cli.StringFlag{
|
||||
Name: "container-friendly-name",
|
||||
Usage: "friendly name of auth container to put the secret into",
|
||||
|
@ -333,6 +342,32 @@ It will be ceil rounded to the nearest amount of epoch.`,
|
|||
}
|
||||
}
|
||||
|
||||
var credsToUpdate *authmate.UpdateOptions
|
||||
if len(accessKeyIDFlag) > 0 {
|
||||
secretAccessKeyStr := wallet.GetPassword(viper.GetViper(), envSecretAccessKey)
|
||||
if secretAccessKeyStr == nil {
|
||||
return fmt.Errorf("you must provide AUTHMATE_SECRET_ACCESS_KEY env to update existing creds")
|
||||
}
|
||||
|
||||
secretAccessKey, err := hex.DecodeString(*secretAccessKeyStr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("access key must be hex encoded")
|
||||
}
|
||||
|
||||
var addr oid.Address
|
||||
credAddr := strings.Replace(accessKeyIDFlag, "0", "/", 1)
|
||||
if err = addr.DecodeString(credAddr); err != nil {
|
||||
return fmt.Errorf("failed to parse creds address: %w", err)
|
||||
}
|
||||
// we can create new creds version only in the same container
|
||||
containerID = addr.Container()
|
||||
|
||||
credsToUpdate = &authmate.UpdateOptions{
|
||||
Address: addr,
|
||||
SecretAccessKey: secretAccessKey,
|
||||
}
|
||||
}
|
||||
|
||||
var gatesPublicKeys []*keys.PublicKey
|
||||
for _, key := range gatesPublicKeysFlag.Value() {
|
||||
gpk, err := keys.NewPublicKeyFromString(key)
|
||||
|
@ -380,6 +415,7 @@ It will be ceil rounded to the nearest amount of epoch.`,
|
|||
ContainerPolicies: policies,
|
||||
Lifetime: lifetimeFlag,
|
||||
AwsCliCredentialsFile: awcCliCredFile,
|
||||
UpdateCreds: credsToUpdate,
|
||||
}
|
||||
|
||||
var tcancel context.CancelFunc
|
||||
|
|
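Review bot: In the `if len(accessKeyIDFlag) > 0` block added by the `-333,6 +342,32` hunk, the decoded secret goes straight into `authmate.UpdateOptions` with no length check. `hex.DecodeString("")` succeeds, so if `wallet.GetPassword` can hand back an empty string, a zero-length secret is accepted here; whether `authmate` rejects it later is not visible on this page. A guard such as `if len(secretAccessKey) == 0 { return fmt.Errorf("secret access key must not be empty") }` would fail early. The message `access key must be hex encoded` describes the secret access key and should name it. Leaving `err` out of that message is reasonable because `hex.InvalidByteError` echoes the offending character of the secret, and a comment like `// err is not wrapped: it would echo a character of the secret` would stop a later cleanup from adding `%w`. The enclosing action function starts and ends outside the hunk.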