frostfs-node/pkg/network/transport/object/grpc/bearer.go

73 lines
1.7 KiB
Go
Raw Normal View History

package object
import (
"context"
"github.com/nspcc-dev/neofs-api-go/service"
crypto "github.com/nspcc-dev/neofs-crypto"
2020-07-24 13:54:03 +00:00
"github.com/nspcc-dev/neofs-node/pkg/core/container/storage"
"github.com/pkg/errors"
)
type bearerTokenVerifier interface {
verifyBearerToken(context.Context, CID, service.BearerToken) error
}
type complexBearerVerifier struct {
items []bearerTokenVerifier
}
type bearerActualityVerifier struct {
epochRecv EpochReceiver
}
type bearerOwnershipVerifier struct {
2020-07-24 13:54:03 +00:00
cnrStorage storage.Storage
}
type bearerSignatureVerifier struct{}
var errWrongBearerOwner = errors.New("bearer author is not a container owner")
func (s complexBearerVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
for i := range s.items {
if err := s.items[i].verifyBearerToken(ctx, cid, token); err != nil {
return err
}
}
return nil
}
func (s bearerActualityVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
local := s.epochRecv.Epoch()
validUntil := token.ExpirationEpoch()
if local > validUntil {
return errors.Errorf("bearer token is expired (local %d, valid until %d)",
local,
validUntil,
)
}
return nil
}
func (s bearerOwnershipVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
2020-07-24 13:54:03 +00:00
isOwner, err := isContainerOwner(s.cnrStorage, cid, token.GetOwnerID())
if err != nil {
return err
} else if !isOwner {
return errWrongBearerOwner
}
return nil
}
func (s bearerSignatureVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
return service.VerifySignatureWithKey(
crypto.UnmarshalPublicKey(token.GetOwnerKey()),
service.NewVerifiedBearerToken(token),
)
}