node: Support wildcard for container sessions

Do not require container ID to be set if wildcard is true. Also, for all containers case check that a requested operation relates a container that belongs to the attached token's issuer. Signed-off-by: Pavel Karpy <[email protected]>
nspcc-dev · Feb 13, 2024 · 6500422 · 6500422
1 parent d54311b
commit 6500422
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,7 +6,8 @@ Changelog for NeoFS Node
 ### Added
 
 ### Fixed
-- Inability to deploy contract with non-standard zone via neofs-adm
+- Inability to deploy contract with non-standard zone via neofs-adm (#2740)
+- Container session token's `wildcard` field support (#2741) 
 
 ### Changed
 

diff --git a/pkg/services/container/morph/executor.go b/pkg/services/container/morph/executor.go
@@ -11,6 +11,7 @@ import (
 	"github.com/nspcc-dev/neofs-api-go/v2/refs"
 	sessionV2 "github.com/nspcc-dev/neofs-api-go/v2/session"
 	"github.com/nspcc-dev/neofs-api-go/v2/util/signature"
+	crypto "github.com/nspcc-dev/neofs-crypto"
 	containercore "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	containerSvc "github.com/nspcc-dev/neofs-node/pkg/services/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
@@ -335,22 +336,45 @@ func (s *morphExecutor) validateToken(t *sessionV2.Token, cIDV2 *refs.ContainerI
 		return fmt.Errorf("incorrect token signature: %w", err)
 	}
 
-	if cIDV2 == nil { // can be nil for PUT or wildcard may be true
+	if cIDV2 == nil { // can be nil for PUT
 		return nil
 	}
 
-	if sessionCID := cc.ContainerID().GetValue(); !bytes.Equal(sessionCID, cIDV2.GetValue()) {
-		return fmt.Errorf("wrong container: %s", base58.Encode(sessionCID))
-	}
+	var cIDRequested cid.ID
 
-	var cID cid.ID
-
-	err = cID.ReadFromV2(*cIDV2)
+	err = cIDRequested.ReadFromV2(*cIDV2)
 	if err != nil {
 		return fmt.Errorf("invalid container ID: %w", err)
 	}
 
-	cnr, err := s.rdr.Get(cID)
+	if cc.Wildcard() {
+		keyFromToken := crypto.UnmarshalPublicKey(t.GetSignature().GetKey())
+		if keyFromToken == nil {
+			return errors.New("error while decoding public key from the token's signer")
+		}
+
+		userFromToken := user.ResolveFromECDSAPublicKey(*keyFromToken)
+
+		cIDs, err := s.rdr.List(&userFromToken)
+		if err != nil {
+			return fmt.Errorf("reading container list: %w", err)
+		}
+
+		for _, cIDRead := range cIDs {
+			if cIDRead.Equals(cIDRequested) {
+				return nil
+			}
+		}
+
+		return fmt.Errorf("requested container ID does not belong to the token's owner: cID: %s, owner: %s",
+			cIDRequested, userFromToken)
+	}
+
+	if sessionCID := cc.ContainerID().GetValue(); !bytes.Equal(sessionCID, cIDV2.GetValue()) {
+		return fmt.Errorf("wrong container: %s", base58.Encode(sessionCID))
+	}
+
+	cnr, err := s.rdr.Get(cIDRequested)
 	if err != nil {
 		return fmt.Errorf("reading container from the network: %w", err)
 	}

diff --git a/pkg/services/container/morph/executor_test.go b/pkg/services/container/morph/executor_test.go
@@ -2,9 +2,13 @@ package container_test
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/sha256"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neofs-api-go/v2/container"
 	"github.com/nspcc-dev/neofs-api-go/v2/refs"
@@ -17,6 +21,7 @@ import (
 	cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test"
 	containertest "github.com/nspcc-dev/neofs-sdk-go/container/test"
 	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
+	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	sessionsdk "github.com/nspcc-dev/neofs-sdk-go/session"
 	sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
@@ -25,7 +30,8 @@ import (
 )
 
 type mock struct {
-	cnr containerSDK.Container
+	cnr  containerSDK.Container
+	list []cid.ID
 }
 
 func (m mock) Get(_ cid.ID) (*containerCore.Container, error) {
@@ -37,7 +43,7 @@ func (m mock) GetEACL(id cid.ID) (*containerCore.EACL, error) {
 }
 
 func (m mock) List(id *user.ID) ([]cid.ID, error) {
-	return nil, nil
+	return m.list, nil
 }
 
 func (m mock) Put(_ containerCore.Container) (*cid.ID, error) {
@@ -279,6 +285,44 @@ func TestValidateToken(t *testing.T) {
 		_, err = e.Delete(context.TODO(), &tokV2, &reqBody)
 		require.Error(t, err)
 	})
+
+	t.Run("wildcard support", func(t *testing.T) {
+		var reqBody container.DeleteRequestBody
+		reqBody.SetContainerID(&cIDV2)
+
+		var tok sessionsdk.Container
+
+		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		require.NoError(t, err)
+
+		tok.SetExp(11)
+		tok.SetNbf(22)
+		tok.SetIat(33)
+		tok.ForVerb(sessionsdk.VerbContainerDelete)
+		tok.SetID(uuid.New())
+		tok.SetAuthKey((*neofsecdsa.PublicKey)(&priv.PublicKey))
+		require.NoError(t, tok.Sign(signer))
+
+		var tokV2 session.Token
+		tok.WriteToV2(&tokV2)
+
+		m := &mock{cnr: cnr}
+		e := containerSvcMorph.NewExecutor(m, m)
+
+		t.Run("wrong owner", func(t *testing.T) {
+			m.list = []cid.ID{cidtest.ID()}
+
+			_, err := e.Delete(context.TODO(), &tokV2, &reqBody)
+			require.Error(t, err)
+		})
+
+		t.Run("correct owner", func(t *testing.T) {
+			m.list = []cid.ID{cID}
+
+			_, err := e.Delete(context.TODO(), &tokV2, &reqBody)
+			require.NoError(t, err)
+		})
+	})
 }
 
 func generateToken(t *testing.T, ctx session.TokenContext, signer user.Signer) *session.Token {