Skip to content

Commit

Permalink
bearer: allow to override email attribute name
Browse files Browse the repository at this point in the history
It can be Email, can be email, can be e-mail, whatever you want, but it better
be configurable since NeoFS is case-sensitive and some variants are more
appropriate in some cases.

Signed-off-by: Roman Khimov <[email protected]>
  • Loading branch information
roman-khimov committed May 26, 2023
1 parent f587c07 commit c8436ea
Show file tree
Hide file tree
Showing 5 changed files with 12 additions and 1 deletion.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ neofs:
passphrase: '' # Passphrase to decrypt wallet. If you're using a wallet without a password, place '' here.
cid: 2qAEwyRwV1sMmq8pc32mKCt1SRmTBXrzP9KbfMoHmqYM
bearer_user_id: NUVPACMnKFhpuHjsRjhUvXz1XhqfGZYVtY
bearer_email_attribute: email
```
| Parameter | Type | Default value | Description |
|---------------------------|----------|---------------|--------------------------------------------------------------------------|
Expand All @@ -72,6 +73,7 @@ neofs:
| `neofs.wallet.passphrase` | `string` | | Passphrase to decrypt wallet. |
| `neofs.cid` | `string` | | container ID in NeoFS where objects will be stored |
| `neofs.bearer_user_id` | `string` | | User ID that will be given the right to upload objects into NeoFS container (can be omitted to allow this for any owner of the token) |
| `neofs.bearer_email_attribute`| `string`| `Email` | The name of the NeoFS attribute used as to match user by his e-mail address (case sensitive as all NeoFS attributes) |

### NeoFS nodes section
```
Expand Down
3 changes: 2 additions & 1 deletion bearer/bearer.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ func NewGenerator(config *Config) *Generator {

// Config for bearer token generator.
type Config struct {
EmailAttr string
Key *keys.PrivateKey
UserID *user.ID
ContainerID cid.ID
Expand All @@ -38,7 +39,7 @@ func (b *Generator) NewBearer(email string, currentEpoch uint64) (string, string
t := eacl.CreateTable(b.config.ContainerID)
// order of rec is important
rec := eacl.CreateRecord(eacl.ActionAllow, eacl.OperationPut)
rec.AddObjectAttributeFilter(eacl.MatchStringEqual, "Email", hashedEmail)
rec.AddObjectAttributeFilter(eacl.MatchStringEqual, b.config.EmailAttr, hashedEmail)
eacl.AddFormedTarget(rec, eacl.RoleOthers)
t.AddRecord(rec)
rec2 := eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut)
Expand Down
5 changes: 5 additions & 0 deletions cmd/neofs-oauthz/app.go
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,10 @@ func (a *app) initAuthCfg(key *keys.PrivateKey) {
}
}

emailattr := a.cfg.GetString(cfgEmailAttr)
if len(emailattr) == 0 {
emailattr = defaultEmailAttr
}
lifetime := a.cfg.GetUint64(cfgBearerLifetime)
if lifetime == 0 {
lifetime = defaultBearerLifetime
Expand All @@ -222,6 +226,7 @@ func (a *app) initAuthCfg(key *keys.PrivateKey) {

a.authCfg = &auth.Config{
Bearer: &bearer.Config{
EmailAttr: emailattr,
Key: key,
UserID: userID,
ContainerID: containerID,
Expand Down
2 changes: 2 additions & 0 deletions cmd/neofs-oauthz/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (
)

const (
defaultEmailAttr = "Email"
defaultBearerCookieName = "Bearer"
defaultBearerLifetime = 30
defaultConnectTimeout = 30 * time.Second
Expand All @@ -28,6 +29,7 @@ const (
cfgTLSKey = "tls_key"

cfgContainerID = "neofs.cid"
cfgEmailAttr = "neofs.bearer_email_attribute"
cfgUserID = "neofs.bearer_user_id"
cfgBearerLifetime = "neofs.bearer_lifetime"
cfgNeoFSWalletPath = "neofs.wallet.path"
Expand Down
1 change: 1 addition & 0 deletions config/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ oauth:
token: "https://github.com/login/oauth/access_token"

neofs:
bearer_email_attribute: email # Exact name of the NeoFS attribute to be used for e-mail hash matching.
bearer_user_id: NUVPACMnKFhpuHjsRjhUvXz1XhqfGZYVtY # If set, limits bearer token issued to the specified user ID.
wallet:
path: /path/to/wallet.json
Expand Down

0 comments on commit c8436ea

Please sign in to comment.