frostfs-node/pkg/innerring/processors/container/process_eacl.go

package container

import (
	"crypto/elliptic"
	"crypto/sha256"
	"errors"
	"fmt"

	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
	"go.uber.org/zap"
)

func (cp *Processor) processSetEACL(e container.SetEACL) {
	if !cp.alphabetState.IsAlphabet() {
		cp.log.Info("non alphabet mode, ignore set EACL")
		return
	}

	err := cp.checkSetEACL(e)
	if err != nil {
		cp.log.Error("set EACL check failed",
			zap.String("error", err.Error()),
		)

		return
	}

	cp.approveSetEACL(e)
}

func (cp *Processor) checkSetEACL(e container.SetEACL) error {
	// verify signature
	key, err := keys.NewPublicKeyFromBytes(e.PublicKey(), elliptic.P256())
	if err != nil {
		return fmt.Errorf("invalid key: %w", err)
	}

	table := e.Table()
	tableHash := sha256.Sum256(table)

	if !key.Verify(e.Signature(), tableHash[:]) {
		return errors.New("invalid signature")
	}

	// TODO: check key ownership

	return nil
}

func (cp *Processor) approveSetEACL(e container.SetEACL) {
	err := cp.cnrClient.PutEACLBinary(e.Table(), e.PublicKey(), e.Signature())
	if err != nil {
		cp.log.Error("could not approve set EACL",
			zap.String("error", err.Error()),
		)
	}
}
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`package container`

			`import (`
[#505] ir/container: Verify signature of binary eACL tables Add signature check to `checkSetEACL` method of the `setEACL` notification handler in Container processor. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:26:41 +00:00			`"crypto/elliptic"`
			`"crypto/sha256"`
			`"errors"`
			`"fmt"`

			`"github.com/nspcc-dev/neo-go/pkg/crypto/keys"`
[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`"github.com/nspcc-dev/neofs-node/pkg/morph/event/container"`
			`"go.uber.org/zap"`
			`)`

			`func (cp *Processor) processSetEACL(e container.SetEACL) {`
			`if !cp.alphabetState.IsAlphabet() {`
			`cp.log.Info("non alphabet mode, ignore set EACL")`
			`return`
			`}`

			`err := cp.checkSetEACL(e)`
			`if err != nil {`
			`cp.log.Error("set EACL check failed",`
			`zap.String("error", err.Error()),`
			`)`

			`return`
			`}`

			`cp.approveSetEACL(e)`
			`}`

			`func (cp *Processor) checkSetEACL(e container.SetEACL) error {`
[#505] ir/container: Verify signature of binary eACL tables Add signature check to `checkSetEACL` method of the `setEACL` notification handler in Container processor. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:26:41 +00:00			`// verify signature`
			`key, err := keys.NewPublicKeyFromBytes(e.PublicKey(), elliptic.P256())`
			`if err != nil {`
			`return fmt.Errorf("invalid key: %w", err)`
			`}`

			`table := e.Table()`
			`tableHash := sha256.Sum256(table)`

			`if !key.Verify(e.Signature(), tableHash[:]) {`
			`return errors.New("invalid signature")`
			`}`

			`// TODO: check key ownership`

[#505] ir/container: Implement simplified handling of SetEACL event Implement `handleSetEACL` method similar to other handling methods in Container processor. To begin with, the validation logic is skipped, and all tables will be sent to the contract. In the future, the necessary checks will be implemented. Listening for events in the IR node will also be added. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru> 2021-05-19 12:18:07 +00:00			`return nil`
			`}`

			`func (cp *Processor) approveSetEACL(e container.SetEACL) {`
			`err := cp.cnrClient.PutEACLBinary(e.Table(), e.PublicKey(), e.Signature())`
			`if err != nil {`
			`cp.log.Error("could not approve set EACL",`
			`zap.String("error", err.Error()),`
			`)`
			`}`
			`}`