Alexander Chuprov
9b113c3156
Some checks failed
DCO action / DCO (pull_request) Successful in 59s
Vulncheck / Vulncheck (pull_request) Successful in 1m4s
Pre-commit hooks / Pre-commit (pull_request) Successful in 1m55s
Build / Build Components (pull_request) Successful in 2m4s
Tests and linters / Staticcheck (pull_request) Successful in 2m38s
Tests and linters / Lint (pull_request) Successful in 3m16s
Tests and linters / Run gofumpt (pull_request) Successful in 3m54s
Tests and linters / Tests (pull_request) Successful in 4m12s
Tests and linters / gopls check (pull_request) Successful in 4m31s
Tests and linters / Tests with -race (pull_request) Successful in 4m38s
OCI image / Build container images (push) Failing after 18s
Vulncheck / Vulncheck (push) Successful in 1m2s
Pre-commit hooks / Pre-commit (push) Successful in 1m39s
Build / Build Components (push) Successful in 1m45s
Tests and linters / Staticcheck (push) Successful in 2m18s
Tests and linters / Run gofumpt (push) Successful in 2m46s
Tests and linters / Lint (push) Successful in 3m5s
Tests and linters / Tests with -race (push) Successful in 3m23s
Tests and linters / Tests (push) Successful in 3m52s
Tests and linters / gopls check (push) Successful in 4m18s
Signed-off-by: Alexander Chuprov <a.chuprov@yadro.com>
132 lines
3.3 KiB
Go
132 lines
3.3 KiB
Go
package container
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"errors"
|
|
"fmt"
|
|
|
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
|
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
|
)
|
|
|
|
var (
|
|
errWrongSessionVerb = errors.New("wrong token verb")
|
|
errWrongCID = errors.New("wrong container ID")
|
|
)
|
|
|
|
type signatureVerificationData struct {
|
|
ownerContainer user.ID
|
|
|
|
verb session.ContainerVerb
|
|
|
|
idContainerSet bool
|
|
idContainer cid.ID
|
|
|
|
binTokenSession []byte
|
|
|
|
binPublicKey []byte
|
|
|
|
signature []byte
|
|
|
|
signedData []byte
|
|
}
|
|
|
|
// verifySignature is a common method of Container service authentication. Asserts that:
|
|
// - for trusted parties: session is valid (*) and issued by container owner
|
|
// - operation data is signed by container owner or trusted party
|
|
// - operation data signature is correct
|
|
//
|
|
// (*) includes:
|
|
// - session token decodes correctly
|
|
// - signature is valid
|
|
// - session issued by the container owner
|
|
// - v.binPublicKey is a public session key
|
|
// - session context corresponds to the container and verb in v
|
|
// - session is "alive"
|
|
func (cp *Processor) verifySignature(ctx context.Context, v signatureVerificationData) error {
|
|
var err error
|
|
var key frostfsecdsa.PublicKeyRFC6979
|
|
keyProvided := v.binPublicKey != nil
|
|
|
|
if keyProvided {
|
|
err = key.Decode(v.binPublicKey)
|
|
if err != nil {
|
|
return fmt.Errorf("decode public key: %w", err)
|
|
}
|
|
}
|
|
|
|
if len(v.binTokenSession) > 0 {
|
|
return cp.verifyByTokenSession(ctx, v, &key, keyProvided)
|
|
}
|
|
|
|
if keyProvided {
|
|
var idFromKey user.ID
|
|
user.IDFromKey(&idFromKey, (ecdsa.PublicKey)(key))
|
|
|
|
if v.ownerContainer.Equals(idFromKey) {
|
|
if key.Verify(v.signedData, v.signature) {
|
|
return nil
|
|
}
|
|
|
|
return errors.New("invalid signature calculated by container owner's key")
|
|
}
|
|
}
|
|
|
|
return errors.New("signature is invalid or calculated with the key not bound to the container owner")
|
|
}
|
|
|
|
func (cp *Processor) checkTokenLifetime(ctx context.Context, token session.Container) error {
|
|
curEpoch, err := cp.netState.Epoch(ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("could not read current epoch: %w", err)
|
|
}
|
|
|
|
if token.InvalidAt(curEpoch) {
|
|
return fmt.Errorf("token is not valid at %d", curEpoch)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (cp *Processor) verifyByTokenSession(ctx context.Context, v signatureVerificationData, key *frostfsecdsa.PublicKeyRFC6979, keyProvided bool) error {
|
|
var tok session.Container
|
|
|
|
err := tok.Unmarshal(v.binTokenSession)
|
|
if err != nil {
|
|
return fmt.Errorf("decode session token: %w", err)
|
|
}
|
|
|
|
if !tok.VerifySignature() {
|
|
return errors.New("invalid session token signature")
|
|
}
|
|
|
|
if keyProvided && !tok.AssertAuthKey(key) {
|
|
return errors.New("signed with a non-session key")
|
|
}
|
|
|
|
if !tok.AssertVerb(v.verb) {
|
|
return errWrongSessionVerb
|
|
}
|
|
|
|
if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
|
|
return errWrongCID
|
|
}
|
|
|
|
if !session.IssuedBy(tok, v.ownerContainer) {
|
|
return errors.New("owner differs with token owner")
|
|
}
|
|
|
|
err = cp.checkTokenLifetime(ctx, tok)
|
|
if err != nil {
|
|
return fmt.Errorf("check session lifetime: %w", err)
|
|
}
|
|
|
|
if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
|
|
return errors.New("invalid signature calculated with session key")
|
|
}
|
|
|
|
return nil
|
|
}
|