[#229] services/tree: Use bearer owner as signer
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
89530534a1
commit
dce5924a89
4 changed files with 40 additions and 6 deletions
2
go.mod
2
go.mod
|
@ -5,7 +5,7 @@ go 1.18
|
|||
require (
|
||||
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230418080822-bd44a3f47b85
|
||||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.0.0-20230307110621-19a8ef2d02fb
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418075216-d0c5d837d204
|
||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230418145405-db5b89496d68
|
||||
git.frostfs.info/TrueCloudLab/hrw v1.2.0
|
||||
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
||||
github.com/cheggaaa/pb v1.0.29
|
||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -101,6 +101,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
}
|
||||
|
||||
var tb eacl.Table
|
||||
signer := req.GetSignature().GetKey()
|
||||
if tableFromBearer {
|
||||
if bt.Impersonate() {
|
||||
tbCore, err := s.eaclSource.GetEACL(cid)
|
||||
|
@ -108,6 +109,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
return handleGetEACLError(err)
|
||||
}
|
||||
tb = *tbCore.Value
|
||||
signer = bt.SigningKeyBytes()
|
||||
} else {
|
||||
if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner()) {
|
||||
return eACLErr(eaclOp, errBearerWrongOwner)
|
||||
|
@ -123,7 +125,7 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
|
|||
tb = *tbCore.Value
|
||||
}
|
||||
|
||||
return checkEACL(tb, req.GetSignature().GetKey(), eACLRole(role), eaclOp)
|
||||
return checkEACL(tb, signer, eACLRole(role), eaclOp)
|
||||
}
|
||||
|
||||
func handleGetEACLError(err error) error {
|
||||
|
|
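Review bot: In the impersonate branch `signer = bt.SigningKeyBytes()` makes the eACL decision depend entirely on the key recovered from the bearer token's own signature, so it is only sound if that signature has already been verified against the token body earlier in verifyClient, which lies outside these hunks; if that verification is conditional or happens later, an unsigned or re-signed token would let a caller choose the subject key. The branch also skips the issuer-vs-owner check that the non-impersonate path performs at `if !bearer.ResolveIssuer(*bt).Equals(cnr.Value.Owner())`, which is presumably intentional because the issuer is now the subject rather than the grantor, and that reasoning deserves a comment such as `// impersonate: the bearer issuer is the subject of the eACL check, not the request signer` above the assignment. After this change the final `return checkEACL(tb, signer, eACLRole(role), eaclOp)` silently depends on which branch ran, so the doc comment of verifyClient, whose start is outside the hunk, should name both cases explicitly.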
|
@ -53,6 +53,16 @@ func (s dummyContainerSource) Get(id cid.ID) (*containercore.Container, error) {
|
|||
return cnt, nil
|
||||
}
|
||||
|
||||
type dummyEACLSource map[string]*containercore.EACL
|
||||
|
||||
func (s dummyEACLSource) GetEACL(id cid.ID) (*containercore.EACL, error) {
|
||||
cntEACL, ok := s[id.String()]
|
||||
if !ok {
|
||||
return nil, errors.New("container not found")
|
||||
}
|
||||
return cntEACL, nil
|
||||
}
|
||||
|
||||
func testContainer(owner user.ID) container.Container {
|
||||
var r netmapSDK.ReplicaDescriptor
|
||||
r.SetNumberOfObjects(1)
|
||||
|
@ -93,6 +103,11 @@ func TestMessageSign(t *testing.T) {
|
|||
cnrSource: dummyContainerSource{
|
||||
cid1.String(): cnr,
|
||||
},
|
||||
eaclSource: dummyEACLSource{
|
||||
cid1.String(): &containercore.EACL{
|
||||
Value: testTable(cid1, privs[0].PublicKey(), privs[1].PublicKey()),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -178,6 +193,19 @@ func TestMessageSign(t *testing.T) {
|
|||
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
||||
})
|
||||
|
||||
t.Run("impersonate", func(t *testing.T) {
|
||||
cnr.Value.SetBasicACL(acl.PublicRWExtended)
|
||||
var bt bearer.Token
|
||||
bt.SetImpersonate(true)
|
||||
|
||||
require.NoError(t, bt.Sign(privs[1].PrivateKey))
|
||||
req.Body.BearerToken = bt.Marshal()
|
||||
|
||||
require.NoError(t, SignMessage(req, &privs[0].PrivateKey))
|
||||
require.Error(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectPut))
|
||||
require.NoError(t, s.verifyClient(req, cid1, req.GetBody().GetBearerToken(), acl.OpObjectGet))
|
||||
})
|
||||
|
||||
bt := testBearerToken(cid1, privs[1].PublicKey(), privs[2].PublicKey())
|
||||
require.NoError(t, bt.Sign(privs[0].PrivateKey))
|
||||
req.Body.BearerToken = bt.Marshal()
|
||||
|
@ -202,6 +230,13 @@ func TestMessageSign(t *testing.T) {
|
|||
}
|
||||
|
||||
func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token {
|
||||
var b bearer.Token
|
||||
b.SetEACLTable(*testTable(cid, forPutGet, forGet))
|
||||
|
||||
return b
|
||||
}
|
||||
|
||||
func testTable(cid cid.ID, forPutGet, forGet *keys.PublicKey) *eaclSDK.Table {
|
||||
tgtGet := eaclSDK.NewTarget()
|
||||
tgtGet.SetRole(eaclSDK.RoleUnknown)
|
||||
tgtGet.SetBinaryKeys([][]byte{forPutGet.Bytes(), forGet.Bytes()})
|
||||
|
@ -237,8 +272,5 @@ func testBearerToken(cid cid.ID, forPutGet, forGet *keys.PublicKey) bearer.Token
|
|||
|
||||
tb.SetCID(cid)
|
||||
|
||||
var b bearer.Token
|
||||
b.SetEACLTable(*tb)
|
||||
|
||||
return b
|
||||
return tb
|
||||
}
|
||||
|
|
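Review bot: The new `impersonate` subtest only uses a token without an eACL table of its own, so it does not demonstrate that a bearer-carried table is ignored once `bt.SetImpersonate(true)` is set; a second case that also calls `bt.SetEACLTable(...)` with a table granting Put to privs[1] and still expects `require.Error` on `acl.OpObjectPut` would pin the intended precedence of the container eACL. There is also no case where the impersonate token is left unsigned or signed by a key absent from the container table, which would pin the rejection path rather than only the allow path. In `dummyEACLSource.GetEACL` the message `container not found` is misleading for a missing eACL entry; `errors.New("eacl not found")` reads better. TestMessageSign starts and ends outside these hunks.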