Skip to content

Commit

Permalink
layer: User anonSigner
Browse files Browse the repository at this point in the history
Signed-off-by: Evgenii Baidakov <[email protected]>
  • Loading branch information
smallhive committed Aug 10, 2023
1 parent 969f657 commit 6c1b743
Show file tree
Hide file tree
Showing 3 changed files with 51 additions and 17 deletions.
22 changes: 18 additions & 4 deletions cmd/s3-authmate/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -314,7 +314,14 @@ It will be ceil rounded to the nearest amount of epoch.`,
RebalanceInterval: poolRebalanceIntervalFlag,
}

neoFS, err := createNeoFS(ctx, log, poolCfg)
// authmate doesn't require anonKey for work, but let's create random one.
anonKey, err := keys.NewPrivateKey()
if err != nil {
log.Fatal("issueSecret: couldn't generate random key", zap.Error(err))
}
anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)

neoFS, err := createNeoFS(ctx, log, poolCfg, anonSigner)
if err != nil {
return cli.Exit(fmt.Sprintf("failed to create NeoFS component: %s", err), 2)
}
Expand Down Expand Up @@ -648,7 +655,14 @@ func obtainSecret() *cli.Command {
RebalanceInterval: poolRebalanceIntervalFlag,
}

neoFS, err := createNeoFS(ctx, log, poolCfg)
// authmate doesn't require anonKey for work, but let's create random one.
anonKey, err := keys.NewPrivateKey()
if err != nil {
log.Fatal("obtainSecret: couldn't generate random key", zap.Error(err))
}
anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)

neoFS, err := createNeoFS(ctx, log, poolCfg, anonSigner)
if err != nil {
return cli.Exit(fmt.Sprintf("failed to create NeoFS component: %s", err), 2)
}
Expand Down Expand Up @@ -684,7 +698,7 @@ func obtainSecret() *cli.Command {
return command
}

func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig) (authmate.NeoFS, error) {
func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig, anonSigner user.Signer) (authmate.NeoFS, error) {
log.Debug("prepare connection pool")

signer := user.NewAutoIDSignerRFC6979(*cfg.Key)
Expand All @@ -706,7 +720,7 @@ func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig) (authmate
return nil, fmt.Errorf("dial pool: %w", err)
}

neoFS := neofs.NewNeoFS(p, signer)
neoFS := neofs.NewNeoFS(p, signer, anonSigner)

return neofs.NewAuthmateNeoFS(neoFS), nil
}
15 changes: 12 additions & 3 deletions cmd/s3-gw/app.go
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,15 @@ func newApp(ctx context.Context, log *Logger, v *viper.Viper) *App {
conns, key, poolStat := getPool(ctx, log.logger, v)

signer := user.NewAutoIDSignerRFC6979(key.PrivateKey)
neoFS := neofs.NewNeoFS(conns, signer)

// authmate doesn't require anonKey for work, but let's create random one.
anonKey, err := keys.NewPrivateKey()
if err != nil {
log.logger.Fatal("newApp: couldn't generate random key", zap.Error(err))
}
anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)

neoFS := neofs.NewNeoFS(conns, signer, anonSigner)

// prepare auth center
ctr := auth.New(neofs.NewAuthmateNeoFS(neoFS), key, v.GetStringSlice(cfgAllowedAccessKeyIDPrefixes), getAccessBoxCacheConfig(v, log.logger))
Expand Down Expand Up @@ -135,7 +143,7 @@ func (a *App) initLayer(ctx context.Context) {
// prepare random key for anonymous requests
anonKey, err := keys.NewPrivateKey()
if err != nil {
a.log.Fatal("couldn't generate random key", zap.Error(err))
a.log.Fatal("initLayer: couldn't generate random key", zap.Error(err))
}

layerCfg := &layer.Config{
Expand All @@ -146,10 +154,11 @@ func (a *App) initLayer(ctx context.Context) {
TreeService: treeService,
}

anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
signer := user.NewAutoIDSignerRFC6979(a.gateKey.PrivateKey)

// prepare object layer
a.obj = layer.NewLayer(a.log, neofs.NewNeoFS(a.pool, signer), layerCfg)
a.obj = layer.NewLayer(a.log, neofs.NewNeoFS(a.pool, signer, anonSigner), layerCfg)

if a.cfg.GetBool(cfgEnableNATS) {
nopts := getNotificationsOptions(a.cfg, a.log)
Expand Down
31 changes: 21 additions & 10 deletions internal/neofs/neofs.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"time"

objectv2 "github.com/nspcc-dev/neofs-api-go/v2/object"
"github.com/nspcc-dev/neofs-s3-gw/api"
"github.com/nspcc-dev/neofs-s3-gw/api/layer"
"github.com/nspcc-dev/neofs-s3-gw/authmate"
"github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
Expand All @@ -35,16 +36,26 @@ import (
type NeoFS struct {
pool *pool.Pool
gateSigner user.Signer
anonSigner user.Signer
}

// NewNeoFS creates new NeoFS using provided pool.Pool.
func NewNeoFS(p *pool.Pool, signer user.Signer) *NeoFS {
func NewNeoFS(p *pool.Pool, signer user.Signer, anonSigner user.Signer) *NeoFS {

Check warning on line 43 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L43

Added line #L43 was not covered by tests
return &NeoFS{
pool: p,
gateSigner: signer,
anonSigner: anonSigner,
}

Check warning on line 48 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L45-L48

Added lines #L45 - L48 were not covered by tests
}

func (x *NeoFS) signer(ctx context.Context) user.Signer {
if api.IsAnonymousRequest(ctx) {
return x.anonSigner

Check warning on line 53 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L51-L53

Added lines #L51 - L53 were not covered by tests
}

return x.gateSigner

Check warning on line 56 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L56

Added line #L56 was not covered by tests
}

// TimeToEpoch implements neofs.NeoFS interface method.
func (x *NeoFS) TimeToEpoch(ctx context.Context, now, futureTime time.Time) (uint64, uint64, error) {
dur := futureTime.Sub(now)
Expand Down Expand Up @@ -139,7 +150,7 @@ func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreat
putWaiter := waiter.NewContainerPutWaiter(x.pool, waiter.DefaultPollInterval)

Check warning on line 151 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L150-L151

Added lines #L150 - L151 were not covered by tests
// send request to save the container
idCnr, err := putWaiter.ContainerPut(ctx, cnr, x.gateSigner, prmPut)
idCnr, err := putWaiter.ContainerPut(ctx, cnr, x.signer(ctx), prmPut)

Check warning on line 153 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L153

Added line #L153 was not covered by tests
if err != nil {
return cid.ID{}, fmt.Errorf("save container via connection pool: %w", err)
}
Expand All @@ -166,7 +177,7 @@ func (x *NeoFS) SetContainerEACL(ctx context.Context, table eacl.Table, sessionT
}

eaclWaiter := waiter.NewContainerSetEACLWaiter(x.pool, waiter.DefaultPollInterval)
err := eaclWaiter.ContainerSetEACL(ctx, table, x.gateSigner, prm)
err := eaclWaiter.ContainerSetEACL(ctx, table, x.signer(ctx), prm)

Check warning on line 180 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L179-L180

Added lines #L179 - L180 were not covered by tests
if err != nil {
return fmt.Errorf("save eACL via connection pool: %w", err)
}
Expand All @@ -193,7 +204,7 @@ func (x *NeoFS) DeleteContainer(ctx context.Context, id cid.ID, token *session.C
}

deleteWaiter := waiter.NewContainerDeleteWaiter(x.pool, waiter.DefaultPollInterval)
err := deleteWaiter.ContainerDelete(ctx, id, x.gateSigner, prm)
err := deleteWaiter.ContainerDelete(ctx, id, x.signer(ctx), prm)

Check warning on line 207 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L206-L207

Added lines #L206 - L207 were not covered by tests
if err != nil {
return fmt.Errorf("delete container via connection pool: %w", err)
}
Expand Down Expand Up @@ -261,7 +272,7 @@ func (x *NeoFS) CreateObject(ctx context.Context, prm layer.PrmObjectCreate) (oi
prmObjPutInit.WithBearerToken(*prm.BearerToken)

Check warning on line 272 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L272

Added line #L272 was not covered by tests
}

writer, err := x.pool.ObjectPutInit(ctx, obj, x.gateSigner, prmObjPutInit)
writer, err := x.pool.ObjectPutInit(ctx, obj, x.signer(ctx), prmObjPutInit)

Check warning on line 275 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L275

Added line #L275 was not covered by tests
if err != nil {
reason, ok := isErrAccessDenied(err)
if ok {
Expand Down Expand Up @@ -326,7 +337,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer

if prm.WithHeader {
if prm.WithPayload {
header, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.gateSigner, prmGet)
header, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.signer(ctx), prmGet)

Check warning on line 340 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L340

Added line #L340 was not covered by tests
if err != nil {
if reason, ok := isErrAccessDenied(err); ok {
return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
Expand Down Expand Up @@ -355,7 +366,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
prmHead.WithBearerToken(*prm.BearerToken)

Check warning on line 366 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L366

Added line #L366 was not covered by tests
}

hdrRes, err := x.pool.ObjectHead(ctx, prm.Container, prm.Object, x.gateSigner, prmHead)
hdrRes, err := x.pool.ObjectHead(ctx, prm.Container, prm.Object, x.signer(ctx), prmHead)

Check warning on line 369 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L369

Added line #L369 was not covered by tests
if err != nil {
if reason, ok := isErrAccessDenied(err); ok {
return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
Expand All @@ -373,7 +384,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
Head: &hdr,
}, nil
} else if prm.PayloadRange[0]+prm.PayloadRange[1] == 0 {
_, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.gateSigner, prmGet)
_, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.signer(ctx), prmGet)

Check warning on line 387 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L387

Added line #L387 was not covered by tests
if err != nil {
if reason, ok := isErrAccessDenied(err); ok {
return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
Expand All @@ -393,7 +404,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
prmRange.WithBearerToken(*prm.BearerToken)

Check warning on line 404 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L404

Added line #L404 was not covered by tests
}

res, err := x.pool.ObjectRangeInit(ctx, prm.Container, prm.Object, prm.PayloadRange[0], prm.PayloadRange[1], x.gateSigner, prmRange)
res, err := x.pool.ObjectRangeInit(ctx, prm.Container, prm.Object, prm.PayloadRange[0], prm.PayloadRange[1], x.signer(ctx), prmRange)

Check warning on line 407 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L407

Added line #L407 was not covered by tests
if err != nil {
if reason, ok := isErrAccessDenied(err); ok {
return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
Expand All @@ -415,7 +426,7 @@ func (x *NeoFS) DeleteObject(ctx context.Context, prm layer.PrmObjectDelete) err
prmDelete.WithBearerToken(*prm.BearerToken)

Check warning on line 426 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L426

Added line #L426 was not covered by tests
}

_, err := x.pool.ObjectDelete(ctx, prm.Container, prm.Object, x.gateSigner, prmDelete)
_, err := x.pool.ObjectDelete(ctx, prm.Container, prm.Object, x.signer(ctx), prmDelete)

Check warning on line 429 in internal/neofs/neofs.go

View check run for this annotation

Codecov / codecov/patch

internal/neofs/neofs.go#L429

Added line #L429 was not covered by tests
if err != nil {
if reason, ok := isErrAccessDenied(err); ok {
return fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
Expand Down

0 comments on commit 6c1b743

Please sign in to comment.