diff --git a/CHANGELOG.md b/CHANGELOG.md index 8abbc145..bdb994e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,20 @@ # Changelog This is the changelog for NeoFS-API-Go +## [0.7.5] - 2020-05-16 + +### Added + +- Owner key to the `SessionToken` signed payload. + +### Changed + +- `OwnerKeyContainer` interface embedded to `SessionTokenInfo` interface. + +### Updated + +- NeoFS API v0.7.5 + ## [0.7.4] - 2020-05-12 ### Added @@ -290,3 +304,4 @@ Initial public release [0.7.0]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.6.2...v0.7.0 [0.7.1]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.7.0...v0.7.1 [0.7.4]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.7.1...v0.7.4 +[0.7.5]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.7.4...v0.7.5 diff --git a/Makefile b/Makefile index b99682bf..6b1ab7a6 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -PROTO_VERSION=v0.7.4 +PROTO_VERSION=v0.7.5 PROTO_URL=https://github.com/nspcc-dev/neofs-api/archive/$(PROTO_VERSION).tar.gz B=\033[0;1m diff --git a/docs/service.md b/docs/service.md index 9ed548ef..0765f044 100644 --- a/docs/service.md +++ b/docs/service.md @@ -132,6 +132,7 @@ User token granting rights for object manipulation | Address | [refs.Address](#refs.Address) | | Address is an object address for which token is issued | | Lifetime | [TokenLifetime](#service.TokenLifetime) | | Lifetime is a lifetime of the session | | SessionKey | [bytes](#bytes) | | SessionKey is a public key of session key | +| OwnerKey | [bytes](#bytes) | | OwnerKey is a public key of the token owner | diff --git a/service/token.go b/service/token.go index 32c390fc..a5dd5da3 100644 --- a/service/token.go +++ b/service/token.go @@ -26,6 +26,10 @@ type signDataReaderWithToken struct { token SessionToken } +type signedSessionToken struct { + SessionToken +} + const verbSize = 4 const fixedTokenDataSize = 0 + @@ -99,6 +103,11 @@ func (m *Token_Info) SetSessionKey(key []byte) { m.SessionKey = key } +// SetOwnerKey is an OwnerKey field setter. +func (m *Token_Info) SetOwnerKey(key []byte) { + m.OwnerKey = key +} + // SetSignature is a Signature field setter. func (m *Token) SetSignature(sig []byte) { m.Signature = sig @@ -116,40 +125,60 @@ func (x Token_Info_Verb) Bytes() []byte { return data } -// AddSignKey calls a Signature field setter with passed signature. -func (m *Token) AddSignKey(sig []byte, _ *ecdsa.PublicKey) { - m.SetSignature(sig) +// AddSignKey calls a Signature field setter of token with passed signature. +func (s signedSessionToken) AddSignKey(sig []byte, _ *ecdsa.PublicKey) { + if s.SessionToken != nil { + s.SessionToken.SetSignature(sig) + } } // SignedData returns token information in a binary representation. -func (m *Token) SignedData() ([]byte, error) { - return SignedDataFromReader(m) +func (s signedSessionToken) SignedData() ([]byte, error) { + return SignedDataFromReader(s) +} + +// SignedDataSize returns the length of signed token information slice. +func (s signedSessionToken) SignedDataSize() int { + return tokenInfoSize(s.SessionToken) } // ReadSignedData copies a binary representation of the token information to passed buffer. // // If buffer length is less than required, io.ErrUnexpectedEOF returns. -func (m *Token_Info) ReadSignedData(p []byte) (int, error) { - sz := m.SignedDataSize() +func (s signedSessionToken) ReadSignedData(p []byte) (int, error) { + sz := s.SignedDataSize() if len(p) < sz { return 0, io.ErrUnexpectedEOF } - copyTokenSignedData(p, m) + copyTokenSignedData(p, s.SessionToken) return sz, nil } -// SignedDataSize returns the length of signed token information slice. -func (m *Token_Info) SignedDataSize() int { - return tokenInfoSize(m) +// NewSignedSessionToken wraps passed SessionToken in a component suitable for signing. +// +// Result can be used in AddSignatureWithKey function. +func NewSignedSessionToken(token SessionToken) DataWithSignKeyAccumulator { + return &signedSessionToken{ + SessionToken: token, + } } -func tokenInfoSize(v SessionKeySource) int { +// NewVerifiedSessionToken wraps passed SessionToken in a component suitable for signature verification. +// +// Result can be used in VerifySignatureWithKey function. +func NewVerifiedSessionToken(token SessionToken) DataWithSignature { + return &signedSessionToken{ + SessionToken: token, + } +} + +func tokenInfoSize(v SessionTokenInfo) int { if v == nil { return 0 } - return fixedTokenDataSize + len(v.GetSessionKey()) + return fixedTokenDataSize + len(v.GetSessionKey()) + len(v.GetOwnerKey()) } // Fills passed buffer with signing token information bytes. @@ -179,7 +208,9 @@ func copyTokenSignedData(buf []byte, token SessionTokenInfo) { tokenEndianness.PutUint64(buf[off:], token.ExpirationEpoch()) off += 8 - copy(buf[off:], token.GetSessionKey()) + off += copy(buf[off:], token.GetSessionKey()) + + copy(buf[off:], token.GetOwnerKey()) } // SignedData concatenates signed data with session token information. Returns concatenation result. diff --git a/service/token_test.go b/service/token_test.go index ce3d2c86..43e380d7 100644 --- a/service/token_test.go +++ b/service/token_test.go @@ -77,6 +77,16 @@ func TestTokenGettersSetters(t *testing.T) { require.Equal(t, key, tok.GetSessionKey()) } + { + key := make([]byte, 10) + _, err := rand.Read(key) + require.NoError(t, err) + + tok.SetOwnerKey(key) + + require.Equal(t, key, tok.GetOwnerKey()) + } + { // Signature sig := make([]byte, 10) _, err := rand.Read(sig) @@ -89,7 +99,7 @@ func TestTokenGettersSetters(t *testing.T) { } func TestSignToken(t *testing.T) { - token := new(Token) + var token SessionToken = new(Token) // create private key for signing sk := test.DecodeKey(0) @@ -126,9 +136,17 @@ func TestSignToken(t *testing.T) { require.NoError(t, err) token.SetSessionKey(sessionKey) + ownerKey := make([]byte, 10) + _, err = rand.Read(ownerKey[:]) + require.NoError(t, err) + token.SetOwnerKey(ownerKey) + + signedToken := NewSignedSessionToken(token) + verifiedToken := NewVerifiedSessionToken(token) + // sign and verify token - require.NoError(t, AddSignatureWithKey(sk, token)) - require.NoError(t, VerifySignatureWithKey(pk, token)) + require.NoError(t, AddSignatureWithKey(sk, signedToken)) + require.NoError(t, VerifySignatureWithKey(pk, verifiedToken)) items := []struct { corrupt func() @@ -208,12 +226,24 @@ func TestSignToken(t *testing.T) { token.SetSessionKey(sessionKey) }, }, + { // Owner key + corrupt: func() { + ownerKey := token.GetOwnerKey() + ownerKey[0]++ + token.SetOwnerKey(ownerKey) + }, + restore: func() { + ownerKey := token.GetOwnerKey() + ownerKey[0]-- + token.SetOwnerKey(ownerKey) + }, + }, } for _, v := range items { v.corrupt() - require.Error(t, VerifySignatureWithKey(pk, token)) + require.Error(t, VerifySignatureWithKey(pk, verifiedToken)) v.restore() - require.NoError(t, VerifySignatureWithKey(pk, token)) + require.NoError(t, VerifySignatureWithKey(pk, verifiedToken)) } } diff --git a/service/types.go b/service/types.go index 31f45070..66582f56 100644 --- a/service/types.go +++ b/service/types.go @@ -158,6 +158,17 @@ type SignatureContainer interface { SetSignature([]byte) } +// OwnerKeySource is an interface of the container of owner key bytes with read access. +type OwnerKeySource interface { + GetOwnerKey() []byte +} + +// OwnerKeyContainer is an interface of the container of owner key bytes. +type OwnerKeyContainer interface { + OwnerKeySource + SetOwnerKey([]byte) +} + // SessionTokenSource is an interface of the container of a SessionToken with read access. type SessionTokenSource interface { GetSessionToken() SessionToken @@ -170,7 +181,8 @@ type SessionTokenSource interface { // - verb of the session; // - address of the session object; // - token lifetime; -// - public session key bytes. +// - public session key bytes; +// - owner's public key bytes. type SessionTokenInfo interface { TokenIDContainer OwnerIDContainer @@ -178,6 +190,7 @@ type SessionTokenInfo interface { AddressContainer LifetimeContainer SessionKeyContainer + OwnerKeyContainer } // SessionToken is an interface of token information and signature pair. diff --git a/service/verify.pb.go b/service/verify.pb.go index 3dadf0b5..d198302b 100644 Binary files a/service/verify.pb.go and b/service/verify.pb.go differ diff --git a/service/verify.proto b/service/verify.proto index ed360beb..a6619a6c 100644 --- a/service/verify.proto +++ b/service/verify.proto @@ -63,6 +63,9 @@ message Token { // SessionKey is a public key of session key bytes SessionKey = 6; + + // OwnerKey is a public key of the token owner + bytes OwnerKey = 7; } // TokenInfo is a grouped information about token