frostfs-node/pkg/innerring/processors/container/common.go

package container

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"errors"
	"fmt"

	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid"
	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
	"github.com/nspcc-dev/neofs-sdk-go/owner"
	"github.com/nspcc-dev/neofs-sdk-go/session"
)

var (
	errWrongSessionContext = errors.New("wrong session context")
	errWrongSessionVerb    = errors.New("wrong token verb")
	errWrongCID            = errors.New("wrong container ID")
)

type ownerIDSource interface {
	OwnerID() *owner.ID
}

func tokenFromEvent(src interface {
	SessionToken() []byte
}) (*session.Token, error) {
	binToken := src.SessionToken()

	if len(binToken) == 0 {
		return nil, nil
	}

	tok := session.NewToken()

	err := tok.Unmarshal(binToken)
	if err != nil {
		return nil, fmt.Errorf("could not unmarshal session token: %w", err)
	}

	return tok, nil
}

func (cp *Processor) checkKeyOwnership(ownerIDSrc ownerIDSource, key *keys.PublicKey) error {
	if tokenSrc, ok := ownerIDSrc.(interface {
		SessionToken() *session.Token
	}); ok {
		if token := tokenSrc.SessionToken(); token != nil {
			return cp.checkKeyOwnershipWithToken(ownerIDSrc, key, tokenSrc.SessionToken())
		}
	}

	if ownerIDSrc.OwnerID().Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key))) {
		return nil
	}

	prm := neofsid.AccountKeysPrm{}
	prm.SetID(ownerIDSrc.OwnerID())

	ownerKeys, err := cp.idClient.AccountKeys(prm)
	if err != nil {
		return fmt.Errorf("could not received owner keys %s: %w", ownerIDSrc.OwnerID(), err)
	}

	for _, ownerKey := range ownerKeys {
		if ownerKey.Equal(key) {
			return nil
		}
	}

	return fmt.Errorf("key %s is not tied to the owner of the container", key)
}

func (cp *Processor) checkKeyOwnershipWithToken(ownerIDSrc ownerIDSource, key *keys.PublicKey, token *session.Token) error {
	// check session key
	if !bytes.Equal(
		key.Bytes(),
		token.SessionKey(),
	) {
		return errors.New("signed with a non-session key")
	}

	// check owner
	if !token.OwnerID().Equal(ownerIDSrc.OwnerID()) {
		return errors.New("owner differs with token owner")
	}

	err := cp.checkSessionToken(token)
	if err != nil {
		return fmt.Errorf("invalid session token: %w", err)
	}

	return nil
}

func (cp *Processor) checkSessionToken(token *session.Token) error {
	// verify signature
	if !token.VerifySignature() {
		return errors.New("invalid signature")
	}

	// check lifetime
	err := cp.checkTokenLifetime(token)
	if err != nil {
		return err
	}

	// check token owner's key ownership

	// FIXME(@cthulhu-rider): #1387 see neofs-sdk-go#233
	key, err := keys.NewPublicKeyFromBytes(token.ToV2().GetSignature().GetKey(), elliptic.P256())
	if err != nil {
		return fmt.Errorf("invalid key: %w", err)
	}

	return cp.checkKeyOwnership(token, key)
}

type verbAssert func(*session.ContainerContext) bool

func contextWithVerifiedVerb(tok *session.Token, verbAssert verbAssert) (*session.ContainerContext, error) {
	c := session.GetContainerContext(tok)
	if c == nil {
		return nil, errWrongSessionContext
	}

	if !verbAssert(c) {
		return nil, errWrongSessionVerb
	}

	return c, nil
}

func checkTokenContext(tok *session.Token, verbAssert verbAssert) error {
	_, err := contextWithVerifiedVerb(tok, verbAssert)
	return err
}

func checkTokenContextWithCID(tok *session.Token, id cid.ID, verbAssert verbAssert) error {
	c, err := contextWithVerifiedVerb(tok, verbAssert)
	if err != nil {
		return err
	}

	tokCID := c.Container()
	if tokCID != nil && !tokCID.Equals(id) {
		return errWrongCID
	}

	return nil
}

func (cp *Processor) checkTokenLifetime(token *session.Token) error {
	curEpoch, err := cp.netState.Epoch()
	if err != nil {
		return fmt.Errorf("could not read current epoch: %w", err)
	}

	nbf := token.Nbf()
	if curEpoch < nbf {
		return fmt.Errorf("token is not valid yet: nbf %d, cur %d", nbf, curEpoch)
	}

	iat := token.Iat()
	if curEpoch < iat {
		return fmt.Errorf("token is issued in future: iat %d, cur %d", iat, curEpoch)
	}

	exp := token.Exp()
	if curEpoch >= exp {
		return fmt.Errorf("token is expired: exp %d, cur %d", exp, curEpoch)
	}

	return nil
}
[#505] ir/container: Replace key ownership check into a separate method Method of key ownership verification is going to be reused by the handlers of the other events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 16:14:00 +00:00			`package container`

			`import (`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`"bytes"`
[#505] ir/container: Check key-to-owner mapping in key ownership check Owner identifier can be calculated from public key. If it matches, no additional verification of key ownership is required. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-25 09:09:44 +00:00			`"crypto/ecdsa"`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`"crypto/elliptic"`
			`"errors"`
[#505] ir/container: Replace key ownership check into a separate method Method of key ownership verification is going to be reused by the handlers of the other events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 16:14:00 +00:00			`"fmt"`

			`"github.com/nspcc-dev/neo-go/pkg/crypto/keys"`
[#625] client/neofsid: remove intermediate wrapper Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2022-01-31 11:04:59 +00:00			`"github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid"`
*: replace neofs-api-go with neofs-sdk-go Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru> 2021-11-10 07:08:33 +00:00			`cid "github.com/nspcc-dev/neofs-sdk-go/container/id"`
			`"github.com/nspcc-dev/neofs-sdk-go/owner"`
			`"github.com/nspcc-dev/neofs-sdk-go/session"`
[#505] ir/container: Replace key ownership check into a separate method Method of key ownership verification is going to be reused by the handlers of the other events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 16:14:00 +00:00			`)`

[#525] ir/container: Check session verb and container ID Token of the container session should be written out with container context. The context should have the verb corresponding to the operation. If an operation is performed on a fixed container, the session should be propagated to it or to all user containers Implement all described checks in validation of `Put` / `Delete` / `SetEACL` events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-28 12:39:27 +00:00			`var (`
			`errWrongSessionContext = errors.New("wrong session context")`
			`errWrongSessionVerb = errors.New("wrong token verb")`
			`errWrongCID = errors.New("wrong container ID")`
			`)`

[#505] ir/container: Replace key ownership check into a separate method Method of key ownership verification is going to be reused by the handlers of the other events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 16:14:00 +00:00			`type ownerIDSource interface {`
			`OwnerID() *owner.ID`
			`}`

[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`func tokenFromEvent(src interface {`
			`SessionToken() []byte`
			`}) (*session.Token, error) {`
			`binToken := src.SessionToken()`

			`if len(binToken) == 0 {`
			`return nil, nil`
			`}`

			`tok := session.NewToken()`

			`err := tok.Unmarshal(binToken)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not unmarshal session token: %w", err)`
			`}`

			`return tok, nil`
			`}`

[#505] ir/container: Replace key ownership check into a separate method Method of key ownership verification is going to be reused by the handlers of the other events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 16:14:00 +00:00			`func (cp Processor) checkKeyOwnership(ownerIDSrc ownerIDSource, key keys.PublicKey) error {`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`if tokenSrc, ok := ownerIDSrc.(interface {`
			`SessionToken() *session.Token`
			`}); ok {`
			`if token := tokenSrc.SessionToken(); token != nil {`
			`return cp.checkKeyOwnershipWithToken(ownerIDSrc, key, tokenSrc.SessionToken())`
			`}`
			`}`

[#1100] *: Adopt new SDK's `owner.ID` API Signed-off-by: Pavel Karpy <carpawell@nspcc.ru> 2022-01-21 12:15:10 +00:00			`if ownerIDSrc.OwnerID().Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key))) {`
[#505] ir/container: Check key-to-owner mapping in key ownership check Owner identifier can be calculated from public key. If it matches, no additional verification of key ownership is required. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-25 09:09:44 +00:00			`return nil`
			`}`

[#971] *: Add notification TX hash to neofsid morph client calls Add hash of the TX that generated notification to neofsid event structures. Adapt all neofsid wrapper calls to new structures. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru> 2021-11-11 08:59:14 +00:00			`prm := neofsid.AccountKeysPrm{}`
			`prm.SetID(ownerIDSrc.OwnerID())`

			`ownerKeys, err := cp.idClient.AccountKeys(prm)`
[#505] ir/container: Replace key ownership check into a separate method Method of key ownership verification is going to be reused by the handlers of the other events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 16:14:00 +00:00			`if err != nil {`
			`return fmt.Errorf("could not received owner keys %s: %w", ownerIDSrc.OwnerID(), err)`
			`}`

			`for _, ownerKey := range ownerKeys {`
			`if ownerKey.Equal(key) {`
			`return nil`
			`}`
			`}`

			`return fmt.Errorf("key %s is not tied to the owner of the container", key)`
			`}`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00
			`func (cp Processor) checkKeyOwnershipWithToken(ownerIDSrc ownerIDSource, key keys.PublicKey, token *session.Token) error {`
			`// check session key`
			`if !bytes.Equal(`
			`key.Bytes(),`
			`token.SessionKey(),`
			`) {`
			`return errors.New("signed with a non-session key")`
			`}`

			`// check owner`
[#525] ir/container: Compare owner IDs via Equal method In recent change of API Go library `owner.ID.Equal` signature was implemented. Replace the comparison of string representations with `Equal` method call and remove related TODOs. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-28 12:46:41 +00:00			`if !token.OwnerID().Equal(ownerIDSrc.OwnerID()) {`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`return errors.New("owner differs with token owner")`
			`}`

			`err := cp.checkSessionToken(token)`
			`if err != nil {`
			`return fmt.Errorf("invalid session token: %w", err)`
			`}`

			`return nil`
			`}`

			`func (cp Processor) checkSessionToken(token session.Token) error {`
			`// verify signature`
[#525] ir/container: Simplify the approach to verify token signature In recent change of API Go library `Token.Verify` signature was implemented. Replace previous version-casting approach with new method call in token signature check stage. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-28 12:45:10 +00:00			`if !token.VerifySignature() {`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`return errors.New("invalid signature")`
			`}`

[#589] ir/container: Verify session token lifetime Session tokens have limited lifetime in NeoFS. Container processor should verify lifetime of the incoming tokens. Define `NetworkState` interface with `Epoch` method to get number of the current epoch. Use Netmap contract client's wrapper as `NetworkState` of Container `Processor`. Check values of token lifetime, and deny if: * NBF value is gt the current epoch; * IAT is gt the current epoch; * EXP is le the current epoch. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-06-04 15:02:25 +00:00			`// check lifetime`
			`err := cp.checkTokenLifetime(token)`
			`if err != nil {`
			`return err`
			`}`

[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`// check token owner's key ownership`

[#1389] crypto: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-16 13:15:31 +00:00			`// FIXME(@cthulhu-rider): #1387 see neofs-sdk-go#233`
			`key, err := keys.NewPublicKeyFromBytes(token.ToV2().GetSignature().GetKey(), elliptic.P256())`
[#525] ir/container: Verify operations with session token Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-27 12:07:39 +00:00			`if err != nil {`
			`return fmt.Errorf("invalid key: %w", err)`
			`}`

			`return cp.checkKeyOwnership(token, key)`
			`}`
[#525] ir/container: Check session verb and container ID Token of the container session should be written out with container context. The context should have the verb corresponding to the operation. If an operation is performed on a fixed container, the session should be propagated to it or to all user containers Implement all described checks in validation of `Put` / `Delete` / `SetEACL` events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-28 12:39:27 +00:00
			`type verbAssert func(*session.ContainerContext) bool`

			`func contextWithVerifiedVerb(tok session.Token, verbAssert verbAssert) (session.ContainerContext, error) {`
			`c := session.GetContainerContext(tok)`
			`if c == nil {`
			`return nil, errWrongSessionContext`
			`}`

			`if !verbAssert(c) {`
			`return nil, errWrongSessionVerb`
			`}`

			`return c, nil`
			`}`

			`func checkTokenContext(tok *session.Token, verbAssert verbAssert) error {`
			`_, err := contextWithVerifiedVerb(tok, verbAssert)`
			`return err`
			`}`

[#1377] oid, cid: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-12 16:37:46 +00:00			`func checkTokenContextWithCID(tok *session.Token, id cid.ID, verbAssert verbAssert) error {`
[#525] ir/container: Check session verb and container ID Token of the container session should be written out with container context. The context should have the verb corresponding to the operation. If an operation is performed on a fixed container, the session should be propagated to it or to all user containers Implement all described checks in validation of `Put` / `Delete` / `SetEACL` events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-28 12:39:27 +00:00			`c, err := contextWithVerifiedVerb(tok, verbAssert)`
			`if err != nil {`
			`return err`
			`}`

			`tokCID := c.Container()`
[#1377] oid, cid: Upgrade SDK package Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2022-05-12 16:37:46 +00:00			`if tokCID != nil && !tokCID.Equals(id) {`
[#525] ir/container: Check session verb and container ID Token of the container session should be written out with container context. The context should have the verb corresponding to the operation. If an operation is performed on a fixed container, the session should be propagated to it or to all user containers Implement all described checks in validation of `Put` / `Delete` / `SetEACL` events. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-28 12:39:27 +00:00			`return errWrongCID`
			`}`

			`return nil`
			`}`
[#589] ir/container: Verify session token lifetime Session tokens have limited lifetime in NeoFS. Container processor should verify lifetime of the incoming tokens. Define `NetworkState` interface with `Epoch` method to get number of the current epoch. Use Netmap contract client's wrapper as `NetworkState` of Container `Processor`. Check values of token lifetime, and deny if: * NBF value is gt the current epoch; * IAT is gt the current epoch; * EXP is le the current epoch. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-06-04 15:02:25 +00:00
			`func (cp Processor) checkTokenLifetime(token session.Token) error {`
			`curEpoch, err := cp.netState.Epoch()`
			`if err != nil {`
			`return fmt.Errorf("could not read current epoch: %w", err)`
			`}`

			`nbf := token.Nbf()`
			`if curEpoch < nbf {`
			`return fmt.Errorf("token is not valid yet: nbf %d, cur %d", nbf, curEpoch)`
			`}`

			`iat := token.Iat()`
			`if curEpoch < iat {`
			`return fmt.Errorf("token is issued in future: iat %d, cur %d", iat, curEpoch)`
			`}`

			`exp := token.Exp()`
			`if curEpoch >= exp {`
			`return fmt.Errorf("token is expired: exp %d, cur %d", exp, curEpoch)`
			`}`

			`return nil`
			`}`