[#505] ir/container: Check key ownership during set eACL handling

Use NeoFS ID contract client to check if public key from notification event
is tied to the owner of the container for which the eACL is being changed.
Approve changes coming from the owner of the container only.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich 2021-05-19 15:28:10 +03:00 committed by Alex Vanin
parent b0271aa478
commit 372cba1fca
2 changed files with 36 additions and 2 deletions

View file

@ -7,6 +7,7 @@ import (
"fmt"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
"github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
"go.uber.org/zap"
)
@ -43,9 +44,40 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
return errors.New("invalid signature")
}
// TODO: check key ownership
// verify the identity of the container owner
return cp.checkEACLOwnership(table, key)
}
return nil
func (cp *Processor) checkEACLOwnership(binTable []byte, key *keys.PublicKey) error {
// unmarshal table
table := eacl.NewTable()
err := table.Unmarshal(binTable)
if err != nil {
return fmt.Errorf("invalid binary table: %w", err)
}
// receive owner of the related container
cnr, err := cp.cnrClient.Get(table.CID())
if err != nil {
return fmt.Errorf("could not receive the container: %w", err)
}
ownerID := cnr.OwnerID()
// check key ownership
ownerKeys, err := cp.idClient.AccountKeys(ownerID)
if err != nil {
return fmt.Errorf("could not received owner keys %s: %w", ownerID, err)
}
for _, ownerKey := range ownerKeys {
if ownerKey.Equal(key) {
return nil
}
}
return fmt.Errorf("key %s is not tied to the owner of the container", key)
}
func (cp *Processor) approveSetEACL(e container.SetEACL) {

View file

@ -8,6 +8,7 @@ import (
"github.com/nspcc-dev/neofs-node/pkg/innerring/config"
"github.com/nspcc-dev/neofs-node/pkg/morph/client"
"github.com/nspcc-dev/neofs-node/pkg/morph/client/container/wrapper"
neofsid "github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid/wrapper"
"github.com/nspcc-dev/neofs-node/pkg/morph/event"
containerEvent "github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
"github.com/panjf2000/ants/v2"
@ -29,6 +30,7 @@ type (
alphabetState AlphabetState
feeProvider *config.FeeConfig
cnrClient *wrapper.Wrapper
idClient *neofsid.ClientWrapper
}
// Params of the processor constructor.