From c1cbe6ff2d48bd19b0fa375e70e25ac78590ccbc Mon Sep 17 00:00:00 2001
From: Dmitrii Stepanov <d.stepanov@yadro.com>
Date: Thu, 30 Mar 2023 10:46:43 +0300
Subject: [PATCH] [#185] ir: Refactor signature verification

Resolve funlen linter for verifySignature method

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
---
 pkg/innerring/processors/container/common.go | 84 ++++++++++----------
 1 file changed, 43 insertions(+), 41 deletions(-)

diff --git a/pkg/innerring/processors/container/common.go b/pkg/innerring/processors/container/common.go
index 56adc0ce..375e4c17 100644
--- a/pkg/innerring/processors/container/common.go
+++ b/pkg/innerring/processors/container/common.go
@@ -46,8 +46,6 @@ type signatureVerificationData struct {
 //   - v.binPublicKey is a public session key
 //   - session context corresponds to the container and verb in v
 //   - session is "alive"
-//
-// nolint: funlen
 func (cp *Processor) verifySignature(v signatureVerificationData) error {
 	var err error
 	var key frostfsecdsa.PublicKeyRFC6979
@@ -61,45 +59,7 @@ func (cp *Processor) verifySignature(v signatureVerificationData) error {
 	}
 
 	if len(v.binTokenSession) > 0 {
-		var tok session.Container
-
-		err = tok.Unmarshal(v.binTokenSession)
-		if err != nil {
-			return fmt.Errorf("decode session token: %w", err)
-		}
-
-		if !tok.VerifySignature() {
-			return errors.New("invalid session token signature")
-		}
-
-		// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
-
-		if keyProvided && !tok.AssertAuthKey(&key) {
-			return errors.New("signed with a non-session key")
-		}
-
-		if !tok.AssertVerb(v.verb) {
-			return errWrongSessionVerb
-		}
-
-		if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
-			return errWrongCID
-		}
-
-		if !session.IssuedBy(tok, v.ownerContainer) {
-			return errors.New("owner differs with token owner")
-		}
-
-		err = cp.checkTokenLifetime(tok)
-		if err != nil {
-			return fmt.Errorf("check session lifetime: %w", err)
-		}
-
-		if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
-			return errors.New("invalid signature calculated with session key")
-		}
-
-		return nil
+		return cp.verifyByTokenSession(v, &key, keyProvided)
 	}
 
 	if keyProvided {
@@ -145,3 +105,45 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error {
 
 	return nil
 }
+
+func (cp *Processor) verifyByTokenSession(v signatureVerificationData, key *frostfsecdsa.PublicKeyRFC6979, keyProvided bool) error {
+	var tok session.Container
+
+	err := tok.Unmarshal(v.binTokenSession)
+	if err != nil {
+		return fmt.Errorf("decode session token: %w", err)
+	}
+
+	if !tok.VerifySignature() {
+		return errors.New("invalid session token signature")
+	}
+
+	// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
+
+	if keyProvided && !tok.AssertAuthKey(key) {
+		return errors.New("signed with a non-session key")
+	}
+
+	if !tok.AssertVerb(v.verb) {
+		return errWrongSessionVerb
+	}
+
+	if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
+		return errWrongCID
+	}
+
+	if !session.IssuedBy(tok, v.ownerContainer) {
+		return errors.New("owner differs with token owner")
+	}
+
+	err = cp.checkTokenLifetime(tok)
+	if err != nil {
+		return fmt.Errorf("check session lifetime: %w", err)
+	}
+
+	if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
+		return errors.New("invalid signature calculated with session key")
+	}
+
+	return nil
+}