storj/uplink/piecestore/verification.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package piecestore

import (
	"bytes"
	"context"
	"time"

	"github.com/zeebo/errs"

	"storj.io/storj/pkg/identity"
	"storj.io/storj/pkg/pb"
	"storj.io/storj/pkg/signing"
)

const pieceHashExpiration = 24 * time.Hour

var (
	// ErrInternal is an error class for internal errors.
	ErrInternal = errs.Class("internal")
	// ErrProtocol is an error class for unexpected protocol sequence.
	ErrProtocol = errs.Class("protocol")
	// ErrVerifyUntrusted is an error in case there is a trust issue.
	ErrVerifyUntrusted = errs.Class("untrusted")
	// ErrStorageNodeInvalidResponse is an error when a storage node returns a response with invalid data
	ErrStorageNodeInvalidResponse = errs.Class("storage node has returned an invalid response")
)

// VerifyPieceHash verifies piece hash which is sent by peer.
func (client *Client) VerifyPieceHash(ctx context.Context, peer *identity.PeerIdentity, limit *pb.OrderLimit, hash *pb.PieceHash, expectedHash []byte) (err error) {
	defer mon.Task()(&ctx)(&err)
	if peer == nil || limit == nil || hash == nil || len(expectedHash) == 0 {
		return ErrProtocol.New("invalid arguments")
	}
	if limit.PieceId != hash.PieceId {
		return ErrProtocol.New("piece id changed") // TODO: report rpc status bad message
	}
	if !bytes.Equal(hash.Hash, expectedHash) {
		return ErrVerifyUntrusted.New("hashes don't match") // TODO: report rpc status bad message
	}

	if err := signing.VerifyPieceHashSignature(ctx, signing.SigneeFromPeerIdentity(peer), hash); err != nil {
		return ErrVerifyUntrusted.New("invalid hash signature: %v", err) // TODO: report rpc status bad message
	}

	if hash.Timestamp.Before(time.Now().Add(-pieceHashExpiration)) {
		return ErrStorageNodeInvalidResponse.New("piece has timestamp is too old (%v). Required to be not older than %s",
			hash.Timestamp, pieceHashExpiration,
		)
	}

	return nil
}
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`// Copyright (C) 2019 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package piecestore`

			`import (`
			`"bytes"`
			`"context"`
uplink/piecestore: Check SN piece hash timestamp (#3246) Uplink must verify that every piece upload to a storage node return a hash whose timestamp isn't older than the maximum elapsed time allowed by the Satellite. We cannot leave this check only to the Satellite site, because if there is no error reported by this matter, the uplink cuts down the long tail. When uplink submits the result uploads including these invalid ones, the Satellite filters out the invalid ones and that can provoke that it gets less than the optimal threshold amount of valid upload results, so it rejects the request. Detecting the error at this stage will allow the uplink to detect these uploads as invalid and avoid to cut down the long tail prematurely. 2019-10-15 15:07:18 +01:00			`"time"`
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00
			`"github.com/zeebo/errs"`

			`"storj.io/storj/pkg/identity"`
			`"storj.io/storj/pkg/pb"`
rename all the things (#2531) * rename pkg/linksharing to linksharing * rename pkg/httpserver to linksharing/httpserver * rename pkg/eestream to uplink/eestream * rename pkg/stream to uplink/stream * rename pkg/metainfo/kvmetainfo to uplink/metainfo/kvmetainfo * rename pkg/auth/signing to pkg/signing * rename pkg/storage to uplink/storage * rename pkg/accounting to satellite/accounting * rename pkg/audit to satellite/audit * rename pkg/certdb to satellite/certdb * rename pkg/discovery to satellite/discovery * rename pkg/overlay to satellite/overlay * rename pkg/datarepair to satellite/repair 2019-07-28 06:55:36 +01:00			`"storj.io/storj/pkg/signing"`
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`)`

Satellite/PieceHashValidation: Increase time window from 2h to 24h to avoid timezone issues (#3291) 2019-10-16 13:47:08 +01:00			`const pieceHashExpiration = 24 * time.Hour`
uplink/piecestore: Check SN piece hash timestamp (#3246) Uplink must verify that every piece upload to a storage node return a hash whose timestamp isn't older than the maximum elapsed time allowed by the Satellite. We cannot leave this check only to the Satellite site, because if there is no error reported by this matter, the uplink cuts down the long tail. When uplink submits the result uploads including these invalid ones, the Satellite filters out the invalid ones and that can provoke that it gets less than the optimal threshold amount of valid upload results, so it rejects the request. Detecting the error at this stage will allow the uplink to detect these uploads as invalid and avoid to cut down the long tail prematurely. 2019-10-15 15:07:18 +01:00
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`var (`
			`// ErrInternal is an error class for internal errors.`
			`ErrInternal = errs.Class("internal")`
			`// ErrProtocol is an error class for unexpected protocol sequence.`
			`ErrProtocol = errs.Class("protocol")`
			`// ErrVerifyUntrusted is an error in case there is a trust issue.`
			`ErrVerifyUntrusted = errs.Class("untrusted")`
uplink/piecestore: Check SN piece hash timestamp (#3246) Uplink must verify that every piece upload to a storage node return a hash whose timestamp isn't older than the maximum elapsed time allowed by the Satellite. We cannot leave this check only to the Satellite site, because if there is no error reported by this matter, the uplink cuts down the long tail. When uplink submits the result uploads including these invalid ones, the Satellite filters out the invalid ones and that can provoke that it gets less than the optimal threshold amount of valid upload results, so it rejects the request. Detecting the error at this stage will allow the uplink to detect these uploads as invalid and avoid to cut down the long tail prematurely. 2019-10-15 15:07:18 +01:00			`// ErrStorageNodeInvalidResponse is an error when a storage node returns a response with invalid data`
			`ErrStorageNodeInvalidResponse = errs.Class("storage node has returned an invalid response")`
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`)`

			`// VerifyPieceHash verifies piece hash which is sent by peer.`
pkg/pb: rename Order2 to Order, OrderLimit2 to OrderLimit (#2406) 2019-07-01 16:54:11 +01:00			`func (client Client) VerifyPieceHash(ctx context.Context, peer identity.PeerIdentity, limit pb.OrderLimit, hash pb.PieceHash, expectedHash []byte) (err error) {`
internal,lib,uplink: add monkit task to missing places (#2118) * internal,lib,uplink: add monkit task to missing places Change-Id: I490053eee4ed517502f9fe00c6394f0095bd13d0 * Include Monkit * Add missing context * Another missing ctx * More ctx missing * Linting * go imports Change-Id: Ibf0ed072eba339f027727ed8039f7bce1f223fa7 * fix semantic merge conflict Change-Id: I67fb1f4e7b6cd5e89d69987ed7b3966b7d30ee37 2019-06-05 16:03:11 +01:00			`defer mon.Task()(&ctx)(&err)`
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`if peer == nil \|\| limit == nil \|\| hash == nil \|\| len(expectedHash) == 0 {`
			`return ErrProtocol.New("invalid arguments")`
			`}`
			`if limit.PieceId != hash.PieceId {`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`return ErrProtocol.New("piece id changed") // TODO: report rpc status bad message`
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`}`
			`if !bytes.Equal(hash.Hash, expectedHash) {`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`return ErrVerifyUntrusted.New("hashes don't match") // TODO: report rpc status bad message`
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`}`

pkg/auth: add monkit task to missing places (#2123) What: add monkit.Task to a bunch of functions that are missing it Why: this will significantly help our instrumentation, data collection, and tracing about what's going on in the network 2019-06-05 14:47:01 +01:00			`if err := signing.VerifyPieceHashSignature(ctx, signing.SigneeFromPeerIdentity(peer), hash); err != nil {`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`return ErrVerifyUntrusted.New("invalid hash signature: %v", err) // TODO: report rpc status bad message`
Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`}`

uplink/piecestore: Check SN piece hash timestamp (#3246) Uplink must verify that every piece upload to a storage node return a hash whose timestamp isn't older than the maximum elapsed time allowed by the Satellite. We cannot leave this check only to the Satellite site, because if there is no error reported by this matter, the uplink cuts down the long tail. When uplink submits the result uploads including these invalid ones, the Satellite filters out the invalid ones and that can provoke that it gets less than the optimal threshold amount of valid upload results, so it rejects the request. Detecting the error at this stage will allow the uplink to detect these uploads as invalid and avoid to cut down the long tail prematurely. 2019-10-15 15:07:18 +01:00			`if hash.Timestamp.Before(time.Now().Add(-pieceHashExpiration)) {`
			`return ErrStorageNodeInvalidResponse.New("piece has timestamp is too old (%v). Required to be not older than %s",`
			`hash.Timestamp, pieceHashExpiration,`
			`)`
			`}`

Storage node and upload/download protocol refactor (#1422) refactor storage node server refactor upload and download protocol 2019-03-18 10:55:06 +00:00			`return nil`
			`}`