[#185] ir: Refactor signature verification

Resolve funlen linter for verifySignature method

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Dmitrii Stepanov 2023-03-30 10:46:43 +03:00 committed by Gitea
parent aeb4bbc51e
commit c1cbe6ff2d


@ -46,8 +46,6 @@ type signatureVerificationData struct {
// - v.binPublicKey is a public session key // - v.binPublicKey is a public session key
// - session context corresponds to the container and verb in v // - session context corresponds to the container and verb in v
// - session is "alive" // - session is "alive"
//
// nolint: funlen
func (cp *Processor) verifySignature(v signatureVerificationData) error { func (cp *Processor) verifySignature(v signatureVerificationData) error {
var err error var err error
var key frostfsecdsa.PublicKeyRFC6979 var key frostfsecdsa.PublicKeyRFC6979
@ -61,45 +59,7 @@ func (cp *Processor) verifySignature(v signatureVerificationData) error {
} }
if len(v.binTokenSession) > 0 { if len(v.binTokenSession) > 0 {
var tok session.Container return cp.verifyByTokenSession(v, &key, keyProvided)
err = tok.Unmarshal(v.binTokenSession)
if err != nil {
return fmt.Errorf("decode session token: %w", err)
}
if !tok.VerifySignature() {
return errors.New("invalid session token signature")
}
// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
if keyProvided && !tok.AssertAuthKey(&key) {
return errors.New("signed with a non-session key")
}
if !tok.AssertVerb(v.verb) {
return errWrongSessionVerb
}
if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
return errWrongCID
}
if !session.IssuedBy(tok, v.ownerContainer) {
return errors.New("owner differs with token owner")
}
err = cp.checkTokenLifetime(tok)
if err != nil {
return fmt.Errorf("check session lifetime: %w", err)
}
if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
return errors.New("invalid signature calculated with session key")
}
return nil
} }
if keyProvided { if keyProvided {
@ -145,3 +105,45 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error {
return nil return nil
} }
func (cp *Processor) verifyByTokenSession(v signatureVerificationData, key *frostfsecdsa.PublicKeyRFC6979, keyProvided bool) error {
var tok session.Container
err := tok.Unmarshal(v.binTokenSession)
if err != nil {
return fmt.Errorf("decode session token: %w", err)
}
if !tok.VerifySignature() {
return errors.New("invalid session token signature")
}
// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
if keyProvided && !tok.AssertAuthKey(key) {
return errors.New("signed with a non-session key")
}
if !tok.AssertVerb(v.verb) {
return errWrongSessionVerb
}
if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
return errWrongCID
}
if !session.IssuedBy(tok, v.ownerContainer) {
return errors.New("owner differs with token owner")
}
err = cp.checkTokenLifetime(tok)
if err != nil {
return fmt.Errorf("check session lifetime: %w", err)
}
if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
return errors.New("invalid signature calculated with session key")
}
return nil
}
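Review bot: The new verifyByTokenSession method carries no doc comment, although the checks it now owns were previously enumerated in the header comment of verifySignature; a one-line comment such as `// verifyByTokenSession decodes v.binTokenSession and checks its signature, auth key (when keyProvided), verb, container, issuer and lifetime before verifying v.signature with the session key.` would keep that contract readable at the new location. A second, stylistic point is the `key`/`keyProvided` parameter pair: the method only dereferences `key` when `keyProvided` is true, so the caller could pass a nil `*frostfsecdsa.PublicKeyRFC6979` instead and the method could test `if key != nil && !tok.AssertAuthKey(key)`, which rules out the combination of a true flag with a nil pointer by construction. Whether AssertAuthKey tolerates a nil key is not visible here, so the current pairing is not wrong, only redundant. The caller verifySignature is split across the first two hunks and its remaining body lies outside them, so how keyProvided is derived there is only partly visible.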