cli option to disable SS ACL check
This commit is contained in:
parent
7c05a906d0
commit
c345bc3d85
@ -79,6 +79,7 @@ pass = "test_pass"
|
||||
[secretstore]
|
||||
disable = false
|
||||
disable_http = false
|
||||
disable_acl_check = false
|
||||
nodes = []
|
||||
http_interface = "local"
|
||||
http_port = 8082
|
||||
|
@ -218,6 +218,8 @@ usage! {
|
||||
or |c: &Config| otry!(c.secretstore).disable.clone(),
|
||||
flag_no_secretstore_http: bool = false,
|
||||
or |c: &Config| otry!(c.secretstore).disable_http.clone(),
|
||||
flag_no_secretstore_acl_check: bool = false,
|
||||
or |c: &Config| otry!(c.secretstore).disable_acl_check.clone(),
|
||||
flag_secretstore_secret: Option<String> = None,
|
||||
or |c: &Config| otry!(c.secretstore).self_secret.clone().map(Some),
|
||||
flag_secretstore_nodes: String = "",
|
||||
@ -513,6 +515,7 @@ struct Dapps {
|
||||
struct SecretStore {
|
||||
disable: Option<bool>,
|
||||
disable_http: Option<bool>,
|
||||
disable_acl_check: Option<bool>,
|
||||
self_secret: Option<String>,
|
||||
nodes: Option<Vec<String>>,
|
||||
interface: Option<String>,
|
||||
@ -783,6 +786,7 @@ mod tests {
|
||||
|
||||
flag_no_secretstore: false,
|
||||
flag_no_secretstore_http: false,
|
||||
flag_no_secretstore_acl_check: false,
|
||||
flag_secretstore_secret: None,
|
||||
flag_secretstore_nodes: "".into(),
|
||||
flag_secretstore_interface: "local".into(),
|
||||
@ -1014,6 +1018,7 @@ mod tests {
|
||||
secretstore: Some(SecretStore {
|
||||
disable: None,
|
||||
disable_http: None,
|
||||
disable_acl_check: None,
|
||||
self_secret: None,
|
||||
nodes: None,
|
||||
interface: None,
|
||||
|
@ -229,6 +229,7 @@ API and Console Options:
|
||||
Secret Store Options:
|
||||
--no-secretstore Disable Secret Store functionality. (default: {flag_no_secretstore})
|
||||
--no-secretstore-http Disable Secret Store HTTP API. (default: {flag_no_secretstore_http})
|
||||
--no-acl-check Disable ACL check (useful for test environments). (default: {flag_no_secretstore_acl_check})
|
||||
--secretstore-secret SECRET Hex-encoded secret key of this node.
|
||||
(required, default: {flag_secretstore_secret:?}).
|
||||
--secretstore-nodes NODES Comma-separated list of other secret store cluster nodes in form
|
||||
|
@ -587,6 +587,7 @@ impl Configuration {
|
||||
Ok(SecretStoreConfiguration {
|
||||
enabled: self.secretstore_enabled(),
|
||||
http_enabled: self.secretstore_http_enabled(),
|
||||
acl_check_enabled: self.secretstore_acl_check_enabled(),
|
||||
self_secret: self.secretstore_self_secret()?,
|
||||
nodes: self.secretstore_nodes()?,
|
||||
interface: self.secretstore_interface(),
|
||||
@ -1055,6 +1056,10 @@ impl Configuration {
|
||||
!self.args.flag_no_secretstore_http && cfg!(feature = "secretstore")
|
||||
}
|
||||
|
||||
fn secretstore_acl_check_enabled(&self) -> bool {
|
||||
!self.args.flag_no_secretstore_acl_check
|
||||
}
|
||||
|
||||
fn ui_enabled(&self) -> bool {
|
||||
if self.args.flag_force_ui {
|
||||
return true;
|
||||
|
@ -39,6 +39,8 @@ pub struct Configuration {
|
||||
pub enabled: bool,
|
||||
/// Is HTTP API enabled?
|
||||
pub http_enabled: bool,
|
||||
/// Is ACL check enabled.
|
||||
pub acl_check_enabled: bool,
|
||||
/// This node secret.
|
||||
pub self_secret: Option<NodeSecretKey>,
|
||||
/// Other nodes IDs + addresses.
|
||||
@ -126,6 +128,7 @@ mod server {
|
||||
port: conf.http_port,
|
||||
}) } else { None },
|
||||
data_path: conf.data_path.clone(),
|
||||
acl_check_enabled: conf.acl_check_enabled,
|
||||
cluster_config: ethcore_secretstore::ClusterConfiguration {
|
||||
threads: 4,
|
||||
listener_address: ethcore_secretstore::NodeAddress {
|
||||
@ -160,6 +163,7 @@ impl Default for Configuration {
|
||||
Configuration {
|
||||
enabled: true,
|
||||
http_enabled: true,
|
||||
acl_check_enabled: true,
|
||||
self_secret: None,
|
||||
nodes: BTreeMap::new(),
|
||||
interface: "127.0.0.1".to_owned(),
|
||||
|
@ -15,8 +15,9 @@
|
||||
// along with Parity. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
use std::sync::{Arc, Weak};
|
||||
use std::collections::{HashMap, HashSet};
|
||||
use futures::{future, Future};
|
||||
use parking_lot::Mutex;
|
||||
use parking_lot::{Mutex, RwLock};
|
||||
use ethkey::public_to_address;
|
||||
use ethcore::client::{Client, BlockChainClient, BlockId, ChainNotify};
|
||||
use native_contracts::SecretStoreAclStorage;
|
||||
@ -47,6 +48,12 @@ struct CachedContract {
|
||||
contract: Option<SecretStoreAclStorage>,
|
||||
}
|
||||
|
||||
#[derive(Default, Debug)]
|
||||
/// Dummy ACL storage implementation (check always passed).
|
||||
pub struct DummyAclStorage {
|
||||
prohibited: RwLock<HashMap<Public, HashSet<ServerKeyId>>>,
|
||||
}
|
||||
|
||||
impl OnChainAclStorage {
|
||||
pub fn new(client: &Arc<Client>) -> Arc<Self> {
|
||||
let acl_storage = Arc::new(OnChainAclStorage {
|
||||
@ -113,36 +120,22 @@ impl CachedContract {
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
pub mod tests {
|
||||
use std::collections::{HashMap, HashSet};
|
||||
use parking_lot::RwLock;
|
||||
use types::all::{Error, ServerKeyId, Public};
|
||||
use super::AclStorage;
|
||||
|
||||
#[derive(Default, Debug)]
|
||||
/// Dummy ACL storage implementation
|
||||
pub struct DummyAclStorage {
|
||||
prohibited: RwLock<HashMap<Public, HashSet<ServerKeyId>>>,
|
||||
}
|
||||
|
||||
impl DummyAclStorage {
|
||||
#[cfg(test)]
|
||||
/// Prohibit given requestor access to given document
|
||||
pub fn prohibit(&self, public: Public, document: ServerKeyId) {
|
||||
self.prohibited.write()
|
||||
.entry(public)
|
||||
.or_insert_with(Default::default)
|
||||
.insert(document);
|
||||
}
|
||||
}
|
||||
|
||||
impl AclStorage for DummyAclStorage {
|
||||
fn check(&self, public: &Public, document: &ServerKeyId) -> Result<bool, Error> {
|
||||
Ok(self.prohibited.read()
|
||||
.get(public)
|
||||
.map(|docs| !docs.contains(document))
|
||||
.unwrap_or(true))
|
||||
}
|
||||
impl DummyAclStorage {
|
||||
#[cfg(test)]
|
||||
/// Prohibit given requestor access to given document
|
||||
pub fn prohibit(&self, public: Public, document: ServerKeyId) {
|
||||
self.prohibited.write()
|
||||
.entry(public)
|
||||
.or_insert_with(Default::default)
|
||||
.insert(document);
|
||||
}
|
||||
}
|
||||
|
||||
impl AclStorage for DummyAclStorage {
|
||||
fn check(&self, public: &Public, document: &ServerKeyId) -> Result<bool, Error> {
|
||||
Ok(self.prohibited.read()
|
||||
.get(public)
|
||||
.map(|docs| !docs.contains(document))
|
||||
.unwrap_or(true))
|
||||
}
|
||||
}
|
||||
|
@ -196,7 +196,7 @@ pub mod tests {
|
||||
use std::collections::BTreeMap;
|
||||
use ethcrypto;
|
||||
use ethkey::{self, Secret, Random, Generator};
|
||||
use acl_storage::tests::DummyAclStorage;
|
||||
use acl_storage::DummyAclStorage;
|
||||
use key_storage::tests::DummyKeyStorage;
|
||||
use node_key_pair::PlainNodeKeyPair;
|
||||
use key_server_set::tests::MapKeyServerSet;
|
||||
|
@ -467,7 +467,7 @@ impl Ord for DecryptionSessionId {
|
||||
mod tests {
|
||||
use std::sync::Arc;
|
||||
use std::collections::BTreeMap;
|
||||
use super::super::super::acl_storage::tests::DummyAclStorage;
|
||||
use super::super::super::acl_storage::DummyAclStorage;
|
||||
use ethkey::{self, KeyPair, Random, Generator, Public, Secret};
|
||||
use key_server_cluster::{NodeId, DocumentKeyShare, SessionId, Error, EncryptedDocumentKeyShadow, SessionMeta};
|
||||
use key_server_cluster::cluster::tests::DummyCluster;
|
||||
|
@ -36,7 +36,7 @@ pub use super::node_key_pair::PlainNodeKeyPair;
|
||||
#[cfg(test)]
|
||||
pub use super::key_storage::tests::DummyKeyStorage;
|
||||
#[cfg(test)]
|
||||
pub use super::acl_storage::tests::DummyAclStorage;
|
||||
pub use super::acl_storage::DummyAclStorage;
|
||||
#[cfg(test)]
|
||||
pub use super::key_server_set::tests::MapKeyServerSet;
|
||||
|
||||
|
@ -572,7 +572,7 @@ mod tests {
|
||||
use std::collections::{BTreeMap, VecDeque};
|
||||
use ethkey::{self, Random, Generator, Public};
|
||||
use util::H256;
|
||||
use super::super::super::acl_storage::tests::DummyAclStorage;
|
||||
use super::super::super::acl_storage::DummyAclStorage;
|
||||
use key_server_cluster::{NodeId, SessionId, SessionMeta, Error, KeyStorage};
|
||||
use key_server_cluster::cluster::tests::DummyCluster;
|
||||
use key_server_cluster::generation_session::{Session as GenerationSession};
|
||||
|
@ -235,6 +235,7 @@ pub mod tests {
|
||||
let path = RandomTempPath::create_dir();
|
||||
let config = ServiceConfiguration {
|
||||
listener_address: None,
|
||||
acl_check_enabled: true,
|
||||
data_path: path.as_str().to_owned(),
|
||||
cluster_config: ClusterConfiguration {
|
||||
threads: 1,
|
||||
|
@ -73,7 +73,11 @@ pub use self::node_key_pair::{PlainNodeKeyPair, KeyStoreNodeKeyPair};
|
||||
pub fn start(client: Arc<Client>, self_key_pair: Arc<NodeKeyPair>, config: ServiceConfiguration) -> Result<Box<KeyServer>, Error> {
|
||||
use std::sync::Arc;
|
||||
|
||||
let acl_storage = acl_storage::OnChainAclStorage::new(&client);
|
||||
let acl_storage: Arc<acl_storage::AclStorage> = if config.acl_check_enabled {
|
||||
acl_storage::OnChainAclStorage::new(&client)
|
||||
} else {
|
||||
Arc::new(acl_storage::DummyAclStorage::default())
|
||||
};
|
||||
let key_server_set = key_server_set::OnChainKeyServerSet::new(&client, config.cluster_config.nodes.clone())?;
|
||||
let key_storage = Arc::new(key_storage::PersistentKeyStorage::new(&config)?);
|
||||
let key_server = key_server::KeyServerImpl::new(&config.cluster_config, key_server_set, self_key_pair, acl_storage, key_storage)?;
|
||||
|
@ -71,6 +71,8 @@ pub struct NodeAddress {
|
||||
pub struct ServiceConfiguration {
|
||||
/// HTTP listener address. If None, HTTP API is disabled.
|
||||
pub listener_address: Option<NodeAddress>,
|
||||
/// Is ACL check enabled. If false, everyone has access to all keys. Useful for tests only.
|
||||
pub acl_check_enabled: bool,
|
||||
/// Data directory path for secret store
|
||||
pub data_path: String,
|
||||
/// Cluster configuration.
|
||||
|
Loading…
Reference in New Issue
Block a user