frostfs-node/services/public/object/bearer.go

package object

import (
	"context"

	"github.com/nspcc-dev/neofs-api-go/service"
	crypto "github.com/nspcc-dev/neofs-crypto"
	"github.com/nspcc-dev/neofs-node/lib/implementations"
	"github.com/pkg/errors"
)

type bearerTokenVerifier interface {
	verifyBearerToken(context.Context, CID, service.BearerToken) error
}

type complexBearerVerifier struct {
	items []bearerTokenVerifier
}

type bearerActualityVerifier struct {
	epochRecv EpochReceiver
}

type bearerOwnershipVerifier struct {
	cnrOwnerChecker implementations.ContainerOwnerChecker
}

type bearerSignatureVerifier struct{}

var errWrongBearerOwner = errors.New("bearer author is not a container owner")

func (s complexBearerVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
	for i := range s.items {
		if err := s.items[i].verifyBearerToken(ctx, cid, token); err != nil {
			return err
		}
	}

	return nil
}

func (s bearerActualityVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
	local := s.epochRecv.Epoch()
	validUntil := token.ExpirationEpoch()

	if local > validUntil {
		return errors.Errorf("bearer token is expired (local %d, valid until %d)",
			local,
			validUntil,
		)
	}

	return nil
}

func (s bearerOwnershipVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
	isOwner, err := s.cnrOwnerChecker.IsContainerOwner(ctx, cid, token.GetOwnerID())
	if err != nil {
		return err
	} else if !isOwner {
		return errWrongBearerOwner
	}

	return nil
}

func (s bearerSignatureVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
	return service.VerifySignatureWithKey(
		crypto.UnmarshalPublicKey(token.GetOwnerKey()),
		service.NewVerifiedBearerToken(token),
	)
}
Initial commit Initial public review release v0.10.0 2020-07-10 14:17:51 +00:00			`package object`

			`import (`
			`"context"`

			`"github.com/nspcc-dev/neofs-api-go/service"`
			`crypto "github.com/nspcc-dev/neofs-crypto"`
			`"github.com/nspcc-dev/neofs-node/lib/implementations"`
			`"github.com/pkg/errors"`
			`)`

			`type bearerTokenVerifier interface {`
			`verifyBearerToken(context.Context, CID, service.BearerToken) error`
			`}`

			`type complexBearerVerifier struct {`
			`items []bearerTokenVerifier`
			`}`

			`type bearerActualityVerifier struct {`
			`epochRecv EpochReceiver`
			`}`

			`type bearerOwnershipVerifier struct {`
			`cnrOwnerChecker implementations.ContainerOwnerChecker`
			`}`

			`type bearerSignatureVerifier struct{}`

			`var errWrongBearerOwner = errors.New("bearer author is not a container owner")`

			`func (s complexBearerVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {`
			`for i := range s.items {`
			`if err := s.items[i].verifyBearerToken(ctx, cid, token); err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

			`func (s bearerActualityVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {`
			`local := s.epochRecv.Epoch()`
			`validUntil := token.ExpirationEpoch()`

			`if local > validUntil {`
			`return errors.Errorf("bearer token is expired (local %d, valid until %d)",`
			`local,`
			`validUntil,`
			`)`
			`}`

			`return nil`
			`}`

			`func (s bearerOwnershipVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {`
			`isOwner, err := s.cnrOwnerChecker.IsContainerOwner(ctx, cid, token.GetOwnerID())`
			`if err != nil {`
			`return err`
			`} else if !isOwner {`
			`return errWrongBearerOwner`
			`}`

			`return nil`
			`}`

			`func (s bearerSignatureVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {`
			`return service.VerifySignatureWithKey(`
			`crypto.UnmarshalPublicKey(token.GetOwnerKey()),`
			`service.NewVerifiedBearerToken(token),`
			`)`
			`}`