Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: introduce act #4692

Merged
merged 12 commits into from
Aug 7, 2024
Merged

feat: introduce act #4692

merged 12 commits into from
Aug 7, 2024

Conversation

aranyia
Copy link
Contributor

@aranyia aranyia commented May 22, 2024

Checklist

  • I have read the coding guide.
  • My change requires a documentation update, and I have done it.
  • I have added tests to cover my changes.
  • I have filled out the description and linked the related issues.

Description

Access control (ACT) implementation

The Access Control Trie (ACT) is a data structure that stores access control information for Swarm nodes. It is designed to provide access to personalised credentials permission to access a particular resource.

SWIP

See the ACT SWIP PR for more details.

See historical reviews and comments in the corresponding Solar Punk PR: Solar-Punk-Ltd#11

Open API Spec Version Changes (if applicable)

The version was not upgraded, but additions to the API spec can be review merged PR: Solar-Punk-Ltd#44

Motivation and Context (Optional)

See the ACT SWIP PR to understand the more motivation in more detail.

@aranyia aranyia marked this pull request as ready for review May 27, 2024 11:54
@istae istae requested review from acha-bill and martinconic May 27, 2024 12:41
Copy link
Member

@istae istae left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

commits must follow this guideline https://github.com/ethersphere/bee/blob/master/CODING.md#commit-messages

let's also make sure all cicd checks are passing

pkg/kvs/kvs.go Outdated
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package kvs
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's move package as a subpackage to under either dynamicaccess or manifest

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved to accesscontrol

@istae istae requested a review from janos May 30, 2024 14:26
Copy link
Contributor

@acha-bill acha-bill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly cosmetic changes

pkg/soc/testing/soc.go Outdated Show resolved Hide resolved
pkg/kvs/kvs_test.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/session.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/accesslogic.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/accesslogic_test.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/history.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/grantee.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/grantee_test.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/controller.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/controller.go Outdated Show resolved Hide resolved
pkg/api/chunk.go Outdated
@@ -139,6 +141,15 @@ func (s *Service) chunkUploadHandler(w http.ResponseWriter, r *http.Request) {
}
}

encryptedReference := chunk.Address()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't be more clear to have chunkAddress instead encryptedReference ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it should be reference really

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

renamed to reference

pkg/api/soc.go Outdated
@@ -155,6 +157,15 @@ func (s *Service) socUploadHandler(w http.ResponseWriter, r *http.Request) {
return
}

encryptedReference := sch.Address()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe have schAddress instead of encryptedReference ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

renamed to reference

pkg/api/soc.go Outdated
@@ -155,6 +157,15 @@ func (s *Service) socUploadHandler(w http.ResponseWriter, r *http.Request) {
return
}

encryptedReference := sch.Address()
if headers.Act {
encryptedReference, err = s.actEncryptionHandler(r.Context(), w, putter, sch.Address(), headers.HistoryAddress)
Copy link
Contributor

@martinconic martinconic Jun 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use the assigned variable instead of sch.Address()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

call it reference and reuse it as argument of s.actEncryptionHandler

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

renamed to reference

return
}
}

err = putter.Put(r.Context(), chunk)
if err != nil {
logger.Debug("chunk upload: write chunk failed", "chunk_address", chunk.Address(), "error", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use the assigned variable instead of chunk.Address() ?

Copy link
Contributor

@bosi95 bosi95 Jun 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reference can change because of encryption so chunk.Adress() has to be used in the log

if keys == nil {
return nil, nil, err
}
return keys[0], keys[1], err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if len(keys) == 1 ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

granteesToAdd = gl.Get()
}

for _, grantee := range granteesToAdd {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way that maybe both addList and removeList might be nil or empty and here we are trying to iterate over a nil or empty list ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and is that a problem?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty and nil slice has 0 length, iterating over it does nothing. I don't think it is a problem.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the code perspective there should be no issues, just asking from the logic perspective.

Copy link
Member

@zelig zelig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls rename dynamicaccess to just access or accesscontrol
accesslogic to access or keys

Add stardard compliant comment to each exported function.

func (al *ActLogic) getKeys(publicKey *ecdsa.PublicKey) ([]byte, []byte, error) {
nonces := [][]byte{zeroByteArray, oneByteArray}
keys, err := al.Session.Key(publicKey, nonces)
if keys == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if keys == nil {
if len(keys) != len(nonces) {

the length is the same as the length of nonces but indeed better check.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed it

pkg/dynamicaccess/accesslogic.go Outdated Show resolved Hide resolved
granteesToAdd = gl.Get()
}

for _, grantee := range granteesToAdd {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and is that a problem?

return granteeRef, egranteeRef, hRef, actRef, nil
}

func (c *ControllerStruct) Get(ctx context.Context, ls file.LoadSaver, publisher *ecdsa.PublicKey, encryptedglRef swarm.Address) ([]*ecdsa.PublicKey, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Every exported function needs a stardard format comment, please let this sink in

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added comments to all exported functions and structs

pkg/dynamicaccess/controller.go Outdated Show resolved Hide resolved
return swarm.NewAddress(refBytes), nil
}

var (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this to the top of the file

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved it

}

func deserializeBytes(data []byte) *ecdsa.PublicKey {
key, err := btcec.ParsePubKey(data)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you really need another package an additional dependency here?
Use ecdsa serialisation functions

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to use the btcec.S256 curve for deserialization, so btcec is a dependency here.

if !bytes.Equal(keys1[0], keys2[0]) {
t.Fatalf("shared secrets do not match %s, %s", hex.EncodeToString(keys1[0]), hex.EncodeToString(keys2[0]))
}
// if !bytes.Equal(keys1[1], keys2[1]) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove commented code

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed

@zelig
Copy link
Member

zelig commented Jun 4, 2024

OpenAPI ci task failing on wrong credentials. Pls fix ASAP to make CICD green

Building some OpenAPI specs for you...
openapi/Swarm.yaml openapi/SwarmDebug.yaml

⚠️ This command is deprecated. Use "build" command instead.

Prerendering docs

🎉 bundled successfully in: /github/workspace/openapi/Swarm.yaml_fr0K4GtFkL2hD5nF33txjWz85u1HC6.html (1875 KiB) [⏱ 1.108s]
upload failed: openapi/Swarm.yaml_fr0K4GtFkL2hD5nF33txjWz85u1HC6.html to s3://swarm-openapi-specs/Swarm.yaml_fr0K4GtFkL2hD5nF33txjWz85u1HC6.html Unable to locate credentials

pkg/dynamicaccess/history.go Outdated Show resolved Hide resolved
pkg/api/dynamicaccess.go Outdated Show resolved Hide resolved
pkg/api/dynamicaccess.go Outdated Show resolved Hide resolved
pkg/manifest/mantaray.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/session_test.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/accesslogic.go Outdated Show resolved Hide resolved
pkg/dynamicaccess/accesslogic_test.go Outdated Show resolved Hide resolved
@aranyia
Copy link
Contributor Author

aranyia commented Jun 11, 2024

OpenAPI ci task failing on wrong credentials. Pls fix ASAP to make CICD green

Building some OpenAPI specs for you...
openapi/Swarm.yaml openapi/SwarmDebug.yaml

⚠️ This command is deprecated. Use "build" command instead.

Prerendering docs

🎉 bundled successfully in: /github/workspace/openapi/Swarm.yaml_fr0K4GtFkL2hD5nF33txjWz85u1HC6.html (1875 KiB) [⏱ 1.108s]
upload failed: openapi/Swarm.yaml_fr0K4GtFkL2hD5nF33txjWz85u1HC6.html to s3://swarm-openapi-specs/Swarm.yaml_fr0K4GtFkL2hD5nF33txjWz85u1HC6.html Unable to locate credentials

@istae I believe this problem originates from the CI configuration. There are some other pull requests with OpenApi doc changes which failing with the same issue. Could you confirm this?

@istae
Copy link
Member

istae commented Jun 11, 2024

@aranyia you may ignore the openAPI failed check.

@aranyia aranyia requested review from acha-bill, janos and zelig July 3, 2024 13:28
Copy link
Member

@janos janos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing my comments. LGTM

@aranyia aranyia force-pushed the act branch 2 times, most recently from 8f6be5b to 20e42fa Compare July 9, 2024 14:19
@gacevicljubisa
Copy link
Contributor

gacevicljubisa commented Jul 23, 2024

If you need to test your changes against some other (specific) beekeeper branch, you can do it by changing the beekeeper branch on this line https://github.com/Solar-Punk-Ltd/bee/blob/3a7f51e25391504654f3b54ec458a9499fe523f9/.github/workflows/beekeeper.yml#L17 (replace with BEEKEEPER_BRANCH: "feat/act")
just make sure that you return it to "master" branch before the merge.

Also to use new "act" check defined in beekeeper in this PR ethersphere/beekeeper#408, in the same beekeeper.yaml (bee repoistory), if new "act" check should be used, in Integration tests new step should be added(something like this):

      - name: Test act
        id: act
        run: timeout ${TIMEOUT} beekeeper check --cluster-name local-dns --checks=ci-act

@aranyia aranyia force-pushed the act branch 2 times, most recently from 5cb87b6 to cb80041 Compare July 25, 2024 09:39
Makefile Outdated
ifeq ($(BEEKEEPER_USE_SUDO), true)
sudo mv beekeeper_src/dist/beekeeper $(BEEKEEPER_INSTALL_DIR)
else
mv beekeeper_src/dist/beekeeper $(BEEKEEPER_INSTALL_DIR)
endif
rm -rf beekeeper_src
endif
test -f ~/.beekeeper.yaml || curl -sSfL https://raw.githubusercontent.com/ethersphere/beekeeper/$(BEEKEEPER_BRANCH)/config/beekeeper-local.yaml -o ~/.beekeeper.yaml
mkdir -p ~/.beekeeper && curl -sSfL https://raw.githubusercontent.com/ethersphere/beekeeper/$(BEEKEEPER_BRANCH)/config/local.yaml -o ~/.beekeeper/local.yaml
test -f ~/.beekeeper.yaml || curl -sSfL https://raw.githubusercontent.com/Solar-Punk-Ltd/beekeeper/$(BEEKEEPER_BRANCH)/config/beekeeper-local.yaml -o ~/.beekeeper.yaml
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont think this should be under SP

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverted to ethersphere (beekeeper 0.17.3 contains ACT tests)

@istae istae merged commit 7e45f3e into ethersphere:master Aug 7, 2024
13 of 14 checks passed
@aranyia aranyia mentioned this pull request Aug 8, 2024
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants