frostfs-rest-gw/handlers/auth_test.go

package handlers

import (
	"crypto/ecdsa"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math"
	"testing"

	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"github.com/nspcc-dev/neofs-api-go/v2/acl"
	crypto "github.com/nspcc-dev/neofs-crypto"
	"github.com/nspcc-dev/neofs-rest-gw/gen/models"
	"github.com/nspcc-dev/neofs-rest-gw/internal/util"
	"github.com/nspcc-dev/neofs-sdk-go/user"
	"github.com/stretchr/testify/require"
)

const devenvPrivateKey = "1dd37fba80fec4e6a6f13fd708d8dcb3b29def768017052f6c930fa1c5d90bbb"

func TestSign(t *testing.T) {
	key, err := keys.NewPrivateKeyFromHex(devenvPrivateKey)
	require.NoError(t, err)

	pubKeyHex := hex.EncodeToString(key.PublicKey().Bytes())

	records := []*models.Record{{
		Operation: models.NewOperation(models.OperationPUT),
		Action:    models.NewAction(models.ActionALLOW),
		Filters:   []*models.Filter{},
		Targets: []*models.Target{{
			Role: models.NewRole(models.RoleOTHERS),
			Keys: []string{},
		}},
	}}

	btoken, err := util.ToNativeObjectToken(records)
	require.NoError(t, err)

	btoken.SetExp(math.MaxInt64)

	ownerKey, err := keys.NewPublicKeyFromString(pubKeyHex)
	require.NoError(t, err)

	var owner user.ID
	user.IDFromKey(&owner, *(*ecdsa.PublicKey)(ownerKey))
	btoken.ForUser(owner)

	var v2token acl.BearerToken
	btoken.WriteToV2(&v2token)

	binaryBearer := v2token.GetBody().StableMarshal(nil)
	bearerBase64 := base64.StdEncoding.EncodeToString(binaryBearer)

	signatureData, err := crypto.Sign(&key.PrivateKey, binaryBearer)
	require.NoError(t, err)

	bt := &BearerToken{
		Token:     bearerBase64,
		Signature: hex.EncodeToString(signatureData),
		Key:       pubKeyHex,
	}

	_, err = prepareBearerToken(bt, false, false)
	require.NoError(t, err)
}

func TestWalletConnect20Signature(t *testing.T) {
	stV10 := &SessionToken{
		BearerToken: BearerToken{
			Token:     "ChAMDRXN+epG44eLachkJJQKEhsKGTV0c7bhRT/GDdQsm7gPCNG63g4isq97/E8aBgixAhjNASIhAzFSJMOEdkH6YbJYhHN0w1wrgiz/QFPZvQ2D/8oqNrQjMgQIARAB",
			Signature: "87f54d849fc887dfda7546b4edde6f83397cea798a0c5edf979149659007fbe868e7d8a3b6813c56a81c266a5d28956b28b59ba87cd6aff09d518bcfe11474276e5c3d4d714eb13d43601cae70aef11e",
			Key:       "027e9b7e3b9f07b6bcb59b050f11616c78f433806d4314f7c72e5ac1d9f4d1fb02",
		},
		Verb: 1,
	}

	stV20 := &SessionToken{
		BearerToken: BearerToken{
			Token:     "ChBLgy6hRhBIpJVysyjM84OUEhsKGTV0c7bhRT/GDdQsm7gPCNG63g4isq97/E8aBgi0AhjQASIhAkwGSfK6lIf6HkuzG1YSSeFn5D/qIesknvBFTGN8qod5MgQIARAB",
			Signature: "e286951bfd1cc172b70fcd6a832d2121a5a635493a5b15c385b8001e676576df308898615cc25efc7fd649a7b3052453338b96671776d498c15cf032fdb072ec30f30aba0bb9375c6575fac8a4d4a19d",
			Key:       "027e9b7e3b9f07b6bcb59b050f11616c78f433806d4314f7c72e5ac1d9f4d1fb02",
		},
		Verb: 1,
	}

	_, err1 := prepareSessionToken(stV10, true)
	require.NoError(t, err1)

	err2 := prepareSessionToken2(stV20)
	require.NoError(t, err2)

}

func prepareSessionToken2(st *SessionToken) error {
	data := []byte(st.Token)

	signature, err := hex.DecodeString(st.Signature)
	if err != nil {
		return fmt.Errorf("couldn't decode signature: %w", err)
	}

	ownerKey, err := keys.NewPublicKeyFromString(st.Key)
	if err != nil {
		return fmt.Errorf("couldn't fetch session token owner key: %w", err)
	}

	if !Verify((*ecdsa.PublicKey)(ownerKey), data, signature) {
		return fmt.Errorf("invalid signature")
	}

	return nil
}
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`package handlers`

			`import (`
			`"crypto/ecdsa"`
			`"encoding/base64"`
			`"encoding/hex"`
[#78] POC wallet connect 2.0 verification 2022-11-30 11:54:57 +00:00			`"fmt"`
[#16] Update SDK to v1.0.0-rc.5 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-12 08:01:21 +00:00			`"math"`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`"testing"`

			`"github.com/nspcc-dev/neo-go/pkg/crypto/keys"`
[#16] Update SDK to v1.0.0-rc.5 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-12 08:01:21 +00:00			`"github.com/nspcc-dev/neofs-api-go/v2/acl"`
[#61] Fix tests Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-08-30 13:07:14 +00:00			`crypto "github.com/nspcc-dev/neofs-crypto"`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`"github.com/nspcc-dev/neofs-rest-gw/gen/models"`
[#1] Make walletconnect package internal Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-29 06:39:24 +00:00			`"github.com/nspcc-dev/neofs-rest-gw/internal/util"`
[#16] Update SDK to v1.0.0-rc.5 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-12 08:01:21 +00:00			`"github.com/nspcc-dev/neofs-sdk-go/user"`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`"github.com/stretchr/testify/require"`
			`)`

			`const devenvPrivateKey = "1dd37fba80fec4e6a6f13fd708d8dcb3b29def768017052f6c930fa1c5d90bbb"`

			`func TestSign(t *testing.T) {`
			`key, err := keys.NewPrivateKeyFromHex(devenvPrivateKey)`
			`require.NoError(t, err)`

			`pubKeyHex := hex.EncodeToString(key.PublicKey().Bytes())`

[#15] Accept list of tokens to sign Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-07 09:02:05 +00:00			`records := []*models.Record{{`
			`Operation: models.NewOperation(models.OperationPUT),`
			`Action: models.NewAction(models.ActionALLOW),`
			`Filters: []*models.Filter{},`
			`Targets: []*models.Target{{`
			`Role: models.NewRole(models.RoleOTHERS),`
			`Keys: []string{},`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`}},`
[#15] Accept list of tokens to sign Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-07 09:02:05 +00:00			`}}`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00
[#15] Accept list of tokens to sign Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-07 09:02:05 +00:00			`btoken, err := util.ToNativeObjectToken(records)`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`require.NoError(t, err)`

[#16] Update SDK to v1.0.0-rc.5 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-12 08:01:21 +00:00			`btoken.SetExp(math.MaxInt64)`

[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`ownerKey, err := keys.NewPublicKeyFromString(pubKeyHex)`
			`require.NoError(t, err)`

[#16] Update SDK to v1.0.0-rc.5 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-12 08:01:21 +00:00			`var owner user.ID`
			`user.IDFromKey(&owner, (ecdsa.PublicKey)(ownerKey))`
			`btoken.ForUser(owner)`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00
[#16] Update SDK to v1.0.0-rc.5 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-12 08:01:21 +00:00			`var v2token acl.BearerToken`
			`btoken.WriteToV2(&v2token)`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00
[#16] Update SDK to v1.0.0-rc.5 Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-07-12 08:01:21 +00:00			`binaryBearer := v2token.GetBody().StableMarshal(nil)`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`bearerBase64 := base64.StdEncoding.EncodeToString(binaryBearer)`

[#61] Fix tests Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-08-30 13:07:14 +00:00			`signatureData, err := crypto.Sign(&key.PrivateKey, binaryBearer)`
			`require.NoError(t, err)`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00
			`bt := &BearerToken{`
			`Token: bearerBase64,`
[#11] Receive hex encoded bearer token signature Signed-off-by: Alex Vanin <alexey@nspcc.ru> 2022-06-16 09:12:26 +00:00			`Signature: hex.EncodeToString(signatureData),`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`Key: pubKeyHex,`
			`}`

[#32] Support full bearer token for object routes Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-08-18 15:41:33 +00:00			`_, err = prepareBearerToken(bt, false, false)`
[#1] Add basic structure and operations Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-04-11 09:35:06 +00:00			`require.NoError(t, err)`
			`}`
[#78] POC wallet connect 2.0 verification 2022-11-30 11:54:57 +00:00
			`func TestWalletConnect20Signature(t *testing.T) {`
			`stV10 := &SessionToken{`
			`BearerToken: BearerToken{`
			`Token: "ChAMDRXN+epG44eLachkJJQKEhsKGTV0c7bhRT/GDdQsm7gPCNG63g4isq97/E8aBgixAhjNASIhAzFSJMOEdkH6YbJYhHN0w1wrgiz/QFPZvQ2D/8oqNrQjMgQIARAB",`
			`Signature: "87f54d849fc887dfda7546b4edde6f83397cea798a0c5edf979149659007fbe868e7d8a3b6813c56a81c266a5d28956b28b59ba87cd6aff09d518bcfe11474276e5c3d4d714eb13d43601cae70aef11e",`
			`Key: "027e9b7e3b9f07b6bcb59b050f11616c78f433806d4314f7c72e5ac1d9f4d1fb02",`
			`},`
			`Verb: 1,`
			`}`

			`stV20 := &SessionToken{`
			`BearerToken: BearerToken{`
			`Token: "ChBLgy6hRhBIpJVysyjM84OUEhsKGTV0c7bhRT/GDdQsm7gPCNG63g4isq97/E8aBgi0AhjQASIhAkwGSfK6lIf6HkuzG1YSSeFn5D/qIesknvBFTGN8qod5MgQIARAB",`
			`Signature: "e286951bfd1cc172b70fcd6a832d2121a5a635493a5b15c385b8001e676576df308898615cc25efc7fd649a7b3052453338b96671776d498c15cf032fdb072ec30f30aba0bb9375c6575fac8a4d4a19d",`
			`Key: "027e9b7e3b9f07b6bcb59b050f11616c78f433806d4314f7c72e5ac1d9f4d1fb02",`
			`},`
			`Verb: 1,`
			`}`

			`_, err1 := prepareSessionToken(stV10, true)`
			`require.NoError(t, err1)`

			`err2 := prepareSessionToken2(stV20)`
			`require.NoError(t, err2)`

			`}`

			`func prepareSessionToken2(st *SessionToken) error {`
			`data := []byte(st.Token)`

			`signature, err := hex.DecodeString(st.Signature)`
			`if err != nil {`
			`return fmt.Errorf("couldn't decode signature: %w", err)`
			`}`

			`ownerKey, err := keys.NewPublicKeyFromString(st.Key)`
			`if err != nil {`
			`return fmt.Errorf("couldn't fetch session token owner key: %w", err)`
			`}`

			`if !Verify((*ecdsa.PublicKey)(ownerKey), data, signature) {`
			`return fmt.Errorf("invalid signature")`
			`}`

			`return nil`
			`}`