cli option to disable SS ACL check

This commit is contained in:
Svyatoslav Nikolsky 2017-07-27 15:48:07 +03:00
parent 7c05a906d0
commit c345bc3d85
13 changed files with 53 additions and 37 deletions

View File

@ -79,6 +79,7 @@ pass = "test_pass"
[secretstore]
disable = false
disable_http = false
disable_acl_check = false
nodes = []
http_interface = "local"
http_port = 8082

View File

@ -218,6 +218,8 @@ usage! {
or |c: &Config| otry!(c.secretstore).disable.clone(),
flag_no_secretstore_http: bool = false,
or |c: &Config| otry!(c.secretstore).disable_http.clone(),
flag_no_secretstore_acl_check: bool = false,
or |c: &Config| otry!(c.secretstore).disable_acl_check.clone(),
flag_secretstore_secret: Option<String> = None,
or |c: &Config| otry!(c.secretstore).self_secret.clone().map(Some),
flag_secretstore_nodes: String = "",
@ -513,6 +515,7 @@ struct Dapps {
struct SecretStore {
disable: Option<bool>,
disable_http: Option<bool>,
disable_acl_check: Option<bool>,
self_secret: Option<String>,
nodes: Option<Vec<String>>,
interface: Option<String>,
@ -783,6 +786,7 @@ mod tests {
flag_no_secretstore: false,
flag_no_secretstore_http: false,
flag_no_secretstore_acl_check: false,
flag_secretstore_secret: None,
flag_secretstore_nodes: "".into(),
flag_secretstore_interface: "local".into(),
@ -1014,6 +1018,7 @@ mod tests {
secretstore: Some(SecretStore {
disable: None,
disable_http: None,
disable_acl_check: None,
self_secret: None,
nodes: None,
interface: None,

View File

@ -229,6 +229,7 @@ API and Console Options:
Secret Store Options:
--no-secretstore Disable Secret Store functionality. (default: {flag_no_secretstore})
--no-secretstore-http Disable Secret Store HTTP API. (default: {flag_no_secretstore_http})
--no-acl-check Disable ACL check (useful for test environments). (default: {flag_no_secretstore_acl_check})
--secretstore-secret SECRET Hex-encoded secret key of this node.
(required, default: {flag_secretstore_secret:?}).
--secretstore-nodes NODES Comma-separated list of other secret store cluster nodes in form

View File

@ -587,6 +587,7 @@ impl Configuration {
Ok(SecretStoreConfiguration {
enabled: self.secretstore_enabled(),
http_enabled: self.secretstore_http_enabled(),
acl_check_enabled: self.secretstore_acl_check_enabled(),
self_secret: self.secretstore_self_secret()?,
nodes: self.secretstore_nodes()?,
interface: self.secretstore_interface(),
@ -1055,6 +1056,10 @@ impl Configuration {
!self.args.flag_no_secretstore_http && cfg!(feature = "secretstore")
}
fn secretstore_acl_check_enabled(&self) -> bool {
!self.args.flag_no_secretstore_acl_check
}
fn ui_enabled(&self) -> bool {
if self.args.flag_force_ui {
return true;

View File

@ -39,6 +39,8 @@ pub struct Configuration {
pub enabled: bool,
/// Is HTTP API enabled?
pub http_enabled: bool,
/// Is ACL check enabled.
pub acl_check_enabled: bool,
/// This node secret.
pub self_secret: Option<NodeSecretKey>,
/// Other nodes IDs + addresses.
@ -126,6 +128,7 @@ mod server {
port: conf.http_port,
}) } else { None },
data_path: conf.data_path.clone(),
acl_check_enabled: conf.acl_check_enabled,
cluster_config: ethcore_secretstore::ClusterConfiguration {
threads: 4,
listener_address: ethcore_secretstore::NodeAddress {
@ -160,6 +163,7 @@ impl Default for Configuration {
Configuration {
enabled: true,
http_enabled: true,
acl_check_enabled: true,
self_secret: None,
nodes: BTreeMap::new(),
interface: "127.0.0.1".to_owned(),

View File

@ -15,8 +15,9 @@
// along with Parity. If not, see <http://www.gnu.org/licenses/>.
use std::sync::{Arc, Weak};
use std::collections::{HashMap, HashSet};
use futures::{future, Future};
use parking_lot::Mutex;
use parking_lot::{Mutex, RwLock};
use ethkey::public_to_address;
use ethcore::client::{Client, BlockChainClient, BlockId, ChainNotify};
use native_contracts::SecretStoreAclStorage;
@ -47,6 +48,12 @@ struct CachedContract {
contract: Option<SecretStoreAclStorage>,
}
#[derive(Default, Debug)]
/// Dummy ACL storage implementation (check always passed).
pub struct DummyAclStorage {
prohibited: RwLock<HashMap<Public, HashSet<ServerKeyId>>>,
}
impl OnChainAclStorage {
pub fn new(client: &Arc<Client>) -> Arc<Self> {
let acl_storage = Arc::new(OnChainAclStorage {
@ -113,19 +120,6 @@ impl CachedContract {
}
}
#[cfg(test)]
pub mod tests {
use std::collections::{HashMap, HashSet};
use parking_lot::RwLock;
use types::all::{Error, ServerKeyId, Public};
use super::AclStorage;
#[derive(Default, Debug)]
/// Dummy ACL storage implementation
pub struct DummyAclStorage {
prohibited: RwLock<HashMap<Public, HashSet<ServerKeyId>>>,
}
impl DummyAclStorage {
#[cfg(test)]
/// Prohibit given requestor access to given document
@ -145,4 +139,3 @@ pub mod tests {
.unwrap_or(true))
}
}
}

View File

@ -196,7 +196,7 @@ pub mod tests {
use std::collections::BTreeMap;
use ethcrypto;
use ethkey::{self, Secret, Random, Generator};
use acl_storage::tests::DummyAclStorage;
use acl_storage::DummyAclStorage;
use key_storage::tests::DummyKeyStorage;
use node_key_pair::PlainNodeKeyPair;
use key_server_set::tests::MapKeyServerSet;

View File

@ -467,7 +467,7 @@ impl Ord for DecryptionSessionId {
mod tests {
use std::sync::Arc;
use std::collections::BTreeMap;
use super::super::super::acl_storage::tests::DummyAclStorage;
use super::super::super::acl_storage::DummyAclStorage;
use ethkey::{self, KeyPair, Random, Generator, Public, Secret};
use key_server_cluster::{NodeId, DocumentKeyShare, SessionId, Error, EncryptedDocumentKeyShadow, SessionMeta};
use key_server_cluster::cluster::tests::DummyCluster;

View File

@ -36,7 +36,7 @@ pub use super::node_key_pair::PlainNodeKeyPair;
#[cfg(test)]
pub use super::key_storage::tests::DummyKeyStorage;
#[cfg(test)]
pub use super::acl_storage::tests::DummyAclStorage;
pub use super::acl_storage::DummyAclStorage;
#[cfg(test)]
pub use super::key_server_set::tests::MapKeyServerSet;

View File

@ -572,7 +572,7 @@ mod tests {
use std::collections::{BTreeMap, VecDeque};
use ethkey::{self, Random, Generator, Public};
use util::H256;
use super::super::super::acl_storage::tests::DummyAclStorage;
use super::super::super::acl_storage::DummyAclStorage;
use key_server_cluster::{NodeId, SessionId, SessionMeta, Error, KeyStorage};
use key_server_cluster::cluster::tests::DummyCluster;
use key_server_cluster::generation_session::{Session as GenerationSession};

View File

@ -235,6 +235,7 @@ pub mod tests {
let path = RandomTempPath::create_dir();
let config = ServiceConfiguration {
listener_address: None,
acl_check_enabled: true,
data_path: path.as_str().to_owned(),
cluster_config: ClusterConfiguration {
threads: 1,

View File

@ -73,7 +73,11 @@ pub use self::node_key_pair::{PlainNodeKeyPair, KeyStoreNodeKeyPair};
pub fn start(client: Arc<Client>, self_key_pair: Arc<NodeKeyPair>, config: ServiceConfiguration) -> Result<Box<KeyServer>, Error> {
use std::sync::Arc;
let acl_storage = acl_storage::OnChainAclStorage::new(&client);
let acl_storage: Arc<acl_storage::AclStorage> = if config.acl_check_enabled {
acl_storage::OnChainAclStorage::new(&client)
} else {
Arc::new(acl_storage::DummyAclStorage::default())
};
let key_server_set = key_server_set::OnChainKeyServerSet::new(&client, config.cluster_config.nodes.clone())?;
let key_storage = Arc::new(key_storage::PersistentKeyStorage::new(&config)?);
let key_server = key_server::KeyServerImpl::new(&config.cluster_config, key_server_set, self_key_pair, acl_storage, key_storage)?;

View File

@ -71,6 +71,8 @@ pub struct NodeAddress {
pub struct ServiceConfiguration {
/// HTTP listener address. If None, HTTP API is disabled.
pub listener_address: Option<NodeAddress>,
/// Is ACL check enabled. If false, everyone has access to all keys. Useful for tests only.
pub acl_check_enabled: bool,
/// Data directory path for secret store
pub data_path: String,
/// Cluster configuration.