layer: User anonSigner

Signed-off-by: Evgenii Baidakov <[email protected]>

cmd/s3-authmate/main.go

@@ -314,7 +314,14 @@ It will be ceil rounded to the nearest amount of epoch.`,
 				RebalanceInterval:  poolRebalanceIntervalFlag,
 			}
 
-			neoFS, err := createNeoFS(ctx, log, poolCfg)
+			// authmate doesn't require anonKey for work, but let's create random one.
+			anonKey, err := keys.NewPrivateKey()
+			if err != nil {
+				log.Fatal("issueSecret: couldn't generate random key", zap.Error(err))
+			}
+			anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
+
+			neoFS, err := createNeoFS(ctx, log, poolCfg, anonSigner)
 			if err != nil {
 				return cli.Exit(fmt.Sprintf("failed to create NeoFS component: %s", err), 2)
 			}
@@ -648,7 +655,14 @@ func obtainSecret() *cli.Command {
 				RebalanceInterval:  poolRebalanceIntervalFlag,
 			}
 
-			neoFS, err := createNeoFS(ctx, log, poolCfg)
+			// authmate doesn't require anonKey for work, but let's create random one.
+			anonKey, err := keys.NewPrivateKey()
+			if err != nil {
+				log.Fatal("obtainSecret: couldn't generate random key", zap.Error(err))
+			}
+			anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
+
+			neoFS, err := createNeoFS(ctx, log, poolCfg, anonSigner)
 			if err != nil {
 				return cli.Exit(fmt.Sprintf("failed to create NeoFS component: %s", err), 2)
 			}
@@ -684,7 +698,7 @@ func obtainSecret() *cli.Command {
 	return command
 }
 
-func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig) (authmate.NeoFS, error) {
+func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig, anonSigner user.Signer) (authmate.NeoFS, error) {
 	log.Debug("prepare connection pool")
 
 	signer := user.NewAutoIDSignerRFC6979(*cfg.Key)
@@ -706,7 +720,7 @@ func createNeoFS(ctx context.Context, log *zap.Logger, cfg PoolConfig) (authmate
 		return nil, fmt.Errorf("dial pool: %w", err)
 	}
 
-	neoFS := neofs.NewNeoFS(p, signer)
+	neoFS := neofs.NewNeoFS(p, signer, anonSigner)
 
 	return neofs.NewAuthmateNeoFS(neoFS), nil
 }

cmd/s3-gw/app.go

@@ -91,7 +91,16 @@ func newApp(ctx context.Context, log *Logger, v *viper.Viper) *App {
 	conns, key, poolStat := getPool(ctx, log.logger, v)
 
 	signer := user.NewAutoIDSignerRFC6979(key.PrivateKey)
-	neoFS := neofs.NewNeoFS(conns, signer)
+
+	// authmate doesn't require anonKey for work, but let's create random one.
+	anonKey, err := keys.NewPrivateKey()
+	if err != nil {
+		log.logger.Fatal("newApp: couldn't generate random key", zap.Error(err))
+	}
+	anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
+	log.logger.Info("anonymous signer", zap.String("userID", anonSigner.UserID().String()))
+
+	neoFS := neofs.NewNeoFS(conns, signer, anonSigner)
 
 	// prepare auth center
 	ctr := auth.New(neofs.NewAuthmateNeoFS(neoFS), key, v.GetStringSlice(cfgAllowedAccessKeyIDPrefixes), getAccessBoxCacheConfig(v, log.logger))
@@ -111,18 +120,18 @@ func newApp(ctx context.Context, log *Logger, v *viper.Viper) *App {
 		settings:   newAppSettings(log, v),
 	}
 
-	app.init(ctx)
+	app.init(ctx, anonSigner)
 
 	return app
 }
 
-func (a *App) init(ctx context.Context) {
-	a.initAPI(ctx)
+func (a *App) init(ctx context.Context, anonSigner user.Signer) {
+	a.initAPI(ctx, anonSigner)
 	a.initMetrics()
 	a.initServers(ctx)
 }
 
-func (a *App) initLayer(ctx context.Context) {
+func (a *App) initLayer(ctx context.Context, anonSigner user.Signer) {
 	a.initResolver(ctx)
 
 	treeServiceEndpoint := a.cfg.GetString(cfgTreeServiceEndpoint)
@@ -132,14 +141,6 @@ func (a *App) initLayer(ctx context.Context) {
 	}
 	a.log.Info("init tree service", zap.String("endpoint", treeServiceEndpoint))
 
-	// prepare random key for anonymous requests
-	anonKey, err := keys.NewPrivateKey()
-	if err != nil {
-		a.log.Fatal("couldn't generate random key", zap.Error(err))
-	}
-
-	anonSigner := user.NewAutoIDSignerRFC6979(anonKey.PrivateKey)
-
 	layerCfg := &layer.Config{
 		Caches:      getCacheOptions(a.cfg, a.log),
 		GateKey:     a.gateKey,
@@ -151,7 +152,7 @@ func (a *App) initLayer(ctx context.Context) {
 	signer := user.NewAutoIDSignerRFC6979(a.gateKey.PrivateKey)
 
 	// prepare object layer
-	a.obj = layer.NewLayer(a.log, neofs.NewNeoFS(a.pool, signer), layerCfg)
+	a.obj = layer.NewLayer(a.log, neofs.NewNeoFS(a.pool, signer, anonSigner), layerCfg)
 
 	if a.cfg.GetBool(cfgEnableNATS) {
 		nopts := getNotificationsOptions(a.cfg, a.log)
@@ -187,8 +188,8 @@ func getDefaultPolicyValue(v *viper.Viper) string {
 	return defaultPolicyStr
 }
 
-func (a *App) initAPI(ctx context.Context) {
-	a.initLayer(ctx)
+func (a *App) initAPI(ctx context.Context, anonSigner user.Signer) {
+	a.initLayer(ctx, anonSigner)
 	a.initHandler()
 }
 

internal/neofs/neofs.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	objectv2 "github.com/nspcc-dev/neofs-api-go/v2/object"
+	"github.com/nspcc-dev/neofs-s3-gw/api"
 	"github.com/nspcc-dev/neofs-s3-gw/api/layer"
 	"github.com/nspcc-dev/neofs-s3-gw/authmate"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
@@ -35,16 +36,26 @@ import (
 type NeoFS struct {
 	pool       *pool.Pool
 	gateSigner user.Signer
+	anonSigner user.Signer
 }
 
 // NewNeoFS creates new NeoFS using provided pool.Pool.
-func NewNeoFS(p *pool.Pool, signer user.Signer) *NeoFS {
+func NewNeoFS(p *pool.Pool, signer user.Signer, anonSigner user.Signer) *NeoFS {
 	return &NeoFS{
 		pool:       p,
 		gateSigner: signer,
+		anonSigner: anonSigner,
 	}
 }
 
+func (x *NeoFS) signer(ctx context.Context) user.Signer {
+	if api.IsAnonymousRequest(ctx) {
+		return x.anonSigner
+	}
+
+	return x.gateSigner
+}
+
 // TimeToEpoch implements neofs.NeoFS interface method.
 func (x *NeoFS) TimeToEpoch(ctx context.Context, now, futureTime time.Time) (uint64, uint64, error) {
 	dur := futureTime.Sub(now)
@@ -139,7 +150,7 @@ func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreat
 	putWaiter := waiter.NewContainerPutWaiter(x.pool, waiter.DefaultPollInterval)
 
 	// send request to save the container
-	idCnr, err := putWaiter.ContainerPut(ctx, cnr, x.gateSigner, prmPut)
+	idCnr, err := putWaiter.ContainerPut(ctx, cnr, x.signer(ctx), prmPut)
 	if err != nil {
 		return cid.ID{}, fmt.Errorf("save container via connection pool: %w", err)
 	}
@@ -166,7 +177,7 @@ func (x *NeoFS) SetContainerEACL(ctx context.Context, table eacl.Table, sessionT
 	}
 
 	eaclWaiter := waiter.NewContainerSetEACLWaiter(x.pool, waiter.DefaultPollInterval)
-	err := eaclWaiter.ContainerSetEACL(ctx, table, x.gateSigner, prm)
+	err := eaclWaiter.ContainerSetEACL(ctx, table, x.signer(ctx), prm)
 	if err != nil {
 		return fmt.Errorf("save eACL via connection pool: %w", err)
 	}
@@ -193,7 +204,7 @@ func (x *NeoFS) DeleteContainer(ctx context.Context, id cid.ID, token *session.C
 	}
 
 	deleteWaiter := waiter.NewContainerDeleteWaiter(x.pool, waiter.DefaultPollInterval)
-	err := deleteWaiter.ContainerDelete(ctx, id, x.gateSigner, prm)
+	err := deleteWaiter.ContainerDelete(ctx, id, x.signer(ctx), prm)
 	if err != nil {
 		return fmt.Errorf("delete container via connection pool: %w", err)
 	}
@@ -261,7 +272,7 @@ func (x *NeoFS) CreateObject(ctx context.Context, prm layer.PrmObjectCreate) (oi
 		prmObjPutInit.WithBearerToken(*prm.BearerToken)
 	}
 
-	writer, err := x.pool.ObjectPutInit(ctx, obj, x.gateSigner, prmObjPutInit)
+	writer, err := x.pool.ObjectPutInit(ctx, obj, x.signer(ctx), prmObjPutInit)
 	if err != nil {
 		reason, ok := isErrAccessDenied(err)
 		if ok {
@@ -310,7 +321,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 
 	if prm.WithHeader {
 		if prm.WithPayload {
-			header, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.gateSigner, prmGet)
+			header, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.signer(ctx), prmGet)
 			if err != nil {
 				if reason, ok := isErrAccessDenied(err); ok {
 					return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -339,7 +350,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 			prmHead.WithBearerToken(*prm.BearerToken)
 		}
 
-		hdrRes, err := x.pool.ObjectHead(ctx, prm.Container, prm.Object, x.gateSigner, prmHead)
+		hdrRes, err := x.pool.ObjectHead(ctx, prm.Container, prm.Object, x.signer(ctx), prmHead)
 		if err != nil {
 			if reason, ok := isErrAccessDenied(err); ok {
 				return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -357,7 +368,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 			Head: &hdr,
 		}, nil
 	} else if prm.PayloadRange[0]+prm.PayloadRange[1] == 0 {
-		_, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.gateSigner, prmGet)
+		_, res, err := x.pool.ObjectGetInit(ctx, prm.Container, prm.Object, x.signer(ctx), prmGet)
 		if err != nil {
 			if reason, ok := isErrAccessDenied(err); ok {
 				return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -377,7 +388,7 @@ func (x *NeoFS) ReadObject(ctx context.Context, prm layer.PrmObjectRead) (*layer
 		prmRange.WithBearerToken(*prm.BearerToken)
 	}
 
-	res, err := x.pool.ObjectRangeInit(ctx, prm.Container, prm.Object, prm.PayloadRange[0], prm.PayloadRange[1], x.gateSigner, prmRange)
+	res, err := x.pool.ObjectRangeInit(ctx, prm.Container, prm.Object, prm.PayloadRange[0], prm.PayloadRange[1], x.signer(ctx), prmRange)
 	if err != nil {
 		if reason, ok := isErrAccessDenied(err); ok {
 			return nil, fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)
@@ -399,7 +410,7 @@ func (x *NeoFS) DeleteObject(ctx context.Context, prm layer.PrmObjectDelete) err
 		prmDelete.WithBearerToken(*prm.BearerToken)
 	}
 
-	_, err := x.pool.ObjectDelete(ctx, prm.Container, prm.Object, x.gateSigner, prmDelete)
+	_, err := x.pool.ObjectDelete(ctx, prm.Container, prm.Object, x.signer(ctx), prmDelete)
 	if err != nil {
 		if reason, ok := isErrAccessDenied(err); ok {
 			return fmt.Errorf("%w: %s", layer.ErrAccessDenied, reason)