package object import ( "context" "crypto/ecdsa" "github.com/nspcc-dev/neofs-api-go/service" crypto "github.com/nspcc-dev/neofs-crypto" "github.com/nspcc-dev/neofs-node/internal" "github.com/nspcc-dev/neofs-node/lib/core" ) type sessionTokenVerifier interface { verifySessionToken(context.Context, service.SessionToken) error } type complexTokenVerifier struct { verifiers []sessionTokenVerifier } type tokenSignatureVerifier struct { ownerKeys []*ecdsa.PublicKey } type tokenEpochsVerifier struct { epochRecv EpochReceiver } type tokenPreProcessor struct { keyVerifier core.OwnerKeyVerifier staticVerifier sessionTokenVerifier } const errCreatedAfterExpiration = internal.Error("creation epoch number is greater than expired one") const errTokenExpired = internal.Error("token is expired") const errForbiddenSpawn = internal.Error("request spawn is forbidden") func (s tokenPreProcessor) preProcess(ctx context.Context, req serviceRequest) error { token := req.GetSessionToken() if token == nil { return nil } if !allowedSpawn(token.GetVerb(), req.Type()) { return errForbiddenSpawn } if err := s.keyVerifier.VerifyKey(ctx, token); err != nil { return err } ownerKeyBytes := token.GetOwnerKey() verifier := newComplexTokenVerifier( s.staticVerifier, &tokenSignatureVerifier{ ownerKeys: []*ecdsa.PublicKey{ crypto.UnmarshalPublicKey(ownerKeyBytes), }, }, ) return verifier.verifySessionToken(ctx, token) } func newComplexTokenVerifier(verifiers ...sessionTokenVerifier) sessionTokenVerifier { return &complexTokenVerifier{ verifiers: verifiers, } } func (s complexTokenVerifier) verifySessionToken(ctx context.Context, token service.SessionToken) error { for i := range s.verifiers { if s.verifiers[i] == nil { continue } else if err := s.verifiers[i].verifySessionToken(ctx, token); err != nil { return err } } return nil } func (s tokenSignatureVerifier) verifySessionToken(ctx context.Context, token service.SessionToken) error { verifiedToken := service.NewVerifiedSessionToken(token) for i := range s.ownerKeys { if err := service.VerifySignatureWithKey(s.ownerKeys[i], verifiedToken); err != nil { return err } } return nil } func (s tokenEpochsVerifier) verifySessionToken(ctx context.Context, token service.SessionToken) error { if expired := token.ExpirationEpoch(); token.CreationEpoch() > expired { return errCreatedAfterExpiration } else if s.epochRecv.Epoch() > expired { return errTokenExpired } return nil }