diff --git a/pkg/innerring/processors/container/common.go b/pkg/innerring/processors/container/common.go
index 56adc0ce..375e4c17 100644
--- a/pkg/innerring/processors/container/common.go
+++ b/pkg/innerring/processors/container/common.go
@@ -46,8 +46,6 @@ type signatureVerificationData struct {
 // - v.binPublicKey is a public session key
 // - session context corresponds to the container and verb in v
 // - session is "alive"
-//
-// nolint: funlen
 func (cp *Processor) verifySignature(v signatureVerificationData) error {
 	var err error
 	var key frostfsecdsa.PublicKeyRFC6979
@@ -61,45 +59,7 @@ func (cp *Processor) verifySignature(v signatureVerificationData) error {
 	}
 
 	if len(v.binTokenSession) > 0 {
-		var tok session.Container
-
-		err = tok.Unmarshal(v.binTokenSession)
-		if err != nil {
-			return fmt.Errorf("decode session token: %w", err)
-		}
-
-		if !tok.VerifySignature() {
-			return errors.New("invalid session token signature")
-		}
-
-		// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
-
-		if keyProvided && !tok.AssertAuthKey(&key) {
-			return errors.New("signed with a non-session key")
-		}
-
-		if !tok.AssertVerb(v.verb) {
-			return errWrongSessionVerb
-		}
-
-		if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
-			return errWrongCID
-		}
-
-		if !session.IssuedBy(tok, v.ownerContainer) {
-			return errors.New("owner differs with token owner")
-		}
-
-		err = cp.checkTokenLifetime(tok)
-		if err != nil {
-			return fmt.Errorf("check session lifetime: %w", err)
-		}
-
-		if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
-			return errors.New("invalid signature calculated with session key")
-		}
-
-		return nil
+		return cp.verifyByTokenSession(v, &key, keyProvided)
 	}
 
 	if keyProvided {
@@ -145,3 +105,45 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error {
 
 	return nil
 }
+
+func (cp *Processor) verifyByTokenSession(v signatureVerificationData, key *frostfsecdsa.PublicKeyRFC6979, keyProvided bool) error {
+	var tok session.Container
+
+	err := tok.Unmarshal(v.binTokenSession)
+	if err != nil {
+		return fmt.Errorf("decode session token: %w", err)
+	}
+
+	if !tok.VerifySignature() {
+		return errors.New("invalid session token signature")
+	}
+
+	// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
+
+	if keyProvided && !tok.AssertAuthKey(key) {
+		return errors.New("signed with a non-session key")
+	}
+
+	if !tok.AssertVerb(v.verb) {
+		return errWrongSessionVerb
+	}
+
+	if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
+		return errWrongCID
+	}
+
+	if !session.IssuedBy(tok, v.ownerContainer) {
+		return errors.New("owner differs with token owner")
+	}
+
+	err = cp.checkTokenLifetime(tok)
+	if err != nil {
+		return fmt.Errorf("check session lifetime: %w", err)
+	}
+
+	if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
+		return errors.New("invalid signature calculated with session key")
+	}
+
+	return nil
+}
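Review bot: verifyByTokenSession carries no doc comment, yet it is now the only place where the session-token checks happen, while the preconditions it enforces are still listed only on verifySignature in the previous hunk; a reader of the helper cannot tell what "verified" means without jumping back. I would add above the signature: `// verifyByTokenSession checks that v.binTokenSession decodes to a container session token that is correctly signed, issued by v.ownerContainer, bound to the expected verb and container, still alive, and (when keyProvided) bound to key; on success it verifies v.signature over v.signedData with the session key.` The `key`/`keyProvided` pair should also be documented as a unit, since a nil key with keyProvided true would be passed straight into AssertAuthKey — the only caller in the previous hunk passes `&key`, so this is a contract note rather than a live defect. The carried-over FIXME still marks that the token's own signature is not tied to the issuer beyond the IssuedBy identity comparison; since this refactor moves that gap into a new function, the commit message or the comment should say the gap is intentionally unchanged so it is not mistaken for a closed issue. Finally, `err := tok.Unmarshal(...)` followed by `if err != nil` could be folded into `if err := tok.Unmarshal(v.binTokenSession); err != nil {`, with the later `err = cp.checkTokenLifetime(tok)` handled the same way.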