From 8ecf33472d81643fe662c66049c96d0d85078bc4 Mon Sep 17 00:00:00 2001
From: Evgenii Baidakov
Date: Thu, 10 Aug 2023 13:56:40 +0400
Subject: [PATCH] layer: User anonSigner

Signed-off-by: Evgenii Baidakov
---
 cmd/s3-authmate/main.go | 22 ++++++++++++++++++----
 cmd/s3-gw/app.go | 33 +++++++++++++++++----------------
 internal/neofs/neofs.go | 31 +++++++++++++++++++++----------
 3 files changed, 56 insertions(+), 30 deletions(-)

diff --git a/cmd/s3-authmate/main.go b/cmd/s3-authmate/main.go
index ac8a0ee2..dcc8fca6 100644
--- a/cmd/s3-authmate/main.go
+++ b/cmd/s3-authmate/main.go
@@ -314,7 +314,14 @@ It will be ceil rounded to the nearest amount of epoch.`,
 RebalanceInterval: poolRebalanceIntervalFlag,
 }
- neoFS, err := createNeoFS(ctx, log, poolCfg)
+ // authmate doesn't require anonKey for work, but let's create random one.
+ anonKey, err := keys.NewPrivateKey()
+ if err != nil {
+ log.Fatal("issueSecret: couldn't generate random key", zap.Error(err))
+ }
+ anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
+
+ neoFS, err := createNeoFS(ctx, log, poolCfg, anonSigner)
 if err != nil {
 return cli.Exit(fmt.Sprintf("failed to create NeoFS component: %s", err), 2)
 }
@@ -648,7 +655,14 @@ func obtainSecret() *cli.Command {
 RebalanceInterval: poolRebalanceIntervalFlag,
 }
- neoFS, err := createNeoFS(ctx, log, poolCfg)
+ // authmate doesn't require anonKey for work, but let's create random one.
+ anonKey, err := keys.NewPrivateKey()
+ if err != nil {
+ log.Fatal("obtainSecret: couldn't generate random key", zap.Error(err))
+ }
+ anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
+
+ neoFS, err := createNeoFS(ctx, log, poolCfg, anonSigner)
 if err != nil {
 return cli.Exit(fmt.Sprintf("failed to create NeoFS component: %s", err), 2)
 }
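Review bot: The key generation added in front of `createNeoFS` reports failure with `log.Fatal`, while the very next error on the same path is returned through `cli.Exit`, so a `keys.NewPrivateKey` failure would bypass the command's normal exit-code handling; `return cli.Exit(fmt.Sprintf("couldn't generate random key: %s", err), 2)` keeps the two consistent. The identical block is repeated in the @@ -648 hunk, and since the comment itself says authmate has no use for this key, generating it inside `createNeoFS` (the @@ -684 hunk, where `signer` is already built from `cfg.Key`) would leave both call sites untouched and remove the duplication. The enclosing command actions start and end outside these hunks.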
@@ -684,7 +698,7 @@ func obtainSecret() *cli.Command {
 return command
 }
-func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig) (authmate.NeoFS, error) {
+func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig, anonSigner user.Signer) (authmate.NeoFS, error) {
 log.Debug("prepare connection pool")
 signer := user.NewAutoIDSignerRFC6979(*cfg.Key)
@@ -706,7 +720,7 @@ func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig) (authmate
 return nil, fmt.Errorf("dial pool: %w", err)
 }
- neoFS := neofs.NewNeoFS(p, signer)
+ neoFS := neofs.NewNeoFS(p, signer, anonSigner)
 return neofs.NewAuthmateNeoFS(neoFS), nil
 }
diff --git a/cmd/s3-gw/app.go b/cmd/s3-gw/app.go
index 2fd59f9c..9faa914b 100644
--- a/cmd/s3-gw/app.go
+++ b/cmd/s3-gw/app.go
@@ -91,7 +91,16 @@ func newApp(ctx context.Context, log *Logger, v *viper.Viper) *App {
 conns, key, poolStat := getPool(ctx, log.logger, v)
 signer := user.NewAutoIDSignerRFC6979(key.PrivateKey)
- neoFS := neofs.NewNeoFS(conns, signer)
+
+ // authmate doesn't require anonKey for work, but let's create random one.
+ anonKey, err := keys.NewPrivateKey()
+ if err != nil {
+ log.logger.Fatal("newApp: couldn't generate random key", zap.Error(err))
+ }
+ anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
+ log.logger.Info("anonymous signer", zap.String("userID", anonSigner.UserID().String()))
+
+ neoFS := neofs.NewNeoFS(conns, signer, anonSigner)
 // prepare auth center
 ctr := auth.New(neofs.NewAuthmateNeoFS(neoFS), key, v.GetStringSlice(cfgAllowedAccessKeyIDPrefixes), getAccessBoxCacheConfig(v, log.logger))
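Review bot: The comment above `keys.NewPrivateKey()` in the newApp hunk (@@ -91) is copied from authmate and is wrong in this file: in the gateway this key is exactly what `neofs.NewNeoFS` signs anonymous requests with, so it is required, not optional. Replace it with `// random per-process key used to sign requests made on behalf of anonymous (unauthenticated) clients`. Because the key is regenerated on every start, the user ID logged just below changes with each restart; that matches the code removed from initLayer in the @@ -132 hunk, but this log line is now the only place an operator can see which identity anonymous requests act under, so it is worth saying so in that comment as well. newApp continues past the hunk.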
@@ -111,18 +120,18 @@ func newApp(ctx context.Context, log *Logger, v *viper.Viper) *App {
 settings: newAppSettings(log, v),
 }
- app.init(ctx)
+ app.init(ctx, anonSigner)
 return app
 }
-func (a *App) init(ctx context.Context) {
- a.initAPI(ctx)
+func (a *App) init(ctx context.Context, anonSigner user.Signer) {
+ a.initAPI(ctx, anonSigner)
 a.initMetrics()
 a.initServers(ctx)
 }
-func (a *App) initLayer(ctx context.Context) {
+func (a *App) initLayer(ctx context.Context, anonSigner user.Signer) {
 a.initResolver(ctx)
 treeServiceEndpoint := a.cfg.GetString(cfgTreeServiceEndpoint)
@@ -132,14 +141,6 @@ func (a *App) initLayer(ctx context.Context) {
 }
 a.log.Info("init tree service", zap.String("endpoint", treeServiceEndpoint))
- // prepare random key for anonymous requests
- anonKey, err := keys.NewPrivateKey()
- if err != nil {
- a.log.Fatal("couldn't generate random key", zap.Error(err))
- }
-
- anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
-
 layerCfg := &layer.Config{
 Caches: getCacheOptions(a.cfg, a.log),
 GateKey: a.gateKey,
@@ -151,7 +152,7 @@ func (a *App) initLayer(ctx context.Context) {
 signer := user.NewAutoIDSignerRFC6979(a.gateKey.PrivateKey)
 // prepare object layer
- a.obj = layer.NewLayer(a.log, neofs.NewNeoFS(a.pool, signer), layerCfg)
+ a.obj = layer.NewLayer(a.log, neofs.NewNeoFS(a.pool, signer, anonSigner), layerCfg)
 if a.cfg.GetBool(cfgEnableNATS) {
 nopts := getNotificationsOptions(a.cfg, a.log)
@@ -187,8 +188,8 @@ func getDefaultPolicyValue(v *viper.Viper) string {
 return defaultPolicyStr
 }
-func (a *App) initAPI(ctx context.Context) {
- a.initLayer(ctx)
+func (a *App) initAPI(ctx context.Context, anonSigner user.Signer) {
+ a.initLayer(ctx, anonSigner)
 a.initHandler()
 }
diff --git a/internal/neofs/neofs.go b/internal/neofs/neofs.go
index 93d6802e..67d6e266 100644
--- a/internal/neofs/neofs.go
+++ b/internal/neofs/neofs.go
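Review bot: `anonSigner` is threaded through `init`, `initAPI` (@@ -187) and `initLayer` only to reach the `neofs.NewNeoFS` call in the @@ -151 hunk, while newApp (@@ -91) already builds a NeoFS with the same two signers. Keeping the signer on the struct next to `gateKey` — an `anonSigner user.Signer` field set in newApp and read as `a.anonSigner` in initLayer — would leave all three method signatures as they were, and if `a.pool` is the same pool as `conns` (not visible in this diff) the NeoFS built in newApp could be reused rather than constructed a second time. initLayer's body continues past the @@ -132 and @@ -151 hunks.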
@@ -11,6 +11,7 @@ import (
 "time"
 objectv2 "github.com/nspcc-dev/neofs-api-go/v2/object"
+ "github.com/nspcc-dev/neofs-s3-gw/api"
 "github.com/nspcc-dev/neofs-s3-gw/api/layer"
 "github.com/nspcc-dev/neofs-s3-gw/authmate"
 "github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
@@ -35,16 +36,26 @@ import (
 type NeoFS struct {
 pool *pool.Pool
 gateSigner user.Signer
+ anonSigner user.Signer
 }
 // NewNeoFS creates new NeoFS using provided pool.Pool.
-func NewNeoFS(p *pool.Pool, signer user.Signer) *NeoFS {
+func NewNeoFS(p *pool.Pool, signer user.Signer, anonSigner user.Signer) *NeoFS {
 return &NeoFS{
 pool: p,
 gateSigner: signer,
+ anonSigner: anonSigner,
 }
 }
+func (x *NeoFS) signer(ctx context.Context) user.Signer {
+ if api.IsAnonymousRequest(ctx) {
+ return x.anonSigner
+ }
+
+ return x.gateSigner
+}
+
 // TimeToEpoch implements neofs.NeoFS interface method.
 func (x *NeoFS) TimeToEpoch(ctx context.Context, now, futureTime time.Time) (uint64, uint64, error) {
 dur := futureTime.Sub(now)
@@ -139,7 +150,7 @@ func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreat
 putWaiter := waiter.NewContainerPutWaiter(x.pool, waiter.DefaultPollInterval)
 // send request to save the container
- idCnr, err := putWaiter.ContainerPut(ctx, cnr, x.gateSigner, prmPut)
+ idCnr, err := putWaiter.ContainerPut(ctx, cnr, x.signer(ctx), prmPut)
 if err != nil {
 return cid.ID{}, fmt.Errorf("save container via connection pool: %w", err)
 }
@@ -166,7 +177,7 @@ func (x *NeoFS) SetContainerEACL(ctx context.Context, table eacl.Table, sessionT
 }
 eaclWaiter := waiter.NewContainerSetEACLWaiter(x.pool, waiter.DefaultPollInterval)
- err := eaclWaiter.ContainerSetEACL(ctx, table, x.gateSigner, prm)
+ err := eaclWaiter.ContainerSetEACL(ctx, table, x.signer(ctx), prm)
 if err != nil {
 return fmt.Errorf("save eACL via connection pool: %w", err)
 }
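Review bot: The new `signer` method in the @@ -35 hunk is undocumented and nothing guards against a nil `anonSigner`: `NewNeoFS` stores whatever it is handed, so the first request for which `api.IsAnonymousRequest(ctx)` is true would call a method on a nil interface and panic deep inside a pool call rather than at startup. Add `// signer returns the key to sign the request with: the anonymous signer when the context is marked anonymous via api.IsAnonymousRequest, the gate signer otherwise.` above the method, and either fail fast in the constructor (`if anonSigner == nil { panic("neofs: nil anonymous signer") }`, since NewNeoFS has no error return) or state in NewNeoFS's doc comment that both signers are required. The same selection now governs the container-mutating calls in this and the following hunks (@@ -139, @@ -166, @@ -204), so an anonymous caller no longer acts with the gate key's authority there; that looks intended, but a one-line comment on `signer` saying so would save the next reader the inference.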
@@ -193,7 +204,7 @@ func (x *NeoFS) DeleteContainer(ctx context.Context, id cid.ID, token *session.C
 }
 deleteWaiter := waiter.NewContainerDeleteWaiter(x.pool, waiter.DefaultPollInterval)
- err := deleteWaiter.ContainerDelete(ctx, id, x.gateSigner, prm)
+ err := deleteWaiter.ContainerDelete(ctx, id, x.signer(ctx), prm)
 if err != nil {
 return fmt.Errorf("delete container via connection pool: %w", err)
 }
@@ -261,7 +272,7 @@ func (x *NeoFS) CreateObject(ctx context.Context, prm layer.PrmObjectCreate) (oi
 prmObjPutInit.WithBearerToken(*prm.BearerToken)
 }
- writer, err := x.pool.ObjectPutInit(ctx, obj, x.gateSigner, prmObjPutInit)
+ writer, err := x.pool.ObjectPutInit(ctx, obj, x.signer(ctx), prmObjPutInit)
 if err != nil {
 reason, ok := isErrAccessDenied(err)
 if ok {
@@ -320,7 +331,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 if prm.WithHeader {
 if prm.WithPayload {
- header, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.gateSigner, prmGet)
+ header, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.signer(ctx), prmGet)
 if err != nil {
 if reason, ok := isErrAccessDenied(err); ok {
 return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -349,7 +360,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 prmHead.WithBearerToken(*prm.BearerToken)
 }
- hdrRes, err := x.pool.ObjectHead(ctx, prm.Container, prm.Object, x.gateSigner, prmHead)
+ hdrRes, err := x.pool.ObjectHead(ctx, prm.Container, prm.Object, x.signer(ctx), prmHead)
 if err != nil {
 if reason, ok := isErrAccessDenied(err); ok {
 return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -367,7 +378,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 Head: &hdr,
 }, nil
 } else if prm.PayloadRange[0]+prm.PayloadRange[1] == 0 {
- _, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.gateSigner, prmGet)
+ _, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.signer(ctx), prmGet)
 if err != nil {
 if reason, ok := isErrAccessDenied(err); ok {
 return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -387,7 +398,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 prmRange.WithBearerToken(*prm.BearerToken)
 }
- res, err := x.pool.ObjectRangeInit(ctx, prm.Container, prm.Object, prm.PayloadRange[0], prm.PayloadRange[1], x.gateSigner, prmRange)
+ res, err := x.pool.ObjectRangeInit(ctx, prm.Container, prm.Object, prm.PayloadRange[0], prm.PayloadRange[1], x.signer(ctx), prmRange)
 if err != nil {
 if reason, ok := isErrAccessDenied(err); ok {
 return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -409,7 +420,7 @@ func (x *NeoFS) DeleteObject(ctx context.Context, prm layer.PrmObjectDelete) err
 prmDelete.WithBearerToken(*prm.BearerToken)
 }
- _, err := x.pool.ObjectDelete(ctx, prm.Container, prm.Object, x.gateSigner, prmDelete)
+ _, err := x.pool.ObjectDelete(ctx, prm.Container, prm.Object, x.signer(ctx), prmDelete)
 if err != nil {
 if reason, ok := isErrAccessDenied(err); ok {
 return fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)