[#529] objectcore: Fix object content validation

There are old objects where the owner of the object
may not match the one who issued the token.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>

pkg/core/object/fmt_test.go

@@ -3,12 +3,17 @@ package object
 import (
 	"context"
 	"crypto/ecdsa"
+	"fmt"
 	"strconv"
 	"testing"
 
 	objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+	containerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
 	frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
@@ -106,34 +111,6 @@ func TestFormatValidator_Validate(t *testing.T) {
 		require.NoError(t, v.Validate(context.Background(), obj, false))
 	})
 
-	t.Run("invalid w/ session token", func(t *testing.T) {
-		var idOwner user.ID
-		user.IDFromKey(&idOwner, ownerKey.PrivateKey.PublicKey)
-
-		var randomUserID user.ID
-		randPrivKey, err := keys.NewPrivateKey()
-		require.NoError(t, err)
-		user.IDFromKey(&randomUserID, randPrivKey.PrivateKey.PublicKey)
-
-		tok := sessiontest.Object()
-		fsPubKey := frostfsecdsa.PublicKey(*ownerKey.PublicKey())
-		tok.SetID(uuid.New())
-		tok.SetAuthKey(&fsPubKey)
-		tok.SetExp(100500)
-		tok.SetIat(1)
-		tok.SetNbf(1)
-		err = tok.Sign(ownerKey.PrivateKey)
-		require.NoError(t, err)
-
-		obj := objectSDK.New()
-		obj.SetContainerID(cidtest.ID())
-		obj.SetSessionToken(tok)
-		obj.SetOwnerID(&randomUserID)
-		require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj))
-
-		require.Error(t, v.Validate(context.Background(), obj, false)) //invalid owner
-	})
-
 	t.Run("correct w/o session token", func(t *testing.T) {
 		obj := blankValidObject(&ownerKey.PrivateKey)
 
@@ -284,3 +261,334 @@ func TestFormatValidator_Validate(t *testing.T) {
 		})
 	})
 }
+
+func TestFormatValidator_ValidateTokenIssuer(t *testing.T) {
+	const curEpoch = 13
+
+	ls := testLockSource{
+		m: make(map[oid.Address]bool),
+	}
+
+	signer, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+
+	var owner user.ID
+	ownerPrivKey, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+	user.IDFromKey(&owner, ownerPrivKey.PrivateKey.PublicKey)
+
+	t.Run("different issuer and owner, verify issuer disabled", func(t *testing.T) {
+		t.Parallel()
+		v := NewFormatValidator(
+			WithNetState(testNetState{
+				epoch: curEpoch,
+			}),
+			WithLockSource(ls),
+			WithVerifySessionTokenIssuer(false),
+		)
+
+		tok := sessiontest.Object()
+		fsPubKey := frostfsecdsa.PublicKey(*signer.PublicKey())
+		tok.SetID(uuid.New())
+		tok.SetAuthKey(&fsPubKey)
+		tok.SetExp(100500)
+		tok.SetIat(1)
+		tok.SetNbf(1)
+		require.NoError(t, tok.Sign(signer.PrivateKey))
+
+		obj := objectSDK.New()
+		obj.SetContainerID(cidtest.ID())
+		obj.SetSessionToken(tok)
+		obj.SetOwnerID(&owner)
+		require.NoError(t, objectSDK.SetIDWithSignature(signer.PrivateKey, obj))
+
+		require.NoError(t, v.Validate(context.Background(), obj, false))
+	})
+
+	t.Run("different issuer and owner, issuer is IR node, verify issuer enabled", func(t *testing.T) {
+		t.Parallel()
+		v := NewFormatValidator(
+			WithNetState(testNetState{
+				epoch: curEpoch,
+			}),
+			WithLockSource(ls),
+			WithVerifySessionTokenIssuer(true),
+			WithInnerRing(&testIRSource{
+				irNodes: [][]byte{signer.PublicKey().Bytes()},
+			}),
+		)
+
+		tok := sessiontest.Object()
+		fsPubKey := frostfsecdsa.PublicKey(*signer.PublicKey())
+		tok.SetID(uuid.New())
+		tok.SetAuthKey(&fsPubKey)
+		tok.SetExp(100500)
+		tok.SetIat(1)
+		tok.SetNbf(1)
+		require.NoError(t, tok.Sign(signer.PrivateKey))
+
+		obj := objectSDK.New()
+		obj.SetContainerID(cidtest.ID())
+		obj.SetSessionToken(tok)
+		obj.SetOwnerID(&owner)
+		require.NoError(t, objectSDK.SetIDWithSignature(signer.PrivateKey, obj))
+
+		require.NoError(t, v.Validate(context.Background(), obj, false))
+	})
+
+	t.Run("different issuer and owner, issuer is container node in current epoch, verify issuer enabled", func(t *testing.T) {
+		t.Parallel()
+
+		tok := sessiontest.Object()
+		fsPubKey := frostfsecdsa.PublicKey(*signer.PublicKey())
+		tok.SetID(uuid.New())
+		tok.SetAuthKey(&fsPubKey)
+		tok.SetExp(100500)
+		tok.SetIat(1)
+		tok.SetNbf(1)
+		require.NoError(t, tok.Sign(signer.PrivateKey))
+
+		cnrID := cidtest.ID()
+		cont := containerSDK.Container{}
+		cont.Init()
+		pp := netmap.PlacementPolicy{}
+		require.NoError(t, pp.DecodeString("REP 1"))
+		cont.SetPlacementPolicy(pp)
+
+		var node netmap.NodeInfo
+		node.SetPublicKey(signer.PublicKey().Bytes())
+		currentEpochNM := &netmap.NetMap{}
+		currentEpochNM.SetEpoch(curEpoch)
+		currentEpochNM.SetNodes([]netmap.NodeInfo{node})
+
+		obj := objectSDK.New()
+		obj.SetContainerID(cnrID)
+		obj.SetSessionToken(tok)
+		obj.SetOwnerID(&owner)
+		require.NoError(t, objectSDK.SetIDWithSignature(signer.PrivateKey, obj))
+
+		v := NewFormatValidator(
+			WithNetState(testNetState{
+				epoch: curEpoch,
+			}),
+			WithLockSource(ls),
+			WithVerifySessionTokenIssuer(true),
+			WithInnerRing(&testIRSource{
+				irNodes: [][]byte{},
+			}),
+			WithContainersSource(
+				&testContainerSource{
+					containers: map[cid.ID]*container.Container{
+						cnrID: {
+							Value: cont,
+						},
+					},
+				},
+			),
+			WithNetmapSource(
+				&testNetmapSource{
+					netmaps: map[uint64]*netmap.NetMap{
+						curEpoch: currentEpochNM,
+					},
+					currentEpoch: curEpoch,
+				},
+			),
+		)
+
+		require.NoError(t, v.Validate(context.Background(), obj, false))
+	})
+
+	t.Run("different issuer and owner, issuer is container node in previous epoch, verify issuer enabled", func(t *testing.T) {
+		t.Parallel()
+
+		tok := sessiontest.Object()
+		fsPubKey := frostfsecdsa.PublicKey(*signer.PublicKey())
+		tok.SetID(uuid.New())
+		tok.SetAuthKey(&fsPubKey)
+		tok.SetExp(100500)
+		tok.SetIat(1)
+		tok.SetNbf(1)
+		require.NoError(t, tok.Sign(signer.PrivateKey))
+
+		cnrID := cidtest.ID()
+		cont := containerSDK.Container{}
+		cont.Init()
+		pp := netmap.PlacementPolicy{}
+		require.NoError(t, pp.DecodeString("REP 1"))
+		cont.SetPlacementPolicy(pp)
+
+		var issuerNode netmap.NodeInfo
+		issuerNode.SetPublicKey(signer.PublicKey().Bytes())
+
+		var nonIssuerNode netmap.NodeInfo
+		nonIssuerKey, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		nonIssuerNode.SetPublicKey(nonIssuerKey.PublicKey().Bytes())
+
+		currentEpochNM := &netmap.NetMap{}
+		currentEpochNM.SetEpoch(curEpoch)
+		currentEpochNM.SetNodes([]netmap.NodeInfo{nonIssuerNode})
+
+		previousEpochNM := &netmap.NetMap{}
+		previousEpochNM.SetEpoch(curEpoch - 1)
+		previousEpochNM.SetNodes([]netmap.NodeInfo{issuerNode})
+
+		obj := objectSDK.New()
+		obj.SetContainerID(cnrID)
+		obj.SetSessionToken(tok)
+		obj.SetOwnerID(&owner)
+		require.NoError(t, objectSDK.SetIDWithSignature(signer.PrivateKey, obj))
+
+		v := NewFormatValidator(
+			WithNetState(testNetState{
+				epoch: curEpoch,
+			}),
+			WithLockSource(ls),
+			WithVerifySessionTokenIssuer(true),
+			WithInnerRing(&testIRSource{
+				irNodes: [][]byte{},
+			}),
+			WithContainersSource(
+				&testContainerSource{
+					containers: map[cid.ID]*container.Container{
+						cnrID: {
+							Value: cont,
+						},
+					},
+				},
+			),
+			WithNetmapSource(
+				&testNetmapSource{
+					netmaps: map[uint64]*netmap.NetMap{
+						curEpoch:     currentEpochNM,
+						curEpoch - 1: previousEpochNM,
+					},
+					currentEpoch: curEpoch,
+				},
+			),
+		)
+
+		require.NoError(t, v.Validate(context.Background(), obj, false))
+	})
+
+	t.Run("different issuer and owner, issuer is unknown, verify issuer enabled", func(t *testing.T) {
+		t.Parallel()
+
+		tok := sessiontest.Object()
+		fsPubKey := frostfsecdsa.PublicKey(*signer.PublicKey())
+		tok.SetID(uuid.New())
+		tok.SetAuthKey(&fsPubKey)
+		tok.SetExp(100500)
+		tok.SetIat(1)
+		tok.SetNbf(1)
+		require.NoError(t, tok.Sign(signer.PrivateKey))
+
+		cnrID := cidtest.ID()
+		cont := containerSDK.Container{}
+		cont.Init()
+		pp := netmap.PlacementPolicy{}
+		require.NoError(t, pp.DecodeString("REP 1"))
+		cont.SetPlacementPolicy(pp)
+
+		var nonIssuerNode1 netmap.NodeInfo
+		nonIssuerKey1, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		nonIssuerNode1.SetPublicKey(nonIssuerKey1.PublicKey().Bytes())
+
+		var nonIssuerNode2 netmap.NodeInfo
+		nonIssuerKey2, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		nonIssuerNode2.SetPublicKey(nonIssuerKey2.PublicKey().Bytes())
+
+		currentEpochNM := &netmap.NetMap{}
+		currentEpochNM.SetEpoch(curEpoch)
+		currentEpochNM.SetNodes([]netmap.NodeInfo{nonIssuerNode1})
+
+		previousEpochNM := &netmap.NetMap{}
+		previousEpochNM.SetEpoch(curEpoch - 1)
+		previousEpochNM.SetNodes([]netmap.NodeInfo{nonIssuerNode2})
+
+		obj := objectSDK.New()
+		obj.SetContainerID(cnrID)
+		obj.SetSessionToken(tok)
+		obj.SetOwnerID(&owner)
+		require.NoError(t, objectSDK.SetIDWithSignature(signer.PrivateKey, obj))
+
+		v := NewFormatValidator(
+			WithNetState(testNetState{
+				epoch: curEpoch,
+			}),
+			WithLockSource(ls),
+			WithVerifySessionTokenIssuer(true),
+			WithInnerRing(&testIRSource{
+				irNodes: [][]byte{},
+			}),
+			WithContainersSource(
+				&testContainerSource{
+					containers: map[cid.ID]*container.Container{
+						cnrID: {
+							Value: cont,
+						},
+					},
+				},
+			),
+			WithNetmapSource(
+				&testNetmapSource{
+					netmaps: map[uint64]*netmap.NetMap{
+						curEpoch:     currentEpochNM,
+						curEpoch - 1: previousEpochNM,
+					},
+					currentEpoch: curEpoch,
+				},
+			),
+		)
+
+		require.Error(t, v.Validate(context.Background(), obj, false))
+	})
+}
+
+type testIRSource struct {
+	irNodes [][]byte
+}
+
+func (s *testIRSource) InnerRingKeys() ([][]byte, error) {
+	return s.irNodes, nil
+}
+
+type testContainerSource struct {
+	containers map[cid.ID]*container.Container
+}
+
+func (s *testContainerSource) Get(cnrID cid.ID) (*container.Container, error) {
+	if cnr, found := s.containers[cnrID]; found {
+		return cnr, nil
+	}
+	return nil, fmt.Errorf("container not found")
+}
+
+func (s *testContainerSource) DeletionInfo(cid.ID) (*container.DelInfo, error) {
+	return nil, nil
+}
+
+type testNetmapSource struct {
+	netmaps      map[uint64]*netmap.NetMap
+	currentEpoch uint64
+}
+
+func (s *testNetmapSource) GetNetMap(diff uint64) (*netmap.NetMap, error) {
+	if diff >= s.currentEpoch {
+		return nil, fmt.Errorf("invalid diff")
+	}
+	return s.GetNetMapByEpoch(s.currentEpoch - diff)
+}
+
+func (s *testNetmapSource) GetNetMapByEpoch(epoch uint64) (*netmap.NetMap, error) {
+	if nm, found := s.netmaps[epoch]; found {
+		return nm, nil
+	}
+	return nil, fmt.Errorf("netmap not found")
+}
+
+func (s *testNetmapSource) Epoch() (uint64, error) {
+	return s.currentEpoch, nil
+}