2021-05-19 16:14:00 +00:00
|
|
|
package container
|
|
|
|
|
|
|
|
import (
|
2021-05-27 12:07:39 +00:00
|
|
|
"bytes"
|
2021-05-25 09:09:44 +00:00
|
|
|
"crypto/ecdsa"
|
2021-05-27 12:07:39 +00:00
|
|
|
"crypto/elliptic"
|
|
|
|
"errors"
|
2021-05-19 16:14:00 +00:00
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
2022-01-31 11:04:59 +00:00
|
|
|
"github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid"
|
2021-11-10 07:08:33 +00:00
|
|
|
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
|
|
|
|
"github.com/nspcc-dev/neofs-sdk-go/session"
|
2022-05-17 13:59:46 +00:00
|
|
|
"github.com/nspcc-dev/neofs-sdk-go/user"
|
2021-05-19 16:14:00 +00:00
|
|
|
)
|
|
|
|
|
2021-05-28 12:39:27 +00:00
|
|
|
var (
|
|
|
|
errWrongSessionContext = errors.New("wrong session context")
|
|
|
|
errWrongSessionVerb = errors.New("wrong token verb")
|
|
|
|
errWrongCID = errors.New("wrong container ID")
|
|
|
|
)
|
|
|
|
|
2021-05-19 16:14:00 +00:00
|
|
|
type ownerIDSource interface {
|
2022-05-17 13:59:46 +00:00
|
|
|
OwnerID() *user.ID
|
2021-05-19 16:14:00 +00:00
|
|
|
}
|
|
|
|
|
2021-05-27 12:07:39 +00:00
|
|
|
func tokenFromEvent(src interface {
|
|
|
|
SessionToken() []byte
|
|
|
|
}) (*session.Token, error) {
|
|
|
|
binToken := src.SessionToken()
|
|
|
|
|
|
|
|
if len(binToken) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
tok := session.NewToken()
|
|
|
|
|
|
|
|
err := tok.Unmarshal(binToken)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not unmarshal session token: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return tok, nil
|
|
|
|
}
|
|
|
|
|
2021-05-19 16:14:00 +00:00
|
|
|
func (cp *Processor) checkKeyOwnership(ownerIDSrc ownerIDSource, key *keys.PublicKey) error {
|
2021-05-27 12:07:39 +00:00
|
|
|
if tokenSrc, ok := ownerIDSrc.(interface {
|
|
|
|
SessionToken() *session.Token
|
|
|
|
}); ok {
|
|
|
|
if token := tokenSrc.SessionToken(); token != nil {
|
|
|
|
return cp.checkKeyOwnershipWithToken(ownerIDSrc, key, tokenSrc.SessionToken())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-05-17 13:59:46 +00:00
|
|
|
ownerSrc := ownerIDSrc.OwnerID()
|
|
|
|
if ownerSrc == nil {
|
|
|
|
return errors.New("missing owner")
|
|
|
|
}
|
|
|
|
|
|
|
|
var ownerKey user.ID
|
|
|
|
user.IDFromKey(&ownerKey, (ecdsa.PublicKey)(*key))
|
|
|
|
|
|
|
|
if ownerSrc.Equals(ownerKey) {
|
2021-05-25 09:09:44 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-11-11 08:59:14 +00:00
|
|
|
prm := neofsid.AccountKeysPrm{}
|
|
|
|
prm.SetID(ownerIDSrc.OwnerID())
|
|
|
|
|
|
|
|
ownerKeys, err := cp.idClient.AccountKeys(prm)
|
2021-05-19 16:14:00 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("could not received owner keys %s: %w", ownerIDSrc.OwnerID(), err)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, ownerKey := range ownerKeys {
|
|
|
|
if ownerKey.Equal(key) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return fmt.Errorf("key %s is not tied to the owner of the container", key)
|
|
|
|
}
|
2021-05-27 12:07:39 +00:00
|
|
|
|
|
|
|
func (cp *Processor) checkKeyOwnershipWithToken(ownerIDSrc ownerIDSource, key *keys.PublicKey, token *session.Token) error {
|
|
|
|
// check session key
|
|
|
|
if !bytes.Equal(
|
|
|
|
key.Bytes(),
|
|
|
|
token.SessionKey(),
|
|
|
|
) {
|
|
|
|
return errors.New("signed with a non-session key")
|
|
|
|
}
|
|
|
|
|
2022-05-17 13:59:46 +00:00
|
|
|
ownerToken, ownerSrc := token.OwnerID(), ownerIDSrc.OwnerID()
|
|
|
|
|
2021-05-27 12:07:39 +00:00
|
|
|
// check owner
|
2022-05-17 13:59:46 +00:00
|
|
|
if ownerToken == nil || ownerSrc == nil || !ownerToken.Equals(*ownerSrc) {
|
2021-05-27 12:07:39 +00:00
|
|
|
return errors.New("owner differs with token owner")
|
|
|
|
}
|
|
|
|
|
|
|
|
err := cp.checkSessionToken(token)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("invalid session token: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cp *Processor) checkSessionToken(token *session.Token) error {
|
|
|
|
// verify signature
|
2021-05-28 12:45:10 +00:00
|
|
|
if !token.VerifySignature() {
|
2021-05-27 12:07:39 +00:00
|
|
|
return errors.New("invalid signature")
|
|
|
|
}
|
|
|
|
|
2021-06-04 15:02:25 +00:00
|
|
|
// check lifetime
|
|
|
|
err := cp.checkTokenLifetime(token)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2021-05-27 12:07:39 +00:00
|
|
|
// check token owner's key ownership
|
|
|
|
|
2022-05-16 13:15:31 +00:00
|
|
|
// FIXME(@cthulhu-rider): #1387 see neofs-sdk-go#233
|
|
|
|
key, err := keys.NewPublicKeyFromBytes(token.ToV2().GetSignature().GetKey(), elliptic.P256())
|
2021-05-27 12:07:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("invalid key: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return cp.checkKeyOwnership(token, key)
|
|
|
|
}
|
2021-05-28 12:39:27 +00:00
|
|
|
|
|
|
|
type verbAssert func(*session.ContainerContext) bool
|
|
|
|
|
|
|
|
func contextWithVerifiedVerb(tok *session.Token, verbAssert verbAssert) (*session.ContainerContext, error) {
|
|
|
|
c := session.GetContainerContext(tok)
|
|
|
|
if c == nil {
|
|
|
|
return nil, errWrongSessionContext
|
|
|
|
}
|
|
|
|
|
|
|
|
if !verbAssert(c) {
|
|
|
|
return nil, errWrongSessionVerb
|
|
|
|
}
|
|
|
|
|
|
|
|
return c, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkTokenContext(tok *session.Token, verbAssert verbAssert) error {
|
|
|
|
_, err := contextWithVerifiedVerb(tok, verbAssert)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-05-12 16:37:46 +00:00
|
|
|
func checkTokenContextWithCID(tok *session.Token, id cid.ID, verbAssert verbAssert) error {
|
2021-05-28 12:39:27 +00:00
|
|
|
c, err := contextWithVerifiedVerb(tok, verbAssert)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
tokCID := c.Container()
|
2022-05-12 16:37:46 +00:00
|
|
|
if tokCID != nil && !tokCID.Equals(id) {
|
2021-05-28 12:39:27 +00:00
|
|
|
return errWrongCID
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2021-06-04 15:02:25 +00:00
|
|
|
|
|
|
|
func (cp *Processor) checkTokenLifetime(token *session.Token) error {
|
|
|
|
curEpoch, err := cp.netState.Epoch()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("could not read current epoch: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
nbf := token.Nbf()
|
|
|
|
if curEpoch < nbf {
|
|
|
|
return fmt.Errorf("token is not valid yet: nbf %d, cur %d", nbf, curEpoch)
|
|
|
|
}
|
|
|
|
|
|
|
|
iat := token.Iat()
|
|
|
|
if curEpoch < iat {
|
|
|
|
return fmt.Errorf("token is issued in future: iat %d, cur %d", iat, curEpoch)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := token.Exp()
|
|
|
|
if curEpoch >= exp {
|
|
|
|
return fmt.Errorf("token is expired: exp %d, cur %d", exp, curEpoch)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|