Token signatures and issuers #564
cthulhu-rider commented Mar 4, 2024
- based on and blocked by Support bearer token issuer neofs-api-go#446
c006761
to
bb870dc
Compare
Codecov Report
Attention: Patch coverage is
@@ Coverage Diff @@
## master #564 +/- ##
==========================================
+ Coverage 68.15% 68.16% +0.01%
==========================================
Files 122 122
Lines 9965 9987 +22
==========================================
+ Hits 6792 6808 +16
- Misses 2799 2804 +5
- Partials 374 375 +1
bearer/bearer.go
Outdated
// SignByIssuer combines [Token.Sign] and [Token.SetIssuer] in one call. Use | ||
// this method for stable authorization in the system. SignByUser should not be | ||
// mixed with the mentioned methods. | ||
func (b *Token) SignByIssuer(signer user.Signer) error { |
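Review bot: the doc comment on `SignByIssuer` refers to `SignByUser` ("SignByUser should not be mixed with the mentioned methods"), which is not the name of the method declared on the next line, so the last sentence should name `SignByIssuer` or be dropped. The phrase "stable authorization in the system" also does not tell a caller what breaks when `Sign` and `SetIssuer` are called separately; one sentence saying that the issuer must be set before the signature is calculated, if that is the reason, would make the contract checkable.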
you do this one way and the next commit does it another way, why? why not just `Sign` that sets issuer?
I'd vote for `Sign(signer user.Signer)` unification, but I fear @amlwwalker will hate us for changing the interface again.
made same interface
I don't hate anything you guys are doing @roman-khimov just have to keep up! 😂
b3cd074
to
4123c78
Compare
Dedicated field for the bearer token issuer was recently added to the protocol nspcc-dev/neofs-api#266. Now SDK provides getter and setter for it.

Previously, `Token` type accepted `neofscrypto.Signer` parameter in `Sign` method to calculate and set signature of the bearer token. Obviously, the method did not set nonexistent issuer field. The only way to access the issuer was `ResolveIssuer` method resolving user ID from the public key.

Now `Sign` method accepts parameter of `user.Signer` type to additionally set issuer field. This is a breaking change overall, but still needed for stable system authorization and library usage. `ResolveIssuer` method is now dual: it starts like `Issuer` and falls back to the old behavior when field is missing.

Signed-off-by: Leonard Lyubich <[email protected]>
Previously, `Sign` method set session token's issuer only if it had not been set yet. This could lead to unexpected behavior when signing a formed (completely or partially) token. Although this scenario is not common in NeoFS - the token is created once and then only read - this behavior does not make sense, so it's worth changing.

Closes #546.

Signed-off-by: Leonard Lyubich <[email protected]>
`Sign` method sets both issuer and signature of the token. There could be a need to set signature only, e.g. for testing. Now signature could be set via new method `SetSignature` also used by `Sign` itself.

Refs #546.

Signed-off-by: Leonard Lyubich <[email protected]>
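The issuer semantics described in the three commit messages above, as an added Go sketch that is not code from this PR or from the SDK. The `Token` type, `userID` scheme and `Consistent` check are hypothetical, ed25519 stands in for the SDK's signer, and covering the issuer with the signature is an assumption of this model; only the method names `Sign`, `SetSignature` and `ResolveIssuer` are taken from the page.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Token is a toy stand-in for a signed token; it is not the SDK type.
type Token struct {
	Issuer, Body string // empty Issuer models a token without the issuer field
	PubKey, Sig  []byte
}

// userID is a constructed ID scheme (assumption), not the NeoFS derivation.
func userID(pub []byte) string { return fmt.Sprintf("id-%x", pub) }

// SetSignature signs issuer+body and leaves the issuer field untouched.
func (t *Token) SetSignature(k ed25519.PrivateKey) {
	t.PubKey = k.Public().(ed25519.PublicKey)
	t.Sig = ed25519.Sign(k, []byte(t.Issuer+"\x00"+t.Body))
}

// Sign always overwrites the issuer with the signer's ID, then signs.
func (t *Token) Sign(k ed25519.PrivateKey) {
	t.Issuer = userID(k.Public().(ed25519.PublicKey))
	t.SetSignature(k)
}

// ResolveIssuer prefers the field and falls back to the key-derived ID.
func (t *Token) ResolveIssuer() string {
	if t.Issuer != "" {
		return t.Issuer
	}
	return userID(t.PubKey)
}

// Consistent reports a valid signature whose signer is the resolved issuer.
func (t *Token) Consistent() bool {
	return len(t.PubKey) == ed25519.PublicKeySize &&
		ed25519.Verify(t.PubKey, []byte(t.Issuer+"\x00"+t.Body), t.Sig) &&
		t.ResolveIssuer() == userID(t.PubKey)
}

func main() {
	k := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed key
	a, b := Token{Issuer: "someone-else", Body: "ctx"}, Token{Issuer: "someone-else", Body: "ctx"}
	a.SetSignature(k) // signature only: the pre-filled issuer is kept
	b.Sign(k)         // issuer overwritten with the signer's ID
	fmt.Println(a.Consistent(), b.Consistent())
}
```

A token that was pre-filled with another issuer and then only given a signature verifies cryptographically but names someone other than its signer, which is the mismatch a verifier would want to reject.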
4123c78
to
bd31d70
Compare
d4f0257
to
bd31d70
Compare
integration test failures ain't related to these changes. #572