fix: Delegate storage auth on market nodes

Łukasz Magiera 2022-07-06 22:15:16 +02:00
parent 75d78de336
commit 413183e4fa
9 changed files with 82 additions and 14 deletions


@ -14,6 +14,7 @@ import (
"github.com/filecoin-project/go-fil-markets/piecestore" "github.com/filecoin-project/go-fil-markets/piecestore"
"github.com/filecoin-project/go-fil-markets/retrievalmarket" "github.com/filecoin-project/go-fil-markets/retrievalmarket"
"github.com/filecoin-project/go-fil-markets/storagemarket" "github.com/filecoin-project/go-fil-markets/storagemarket"
"github.com/filecoin-project/go-jsonrpc/auth"
"github.com/filecoin-project/go-state-types/abi" "github.com/filecoin-project/go-state-types/abi"
"github.com/filecoin-project/go-state-types/builtin/v8/market" "github.com/filecoin-project/go-state-types/builtin/v8/market"
"github.com/filecoin-project/go-state-types/builtin/v8/miner" "github.com/filecoin-project/go-state-types/builtin/v8/miner"
@ -161,6 +162,8 @@ type StorageMiner interface {
StorageLocal(ctx context.Context) (map[storiface.ID]string, error) //perm:admin StorageLocal(ctx context.Context) (map[storiface.ID]string, error) //perm:admin
StorageStat(ctx context.Context, id storiface.ID) (fsutil.FsStat, error) //perm:admin StorageStat(ctx context.Context, id storiface.ID) (fsutil.FsStat, error) //perm:admin
StorageAuthVerify(ctx context.Context, token string) ([]auth.Permission, error) //perm:read
MarketImportDealData(ctx context.Context, propcid cid.Cid, path string) error //perm:write MarketImportDealData(ctx context.Context, propcid cid.Cid, path string) error //perm:write
MarketListDeals(ctx context.Context) ([]*MarketDeal, error) //perm:read MarketListDeals(ctx context.Context) ([]*MarketDeal, error) //perm:read
MarketListRetrievalDeals(ctx context.Context) ([]retrievalmarket.ProviderDealState, error) //perm:read MarketListRetrievalDeals(ctx context.Context) ([]retrievalmarket.ProviderDealState, error) //perm:read
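Review bot: The new `StorageAuthVerify` entry in `StorageMiner` is a token-verification RPC with no doc comment, so nothing tells an implementer or caller how it differs from the existing `AuthVerify`. Going by the commit title it exists so a markets node can defer to the main storage node; I would add `// StorageAuthVerify verifies a token for remote storage (/remote) access; on a markets node the check is delegated to the main storage node.` above it. The token travels as a plain string argument, so it is worth confirming that RPC request logging and metrics on both nodes do not record method parameters.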


@ -854,6 +854,8 @@ type StorageMinerStruct struct {
StorageAttach func(p0 context.Context, p1 storiface.StorageInfo, p2 fsutil.FsStat) error `perm:"admin"` StorageAttach func(p0 context.Context, p1 storiface.StorageInfo, p2 fsutil.FsStat) error `perm:"admin"`
StorageAuthVerify func(p0 context.Context, p1 string) ([]auth.Permission, error) `perm:"read"`
StorageBestAlloc func(p0 context.Context, p1 storiface.SectorFileType, p2 abi.SectorSize, p3 storiface.PathType) ([]storiface.StorageInfo, error) `perm:"admin"` StorageBestAlloc func(p0 context.Context, p1 storiface.SectorFileType, p2 abi.SectorSize, p3 storiface.PathType) ([]storiface.StorageInfo, error) `perm:"admin"`
StorageDeclareSector func(p0 context.Context, p1 storiface.ID, p2 abi.SectorID, p3 storiface.SectorFileType, p4 bool) error `perm:"admin"` StorageDeclareSector func(p0 context.Context, p1 storiface.ID, p2 abi.SectorID, p3 storiface.SectorFileType, p4 bool) error `perm:"admin"`
@ -5041,6 +5043,17 @@ func (s *StorageMinerStub) StorageAttach(p0 context.Context, p1 storiface.Storag
return ErrNotSupported return ErrNotSupported
} }
func (s *StorageMinerStruct) StorageAuthVerify(p0 context.Context, p1 string) ([]auth.Permission, error) {
if s.Internal.StorageAuthVerify == nil {
return *new([]auth.Permission), ErrNotSupported
}
return s.Internal.StorageAuthVerify(p0, p1)
}
func (s *StorageMinerStub) StorageAuthVerify(p0 context.Context, p1 string) ([]auth.Permission, error) {
return *new([]auth.Permission), ErrNotSupported
}
func (s *StorageMinerStruct) StorageBestAlloc(p0 context.Context, p1 storiface.SectorFileType, p2 abi.SectorSize, p3 storiface.PathType) ([]storiface.StorageInfo, error) { func (s *StorageMinerStruct) StorageBestAlloc(p0 context.Context, p1 storiface.SectorFileType, p2 abi.SectorSize, p3 storiface.PathType) ([]storiface.StorageInfo, error) {
if s.Internal.StorageBestAlloc == nil { if s.Internal.StorageBestAlloc == nil {
return *new([]storiface.StorageInfo), ErrNotSupported return *new([]storiface.StorageInfo), ErrNotSupported

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -157,6 +157,7 @@
* [Storage](#Storage) * [Storage](#Storage)
* [StorageAddLocal](#StorageAddLocal) * [StorageAddLocal](#StorageAddLocal)
* [StorageAttach](#StorageAttach) * [StorageAttach](#StorageAttach)
* [StorageAuthVerify](#StorageAuthVerify)
* [StorageBestAlloc](#StorageBestAlloc) * [StorageBestAlloc](#StorageBestAlloc)
* [StorageDeclareSector](#StorageDeclareSector) * [StorageDeclareSector](#StorageDeclareSector)
* [StorageDropSector](#StorageDropSector) * [StorageDropSector](#StorageDropSector)
@ -3307,6 +3308,25 @@ Inputs:
Response: `{}` Response: `{}`
### StorageAuthVerify
Perms: read
Inputs:
```json
[
"string value"
]
```
Response:
```json
[
"write"
]
```
### StorageBestAlloc ### StorageBestAlloc


@ -44,6 +44,7 @@ import (
mktsdagstore "github.com/filecoin-project/lotus/markets/dagstore" mktsdagstore "github.com/filecoin-project/lotus/markets/dagstore"
"github.com/filecoin-project/lotus/markets/storageadapter" "github.com/filecoin-project/lotus/markets/storageadapter"
"github.com/filecoin-project/lotus/miner" "github.com/filecoin-project/lotus/miner"
"github.com/filecoin-project/lotus/node/modules"
"github.com/filecoin-project/lotus/node/modules/dtypes" "github.com/filecoin-project/lotus/node/modules/dtypes"
"github.com/filecoin-project/lotus/storage" "github.com/filecoin-project/lotus/storage"
"github.com/filecoin-project/lotus/storage/ctladdr" "github.com/filecoin-project/lotus/storage/ctladdr"
@ -97,6 +98,9 @@ type StorageMinerAPI struct {
Epp gen.WinningPoStProver `optional:"true"` Epp gen.WinningPoStProver `optional:"true"`
DS dtypes.MetadataDS DS dtypes.MetadataDS
// StorageService is populated when we're not the main storage node (e.g. we're a markets node)
StorageService modules.MinerStorageService `optional:"true"`
ConsiderOnlineStorageDealsConfigFunc dtypes.ConsiderOnlineStorageDealsConfigFunc `optional:"true"` ConsiderOnlineStorageDealsConfigFunc dtypes.ConsiderOnlineStorageDealsConfigFunc `optional:"true"`
SetConsiderOnlineStorageDealsConfigFunc dtypes.SetConsiderOnlineStorageDealsConfigFunc `optional:"true"` SetConsiderOnlineStorageDealsConfigFunc dtypes.SetConsiderOnlineStorageDealsConfigFunc `optional:"true"`
ConsiderOnlineRetrievalDealsConfigFunc dtypes.ConsiderOnlineRetrievalDealsConfigFunc `optional:"true"` ConsiderOnlineRetrievalDealsConfigFunc dtypes.ConsiderOnlineRetrievalDealsConfigFunc `optional:"true"`
@ -119,6 +123,14 @@ type StorageMinerAPI struct {
var _ api.StorageMiner = &StorageMinerAPI{} var _ api.StorageMiner = &StorageMinerAPI{}
func (sm *StorageMinerAPI) StorageAuthVerify(ctx context.Context, token string) ([]auth.Permission, error) {
if sm.StorageService != nil {
return sm.StorageService.AuthVerify(ctx, token)
}
return sm.AuthVerify(ctx, token)
}
func (sm *StorageMinerAPI) ServeRemote(perm bool) func(w http.ResponseWriter, r *http.Request) { func (sm *StorageMinerAPI) ServeRemote(perm bool) func(w http.ResponseWriter, r *http.Request) {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
if perm == true { if perm == true {
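Review bot: When `sm.StorageService` is set, `StorageAuthVerify` makes the main storage node the only authority for the token, and the method has no comment recording that trust decision or how it fails. I would document it with `// StorageAuthVerify checks token against the main storage node when StorageService is set (e.g. on a markets node); otherwise it verifies locally.` The delegated call is presumably an RPC on the request's context, so an unreachable storage node would stall or fail every request using this verifier. A bounded `context.WithTimeout` and an error wrapped with `%w` would let operators tell an outage from a rejected token. The trailing context cuts `ServeRemote` off mid-body, so its own permission check is not visible here.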


@ -124,8 +124,6 @@ func FullNodeHandler(a v1api.FullNode, permissioned bool, opts ...jsonrpc.Server
// MinerHandler returns a miner handler, to be mounted as-is on the server. // MinerHandler returns a miner handler, to be mounted as-is on the server.
func MinerHandler(a api.StorageMiner, permissioned bool) (http.Handler, error) { func MinerHandler(a api.StorageMiner, permissioned bool) (http.Handler, error) {
m := mux.NewRouter()
mapi := proxy.MetricedStorMinerAPI(a) mapi := proxy.MetricedStorMinerAPI(a)
if permissioned { if permissioned {
mapi = api.PermissionedStorMinerAPI(mapi) mapi = api.PermissionedStorMinerAPI(mapi)
@ -136,23 +134,45 @@ func MinerHandler(a api.StorageMiner, permissioned bool) (http.Handler, error) {
rpcServer.Register("Filecoin", mapi) rpcServer.Register("Filecoin", mapi)
rpcServer.AliasMethod("rpc.discover", "Filecoin.Discover") rpcServer.AliasMethod("rpc.discover", "Filecoin.Discover")
m.Handle("/rpc/v0", rpcServer) rootMux := mux.NewRouter()
m.Handle("/rpc/streams/v0/push/{uuid}", readerHandler)
m.PathPrefix("/remote").HandlerFunc(a.(*impl.StorageMinerAPI).ServeRemote(permissioned))
// debugging // remote storage
m.Handle("/debug/metrics", metrics.Exporter()) {
m.PathPrefix("/").Handler(http.DefaultServeMux) // pprof m := mux.NewRouter()
m.PathPrefix("/remote").HandlerFunc(a.(*impl.StorageMinerAPI).ServeRemote(permissioned))
if !permissioned { var hnd http.Handler = m
return m, nil if permissioned {
hnd = &auth.Handler{
Verify: a.StorageAuthVerify,
Next: m.ServeHTTP,
}
}
rootMux.PathPrefix("/remote").Handler(hnd)
} }
ah := &auth.Handler{ // local APIs
Verify: a.AuthVerify, {
Next: m.ServeHTTP, m := mux.NewRouter()
m.Handle("/rpc/v0", rpcServer)
m.Handle("/rpc/streams/v0/push/{uuid}", readerHandler)
// debugging
m.Handle("/debug/metrics", metrics.Exporter())
m.PathPrefix("/").Handler(http.DefaultServeMux) // pprof
var hnd http.Handler = m
if permissioned {
hnd = &auth.Handler{
Verify: a.AuthVerify,
Next: m.ServeHTTP,
}
}
rootMux.PathPrefix("/").Handler(hnd)
} }
return ah, nil
return rootMux, nil
} }
func handleImport(a *impl.FullNodeAPI) func(w http.ResponseWriter, r *http.Request) { func handleImport(a *impl.FullNodeAPI) func(w http.ResponseWriter, r *http.Request) {
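Review bot: `rootMux.PathPrefix("/remote")` now decides which verifier a request gets, and, assuming `mux` is gorilla/mux, prefix matching does not treat slashes specially, so a path such as `/remotefoo` lands in the block guarded by `a.StorageAuthVerify` rather than the one guarded by `a.AuthVerify`. Before this change both paths sat behind the same verifier, so the loose prefix had no authorization consequence. If every remote-store route lives under `/remote/`, I would tighten both matches to `PathPrefix("/remote/")` and add a comment above each block naming which node's tokens it trusts. The unchecked `a.(*impl.StorageMinerAPI)` assertion is carried over from the old code and panics for any other `api.StorageMiner`; since `MinerHandler` already returns an error, `sm, ok := a.(*impl.StorageMinerAPI)` with an error return on `!ok` would fit.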