frostfs-node/pkg/services/control/server/sign.go

package control

import (
	"bytes"
	"errors"
	"fmt"

	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/server/ctrlmessage"
	frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
)

var errDisallowedKey = errors.New("key is not in the allowed list")

func (s *Server) isValidRequest(req ctrlmessage.SignedMessage) error {
	sign := req.GetSignature()
	if sign == nil {
		// TODO(@cthulhu-rider): #468 use "const" error
		return errors.New("missing signature")
	}

	var (
		key     = sign.GetKey()
		allowed = false
	)

	// check if key is allowed
	for i := range s.allowedKeys {
		if allowed = bytes.Equal(s.allowedKeys[i], key); allowed {
			break
		}
	}

	if !allowed {
		return errDisallowedKey
	}

	// verify signature
	binBody, err := req.ReadSignedData(nil)
	if err != nil {
		return fmt.Errorf("marshal request body: %w", err)
	}

	// TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion
	var sigV2 refs.Signature
	sigV2.SetKey(sign.GetKey())
	sigV2.SetSign(sign.GetSign())
	sigV2.SetScheme(refs.ECDSA_SHA512)

	var sig frostfscrypto.Signature
	if err := sig.ReadFromV2(sigV2); err != nil {
		return fmt.Errorf("can't read signature: %w", err)
	}

	if !sig.Verify(binBody) {
		// TODO(@cthulhu-rider): #468 use "const" error
		return errors.New("invalid signature")
	}

	return nil
}
[#306] Rename Private service to Control service Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-01-13 13:46:39 +00:00			`package control`
[#306] private: Implement server of gRPC private node service Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-01-13 12:49:46 +00:00
			`import (`
			`"bytes"`
			`"errors"`
[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00			`"fmt"`
[#306] private: Implement server of gRPC private node service Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-01-13 12:49:46 +00:00
Rename package name Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2023-03-07 13:38:26 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"`
[#1092] control: Move SignMessage to separate package Signed-off-by: Alexander Chuprov <a.chuprov@yadro.com> 2024-05-16 09:11:57 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/server/ctrlmessage"`
Rename package name Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2023-03-07 13:38:26 +00:00			`frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"`
[#306] private: Implement server of gRPC private node service Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-01-13 12:49:46 +00:00			`)`

			`var errDisallowedKey = errors.New("key is not in the allowed list")`

[#1092] control: Move SignMessage to separate package Signed-off-by: Alexander Chuprov <a.chuprov@yadro.com> 2024-05-16 09:11:57 +00:00			`func (s *Server) isValidRequest(req ctrlmessage.SignedMessage) error {`
[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00			`sign := req.GetSignature()`
			`if sign == nil {`
[#468] *: replace outdated TODO crypto-related links Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-06-26 13:18:39 +00:00			`// TODO(@cthulhu-rider): #468 use "const" error`
[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00			`return errors.New("missing signature")`
			`}`

[#306] private: Implement server of gRPC private node service Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-01-13 12:49:46 +00:00			`var (`
			`key = sign.GetKey()`
			`allowed = false`
			`)`

			`// check if key is allowed`
			`for i := range s.allowedKeys {`
			`if allowed = bytes.Equal(s.allowedKeys[i], key); allowed {`
			`break`
			`}`
			`}`

			`if !allowed {`
			`return errDisallowedKey`
			`}`

			`// verify signature`
[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00			`binBody, err := req.ReadSignedData(nil)`
			`if err != nil {`
			`return fmt.Errorf("marshal request body: %w", err)`
			`}`

[#468] *: replace outdated TODO crypto-related links Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-06-26 13:18:39 +00:00			`// TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion`
[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00			`var sigV2 refs.Signature`
			`sigV2.SetKey(sign.GetKey())`
			`sigV2.SetSign(sign.GetSign())`
			`sigV2.SetScheme(refs.ECDSA_SHA512)`

Move to frostfs-node Signed-off-by: Pavel Karpy <p.karpy@yadro.com> 2022-12-23 17:35:35 +00:00			`var sig frostfscrypto.Signature`
[#1624] go.mod: Update dependencies Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-07-22 14:04:37 +00:00			`if err := sig.ReadFromV2(sigV2); err != nil {`
			`return fmt.Errorf("can't read signature: %w", err)`
			`}`
[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00
			`if !sig.Verify(binBody) {`
[#468] *: replace outdated TODO crypto-related links Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com> 2023-06-26 13:18:39 +00:00			`// TODO(@cthulhu-rider): #468 use "const" error`
[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00			`return errors.New("invalid signature")`
			`}`

			`return nil`
[#306] private: Implement server of gRPC private node service Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-01-13 12:49:46 +00:00			`}`