nspcc-dev · roman-khimov · Oct 7, 2024 · Oct 2, 2024 · Oct 2, 2024 · carpawell
@@ -14,6 +14,7 @@ attribute, which is used for container domain name in NNS contracts (#2954)
 
 ### Fixed
 - Do not search for tombstones when handling their expiration, use local indexes instead (#2929)
+- Unathorized container ops accepted by the IR (#2947)
 
 ### Changed
 - `ObjectService`'s `Put` RPC handler caches up to 10K lists of per-object sorted container nodes (#2901)

@@ -9,11 +9,18 @@
 	"github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/common"
 	"github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/commonflags"
 	"github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/key"
+	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
+	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"github.com/spf13/cobra"
 )
 
+// signSessionCmd specific flags.
+const (
+	forceIssuerFlag = "force-issuer"
+)
+
 var signSessionCmd = &cobra.Command{
 	Use:   "session-token",
 	Short: "Sign session token to use it in requests",
@@ -31,6 +38,7 @@
 	_ = signSessionCmd.MarkFlagRequired(signFromFlag)
 
 	flags.String(signToFlag, "", "File to save signed session token (optional)")
+	flags.Bool(forceIssuerFlag, false, "Set configured account as the session issuer even if it is already specified")
 }
 
 func signSessionToken(cmd *cobra.Command, _ []string) error {
@@ -47,6 +55,7 @@
 		json.Marshaler
 		common.BinaryOrJSON
 		Sign(user.Signer) error
+		SetSignature(neofscrypto.Signer) error
 	}
 	var errLast error
 	var stok iTokenSession
@@ -71,7 +80,15 @@
 		return err
 	}
 
-	err = stok.Sign(user.NewAutoIDSignerRFC6979(*pk))
+	forceIss, err := cmd.Flags().GetBool(forceIssuerFlag)
+	if err != nil {
+		return err
+	}
+	if forceIss {
+		err = stok.Sign(user.NewAutoIDSignerRFC6979(*pk))
+	} else {
+		err = stok.SetSignature(neofsecdsa.SignerRFC6979(*pk))
+	}
 	if err != nil {
 		return fmt.Errorf("can't sign token: %w", err)
 	}

@@ -70,7 +70,15 @@
 			return errors.New("invalid session token signature")
 		}
 
-		// FIXME(@cthulhu-rider): #1387 check token is signed by container owner, see neofs-sdk-go#233
+		var signerPub neofsecdsa.PublicKeyRFC6979
+		if err = signerPub.Decode(tok.IssuerPublicKeyBytes()); err != nil {
+			return fmt.Errorf("invalid issuer public key: %w", err)
+		}
+
+		// TODO(@cthulhu-rider): #1387 check bound keys via NeoFSID contract?
+		if user.NewFromECDSAPublicKey(ecdsa.PublicKey(signerPub)) != v.ownerContainer {
+			return errors.New("session token is not signed by the container owner")
+		}
 
 		if keyProvided && !tok.AssertAuthKey(&key) {
 			return errors.New("signed with a non-session key")