[#589] ir/container: Verify session token lifetime

Session tokens have limited lifetime in NeoFS. Container processor should verify lifetime of the incoming tokens. Define `NetworkState` interface with `Epoch` method to get number of the current epoch. Use Netmap contract client's wrapper as `NetworkState` of Container `Processor`. Check values of token lifetime, and deny if: * NBF value is gt the current epoch; * IAT is gt the current epoch; * EXP is le the current epoch. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-06-04 18:02:25 +03:00 · 2021-06-04 18:02:25 +03:00 · 2f38fef31a
commit 2f38fef31a
parent 0bfa2dc88f
5 changed files with 51 additions and 3 deletions
--- a/pkg/innerring/processors/container/common.go
+++ b/pkg/innerring/processors/container/common.go
@ -106,6 +106,12 @@ func (cp *Processor) checkSessionToken(token *session.Token) error {
 		return errors.New("invalid signature")
 	}

+	// check lifetime
+	err := cp.checkTokenLifetime(token)
+	if err != nil {
+		return err
+	}
+
 	// check token owner's key ownership

 	key, err := keys.NewPublicKeyFromBytes(token.Signature().Key(), elliptic.P256())
@ -149,3 +155,27 @@ func checkTokenContextWithCID(tok *session.Token, id *cid.ID, verbAssert verbAss

 	return nil
 }
+
+func (cp *Processor) checkTokenLifetime(token *session.Token) error {
+	curEpoch, err := cp.netState.Epoch()
+	if err != nil {
+		return fmt.Errorf("could not read current epoch: %w", err)
+	}
+
+	nbf := token.Nbf()
+	if curEpoch < nbf {
+		return fmt.Errorf("token is not valid yet: nbf %d, cur %d", nbf, curEpoch)
+	}
+
+	iat := token.Iat()
+	if curEpoch < iat {
+		return fmt.Errorf("token is issued in future: iat %d, cur %d", iat, curEpoch)
+	}
+
+	exp := token.Exp()
+	if curEpoch >= exp {
+		return fmt.Errorf("token is expired: exp %d, cur %d", exp, curEpoch)
+	}
+
+	return nil
+}