package tree

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"errors"
	"fmt"

	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"github.com/nspcc-dev/neofs-api-go/v2/signature"
	cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
	"github.com/nspcc-dev/neofs-sdk-go/user"
)

func (s *Service) verifyClient(req interface{}, cid cidSDK.ID, rawKey []byte) error {
	// TODO(@fyrchik): #1328 access control
	return nil
	//nolint:govet
	err := signature.VerifyServiceMessage(req)
	if err != nil {
		return err
	}

	cnr, err := s.cnrSource.Get(cid)
	if err != nil {
		return fmt.Errorf("can't get container %s: %w", cid, err)
	}

	ownerID := cnr.Value.Owner()

	pub, err := keys.NewPublicKeyFromBytes(rawKey, elliptic.P256())
	if err != nil {
		return fmt.Errorf("invalid public key: %w", err)
	}

	var actualID user.ID
	user.IDFromKey(&actualID, (ecdsa.PublicKey)(*pub))

	if !actualID.Equals(ownerID) {
		return errors.New("`Move` request must be signed by a container owner")
	}

	return nil
}