[#185] ir: Refactor signature verification
Resolve funlen linter for verifySignature method Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>pull/168/head
Gitea
parent
aeb4bbc51e
commit
c1cbe6ff2d
|
|
@ -46,8 +46,6 @@ type signatureVerificationData struct {
|
|||
// - v.binPublicKey is a public session key
|
||||
// - session context corresponds to the container and verb in v
|
||||
// - session is "alive"
|
||||
//
|
||||
// nolint: funlen
|
||||
func (cp *Processor) verifySignature(v signatureVerificationData) error {
|
||||
var err error
|
||||
var key frostfsecdsa.PublicKeyRFC6979
|
||||
|
|
@ -61,45 +59,7 @@ func (cp *Processor) verifySignature(v signatureVerificationData) error {
|
|||
}
|
||||
|
||||
if len(v.binTokenSession) > 0 {
|
||||
var tok session.Container
|
||||
|
||||
err = tok.Unmarshal(v.binTokenSession)
|
||||
if err != nil {
|
||||
return fmt.Errorf("decode session token: %w", err)
|
||||
}
|
||||
|
||||
if !tok.VerifySignature() {
|
||||
return errors.New("invalid session token signature")
|
||||
}
|
||||
|
||||
// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
|
||||
|
||||
if keyProvided && !tok.AssertAuthKey(&key) {
|
||||
return errors.New("signed with a non-session key")
|
||||
}
|
||||
|
||||
if !tok.AssertVerb(v.verb) {
|
||||
return errWrongSessionVerb
|
||||
}
|
||||
|
||||
if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
|
||||
return errWrongCID
|
||||
}
|
||||
|
||||
if !session.IssuedBy(tok, v.ownerContainer) {
|
||||
return errors.New("owner differs with token owner")
|
||||
}
|
||||
|
||||
err = cp.checkTokenLifetime(tok)
|
||||
if err != nil {
|
||||
return fmt.Errorf("check session lifetime: %w", err)
|
||||
}
|
||||
|
||||
if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
|
||||
return errors.New("invalid signature calculated with session key")
|
||||
}
|
||||
|
||||
return nil
|
||||
return cp.verifyByTokenSession(v, &key, keyProvided)
|
||||
}
|
||||
|
||||
if keyProvided {
|
||||
|
|
@ -145,3 +105,45 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error {
|
|||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (cp *Processor) verifyByTokenSession(v signatureVerificationData, key *frostfsecdsa.PublicKeyRFC6979, keyProvided bool) error {
|
||||
var tok session.Container
|
||||
|
||||
err := tok.Unmarshal(v.binTokenSession)
|
||||
if err != nil {
|
||||
return fmt.Errorf("decode session token: %w", err)
|
||||
}
|
||||
|
||||
if !tok.VerifySignature() {
|
||||
return errors.New("invalid session token signature")
|
||||
}
|
||||
|
||||
// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
|
||||
|
||||
if keyProvided && !tok.AssertAuthKey(key) {
|
||||
return errors.New("signed with a non-session key")
|
||||
}
|
||||
|
||||
if !tok.AssertVerb(v.verb) {
|
||||
return errWrongSessionVerb
|
||||
}
|
||||
|
||||
if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
|
||||
return errWrongCID
|
||||
}
|
||||
|
||||
if !session.IssuedBy(tok, v.ownerContainer) {
|
||||
return errors.New("owner differs with token owner")
|
||||
}
|
||||
|
||||
err = cp.checkTokenLifetime(tok)
|
||||
if err != nil {
|
||||
return fmt.Errorf("check session lifetime: %w", err)
|
||||
}
|
||||
|
||||
if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
|
||||
return errors.New("invalid signature calculated with session key")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue