package object
import (
"context"
"github.com/nspcc-dev/neofs-api-go/service"
crypto "github.com/nspcc-dev/neofs-crypto"
"github.com/nspcc-dev/neofs-node/pkg/core/container/storage"
"github.com/pkg/errors"
)
// bearerTokenVerifier checks one aspect of a bearer token presented for
// access to the container identified by the CID argument.
//
// A nil result means the check passed; any non-nil error rejects the token.
type bearerTokenVerifier interface {
	verifyBearerToken(context.Context, CID, service.BearerToken) error
}
// complexBearerVerifier chains several bearerTokenVerifier checks.
//
// Its verifyBearerToken applies the items in slice order and stops at the
// first rejection, so cheaper or more decisive checks should be placed first.
type complexBearerVerifier struct {
	// items holds the nested verifiers in the order they are applied.
	items []bearerTokenVerifier
}
// bearerActualityVerifier rejects bearer tokens whose expiration epoch is
// already behind the node's current epoch.
type bearerActualityVerifier struct {
	// epochRecv supplies the local epoch the token's expiration is compared
	// against.
	epochRecv EpochReceiver
}
// bearerOwnershipVerifier accepts a bearer token only when its owner ID is
// the owner of the container it is presented for.
type bearerOwnershipVerifier struct {
	// cnrStorage is the container storage consulted to resolve the
	// container's owner (via isContainerOwner).
	cnrStorage storage.Storage
}
// bearerSignatureVerifier is a stateless check that the bearer token's
// signature verifies under the owner public key carried inside the token.
type bearerSignatureVerifier struct{}
// errWrongBearerOwner is returned by bearerOwnershipVerifier when the token's
// owner ID is not the owner of the target container.
var errWrongBearerOwner = errors.New("bearer author is not a container owner")
// verifyBearerToken runs every nested verifier in slice order and stops at
// the first one that rejects the token.
//
// Returns the first non-nil error reported by a nested verifier, or nil when
// all of them accept the token (an empty chain accepts everything).
func (s complexBearerVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
	for _, verifier := range s.items {
		err := verifier.verifyBearerToken(ctx, cid, token)
		if err != nil {
			return err
		}
	}

	return nil
}
// verifyBearerToken rejects a token whose expiration epoch lies before the
// node's current epoch.
//
// The comparison is inclusive: a token is still accepted when the local epoch
// equals its expiration epoch. On rejection the error message carries both
// epochs to ease debugging of clock/epoch drift between client and node.
// NOTE(review): only the upper bound is checked here; whether the token type
// carries a not-before epoch is not visible from this file — confirm.
func (s bearerActualityVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
	current := s.epochRecv.Epoch()
	expires := token.ExpirationEpoch()

	if expires >= current {
		return nil
	}

	return errors.Errorf("bearer token is expired (local %d, valid until %d)", current, expires)
}
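// verifyBearerToken accepts the token only when its owner ID is the owner of
// container cid, as recorded in the container storage.
//
// Returns the lookup error from isContainerOwner unchanged, errWrongBearerOwner
// when the owner ID does not match, and nil when it does. The context is
// currently not forwarded to the storage lookup.
func (s bearerOwnershipVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
	isOwner, err := isContainerOwner(s.cnrStorage, cid, token.GetOwnerID())
	if err != nil {
		// Propagated as-is so callers can still match it against the
		// storage layer's own errors.
		return err
	}

	// Guard clause instead of an else-branch after the terminating return.
	if !isOwner {
		return errWrongBearerOwner
	}

	return nil
}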
// verifyBearerToken checks that the token's signature verifies under the
// owner public key embedded in the token itself.
//
// Because the key is taken from the token, a successful check proves the
// token was signed by whoever holds that key; it does not by itself establish
// that the key belongs to token.GetOwnerID(). NOTE(review): that binding is
// not checked here — confirm it is covered by another verifier in the chain.
// NOTE(review): UnmarshalPublicKey may yield a nil key for malformed input;
// this relies on VerifySignatureWithKey rejecting a nil key — confirm.
func (s bearerSignatureVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
	ownerKey := crypto.UnmarshalPublicKey(token.GetOwnerKey())
	signed := service.NewVerifiedBearerToken(token)

	return service.VerifySignatureWithKey(ownerKey, signed)
}