feat: introduce act #4692
feat: introduce act #4692
Conversation
There was a problem hiding this comment.
commits must follow this guideline https://github.com/ethersphere/bee/blob/master/CODING.md#commit-messages
let's also make sure all cicd checks are passing
pkg/kvs/kvs.go
Outdated
| // Use of this source code is governed by a BSD-style | ||
| // license that can be found in the LICENSE file. | ||
|
|
||
| package kvs |
There was a problem hiding this comment.
let's move package as a subpackage to under either dynamicaccess or manifest
pkg/api/chunk.go
Outdated
| @@ -139,6 +141,15 @@ func (s *Service) chunkUploadHandler(w http.ResponseWriter, r *http.Request) { | |||
| } | |||
| } | |||
|
|
|||
| encryptedReference := chunk.Address() | |||
There was a problem hiding this comment.
Wouldn't be more clear to have chunkAddress instead encryptedReference ?
pkg/api/soc.go
Outdated
| @@ -155,6 +157,15 @@ func (s *Service) socUploadHandler(w http.ResponseWriter, r *http.Request) { | |||
| return | |||
| } | |||
|
|
|||
| encryptedReference := sch.Address() | |||
There was a problem hiding this comment.
Maybe have schAddress instead of encryptedReference ?
pkg/api/soc.go
Outdated
| @@ -155,6 +157,15 @@ func (s *Service) socUploadHandler(w http.ResponseWriter, r *http.Request) { | |||
| return | |||
| } | |||
|
|
|||
| encryptedReference := sch.Address() | |||
| if headers.Act { | |||
| encryptedReference, err = s.actEncryptionHandler(r.Context(), w, putter, sch.Address(), headers.HistoryAddress) | |||
There was a problem hiding this comment.
Should we use the assigned variable instead of sch.Address()
There was a problem hiding this comment.
call it reference and reuse it as argument of s.actEncryptionHandler
| return | ||
| } | ||
| } | ||
|
|
||
| err = putter.Put(r.Context(), chunk) | ||
| if err != nil { | ||
| logger.Debug("chunk upload: write chunk failed", "chunk_address", chunk.Address(), "error", err) |
There was a problem hiding this comment.
Should we use the assigned variable instead of chunk.Address() ?
There was a problem hiding this comment.
reference can change because of encryption so chunk.Adress() has to be used in the log
pkg/dynamicaccess/accesslogic.go
Outdated
| if keys == nil { | ||
| return nil, nil, err | ||
| } | ||
| return keys[0], keys[1], err |
There was a problem hiding this comment.
What if len(keys) == 1 ?
pkg/dynamicaccess/controller.go
Outdated
| granteesToAdd = gl.Get() | ||
| } | ||
|
|
||
| for _, grantee := range granteesToAdd { |
There was a problem hiding this comment.
Is there a way that maybe both addList and removeList might be nil or empty and here we are trying to iterate over a nil or empty list ?
There was a problem hiding this comment.
Empty and nil slice has 0 length, iterating over it does nothing. I don't think it is a problem.
There was a problem hiding this comment.
From the code perspective there should be no issues, just asking from the logic perspective.
pkg/dynamicaccess/accesslogic.go
Outdated
| func (al *ActLogic) getKeys(publicKey *ecdsa.PublicKey) ([]byte, []byte, error) { | ||
| nonces := [][]byte{zeroByteArray, oneByteArray} | ||
| keys, err := al.Session.Key(publicKey, nonces) | ||
| if keys == nil { |
There was a problem hiding this comment.
| if keys == nil { | |
| if len(keys) != len(nonces) { |
the length is the same as the length of nonces but indeed better check.
pkg/dynamicaccess/controller.go
Outdated
| granteesToAdd = gl.Get() | ||
| } | ||
|
|
||
| for _, grantee := range granteesToAdd { |
pkg/dynamicaccess/controller.go
Outdated
| return granteeRef, egranteeRef, hRef, actRef, nil | ||
| } | ||
|
|
||
| func (c *ControllerStruct) Get(ctx context.Context, ls file.LoadSaver, publisher *ecdsa.PublicKey, encryptedglRef swarm.Address) ([]*ecdsa.PublicKey, error) { |
There was a problem hiding this comment.
Every exported function needs a stardard format comment, please let this sink in
There was a problem hiding this comment.
Added comments to all exported functions and structs
pkg/dynamicaccess/grantee.go
Outdated
| return swarm.NewAddress(refBytes), nil | ||
| } | ||
|
|
||
| var ( |
pkg/dynamicaccess/grantee.go
Outdated
| } | ||
|
|
||
| func deserializeBytes(data []byte) *ecdsa.PublicKey { | ||
| key, err := btcec.ParsePubKey(data) |
There was a problem hiding this comment.
do you really need another package an additional dependency here?
Use ecdsa serialisation functions
There was a problem hiding this comment.
We need to use the btcec.S256 curve for deserialization, so btcec is a dependency here.
pkg/dynamicaccess/session_test.go
Outdated
| if !bytes.Equal(keys1[0], keys2[0]) { | ||
| t.Fatalf("shared secrets do not match %s, %s", hex.EncodeToString(keys1[0]), hex.EncodeToString(keys2[0])) | ||
| } | ||
| // if !bytes.Equal(keys1[1], keys2[1]) { |
|
OpenAPI ci task failing on wrong credentials. Pls fix ASAP to make CICD green |
@istae I believe this problem originates from the CI configuration. There are some other pull requests with OpenApi doc changes which failing with the same issue. Could you confirm this? |
|
@aranyia you may ignore the openAPI failed check. |
aranyia
force-pushed
the
act
branch
2 times, most recently
from
8f6be5b
to
20e42fa
Compare
|
If you need to test your changes against some other (specific) beekeeper branch, you can do it by changing the beekeeper branch on this line https://github.com/Solar-Punk-Ltd/bee/blob/3a7f51e25391504654f3b54ec458a9499fe523f9/.github/workflows/beekeeper.yml#L17 (replace with BEEKEEPER_BRANCH: "feat/act") Also to use new "act" check defined in beekeeper in this PR ethersphere/beekeeper#408, in the same beekeeper.yaml (bee repoistory), if new "act" check should be used, in Integration tests new step should be added(something like this): |
aranyia
force-pushed
the
act
branch
2 times, most recently
from
5cb87b6
to
cb80041
Compare
Makefile
Outdated
| ifeq ($(BEEKEEPER_USE_SUDO), true) | ||
| sudo mv beekeeper_src/dist/beekeeper $(BEEKEEPER_INSTALL_DIR) | ||
| else | ||
| mv beekeeper_src/dist/beekeeper $(BEEKEEPER_INSTALL_DIR) | ||
| endif | ||
| rm -rf beekeeper_src | ||
| endif | ||
| test -f ~/.beekeeper.yaml || curl -sSfL https://raw.githubusercontent.com/ethersphere/beekeeper/$(BEEKEEPER_BRANCH)/config/beekeeper-local.yaml -o ~/.beekeeper.yaml | ||
| mkdir -p ~/.beekeeper && curl -sSfL https://raw.githubusercontent.com/ethersphere/beekeeper/$(BEEKEEPER_BRANCH)/config/local.yaml -o ~/.beekeeper/local.yaml | ||
| test -f ~/.beekeeper.yaml || curl -sSfL https://raw.githubusercontent.com/Solar-Punk-Ltd/beekeeper/$(BEEKEEPER_BRANCH)/config/beekeeper-local.yaml -o ~/.beekeeper.yaml |
There was a problem hiding this comment.
i dont think this should be under SP
There was a problem hiding this comment.
Reverted to ethersphere (beekeeper 0.17.3 contains ACT tests)
Co-authored-by: Ferenc Sárai <[email protected]>
Co-authored-by: Ferenc Sárai <[email protected]>
Checklist
Description
Access control (ACT) implementation
The Access Control Trie (ACT) is a data structure that stores access control information for Swarm nodes. It is designed to provide access to personalised credentials permission to access a particular resource.
SWIP
See the ACT SWIP PR for more details.
See historical reviews and comments in the corresponding Solar Punk PR: Solar-Punk-Ltd#11
Open API Spec Version Changes (if applicable)
The version was not upgraded, but additions to the API spec can be review merged PR: Solar-Punk-Ltd#44
Motivation and Context (Optional)
See the ACT SWIP PR to understand the more motivation in more detail.