Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[#65] Allow no sign requests #79

Merged
merged 3 commits into from
Jun 15, 2021
Merged

[#65] Allow no sign requests #79

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f733ec3
[#65] Allow no sign requests
KirillovDenis Jun 11, 2021
fe970f5
[#65] Added NoAuthorizationHeader error
KirillovDenis Jun 11, 2021
0f5ab78
[#65] Using containerList falls back
KirillovDenis Jun 13, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion api/auth/center.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ type (
prs int
)

var ErrNoAuthorizationHeader = errors.New("no authorization header")

func (p prs) Read(_ []byte) (n int, err error) {
panic("implement me")
}
Expand All @@ -70,7 +72,7 @@ func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {

authHeaderField := r.Header["Authorization"]
if len(authHeaderField) != 1 {
return nil, errors.New("unsupported request: wrong length of Authorization header field")
return nil, ErrNoAuthorizationHeader
}

sms1 := c.reg.getSubmatches(authHeaderField[0])
Expand Down
22 changes: 13 additions & 9 deletions api/layer/layer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,18 +130,22 @@ func (n *layer) GetBucketInfo(ctx context.Context, name string) (*BucketInfo, er
return nil, err
}

list, err := n.containerList(ctx)
if err != nil {
return nil, err
}

for _, bkt := range list {
if bkt.Name == name {
return bkt, nil
containerID := new(cid.ID)
if err := containerID.Parse(name); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure why do you do this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

containerList(ctx) returns containers whose owner is request sender. If we interact with some public container but sender is not its owner returned list will be empty

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It only works if we're using container ID as name, but we might as well use the name from attribute, so we need some logic to do that too. Your current code is at the same time an optimization for CID, so we can leave it, but instead of returning an error on the next line it should still try to fetch the container via listing (as was done by the old code). This way CIDs will work for public unauthenticated containers, but authenticated users could still access containers via names from attributes.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What should we do if a public container is requested by name?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Return error, you can't list all containers to find the one with proper name.

list, err := n.containerList(ctx)
if err != nil {
return nil, err
}
for _, bkt := range list {
if bkt.Name == name {
return bkt, nil
}
}

return nil, status.Error(codes.NotFound, "bucket not found")
}

return nil, status.Error(codes.NotFound, "bucket not found")
return n.containerInfo(ctx, containerID)
}

// ListBuckets returns all user containers. Name of the bucket is a container
Expand Down
17 changes: 12 additions & 5 deletions api/user-auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,15 +19,22 @@ var BearerTokenKey = KeyWrapper("__context_bearer_token_key")
func AttachUserAuth(router *mux.Router, center auth.Center, log *zap.Logger) {
router.Use(func(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var ctx context.Context
token, err := center.Authenticate(r)
if err != nil {
log.Error("failed to pass authentication", zap.Error(err))
WriteErrorResponse(r.Context(), w, GetAPIError(ErrAccessDenied), r.URL)
return
if err == auth.ErrNoAuthorizationHeader {
log.Debug("couldn't receive bearer token, using neofs-key")
ctx = r.Context()
} else {
log.Error("failed to pass authentication", zap.Error(err))
WriteErrorResponse(r.Context(), w, GetAPIError(ErrAccessDenied), r.URL)
return
}
} else {
ctx = context.WithValue(r.Context(), BearerTokenKey, token)
}

h.ServeHTTP(w, r.WithContext(
context.WithValue(r.Context(), BearerTokenKey, token)))
h.ServeHTTP(w, r.WithContext(ctx))
})
})
}