[#260] Support frostfsid validation

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

api/middleware/auth.go

@@ -1,13 +1,18 @@
 package middleware
 
 import (
+	"crypto/elliptic"
 	stderrors "errors"
+	"fmt"
 	"net/http"
 	"time"
 
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"go.uber.org/zap"
 )
 
@@ -65,3 +70,45 @@ func Auth(center Center, log *zap.Logger) Func {
 		})
 	}
 }
+
+type FrostFSID interface {
+	ValidatePublicKey(key *keys.PublicKey) error
+}
+
+func FrostfsIDValidation(frostfsID FrostFSID, log *zap.Logger) Func {
+	return func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+			bd, err := GetBoxData(ctx)
+			if err != nil || bd.Gate.BearerToken == nil {
+				reqLogOrDefault(ctx, log).Debug(logs.AnonRequestSkipFrostfsIDValidation)
+				h.ServeHTTP(w, r)
+				return
+			}
+
+			if err = validateBearerToken(frostfsID, bd.Gate.BearerToken); err != nil {
+				reqLogOrDefault(ctx, log).Error(logs.FrostfsIDValidationFailed, zap.Error(err))
+				WriteErrorResponse(w, GetReqInfo(r.Context()), err)
+				return
+			}
+
+			h.ServeHTTP(w, r)
+		})
+	}
+}
+
+func validateBearerToken(frostfsID FrostFSID, bt *bearer.Token) error {
+	m := new(acl.BearerToken)
+	bt.WriteToV2(m)
+
+	pk, err := keys.NewPublicKeyFromBytes(m.GetSignature().GetKey(), elliptic.P256())
+	if err != nil {
+		return fmt.Errorf("invalid bearer token public key: %w", err)
+	}
+
+	if err = frostfsID.ValidatePublicKey(pk); err != nil {
+		return fmt.Errorf("validation data user key failed: %w", err)
+	}
+
+	return nil
+}