package v2 import ( "crypto/ecdsa" "crypto/elliptic" "errors" "fmt" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" objectV2 "github.com/nspcc-dev/neofs-api-go/v2/object" refsV2 "github.com/nspcc-dev/neofs-api-go/v2/refs" sessionV2 "github.com/nspcc-dev/neofs-api-go/v2/session" "github.com/nspcc-dev/neofs-sdk-go/bearer" containerIDSDK "github.com/nspcc-dev/neofs-sdk-go/container/id" eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl" oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id" "github.com/nspcc-dev/neofs-sdk-go/owner" sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session" "github.com/nspcc-dev/neofs-sdk-go/signature" ) func getContainerIDFromRequest(req interface{}) (id *containerIDSDK.ID, err error) { switch v := req.(type) { case *objectV2.GetRequest: return containerIDSDK.NewFromV2(v.GetBody().GetAddress().GetContainerID()), nil case *objectV2.PutRequest: objPart := v.GetBody().GetObjectPart() if part, ok := objPart.(*objectV2.PutObjectPartInit); ok { return containerIDSDK.NewFromV2(part.GetHeader().GetContainerID()), nil } return nil, errors.New("can't get container ID in chunk") case *objectV2.HeadRequest: return containerIDSDK.NewFromV2(v.GetBody().GetAddress().GetContainerID()), nil case *objectV2.SearchRequest: return containerIDSDK.NewFromV2(v.GetBody().GetContainerID()), nil case *objectV2.DeleteRequest: return containerIDSDK.NewFromV2(v.GetBody().GetAddress().GetContainerID()), nil case *objectV2.GetRangeRequest: return containerIDSDK.NewFromV2(v.GetBody().GetAddress().GetContainerID()), nil case *objectV2.GetRangeHashRequest: return containerIDSDK.NewFromV2(v.GetBody().GetAddress().GetContainerID()), nil default: return nil, errors.New("unknown request type") } } // originalBearerToken goes down to original request meta header and fetches // bearer token from there. func originalBearerToken(header *sessionV2.RequestMetaHeader) *bearer.Token { for header.GetOrigin() != nil { header = header.GetOrigin() } tokV2 := header.GetBearerToken() if tokV2 == nil { return nil } var tok bearer.Token tok.ReadFromV2(*tokV2) return &tok } // originalSessionToken goes down to original request meta header and fetches // session token from there. func originalSessionToken(header *sessionV2.RequestMetaHeader) *sessionSDK.Token { for header.GetOrigin() != nil { header = header.GetOrigin() } return sessionSDK.NewTokenFromV2(header.GetSessionToken()) } func getObjectIDFromRequestBody(body interface{}) *oidSDK.ID { switch v := body.(type) { default: return nil case interface { GetObjectID() *refsV2.ObjectID }: return oidSDK.NewIDFromV2(v.GetObjectID()) case interface { GetAddress() *refsV2.Address }: return oidSDK.NewIDFromV2(v.GetAddress().GetObjectID()) } } func getObjectOwnerFromMessage(req interface{}) (id *owner.ID, err error) { switch v := req.(type) { case *objectV2.PutRequest: objPart := v.GetBody().GetObjectPart() if part, ok := objPart.(*objectV2.PutObjectPartInit); ok { return owner.NewIDFromV2(part.GetHeader().GetOwnerID()), nil } return nil, errors.New("can't get container ID in chunk") case *objectV2.GetResponse: objPart := v.GetBody().GetObjectPart() if part, ok := objPart.(*objectV2.GetObjectPartInit); ok { return owner.NewIDFromV2(part.GetHeader().GetOwnerID()), nil } return nil, errors.New("can't get container ID in chunk") default: return nil, errors.New("unsupported request type") } } // sourceVerbOfRequest looks for verb in session token and if it is not found, // returns reqVerb. Second return value is true if operation is unknown. func sourceVerbOfRequest(tok *sessionSDK.Token, reqVerb eaclSDK.Operation) (eaclSDK.Operation, bool) { ctx, ok := tok.Context().(*sessionSDK.ObjectContext) if ok { op := tokenVerbToOperation(ctx) if op != eaclSDK.OperationUnknown { return op, false } } return reqVerb, true } func useObjectIDFromSession(req *RequestInfo, token *sessionSDK.Token) { if token == nil { return } objCtx, ok := token.Context().(*sessionSDK.ObjectContext) if !ok { return } req.oid = objCtx.Address().ObjectID() } func tokenVerbToOperation(ctx *sessionSDK.ObjectContext) eaclSDK.Operation { switch { case ctx.IsForGet(): return eaclSDK.OperationGet case ctx.IsForPut(): return eaclSDK.OperationPut case ctx.IsForHead(): return eaclSDK.OperationHead case ctx.IsForSearch(): return eaclSDK.OperationSearch case ctx.IsForDelete(): return eaclSDK.OperationDelete case ctx.IsForRange(): return eaclSDK.OperationRange case ctx.IsForRangeHash(): return eaclSDK.OperationRangeHash default: return eaclSDK.OperationUnknown } } func ownerFromToken(token *sessionSDK.Token) (*owner.ID, *keys.PublicKey, error) { // 1. First check signature of session token. if !token.VerifySignature() { return nil, nil, fmt.Errorf("%w: invalid session token signature", ErrMalformedRequest) } // 2. Then check if session token owner issued the session token tokenIssuerKey := unmarshalPublicKey(token.Signature().Key()) tokenOwner := token.OwnerID() if !isOwnerFromKey(tokenOwner, tokenIssuerKey) { // TODO: #767 in this case we can issue all owner keys from neofs.id and check once again return nil, nil, fmt.Errorf("%w: invalid session token owner", ErrMalformedRequest) } return tokenOwner, tokenIssuerKey, nil } func originalBodySignature(v *sessionV2.RequestVerificationHeader) *signature.Signature { if v == nil { return nil } for v.GetOrigin() != nil { v = v.GetOrigin() } return signature.NewFromV2(v.GetBodySignature()) } func unmarshalPublicKey(bs []byte) *keys.PublicKey { pub, err := keys.NewPublicKeyFromBytes(bs, elliptic.P256()) if err != nil { return nil } return pub } func isOwnerFromKey(id *owner.ID, key *keys.PublicKey) bool { if id == nil || key == nil { return false } return id.Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key))) } // isVerbCompatible checks that tokenVerb operation can create auxiliary op operation. func isVerbCompatible(tokenVerb, op eaclSDK.Operation) bool { switch tokenVerb { case eaclSDK.OperationGet: return op == eaclSDK.OperationGet || op == eaclSDK.OperationHead case eaclSDK.OperationDelete: return op == eaclSDK.OperationPut || op == eaclSDK.OperationHead || op == eaclSDK.OperationSearch case eaclSDK.OperationRange, eaclSDK.OperationRangeHash: return op == eaclSDK.OperationRange || op == eaclSDK.OperationHead default: return tokenVerb == op } }