[#525] ir/container: Verify operations with session token

Session token can be presented `Put`, `Delete` and `SetEACL` notification events. IR should consider this case as issuing a power of attorney to a third party. Thus, checking the eligibility for an operation should be complicated: - token owner should be the owner of the related container; - the intent must be signed with a session key; - the power of attorney must be signed by the owner of the container. Omitted checks (TBD): - session token should have container session context; - the verb of the context should correspond to the operation. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-05-27 15:07:39 +03:00 · 2021-05-27 15:07:39 +03:00 · ead4513feb
commit ead4513feb
parent 3e0eccb548
3 changed files with 136 additions and 12 deletions
--- a/pkg/innerring/processors/container/process_container.go
+++ b/pkg/innerring/processors/container/process_container.go
@ -61,6 +61,16 @@ func (cp *Processor) checkPutContainer(e *containerEvent.Put) error {
 		return fmt.Errorf("incorrect container format: %w", err)
 	}

+	// unmarshal session token if presented
+	tok, err := tokenFromEvent(e)
+	if err != nil {
+		return err
+	}
+
+	// TODO: check verb and CID
+
+	cnr.SetSessionToken(tok)
+
 	return cp.checkKeyOwnership(cnr, key)
 }

@ -102,18 +112,42 @@ func (cp *Processor) checkDeleteContainer(e *containerEvent.Delete) error {
 		return fmt.Errorf("could not receive the container: %w", err)
 	}

-	// receive all owner keys
-	ownerKeys, err := cp.idClient.AccountKeys(cnr.OwnerID())
+	token, err := tokenFromEvent(e)
 	if err != nil {
-		return fmt.Errorf("could not received owner keys %s: %w", cnr.OwnerID(), err)
+		return err
+	}
+
+	var checkKeys keys.PublicKeys
+
+	if token != nil {
+		key, err := keys.NewPublicKeyFromBytes(token.SessionKey(), elliptic.P256())
+		if err != nil {
+			return fmt.Errorf("invalid session key: %w", err)
+		}
+
+		// TODO: check verb and container ID
+
+		// check token ownership
+		err = cp.checkKeyOwnershipWithToken(cnr, key, token)
+		if err != nil {
+			return err
+		}
+
+		checkKeys = keys.PublicKeys{key}
+	} else {
+		// receive all owner keys from NeoFS ID contract
+		checkKeys, err = cp.idClient.AccountKeys(cnr.OwnerID())
+		if err != nil {
+			return fmt.Errorf("could not received owner keys %s: %w", cnr.OwnerID(), err)
+		}
 	}

 	// verify signature
 	cidHash := sha256.Sum256(cid)
 	sig := e.Signature()

-	for _, ownerKey := range ownerKeys {
-		if ownerKey.Verify(sig, cidHash[:]) {
+	for _, key := range checkKeys {
+		if key.Verify(sig, cidHash[:]) {
 			return nil
 		}
 	}