[#525] ir/container: Verify operations with session token

Session token can be presented `Put`, `Delete` and `SetEACL` notification
events. IR should consider this case as issuing a power of attorney to a
third party. Thus, checking the eligibility for an operation should be
complicated:

 - token owner should be the owner of the related container;
 - the intent must be signed with a session key;
 - the power of attorney must be signed by the owner of the container.

Omitted checks (TBD):

 - session token should have container session context;
 - the verb of the context should correspond to the operation.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich 2021-05-27 15:07:39 +03:00 committed by Alex Vanin
parent 3e0eccb548
commit ead4513feb
3 changed files with 136 additions and 12 deletions

View file

@ -1,18 +1,51 @@
package container
import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"errors"
"fmt"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neofs-api-go/pkg/owner"
"github.com/nspcc-dev/neofs-api-go/pkg/session"
"github.com/nspcc-dev/neofs-api-go/util/signature"
signature2 "github.com/nspcc-dev/neofs-api-go/v2/signature"
)
type ownerIDSource interface {
OwnerID() *owner.ID
}
func tokenFromEvent(src interface {
SessionToken() []byte
}) (*session.Token, error) {
binToken := src.SessionToken()
if len(binToken) == 0 {
return nil, nil
}
tok := session.NewToken()
err := tok.Unmarshal(binToken)
if err != nil {
return nil, fmt.Errorf("could not unmarshal session token: %w", err)
}
return tok, nil
}
func (cp *Processor) checkKeyOwnership(ownerIDSrc ownerIDSource, key *keys.PublicKey) error {
if tokenSrc, ok := ownerIDSrc.(interface {
SessionToken() *session.Token
}); ok {
if token := tokenSrc.SessionToken(); token != nil {
return cp.checkKeyOwnershipWithToken(ownerIDSrc, key, tokenSrc.SessionToken())
}
}
// TODO: need more convenient way to do this
w, err := owner.NEO3WalletFromPublicKey(&ecdsa.PublicKey{
X: key.X,
@ -40,3 +73,55 @@ func (cp *Processor) checkKeyOwnership(ownerIDSrc ownerIDSource, key *keys.Publi
return fmt.Errorf("key %s is not tied to the owner of the container", key)
}
func (cp *Processor) checkKeyOwnershipWithToken(ownerIDSrc ownerIDSource, key *keys.PublicKey, token *session.Token) error {
// check session key
if !bytes.Equal(
key.Bytes(),
token.SessionKey(),
) {
return errors.New("signed with a non-session key")
}
// check owner
// TODO: need Equal method on owner.ID
if token.OwnerID().String() != ownerIDSrc.OwnerID().String() {
return errors.New("owner differs with token owner")
}
err := cp.checkSessionToken(token)
if err != nil {
return fmt.Errorf("invalid session token: %w", err)
}
return nil
}
func (cp *Processor) checkSessionToken(token *session.Token) error {
// verify signature
// TODO: need more convenient way to do this
// e.g. provide VerifySignature method from Token
// FIXME: do all so as not to deepen in the version
tokenV2 := token.ToV2()
signWrapper := signature2.StableMarshalerWrapper{
SM: tokenV2.GetBody(),
}
if err := signature.VerifyDataWithSource(signWrapper, func() (key, sig []byte) {
tokenSignature := tokenV2.GetSignature()
return tokenSignature.GetKey(), tokenSignature.GetSign()
}); err != nil {
return errors.New("invalid signature")
}
// check token owner's key ownership
key, err := keys.NewPublicKeyFromBytes(token.Signature().Key(), elliptic.P256())
if err != nil {
return fmt.Errorf("invalid key: %w", err)
}
return cp.checkKeyOwnership(token, key)
}

View file

@ -61,6 +61,16 @@ func (cp *Processor) checkPutContainer(e *containerEvent.Put) error {
return fmt.Errorf("incorrect container format: %w", err)
}
// unmarshal session token if presented
tok, err := tokenFromEvent(e)
if err != nil {
return err
}
// TODO: check verb and CID
cnr.SetSessionToken(tok)
return cp.checkKeyOwnership(cnr, key)
}
@ -102,18 +112,42 @@ func (cp *Processor) checkDeleteContainer(e *containerEvent.Delete) error {
return fmt.Errorf("could not receive the container: %w", err)
}
// receive all owner keys
ownerKeys, err := cp.idClient.AccountKeys(cnr.OwnerID())
token, err := tokenFromEvent(e)
if err != nil {
return fmt.Errorf("could not received owner keys %s: %w", cnr.OwnerID(), err)
return err
}
var checkKeys keys.PublicKeys
if token != nil {
key, err := keys.NewPublicKeyFromBytes(token.SessionKey(), elliptic.P256())
if err != nil {
return fmt.Errorf("invalid session key: %w", err)
}
// TODO: check verb and container ID
// check token ownership
err = cp.checkKeyOwnershipWithToken(cnr, key, token)
if err != nil {
return err
}
checkKeys = keys.PublicKeys{key}
} else {
// receive all owner keys from NeoFS ID contract
checkKeys, err = cp.idClient.AccountKeys(cnr.OwnerID())
if err != nil {
return fmt.Errorf("could not received owner keys %s: %w", cnr.OwnerID(), err)
}
}
// verify signature
cidHash := sha256.Sum256(cid)
sig := e.Signature()
for _, ownerKey := range ownerKeys {
if ownerKey.Verify(sig, cidHash[:]) {
for _, key := range checkKeys {
if key.Verify(sig, cidHash[:]) {
return nil
}
}

View file

@ -38,22 +38,19 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
return fmt.Errorf("invalid key: %w", err)
}
table := e.Table()
tableHash := sha256.Sum256(table)
binTable := e.Table()
tableHash := sha256.Sum256(binTable)
if !key.Verify(e.Signature(), tableHash[:]) {
return errors.New("invalid signature")
}
// verify the identity of the container owner
return cp.checkEACLOwnership(table, key)
}
func (cp *Processor) checkEACLOwnership(binTable []byte, key *keys.PublicKey) error {
// unmarshal table
table := eacl.NewTable()
err := table.Unmarshal(binTable)
err = table.Unmarshal(binTable)
if err != nil {
return fmt.Errorf("invalid binary table: %w", err)
}
@ -64,8 +61,16 @@ func (cp *Processor) checkEACLOwnership(binTable []byte, key *keys.PublicKey) er
return fmt.Errorf("could not receive the container: %w", err)
}
// unmarshal session token if presented
tok, err := tokenFromEvent(e)
if err != nil {
return err
}
// TODO: check verb and container ID
// check key ownership
return cp.checkKeyOwnership(cnr, key)
return cp.checkKeyOwnershipWithToken(cnr, key, tok)
}
func (cp *Processor) approveSetEACL(e container.SetEACL) {