[#185] ir: Refactor signature verification

Resolve funlen linter for verifySignature method Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-03-30 10:46:43 +03:00 · 2023-03-30 10:46:43 +03:00 · c1cbe6ff2d
commit c1cbe6ff2d
parent aeb4bbc51e
1 changed files with 43 additions and 41 deletions
--- a/pkg/innerring/processors/container/common.go
+++ b/pkg/innerring/processors/container/common.go
@ -46,8 +46,6 @@ type signatureVerificationData struct {
 //   - v.binPublicKey is a public session key
 //   - session context corresponds to the container and verb in v
 //   - session is "alive"
 //
 // nolint: funlen
 func (cp *Processor) verifySignature(v signatureVerificationData) error {
 	var err error
 	var key frostfsecdsa.PublicKeyRFC6979
@ -61,45 +59,7 @@ func (cp *Processor) verifySignature(v signatureVerificationData) error {
 	}
 	if len(v.binTokenSession) > 0 {
-		var tok session.Container
+		return cp.verifyByTokenSession(v, &key, keyProvided)
 		err = tok.Unmarshal(v.binTokenSession)
 		if err != nil {
 			return fmt.Errorf("decode session token: %w", err)
 		}
 		if !tok.VerifySignature() {
 			return errors.New("invalid session token signature")
 		}
 		// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
 		if keyProvided && !tok.AssertAuthKey(&key) {
 			return errors.New("signed with a non-session key")
 		}
 		if !tok.AssertVerb(v.verb) {
 			return errWrongSessionVerb
 		}
 		if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
 			return errWrongCID
 		}
 		if !session.IssuedBy(tok, v.ownerContainer) {
 			return errors.New("owner differs with token owner")
 		}
 		err = cp.checkTokenLifetime(tok)
 		if err != nil {
 			return fmt.Errorf("check session lifetime: %w", err)
 		}
 		if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
 			return errors.New("invalid signature calculated with session key")
 		}
 		return nil
 	}
 	if keyProvided {
@ -145,3 +105,45 @@ func (cp *Processor) checkTokenLifetime(token session.Container) error {
 	return nil
 }
 func (cp *Processor) verifyByTokenSession(v signatureVerificationData, key *frostfsecdsa.PublicKeyRFC6979, keyProvided bool) error {
 	var tok session.Container
 	err := tok.Unmarshal(v.binTokenSession)
 	if err != nil {
 		return fmt.Errorf("decode session token: %w", err)
 	}
 	if !tok.VerifySignature() {
 		return errors.New("invalid session token signature")
 	}
 	// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
 	if keyProvided && !tok.AssertAuthKey(key) {
 		return errors.New("signed with a non-session key")
 	}
 	if !tok.AssertVerb(v.verb) {
 		return errWrongSessionVerb
 	}
 	if v.idContainerSet && !tok.AppliedTo(v.idContainer) {
 		return errWrongCID
 	}
 	if !session.IssuedBy(tok, v.ownerContainer) {
 		return errors.New("owner differs with token owner")
 	}
 	err = cp.checkTokenLifetime(tok)
 	if err != nil {
 		return fmt.Errorf("check session lifetime: %w", err)
 	}
 	if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
 		return errors.New("invalid signature calculated with session key")
 	}
 	return nil
 }