forked from TrueCloudLab/frostfs-api-go
Merge branch 'release/0.2.9'
This commit is contained in:
commit
e945525510
16 changed files with 190 additions and 38 deletions
18
CHANGELOG.md
18
CHANGELOG.md
|
@ -1,6 +1,23 @@
|
||||||
# Changelog
|
# Changelog
|
||||||
This is the changelog for NeoFS Proto
|
This is the changelog for NeoFS Proto
|
||||||
|
|
||||||
|
## [0.2.9] - 2020-01-17
|
||||||
|
|
||||||
|
### Added
|
||||||
|
- Docs for container ACL field
|
||||||
|
- Public key header in the object with docs
|
||||||
|
- Public key field in the session token with docs
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
- Routine to verify correct object checks if integrity header is last and
|
||||||
|
may use public key header if verification header is not present
|
||||||
|
- Routine to verify correct session token checks if keys in the token
|
||||||
|
associated with owner id
|
||||||
|
- Updated neofs-crypto to v0.2.3
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
- Timestamp in object tombstone header
|
||||||
|
|
||||||
## [0.2.8] - 2019-12-21
|
## [0.2.8] - 2019-12-21
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
@ -88,3 +105,4 @@ Initial public release
|
||||||
[0.2.6]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.5...v0.2.6
|
[0.2.6]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.5...v0.2.6
|
||||||
[0.2.7]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.6...v0.2.7
|
[0.2.7]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.6...v0.2.7
|
||||||
[0.2.8]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.7...v0.2.8
|
[0.2.8]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.7...v0.2.8
|
||||||
|
[0.2.9]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.8...v0.2.9
|
||||||
|
|
|
@ -21,6 +21,8 @@
|
||||||
- [container/types.proto](#container/types.proto)
|
- [container/types.proto](#container/types.proto)
|
||||||
|
|
||||||
- Messages
|
- Messages
|
||||||
|
- [AccessControlList](#container.AccessControlList)
|
||||||
|
- [AccessGroup](#container.AccessGroup)
|
||||||
- [Container](#container.Container)
|
- [Container](#container.Container)
|
||||||
|
|
||||||
|
|
||||||
|
@ -164,6 +166,7 @@ via consensus in inner ring nodes
|
||||||
| Capacity | [uint64](#uint64) | | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
|
| Capacity | [uint64](#uint64) | | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
|
||||||
| OwnerID | [bytes](#bytes) | | OwnerID is a wallet address |
|
| OwnerID | [bytes](#bytes) | | OwnerID is a wallet address |
|
||||||
| rules | [netmap.PlacementRule](#netmap.PlacementRule) | | Rules define storage policy for the object inside the container. |
|
| rules | [netmap.PlacementRule](#netmap.PlacementRule) | | Rules define storage policy for the object inside the container. |
|
||||||
|
| Group | [AccessGroup](#container.AccessGroup) | | Container ACL. |
|
||||||
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
||||||
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
||||||
|
|
||||||
|
@ -193,6 +196,29 @@ via consensus in inner ring nodes
|
||||||
<!-- end services -->
|
<!-- end services -->
|
||||||
|
|
||||||
|
|
||||||
|
<a name="container.AccessControlList"></a>
|
||||||
|
|
||||||
|
### Message AccessControlList
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
| Field | Type | Label | Description |
|
||||||
|
| ----- | ---- | ----- | ----------- |
|
||||||
|
| List | [AccessGroup](#container.AccessGroup) | repeated | List of access groups. |
|
||||||
|
|
||||||
|
|
||||||
|
<a name="container.AccessGroup"></a>
|
||||||
|
|
||||||
|
### Message AccessGroup
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
| Field | Type | Label | Description |
|
||||||
|
| ----- | ---- | ----- | ----------- |
|
||||||
|
| AccessMode | [uint32](#uint32) | | Group access mode. |
|
||||||
|
| UserGroup | [bytes](#bytes) | repeated | Group members. |
|
||||||
|
|
||||||
|
|
||||||
<a name="container.Container"></a>
|
<a name="container.Container"></a>
|
||||||
|
|
||||||
### Message Container
|
### Message Container
|
||||||
|
@ -205,6 +231,7 @@ The Container service definition.
|
||||||
| Salt | [bytes](#bytes) | | Salt is a nonce for unique container id calculation. |
|
| Salt | [bytes](#bytes) | | Salt is a nonce for unique container id calculation. |
|
||||||
| Capacity | [uint64](#uint64) | | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
|
| Capacity | [uint64](#uint64) | | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
|
||||||
| Rules | [netmap.PlacementRule](#netmap.PlacementRule) | | Rules define storage policy for the object inside the container. |
|
| Rules | [netmap.PlacementRule](#netmap.PlacementRule) | | Rules define storage policy for the object inside the container. |
|
||||||
|
| List | [AccessControlList](#container.AccessControlList) | | Container ACL. |
|
||||||
|
|
||||||
<!-- end messages -->
|
<!-- end messages -->
|
||||||
|
|
||||||
|
|
|
@ -33,6 +33,7 @@
|
||||||
- [IntegrityHeader](#object.IntegrityHeader)
|
- [IntegrityHeader](#object.IntegrityHeader)
|
||||||
- [Link](#object.Link)
|
- [Link](#object.Link)
|
||||||
- [Object](#object.Object)
|
- [Object](#object.Object)
|
||||||
|
- [PublicKey](#object.PublicKey)
|
||||||
- [Range](#object.Range)
|
- [Range](#object.Range)
|
||||||
- [SystemHeader](#object.SystemHeader)
|
- [SystemHeader](#object.SystemHeader)
|
||||||
- [Tombstone](#object.Tombstone)
|
- [Tombstone](#object.Tombstone)
|
||||||
|
@ -368,6 +369,7 @@ in distributed system.
|
||||||
| PayloadChecksum | [bytes](#bytes) | | PayloadChecksum of actual object's payload |
|
| PayloadChecksum | [bytes](#bytes) | | PayloadChecksum of actual object's payload |
|
||||||
| Integrity | [IntegrityHeader](#object.IntegrityHeader) | | Integrity header with checksum of all above headers in the object |
|
| Integrity | [IntegrityHeader](#object.IntegrityHeader) | | Integrity header with checksum of all above headers in the object |
|
||||||
| StorageGroup | [storagegroup.StorageGroup](#storagegroup.StorageGroup) | | StorageGroup contains meta information for the data audit |
|
| StorageGroup | [storagegroup.StorageGroup](#storagegroup.StorageGroup) | | StorageGroup contains meta information for the data audit |
|
||||||
|
| PublicKey | [PublicKey](#object.PublicKey) | | PublicKey of owner of the object. Key is used for verification and can be based on NeoID or x509 cert. |
|
||||||
|
|
||||||
|
|
||||||
<a name="object.IntegrityHeader"></a>
|
<a name="object.IntegrityHeader"></a>
|
||||||
|
@ -407,6 +409,17 @@ in distributed system.
|
||||||
| Payload | [bytes](#bytes) | | Payload is an object's payload |
|
| Payload | [bytes](#bytes) | | Payload is an object's payload |
|
||||||
|
|
||||||
|
|
||||||
|
<a name="object.PublicKey"></a>
|
||||||
|
|
||||||
|
### Message PublicKey
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
| Field | Type | Label | Description |
|
||||||
|
| ----- | ---- | ----- | ----------- |
|
||||||
|
| Value | [bytes](#bytes) | | Value contains marshaled ecdsa public key |
|
||||||
|
|
||||||
|
|
||||||
<a name="object.Range"></a>
|
<a name="object.Range"></a>
|
||||||
|
|
||||||
### Message Range
|
### Message Range
|
||||||
|
@ -441,10 +454,6 @@ in distributed system.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
| Field | Type | Label | Description |
|
|
||||||
| ----- | ---- | ----- | ----------- |
|
|
||||||
| Epoch | [uint64](#uint64) | | Epoch when tombstone was created |
|
|
||||||
|
|
||||||
|
|
||||||
<a name="object.Transform"></a>
|
<a name="object.Transform"></a>
|
||||||
|
|
||||||
|
|
|
@ -115,6 +115,7 @@ User token granting rights for object manipulation
|
||||||
| ObjectID | [bytes](#bytes) | repeated | ObjectID is an object identifier of manipulation object |
|
| ObjectID | [bytes](#bytes) | repeated | ObjectID is an object identifier of manipulation object |
|
||||||
| Signature | [bytes](#bytes) | | Signature is a token signature, signed by owner of manipulation object |
|
| Signature | [bytes](#bytes) | | Signature is a token signature, signed by owner of manipulation object |
|
||||||
| ID | [bytes](#bytes) | | ID is a token identifier. valid UUIDv4 represented in bytes |
|
| ID | [bytes](#bytes) | | ID is a token identifier. valid UUIDv4 represented in bytes |
|
||||||
|
| PublicKeys | [bytes](#bytes) | repeated | PublicKeys associated with owner |
|
||||||
|
|
||||||
|
|
||||||
<a name="session.VerificationHeader"></a>
|
<a name="session.VerificationHeader"></a>
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -7,7 +7,7 @@ require (
|
||||||
github.com/golang/protobuf v1.3.2
|
github.com/golang/protobuf v1.3.2
|
||||||
github.com/google/uuid v1.1.1
|
github.com/google/uuid v1.1.1
|
||||||
github.com/mr-tron/base58 v1.1.3
|
github.com/mr-tron/base58 v1.1.3
|
||||||
github.com/nspcc-dev/neofs-crypto v0.2.2
|
github.com/nspcc-dev/neofs-crypto v0.2.3
|
||||||
github.com/nspcc-dev/netmap v1.6.1
|
github.com/nspcc-dev/netmap v1.6.1
|
||||||
github.com/nspcc-dev/tzhash v1.3.0
|
github.com/nspcc-dev/tzhash v1.3.0
|
||||||
github.com/pkg/errors v0.8.1
|
github.com/pkg/errors v0.8.1
|
||||||
|
|
8
go.sum
8
go.sum
|
@ -106,12 +106,12 @@ github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjW
|
||||||
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||||
github.com/nspcc-dev/hrw v1.0.8 h1:vwRuJXZXgkMvf473vFzeWGCfY1WBVeSHAEHvR4u3/Cg=
|
github.com/nspcc-dev/hrw v1.0.8 h1:vwRuJXZXgkMvf473vFzeWGCfY1WBVeSHAEHvR4u3/Cg=
|
||||||
github.com/nspcc-dev/hrw v1.0.8/go.mod h1:l/W2vx83vMQo6aStyx2AuZrJ+07lGv2JQGlVkPG06MU=
|
github.com/nspcc-dev/hrw v1.0.8/go.mod h1:l/W2vx83vMQo6aStyx2AuZrJ+07lGv2JQGlVkPG06MU=
|
||||||
github.com/nspcc-dev/neofs-crypto v0.2.2 h1:jLc5O+Wdpaq7L4lNYFX7li+OP4I1FsvvcPW1NXm3erY=
|
github.com/nspcc-dev/neofs-crypto v0.2.3 h1:aca3X2aly92ENRbFK+kH6Hd+J9EQ4Eu6XMVoITSIKtc=
|
||||||
github.com/nspcc-dev/neofs-crypto v0.2.2/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA=
|
github.com/nspcc-dev/neofs-crypto v0.2.3/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
||||||
github.com/nspcc-dev/netmap v1.6.1 h1:Pigqpqi6QSdRiusbq5XlO20A18k6Eyu7j9MzOfAE3CM=
|
github.com/nspcc-dev/netmap v1.6.1 h1:Pigqpqi6QSdRiusbq5XlO20A18k6Eyu7j9MzOfAE3CM=
|
||||||
github.com/nspcc-dev/netmap v1.6.1/go.mod h1:mhV3UOg9ljQmu0teQShD6+JYX09XY5gu2I4hIByCH9M=
|
github.com/nspcc-dev/netmap v1.6.1/go.mod h1:mhV3UOg9ljQmu0teQShD6+JYX09XY5gu2I4hIByCH9M=
|
||||||
github.com/nspcc-dev/rfc6979 v0.1.0 h1:Lwg7esRRoyK1Up/IN1vAef1EmvrBeMHeeEkek2fAJ6c=
|
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
||||||
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||||
github.com/nspcc-dev/tzhash v1.3.0 h1:n6FTHsfPYbMi5Jmo6SwGVVRQD8i2w1P2ScCaW6rz69Q=
|
github.com/nspcc-dev/tzhash v1.3.0 h1:n6FTHsfPYbMi5Jmo6SwGVVRQD8i2w1P2ScCaW6rz69Q=
|
||||||
github.com/nspcc-dev/tzhash v1.3.0/go.mod h1:Lc4DersKS8MNIrunTmsAzANO56qnG+LZ4GOE/WYGVzU=
|
github.com/nspcc-dev/tzhash v1.3.0/go.mod h1:Lc4DersKS8MNIrunTmsAzANO56qnG+LZ4GOE/WYGVzU=
|
||||||
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
|
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
package object
|
package object
|
||||||
|
// todo: all extensions must be transferred to the separate util library
|
||||||
|
|
||||||
import "github.com/nspcc-dev/neofs-proto/storagegroup"
|
import "github.com/nspcc-dev/neofs-proto/storagegroup"
|
||||||
|
|
||||||
|
|
|
@ -67,6 +67,8 @@ const (
|
||||||
IntegrityHdr
|
IntegrityHdr
|
||||||
// StorageGroupHdr is a storage group header type.
|
// StorageGroupHdr is a storage group header type.
|
||||||
StorageGroupHdr
|
StorageGroupHdr
|
||||||
|
// PublicKeyHdr is a public key header type.
|
||||||
|
PublicKeyHdr
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -140,6 +142,8 @@ func (m Header) typeOf(t isHeader_Value) (ok bool) {
|
||||||
_, ok = m.Value.(*Header_Integrity)
|
_, ok = m.Value.(*Header_Integrity)
|
||||||
case *Header_StorageGroup:
|
case *Header_StorageGroup:
|
||||||
_, ok = m.Value.(*Header_StorageGroup)
|
_, ok = m.Value.(*Header_StorageGroup)
|
||||||
|
case *Header_PublicKey:
|
||||||
|
_, ok = m.Value.(*Header_PublicKey)
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -168,6 +172,8 @@ func HeaderType(t headerType) Pred {
|
||||||
return func(h *Header) bool { _, ok := h.Value.(*Header_Integrity); return ok }
|
return func(h *Header) bool { _, ok := h.Value.(*Header_Integrity); return ok }
|
||||||
case StorageGroupHdr:
|
case StorageGroupHdr:
|
||||||
return func(h *Header) bool { _, ok := h.Value.(*Header_StorageGroup); return ok }
|
return func(h *Header) bool { _, ok := h.Value.(*Header_StorageGroup); return ok }
|
||||||
|
case PublicKeyHdr:
|
||||||
|
return func(h *Header) bool { _, ok := h.Value.(*Header_PublicKey); return ok }
|
||||||
default:
|
default:
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
Binary file not shown.
|
@ -45,13 +45,12 @@ message Header {
|
||||||
IntegrityHeader Integrity = 9;
|
IntegrityHeader Integrity = 9;
|
||||||
// StorageGroup contains meta information for the data audit
|
// StorageGroup contains meta information for the data audit
|
||||||
storagegroup.StorageGroup StorageGroup = 10;
|
storagegroup.StorageGroup StorageGroup = 10;
|
||||||
|
// PublicKey of owner of the object. Key is used for verification and can be based on NeoID or x509 cert.
|
||||||
|
PublicKey PublicKey = 11;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
message Tombstone {
|
message Tombstone {}
|
||||||
// Epoch when tombstone was created
|
|
||||||
uint64 Epoch = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
message SystemHeader {
|
message SystemHeader {
|
||||||
// Version of the object structure
|
// Version of the object structure
|
||||||
|
@ -125,3 +124,8 @@ message Object {
|
||||||
// Payload is an object's payload
|
// Payload is an object's payload
|
||||||
bytes Payload = 3;
|
bytes Payload = 3;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
message PublicKey {
|
||||||
|
// Value contains marshaled ecdsa public key
|
||||||
|
bytes Value = 1;
|
||||||
|
}
|
||||||
|
|
|
@ -63,28 +63,35 @@ func (m Object) verifySignature(key []byte, ih *IntegrityHeader) error {
|
||||||
// Verify performs local integrity check by finding verification header and
|
// Verify performs local integrity check by finding verification header and
|
||||||
// integrity header. If header integrity is passed, function verifies
|
// integrity header. If header integrity is passed, function verifies
|
||||||
// checksum of the object payload.
|
// checksum of the object payload.
|
||||||
|
// todo: move this verification logic into separate library
|
||||||
func (m Object) Verify() error {
|
func (m Object) Verify() error {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
checksum []byte
|
checksum []byte
|
||||||
|
pubkey []byte
|
||||||
)
|
)
|
||||||
// Prepare structures
|
ind, ih := m.LastHeader(HeaderType(IntegrityHdr))
|
||||||
_, vh := m.LastHeader(HeaderType(VerifyHdr))
|
if ih == nil || ind != len(m.Headers) - 1{
|
||||||
if vh == nil {
|
|
||||||
return ErrHeaderNotFound
|
|
||||||
}
|
|
||||||
verify := vh.Value.(*Header_Verify).Verify
|
|
||||||
|
|
||||||
_, ih := m.LastHeader(HeaderType(IntegrityHdr))
|
|
||||||
if ih == nil {
|
|
||||||
return ErrHeaderNotFound
|
return ErrHeaderNotFound
|
||||||
}
|
}
|
||||||
integrity := ih.Value.(*Header_Integrity).Integrity
|
integrity := ih.Value.(*Header_Integrity).Integrity
|
||||||
|
|
||||||
|
// Prepare structures
|
||||||
|
_, vh := m.LastHeader(HeaderType(VerifyHdr))
|
||||||
|
if vh == nil {
|
||||||
|
_, pkh := m.LastHeader(HeaderType(PublicKeyHdr))
|
||||||
|
if pkh == nil {
|
||||||
|
return ErrHeaderNotFound
|
||||||
|
}
|
||||||
|
pubkey = pkh.Value.(*Header_PublicKey).PublicKey.Value
|
||||||
|
} else {
|
||||||
|
pubkey = vh.Value.(*Header_Verify).Verify.PublicKey
|
||||||
|
}
|
||||||
|
|
||||||
// Verify signature
|
// Verify signature
|
||||||
err = m.verifySignature(verify.PublicKey, integrity)
|
err = m.verifySignature(pubkey, integrity)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrapf(err, "public key: %x", verify.PublicKey)
|
return errors.Wrapf(err, "public key: %x", pubkey)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify checksum of header
|
// Verify checksum of header
|
||||||
|
@ -111,22 +118,32 @@ func (m Object) Verify() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sign creates new integrity header and adds it to the end of the list of
|
// CreateIntegrityHeader returns signed integrity header for the object
|
||||||
// extended headers.
|
func CreateIntegrityHeader(obj *Object, key *ecdsa.PrivateKey) (*Header, error) {
|
||||||
func (m *Object) Sign(key *ecdsa.PrivateKey) error {
|
headerChecksum, err := obj.headersChecksum(false)
|
||||||
headerChecksum, err := m.headersChecksum(false)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return nil, err
|
||||||
}
|
}
|
||||||
headerChecksumSignature, err := crypto.Sign(key, headerChecksum)
|
headerChecksumSignature, err := crypto.Sign(key, headerChecksum)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return nil, err
|
||||||
}
|
}
|
||||||
m.AddHeader(&Header{Value: &Header_Integrity{
|
|
||||||
|
return &Header{Value: &Header_Integrity{
|
||||||
Integrity: &IntegrityHeader{
|
Integrity: &IntegrityHeader{
|
||||||
HeadersChecksum: headerChecksum,
|
HeadersChecksum: headerChecksum,
|
||||||
ChecksumSignature: headerChecksumSignature,
|
ChecksumSignature: headerChecksumSignature,
|
||||||
},
|
},
|
||||||
}})
|
}}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign creates new integrity header and adds it to the end of the list of
|
||||||
|
// extended headers.
|
||||||
|
func (m *Object) Sign(key *ecdsa.PrivateKey) error {
|
||||||
|
ih, err := CreateIntegrityHeader(m, key)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
m.AddHeader(ih)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -56,7 +56,7 @@ func TestObject_Verify(t *testing.T) {
|
||||||
obj.SetPayload(payload)
|
obj.SetPayload(payload)
|
||||||
obj.SetHeader(&Header{Value: &Header_PayloadChecksum{[]byte("incorrect checksum")}})
|
obj.SetHeader(&Header{Value: &Header_PayloadChecksum{[]byte("incorrect checksum")}})
|
||||||
|
|
||||||
t.Run("error no integrity header", func(t *testing.T) {
|
t.Run("error no integrity header and pubkey", func(t *testing.T) {
|
||||||
err = obj.Verify()
|
err = obj.Verify()
|
||||||
require.EqualError(t, err, ErrHeaderNotFound.Error())
|
require.EqualError(t, err, ErrHeaderNotFound.Error())
|
||||||
})
|
})
|
||||||
|
@ -83,12 +83,25 @@ func TestObject_Verify(t *testing.T) {
|
||||||
}
|
}
|
||||||
obj.SetVerificationHeader(vh)
|
obj.SetVerificationHeader(vh)
|
||||||
|
|
||||||
|
// validation header is not last
|
||||||
|
t.Run("error validation header is not last", func(t *testing.T) {
|
||||||
|
err = obj.Verify()
|
||||||
|
require.EqualError(t, err, ErrHeaderNotFound.Error())
|
||||||
|
})
|
||||||
|
|
||||||
|
obj.Headers = obj.Headers[:len(obj.Headers)-2]
|
||||||
|
obj.SetVerificationHeader(vh)
|
||||||
|
obj.SetHeader(&Header{Value: &Header_Integrity{ih}})
|
||||||
|
|
||||||
t.Run("error invalid header checksum", func(t *testing.T) {
|
t.Run("error invalid header checksum", func(t *testing.T) {
|
||||||
err = obj.Verify()
|
err = obj.Verify()
|
||||||
require.EqualError(t, err, ErrVerifyHeader.Error())
|
require.EqualError(t, err, ErrVerifyHeader.Error())
|
||||||
})
|
})
|
||||||
|
|
||||||
require.NoError(t, obj.Sign(sessionkey))
|
obj.Headers = obj.Headers[:len(obj.Headers)-1]
|
||||||
|
genIH, err := CreateIntegrityHeader(obj, sessionkey)
|
||||||
|
require.NoError(t, err)
|
||||||
|
obj.SetHeader(genIH)
|
||||||
|
|
||||||
t.Run("error invalid payload checksum", func(t *testing.T) {
|
t.Run("error invalid payload checksum", func(t *testing.T) {
|
||||||
err = obj.Verify()
|
err = obj.Verify()
|
||||||
|
@ -96,10 +109,39 @@ func TestObject_Verify(t *testing.T) {
|
||||||
})
|
})
|
||||||
|
|
||||||
obj.SetHeader(&Header{Value: &Header_PayloadChecksum{obj.PayloadChecksum()}})
|
obj.SetHeader(&Header{Value: &Header_PayloadChecksum{obj.PayloadChecksum()}})
|
||||||
require.NoError(t, obj.Sign(sessionkey))
|
|
||||||
|
|
||||||
t.Run("correct", func(t *testing.T) {
|
obj.Headers = obj.Headers[:len(obj.Headers)-1]
|
||||||
|
genIH, err = CreateIntegrityHeader(obj, sessionkey)
|
||||||
|
require.NoError(t, err)
|
||||||
|
obj.SetHeader(genIH)
|
||||||
|
|
||||||
|
t.Run("correct with vh", func(t *testing.T) {
|
||||||
err = obj.Verify()
|
err = obj.Verify()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
pkh := Header{Value: &Header_PublicKey{&PublicKey{
|
||||||
|
Value: crypto.MarshalPublicKey(&key.PublicKey),
|
||||||
|
}}}
|
||||||
|
// replace vh with pkh
|
||||||
|
obj.Headers[len(obj.Headers)-2] = pkh
|
||||||
|
// re-sign object
|
||||||
|
obj.Sign(sessionkey)
|
||||||
|
|
||||||
|
|
||||||
|
t.Run("incorrect with bad public key", func(t *testing.T) {
|
||||||
|
err = obj.Verify()
|
||||||
|
require.Error(t, err)
|
||||||
|
})
|
||||||
|
|
||||||
|
obj.SetHeader(&Header{Value: &Header_PublicKey{&PublicKey{
|
||||||
|
Value: dataPK,
|
||||||
|
}}})
|
||||||
|
obj.Sign(sessionkey)
|
||||||
|
|
||||||
|
t.Run("correct with good public key", func(t *testing.T) {
|
||||||
|
err = obj.Verify()
|
||||||
|
require.NoError(t, err)
|
||||||
|
})
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -31,20 +31,22 @@ func newTestClient(t *testing.T) *testClient {
|
||||||
|
|
||||||
func signToken(t *testing.T, token *PToken, c *testClient) {
|
func signToken(t *testing.T, token *PToken, c *testClient) {
|
||||||
require.NotNil(t, token)
|
require.NotNil(t, token)
|
||||||
|
token.SetPublicKeys(&c.PublicKey)
|
||||||
|
|
||||||
signH, err := c.Sign(token.Header.PublicKey)
|
signH, err := c.Sign(token.Header.PublicKey)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, signH)
|
require.NotNil(t, signH)
|
||||||
|
|
||||||
// data is not yet signed
|
// data is not yet signed
|
||||||
require.False(t, token.Verify(&c.PublicKey))
|
keys := UnmarshalPublicKeys(&token.Token)
|
||||||
|
require.False(t, token.Verify(keys...))
|
||||||
|
|
||||||
signT, err := c.Sign(token.verificationData())
|
signT, err := c.Sign(token.verificationData())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, signT)
|
require.NotNil(t, signT)
|
||||||
|
|
||||||
token.AddSignatures(signH, signT)
|
token.AddSignatures(signH, signT)
|
||||||
require.True(t, token.Verify(&c.PublicKey))
|
require.True(t, token.Verify(keys...))
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTokenStore(t *testing.T) {
|
func TestTokenStore(t *testing.T) {
|
||||||
|
|
|
@ -6,6 +6,7 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
||||||
|
"github.com/nspcc-dev/neofs-proto/chain"
|
||||||
"github.com/nspcc-dev/neofs-proto/internal"
|
"github.com/nspcc-dev/neofs-proto/internal"
|
||||||
"github.com/nspcc-dev/neofs-proto/refs"
|
"github.com/nspcc-dev/neofs-proto/refs"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
@ -111,11 +112,24 @@ func (m *Token) Sign(key *ecdsa.PrivateKey) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetPublicKeys sets owner's public keys to the token
|
||||||
|
func (m *Token) SetPublicKeys(keys... *ecdsa.PublicKey) {
|
||||||
|
m.PublicKeys = m.PublicKeys[:0]
|
||||||
|
for i := range keys {
|
||||||
|
m.PublicKeys = append(m.PublicKeys, crypto.MarshalPublicKey(keys[i]))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Verify checks if token is correct and signed.
|
// Verify checks if token is correct and signed.
|
||||||
func (m *Token) Verify(keys ...*ecdsa.PublicKey) bool {
|
func (m *Token) Verify(keys ...*ecdsa.PublicKey) bool {
|
||||||
if m.FirstEpoch > m.LastEpoch {
|
if m.FirstEpoch > m.LastEpoch {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
ownerFromKeys := chain.KeysToAddress(keys...)
|
||||||
|
if m.OwnerID.String() != ownerFromKeys {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
for i := range keys {
|
for i := range keys {
|
||||||
if m.Header.Verify(keys[i]) && crypto.Verify(keys[i], m.verificationData(), m.Signature) == nil {
|
if m.Header.Verify(keys[i]) && crypto.Verify(keys[i], m.verificationData(), m.Signature) == nil {
|
||||||
return true
|
return true
|
||||||
|
@ -156,3 +170,12 @@ func (m *VerificationHeader) Verify(keys ...*ecdsa.PublicKey) bool {
|
||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// UnmarshalPublicKeys returns unmarshal public keys from the token
|
||||||
|
func UnmarshalPublicKeys(t *Token) []*ecdsa.PublicKey {
|
||||||
|
r := make([]*ecdsa.PublicKey, 0, len(t.PublicKeys))
|
||||||
|
for i := range t.PublicKeys {
|
||||||
|
r = append(r, crypto.UnmarshalPublicKey(t.PublicKeys[i]))
|
||||||
|
}
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
Binary file not shown.
|
@ -29,4 +29,6 @@ message Token {
|
||||||
bytes Signature = 6;
|
bytes Signature = 6;
|
||||||
// ID is a token identifier. valid UUIDv4 represented in bytes
|
// ID is a token identifier. valid UUIDv4 represented in bytes
|
||||||
bytes ID = 7 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
|
bytes ID = 7 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
|
||||||
|
// PublicKeys associated with owner
|
||||||
|
repeated bytes PublicKeys = 8;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue