frostfs-node/services/public/object/bearer.go

73 lines
1.8 KiB
Go
Raw Normal View History

package object
import (
"context"
"github.com/nspcc-dev/neofs-api-go/service"
crypto "github.com/nspcc-dev/neofs-crypto"
"github.com/nspcc-dev/neofs-node/lib/implementations"
"github.com/pkg/errors"
)
type bearerTokenVerifier interface {
verifyBearerToken(context.Context, CID, service.BearerToken) error
}
type complexBearerVerifier struct {
items []bearerTokenVerifier
}
type bearerActualityVerifier struct {
epochRecv EpochReceiver
}
type bearerOwnershipVerifier struct {
cnrOwnerChecker implementations.ContainerOwnerChecker
}
type bearerSignatureVerifier struct{}
var errWrongBearerOwner = errors.New("bearer author is not a container owner")
func (s complexBearerVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
for i := range s.items {
if err := s.items[i].verifyBearerToken(ctx, cid, token); err != nil {
return err
}
}
return nil
}
func (s bearerActualityVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
local := s.epochRecv.Epoch()
validUntil := token.ExpirationEpoch()
if local > validUntil {
return errors.Errorf("bearer token is expired (local %d, valid until %d)",
local,
validUntil,
)
}
return nil
}
func (s bearerOwnershipVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
isOwner, err := s.cnrOwnerChecker.IsContainerOwner(ctx, cid, token.GetOwnerID())
if err != nil {
return err
} else if !isOwner {
return errWrongBearerOwner
}
return nil
}
func (s bearerSignatureVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
return service.VerifySignatureWithKey(
crypto.UnmarshalPublicKey(token.GetOwnerKey()),
service.NewVerifiedBearerToken(token),
)
}