-
Notifications
You must be signed in to change notification settings - Fork 338
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: introduce act #4692
feat: introduce act #4692
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
commits must follow this guideline https://github.com/ethersphere/bee/blob/master/CODING.md#commit-messages
let's also make sure all cicd checks are passing
pkg/kvs/kvs.go
Outdated
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package kvs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's move package as a subpackage to under either dynamicaccess or manifest
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
moved to accesscontrol
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly cosmetic changes
pkg/api/chunk.go
Outdated
@@ -139,6 +141,15 @@ func (s *Service) chunkUploadHandler(w http.ResponseWriter, r *http.Request) { | |||
} | |||
} | |||
|
|||
encryptedReference := chunk.Address() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't be more clear to have chunkAddress
instead encryptedReference
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should be reference
really
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
renamed to reference
pkg/api/soc.go
Outdated
@@ -155,6 +157,15 @@ func (s *Service) socUploadHandler(w http.ResponseWriter, r *http.Request) { | |||
return | |||
} | |||
|
|||
encryptedReference := sch.Address() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe have schAddress
instead of encryptedReference
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
renamed to reference
pkg/api/soc.go
Outdated
@@ -155,6 +157,15 @@ func (s *Service) socUploadHandler(w http.ResponseWriter, r *http.Request) { | |||
return | |||
} | |||
|
|||
encryptedReference := sch.Address() | |||
if headers.Act { | |||
encryptedReference, err = s.actEncryptionHandler(r.Context(), w, putter, sch.Address(), headers.HistoryAddress) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use the assigned variable instead of sch.Address()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
call it reference and reuse it as argument of s.actEncryptionHandler
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
renamed to reference
return | ||
} | ||
} | ||
|
||
err = putter.Put(r.Context(), chunk) | ||
if err != nil { | ||
logger.Debug("chunk upload: write chunk failed", "chunk_address", chunk.Address(), "error", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use the assigned variable instead of chunk.Address()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reference can change because of encryption so chunk.Adress() has to be used in the log
pkg/dynamicaccess/accesslogic.go
Outdated
if keys == nil { | ||
return nil, nil, err | ||
} | ||
return keys[0], keys[1], err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if len(keys) == 1
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
pkg/dynamicaccess/controller.go
Outdated
granteesToAdd = gl.Get() | ||
} | ||
|
||
for _, grantee := range granteesToAdd { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way that maybe both addList
and removeList
might be nil
or empty
and here we are trying to iterate over a nil
or empty
list ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and is that a problem?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Empty and nil slice has 0 length, iterating over it does nothing. I don't think it is a problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the code perspective there should be no issues, just asking from the logic perspective.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pls rename dynamicaccess
to just access
or accesscontrol
accesslogic
to access
or keys
Add stardard compliant comment to each exported function.
pkg/dynamicaccess/accesslogic.go
Outdated
func (al *ActLogic) getKeys(publicKey *ecdsa.PublicKey) ([]byte, []byte, error) { | ||
nonces := [][]byte{zeroByteArray, oneByteArray} | ||
keys, err := al.Session.Key(publicKey, nonces) | ||
if keys == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if keys == nil { | |
if len(keys) != len(nonces) { |
the length is the same as the length of nonces but indeed better check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed it
pkg/dynamicaccess/controller.go
Outdated
granteesToAdd = gl.Get() | ||
} | ||
|
||
for _, grantee := range granteesToAdd { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and is that a problem?
pkg/dynamicaccess/controller.go
Outdated
return granteeRef, egranteeRef, hRef, actRef, nil | ||
} | ||
|
||
func (c *ControllerStruct) Get(ctx context.Context, ls file.LoadSaver, publisher *ecdsa.PublicKey, encryptedglRef swarm.Address) ([]*ecdsa.PublicKey, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Every exported function needs a stardard format comment, please let this sink in
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added comments to all exported functions and structs
pkg/dynamicaccess/grantee.go
Outdated
return swarm.NewAddress(refBytes), nil | ||
} | ||
|
||
var ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this to the top of the file
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
moved it
pkg/dynamicaccess/grantee.go
Outdated
} | ||
|
||
func deserializeBytes(data []byte) *ecdsa.PublicKey { | ||
key, err := btcec.ParsePubKey(data) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do you really need another package an additional dependency here?
Use ecdsa serialisation functions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to use the btcec.S256 curve for deserialization, so btcec is a dependency here.
pkg/dynamicaccess/session_test.go
Outdated
if !bytes.Equal(keys1[0], keys2[0]) { | ||
t.Fatalf("shared secrets do not match %s, %s", hex.EncodeToString(keys1[0]), hex.EncodeToString(keys2[0])) | ||
} | ||
// if !bytes.Equal(keys1[1], keys2[1]) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove commented code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed
OpenAPI ci task failing on wrong credentials. Pls fix ASAP to make CICD green
|
@istae I believe this problem originates from the CI configuration. There are some other pull requests with OpenApi doc changes which failing with the same issue. Could you confirm this? |
@aranyia you may ignore the openAPI failed check. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for addressing my comments. LGTM
8f6be5b
to
20e42fa
Compare
If you need to test your changes against some other (specific) beekeeper branch, you can do it by changing the beekeeper branch on this line https://github.com/Solar-Punk-Ltd/bee/blob/3a7f51e25391504654f3b54ec458a9499fe523f9/.github/workflows/beekeeper.yml#L17 (replace with BEEKEEPER_BRANCH: "feat/act") Also to use new "act" check defined in beekeeper in this PR ethersphere/beekeeper#408, in the same beekeeper.yaml (bee repoistory), if new "act" check should be used, in Integration tests new step should be added(something like this):
|
5cb87b6
to
cb80041
Compare
Makefile
Outdated
ifeq ($(BEEKEEPER_USE_SUDO), true) | ||
sudo mv beekeeper_src/dist/beekeeper $(BEEKEEPER_INSTALL_DIR) | ||
else | ||
mv beekeeper_src/dist/beekeeper $(BEEKEEPER_INSTALL_DIR) | ||
endif | ||
rm -rf beekeeper_src | ||
endif | ||
test -f ~/.beekeeper.yaml || curl -sSfL https://raw.githubusercontent.com/ethersphere/beekeeper/$(BEEKEEPER_BRANCH)/config/beekeeper-local.yaml -o ~/.beekeeper.yaml | ||
mkdir -p ~/.beekeeper && curl -sSfL https://raw.githubusercontent.com/ethersphere/beekeeper/$(BEEKEEPER_BRANCH)/config/local.yaml -o ~/.beekeeper/local.yaml | ||
test -f ~/.beekeeper.yaml || curl -sSfL https://raw.githubusercontent.com/Solar-Punk-Ltd/beekeeper/$(BEEKEEPER_BRANCH)/config/beekeeper-local.yaml -o ~/.beekeeper.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i dont think this should be under SP
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reverted to ethersphere (beekeeper 0.17.3 contains ACT tests)
Co-authored-by: Ferenc Sárai <[email protected]>
Co-authored-by: Ferenc Sárai <[email protected]>
Checklist
Description
Access control (ACT) implementation
The Access Control Trie (ACT) is a data structure that stores access control information for Swarm nodes. It is designed to provide access to personalised credentials permission to access a particular resource.
SWIP
See the ACT SWIP PR for more details.
See historical reviews and comments in the corresponding Solar Punk PR: Solar-Punk-Ltd#11
Open API Spec Version Changes (if applicable)
The version was not upgraded, but additions to the API spec can be review merged PR: Solar-Punk-Ltd#44
Motivation and Context (Optional)
See the ACT SWIP PR to understand the more motivation in more detail.