package v2 import ( "crypto/ecdsa" "crypto/elliptic" "errors" "fmt" objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object" refsV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs" sessionV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" sessionSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" ) var errMissingContainerID = errors.New("missing container ID") func getContainerIDFromRequest(req any) (cid.ID, error) { var idV2 *refsV2.ContainerID var id cid.ID switch v := req.(type) { case *objectV2.GetRequest: idV2 = v.GetBody().GetAddress().GetContainerID() case *objectV2.PutRequest: part, ok := v.GetBody().GetObjectPart().(*objectV2.PutObjectPartInit) if !ok { return cid.ID{}, errors.New("can't get container ID in chunk") } idV2 = part.GetHeader().GetContainerID() case *objectV2.HeadRequest: idV2 = v.GetBody().GetAddress().GetContainerID() case *objectV2.SearchRequest: idV2 = v.GetBody().GetContainerID() case *objectV2.DeleteRequest: idV2 = v.GetBody().GetAddress().GetContainerID() case *objectV2.GetRangeRequest: idV2 = v.GetBody().GetAddress().GetContainerID() case *objectV2.GetRangeHashRequest: idV2 = v.GetBody().GetAddress().GetContainerID() case *objectV2.PutSingleRequest: idV2 = v.GetBody().GetObject().GetHeader().GetContainerID() case *objectV2.PatchRequest: idV2 = v.GetBody().GetAddress().GetContainerID() default: return cid.ID{}, errors.New("unknown request type") } if idV2 == nil { return cid.ID{}, errMissingContainerID } return id, id.ReadFromV2(*idV2) } // originalBearerToken goes down to original request meta header and fetches // bearer token from there. func originalBearerToken(header *sessionV2.RequestMetaHeader) (*bearer.Token, error) { for header.GetOrigin() != nil { header = header.GetOrigin() } tokV2 := header.GetBearerToken() if tokV2 == nil { return nil, nil } var tok bearer.Token return &tok, tok.ReadFromV2(*tokV2) } // originalSessionToken goes down to original request meta header and fetches // session token from there. func originalSessionToken(header *sessionV2.RequestMetaHeader) (*sessionSDK.Object, error) { for header.GetOrigin() != nil { header = header.GetOrigin() } tokV2 := header.GetSessionToken() if tokV2 == nil { return nil, nil } var tok sessionSDK.Object err := tok.ReadFromV2(*tokV2) if err != nil { return nil, fmt.Errorf("invalid session token: %w", err) } return &tok, nil } // getObjectIDFromRequestBody decodes oid.ID from the common interface of the // object reference's holders. Returns an error if object ID is missing in the request. func getObjectIDFromRequestBody(body interface{ GetAddress() *refsV2.Address }) (*oid.ID, error) { idV2 := body.GetAddress().GetObjectID() return getObjectIDFromRefObjectID(idV2) } func getObjectIDFromRefObjectID(idV2 *refsV2.ObjectID) (*oid.ID, error) { if idV2 == nil { return nil, errors.New("missing object ID") } var id oid.ID err := id.ReadFromV2(*idV2) if err != nil { return nil, err } return &id, nil } func ownerFromToken(token *sessionSDK.Object) (*user.ID, *keys.PublicKey, error) { // 1. First check signature of session token. if !token.VerifySignature() { return nil, nil, errInvalidSessionSig } // 2. Then check if session token owner issued the session token // TODO(@cthulhu-rider): #468 implement and use another approach to avoid conversion var tokV2 sessionV2.Token token.WriteToV2(&tokV2) tokenIssuerKey, err := unmarshalPublicKey(tokV2.GetSignature().GetKey()) if err != nil { return nil, nil, fmt.Errorf("invalid key in session token signature: %w", err) } tokenIssuer := token.Issuer() if !isOwnerFromKey(tokenIssuer, tokenIssuerKey) { // TODO: #767 in this case we can issue all owner keys from frostfs.id and check once again return nil, nil, errInvalidSessionOwner } return &tokenIssuer, tokenIssuerKey, nil } func originalBodySignature(v *sessionV2.RequestVerificationHeader) *refsV2.Signature { if v == nil { return nil } for v.GetOrigin() != nil { v = v.GetOrigin() } return v.GetBodySignature() } func unmarshalPublicKey(bs []byte) (*keys.PublicKey, error) { return keys.NewPublicKeyFromBytes(bs, elliptic.P256()) } func isOwnerFromKey(id user.ID, key *keys.PublicKey) bool { if key == nil { return false } var id2 user.ID user.IDFromKey(&id2, (ecdsa.PublicKey)(*key)) return id2.Equals(id) } // assertVerb checks that token verb corresponds to op. func assertVerb(tok sessionSDK.Object, op acl.Op) bool { switch op { case acl.OpObjectPut: return tok.AssertVerb(sessionSDK.VerbObjectPut, sessionSDK.VerbObjectDelete, sessionSDK.VerbObjectPatch) case acl.OpObjectDelete: return tok.AssertVerb(sessionSDK.VerbObjectDelete) case acl.OpObjectGet: return tok.AssertVerb(sessionSDK.VerbObjectGet) case acl.OpObjectHead: return tok.AssertVerb( sessionSDK.VerbObjectHead, sessionSDK.VerbObjectGet, sessionSDK.VerbObjectDelete, sessionSDK.VerbObjectRange, sessionSDK.VerbObjectRangeHash, sessionSDK.VerbObjectPatch, ) case acl.OpObjectSearch: return tok.AssertVerb(sessionSDK.VerbObjectSearch, sessionSDK.VerbObjectDelete) case acl.OpObjectRange: return tok.AssertVerb(sessionSDK.VerbObjectRange, sessionSDK.VerbObjectRangeHash, sessionSDK.VerbObjectPatch) case acl.OpObjectHash: return tok.AssertVerb(sessionSDK.VerbObjectRangeHash) } return false } // assertSessionRelation checks if given token describing the FrostFS session // relates to the given container and optional object. Missing object // means that the context isn't bound to any FrostFS object in the container. // Returns no error iff relation is correct. Criteria: // // session is bound to the given container // object is not specified or session is bound to this object // // Session MUST be bound to the particular container, otherwise behavior is undefined. func assertSessionRelation(tok sessionSDK.Object, cnr cid.ID, obj *oid.ID) error { if !tok.AssertContainer(cnr) { return errors.New("requested container is not related to the session") } if obj != nil && !tok.AssertObject(*obj) { return errors.New("requested object is not related to the session") } return nil }