frostfs-node/pkg/innerring/processors/container/process_eacl.go

101 lines
2.3 KiB
Go
Raw Normal View History

package container
import (
"crypto/elliptic"
"crypto/sha256"
"errors"
"fmt"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neofs-node/pkg/morph/client/container/wrapper"
"github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
"github.com/nspcc-dev/neofs-sdk-go/eacl"
"github.com/nspcc-dev/neofs-sdk-go/session"
"go.uber.org/zap"
)
func (cp *Processor) processSetEACL(e container.SetEACL) {
if !cp.alphabetState.IsAlphabet() {
cp.log.Info("non alphabet mode, ignore set EACL")
return
}
err := cp.checkSetEACL(e)
if err != nil {
cp.log.Error("set EACL check failed",
zap.String("error", err.Error()),
)
return
}
cp.approveSetEACL(e)
}
func (cp *Processor) checkSetEACL(e container.SetEACL) error {
// verify signature
key, err := keys.NewPublicKeyFromBytes(e.PublicKey(), elliptic.P256())
if err != nil {
return fmt.Errorf("invalid key: %w", err)
}
binTable := e.Table()
tableHash := sha256.Sum256(binTable)
if !key.Verify(e.Signature(), tableHash[:]) {
return errors.New("invalid signature")
}
// verify the identity of the container owner
// unmarshal table
table := eacl.NewTable()
err = table.Unmarshal(binTable)
if err != nil {
return fmt.Errorf("invalid binary table: %w", err)
}
// receive owner of the related container
cnr, err := wrapper.Get(cp.cnrClient, table.CID())
if err != nil {
return fmt.Errorf("could not receive the container: %w", err)
}
// unmarshal session token if presented
tok, err := tokenFromEvent(e)
if err != nil {
return err
}
if tok != nil {
// check token context
err = checkTokenContextWithCID(tok, table.CID(), func(c *session.ContainerContext) bool {
return c.IsForSetEACL()
})
if err != nil {
return err
}
}
// check key ownership
return cp.checkKeyOwnership(cnr, key)
}
func (cp *Processor) approveSetEACL(e container.SetEACL) {
var err error
if nr := e.NotaryRequest(); nr != nil {
// setEACL event was received via Notary service
err = cp.cnrClient.Morph().NotarySignAndInvokeTX(nr.MainTransaction)
} else {
// setEACL event was received via notification service
err = cp.cnrClient.PutEACL(e.Table(), e.PublicKey(), e.Signature(), e.SessionToken())
}
if err != nil {
cp.log.Error("could not approve set EACL",
zap.String("error", err.Error()),
)
}
}