Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

node/container: check session tokens on SN side #2903

Merged
merged 1 commit into from
Jul 31, 2024
Merged

node/container: check session tokens on SN side #2903

merged 1 commit into from
Jul 31, 2024

Conversation

carpawell
Copy link
Member

Closes #2898.

@carpawell carpawell self-assigned this Jul 29, 2024
@carpawell carpawell force-pushed the fix/check-session-token-expiration branch 3 times, most recently from 9f67a9f to ef47bea Compare July 30, 2024 16:45
@carpawell carpawell marked this pull request as ready for review July 30, 2024 16:45
@carpawell carpawell requested a review from smallhive July 30, 2024 16:45
@codecov Codecov
Copy link

codecov bot commented Jul 30, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 84.21053% with 3 lines in your changes missing coverage. Please review.

Project coverage is 23.66%. Comparing base (1ebe897) to head (456b7fa).

Files Patch % Lines
pkg/services/container/morph/executor.go 88.88% 1 Missing and 1 partial ⚠️
cmd/neofs-node/container.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2903      +/-   ##
==========================================
+ Coverage   23.64%   23.66%   +0.01%     
==========================================
  Files         774      774              
  Lines       44872    44887      +15     
==========================================
+ Hits        10610    10621      +11     
- Misses      33417    33419       +2     
- Partials      845      847       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

cthulhu-rider
cthulhu-rider reviewed Jul 30, 2024
View reviewed changes
Copy link
Contributor

@cthulhu-rider cthulhu-rider left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good overall

pkg/services/container/morph/executor.go Outdated
@@ -337,6 +341,22 @@ func (s *morphExecutor) validateToken(t *sessionV2.Token, cIDV2 *refs.ContainerI
return fmt.Errorf("incorrect token signature: %w", err)
}

if lt := t.GetBody().GetLifetime(); lt != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why u decided to make lifetime optional? IR denies such tokens

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tbh, it was not easy to check:

  1. API does not claim it as a required field: https://github.com/nspcc-dev/neofs-api/blob/4bd8b4da96c810e69a9a1336adb5e4e84bac62eb/session/types.proto#L98-L110
  2. IR unmarshals it (and it can be done without any errors for a token without lifetime) and only when i looked at InvalidAt i found that it should be set (so it is not required now in fact, it is: unset lifetime == expired lifetime)

fixed, but not sure why it was so difficult to prove (and not sure what error should be)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

API does not claim it as a required field

u goddamn right! This brings us to the next topic

lets consider corner case not really expected in practice:

  • current epoch is 0
  • 1st request has no embedded lifetime field
  • 2nd one has it with all zeros

according to lifetime claim docs and protobuf, both tokens are valid. Then why we require the field? I think we should start treating the field as optional (fix SDK code) and simply work with values as they are (defaulting to 0). What do u think?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do u think?

i think in any case we should add some words to the API (optional/required). about optionality: i think it is ok to have a token without a lifetime, though it can be considered a security issue

@roman-khimov

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We better have lifetime mandatory.

@carpawell
node/container: check session tokens on SN side
456b7fa 
Closes #2898.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
@carpawell carpawell force-pushed the fix/check-session-token-expiration branch from ef47bea to 456b7fa Compare July 31, 2024 13:34
@cthulhu-rider cthulhu-rider merged commit d073407 into master Jul 31, 2024
20 of 22 checks passed
@cthulhu-rider cthulhu-rider deleted the fix/check-session-token-expiration branch July 31, 2024 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roman-khimov roman-khimov roman-khimov approved these changes

@cthulhu-rider cthulhu-rider cthulhu-rider approved these changes

@smallhive smallhive Awaiting requested review from smallhive

Assignees

@carpawell carpawell

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Validate session token on the node
3 participants
@carpawell @roman-khimov @cthulhu-rider