From 2a1a8aa3791daa85900cda06fd9a493414fca9e6 Mon Sep 17 00:00:00 2001
From: Pavel Korotkov <pkorotkov@gmail.com>
Date: Wed, 8 Jul 2020 02:37:27 +0300
Subject: [PATCH] Move auth file to layer; add RSA keys

---
 go.mod              |  4 ++--
 go.sum              |  2 ++
 neofs/auth.go       | 23 ------------------
 neofs/layer/auth.go | 57 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 61 insertions(+), 25 deletions(-)
 delete mode 100644 neofs/auth.go
 create mode 100644 neofs/layer/auth.go

diff --git a/go.mod b/go.mod
index f022317d..c4b9a179 100644
--- a/go.mod
+++ b/go.mod
@@ -30,6 +30,7 @@ require (
 	github.com/gogo/protobuf v1.3.1
 	github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6 // indirect
 	github.com/gomodule/redigo v2.0.0+incompatible
+	github.com/google/brotli/go/cbrotli v0.0.0-20200702174557-fc823290a76a
 	github.com/google/uuid v1.1.1
 	github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f // indirect
 	github.com/gorilla/handlers v1.4.2
@@ -41,7 +42,7 @@ require (
 	github.com/hashicorp/vault/api v1.0.4
 	github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf
 	github.com/json-iterator/go v1.1.10
-	github.com/klauspost/compress v1.10.4
+	github.com/klauspost/compress v1.10.10
 	github.com/klauspost/cpuid v1.3.0
 	github.com/klauspost/pgzip v1.2.1
 	github.com/klauspost/readahead v1.3.1
@@ -111,5 +112,4 @@ require (
 	gopkg.in/olivere/elastic.v5 v5.0.80
 	gopkg.in/yaml.v2 v2.2.8
 	honnef.co/go/tools v0.0.1-2020.1.3 // indirect
-	github.com/google/brotli/go/cbrotli v0.0.0-20200702174557-fc823290a76a
 )
diff --git a/go.sum b/go.sum
index d7e9e7db..e6250637 100644
--- a/go.sum
+++ b/go.sum
@@ -298,6 +298,8 @@ github.com/klauspost/compress v1.9.4/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0
 github.com/klauspost/compress v1.10.1/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.10.4 h1:jFzIFaf586tquEB5EhzQG0HwGNSlgAJpG53G6Ss11wc=
 github.com/klauspost/compress v1.10.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
+github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/cpuid v1.2.2 h1:1xAgYebNnsb9LKCdLOvFWtAxGU/33mjJtyOVbmUa0Us=
 github.com/klauspost/cpuid v1.2.2/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
diff --git a/neofs/auth.go b/neofs/auth.go
deleted file mode 100644
index bd9f388e..00000000
--- a/neofs/auth.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package neofs
-
-import (
-	br "github.com/google/brotli/go/cbrotli"
-	"github.com/nspcc-dev/neofs-api-go/service"
-	"github.com/pkg/errors"
-)
-
-func UnpackBearerToken(packedCredentials []byte) (service.BearerToken, error) {
-	// secretHash := packedCredentials[:32]
-	_ = packedCredentials[:32]
-	compressedKeyID := packedCredentials[32:]
-	keyID, err := br.Decode(compressedKeyID)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to decompress key ID")
-	}
-	bearerToken := new(service.BearerTokenMsg)
-	if err = bearerToken.Unmarshal(keyID); err != nil {
-		return nil, errors.Wrap(err, "failed to unmarshal embedded bearer token")
-	}
-	// TODO
-	return bearerToken, nil
-}
diff --git a/neofs/layer/auth.go b/neofs/layer/auth.go
new file mode 100644
index 00000000..f4776cf8
--- /dev/null
+++ b/neofs/layer/auth.go
@@ -0,0 +1,57 @@
+package layer
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+
+	"github.com/klauspost/compress/zstd"
+	"github.com/nspcc-dev/neofs-api-go/service"
+	"github.com/pkg/errors"
+)
+
+type KeyPair struct {
+	PrivateKey *rsa.PrivateKey
+	PublicKey  *rsa.PublicKey
+}
+
+type AuthCenter struct {
+	gatewayKeys KeyPair
+}
+
+func NewAuthCenter() (*AuthCenter, error) {
+	var kp KeyPair
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	kp.PrivateKey = privateKey
+	kp.PublicKey = &privateKey.PublicKey
+	ac := &AuthCenter{
+		gatewayKeys: kp,
+	}
+	return ac, nil
+}
+
+func (ac *AuthCenter) PackBearerToken(bt service.BearerToken) ([]byte, error) {
+	// TODO
+	panic("unimplemented method")
+}
+
+func (ac *AuthCenter) UnpackBearerToken(packedCredentials []byte) (service.BearerToken, error) {
+	zstdDecoder, _ := zstd.NewReader(nil)
+	// secretHash := packedCredentials[:32]
+	_ = packedCredentials[:32]
+	compressedKeyID := packedCredentials[32:]
+	// Get an encrypted key.
+	var encryptedKeyID []byte
+	if _, err := zstdDecoder.DecodeAll(compressedKeyID, encryptedKeyID); err != nil {
+		return nil, errors.Wrap(err, "failed to decompress key ID")
+	}
+	// TODO: Decrypt the key ID.
+	var keyID []byte
+	bearerToken := new(service.BearerTokenMsg)
+	if err := bearerToken.Unmarshal(keyID); err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal embedded bearer token")
+	}
+	return bearerToken, nil
+}