From 369c12b702ade6477728bacc86ec9ebb5dcc090a Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Wed, 19 May 2021 19:42:29 +0300 Subject: [PATCH] [#505] morph/container: Verify signature of deleting container ID Get all owner keys and verify container ID signature until first success. If none of the keys match, then prohibit deletion. Thus, the delete operation is only allowed to the owner of the container. With this approach, a separate check for key ownership is not required. Signed-off-by: Leonard Lyubich --- .../processors/container/process_container.go | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/pkg/innerring/processors/container/process_container.go b/pkg/innerring/processors/container/process_container.go index ab85e20a..2ce325bc 100644 --- a/pkg/innerring/processors/container/process_container.go +++ b/pkg/innerring/processors/container/process_container.go @@ -96,7 +96,31 @@ func (cp *Processor) processContainerDelete(delete *containerEvent.Delete) { } func (cp *Processor) checkDeleteContainer(e *containerEvent.Delete) error { - return nil + cid := e.ContainerID() + + // receive owner of the related container + cnr, err := cp.cnrClient.Get(cid) + if err != nil { + return fmt.Errorf("could not receive the container: %w", err) + } + + // receive all owner keys + ownerKeys, err := cp.idClient.AccountKeys(cnr.OwnerID()) + if err != nil { + return fmt.Errorf("could not received owner keys %s: %w", cnr.OwnerID(), err) + } + + // verify signature + cidHash := sha256.Sum256(cid) + sig := e.Signature() + + for _, ownerKey := range ownerKeys { + if ownerKey.Verify(sig, cidHash[:]) { + return nil + } + } + + return errors.New("signature verification failed on all owner keys ") } func (cp *Processor) approveDeleteContainer(e *containerEvent.Delete) {