Merge pull request #176 from nspcc-dev/no-apigo

nspcc-dev · Apr 24, 2024 · 095f00c · 095f00c
2 parents 398f3cc + 1ecaa80
commit 095f00c
Show file tree

Hide file tree

Showing 12 changed files with 426 additions and 124 deletions.
diff --git a/cmd/neofs-rest-gw/integration_test.go b/cmd/neofs-rest-gw/integration_test.go
@@ -89,8 +89,7 @@ func runLocalTests(ctx context.Context, t *testing.T, key *keys.PrivateKey) {
 
 func runTestInContainer(rootCtx context.Context, t *testing.T, key *keys.PrivateKey) {
 	versions := []dockerImage{
-		{image: "nspccdev/neofs-aio", version: "0.37.0"},
-		{image: "nspccdev/neofs-aio", version: "0.38.1"},
+		{image: "nspccdev/neofs-aio", version: "0.41.0"},
 	}
 
 	for _, version := range versions {
@@ -153,7 +152,7 @@ func runTests(ctx context.Context, t *testing.T, key *keys.PrivateKey, node stri
 func createDockerContainer(ctx context.Context, t *testing.T, image, version string) testcontainers.Container {
 	req := testcontainers.ContainerRequest{
 		Image:      image,
-		WaitingFor: wait.NewLogStrategy("aio container started").WithStartupTimeout(30 * time.Second),
+		WaitingFor: wait.NewLogStrategy("aio container started").WithStartupTimeout(2 * time.Minute),
 		Name:       "restgw-aio-test-" + version,
 		Hostname:   "aio",
 		HostConfigModifier: func(hostConfig *dockerContainer.HostConfig) {

diff --git a/go.mod b/go.mod
@@ -7,8 +7,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/labstack/echo/v4 v4.11.4
 	github.com/nspcc-dev/neo-go v0.105.1
-	github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4
-	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11.0.20240326133951-7f940dcb37d8
+	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11.0.20240423143337-3cdb540f5511
 	github.com/oapi-codegen/echo-middleware v1.0.1
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/spf13/pflag v1.0.5
@@ -40,6 +39,7 @@ require (
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/nspcc-dev/hrw/v2 v2.0.1 // indirect
+	github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
 	github.com/perimeterx/marshmallow v1.1.4 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect

diff --git a/go.sum b/go.sum
@@ -135,8 +135,8 @@ github.com/nspcc-dev/neo-go v0.105.1 h1:r0b2yIwLBi+ARBKU94gHL9oTFEB/XMJ0YlS2HN9Q
 github.com/nspcc-dev/neo-go v0.105.1/go.mod h1:GNh0cRALV/cuj+/xg2ZHDsrFbqcInqG7jjhqsLEnlNc=
 github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4 h1:arN0Ypn+jawZpu1BND7TGRn44InAVIqKygndsx0y2no=
 github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4/go.mod h1:7Tm1NKEoUVVIUlkVwFrPh7GG5+Lmta2m7EGr4oVpBd8=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11.0.20240326133951-7f940dcb37d8 h1:0qr5CEPXp94CRnYyikKu54lJgFLBVJ7Per+zXIBr6tc=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11.0.20240326133951-7f940dcb37d8/go.mod h1:2XHytVt+AFQkwr6vpcYvdm13mA2rZxB+STrxtwSrtx8=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11.0.20240423143337-3cdb540f5511 h1:g+UEnrsCBMrqZ/6+UIE3o6ObZzinK+4oQt91vOYmMV0=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11.0.20240423143337-3cdb540f5511/go.mod h1:AApSmHoQ6o/4bz6Am2RmfX0mdgCTEPDDXpV/g4OFOlE=
 github.com/nspcc-dev/rfc6979 v0.2.1 h1:8wWxkamHWFmO790GsewSoKUSJjVnL1fmdRpokU/RgRM=
 github.com/nspcc-dev/rfc6979 v0.2.1/go.mod h1:Tk7h5kyUWkhjyO3zUgFFhy1v2vQv3BvQEntakdtqrWc=
 github.com/nspcc-dev/tzhash v1.8.0 h1:pJvzME2mZzP/h5rcy/Wb6amT9FJBFeKbJ3HEnWEeUpY=

diff --git a/handlers/api.go b/handlers/api.go
@@ -8,11 +8,11 @@ import (
 
 	"github.com/labstack/echo/v4"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
-	sessionv2 "github.com/nspcc-dev/neofs-api-go/v2/session"
 	"github.com/nspcc-dev/neofs-rest-gw/handlers/apiserver"
 	"github.com/nspcc-dev/neofs-rest-gw/internal/util"
 	"github.com/nspcc-dev/neofs-rest-gw/metrics"
 	"github.com/nspcc-dev/neofs-sdk-go/pool"
+	"github.com/nspcc-dev/neofs-sdk-go/session"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"go.uber.org/zap"
 )
@@ -39,7 +39,7 @@ type BearerToken struct {
 
 type SessionToken struct {
 	BearerToken
-	Verb sessionv2.ContainerSessionVerb
+	Verb session.ContainerVerb
 }
 
 const (

diff --git a/handlers/auth.go b/handlers/auth.go
@@ -9,9 +9,6 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
-	"github.com/nspcc-dev/neofs-api-go/v2/acl"
-	"github.com/nspcc-dev/neofs-api-go/v2/refs"
-	sessionv2 "github.com/nspcc-dev/neofs-api-go/v2/session"
 	"github.com/nspcc-dev/neofs-rest-gw/handlers/apiserver"
 	"github.com/nspcc-dev/neofs-rest-gw/internal/util"
 	"github.com/nspcc-dev/neofs-sdk-go/client"
@@ -145,6 +142,12 @@ func prepareObjectToken(ctx context.Context, params objectTokenParams, pool *poo
 		return nil, fmt.Errorf("couldn't transform token to native: %w", err)
 	}
 
+	var issuer user.ID
+	if err = issuer.DecodeString(params.XBearerOwnerID); err != nil {
+		return nil, fmt.Errorf("invalid bearer owner: %w", err)
+	}
+	btoken.SetIssuer(issuer)
+
 	if !params.XBearerForAllUsers {
 		btoken.ForUser(owner)
 	}
@@ -156,9 +159,7 @@ func prepareObjectToken(ctx context.Context, params objectTokenParams, pool *poo
 	btoken.SetIat(iat)
 	btoken.SetExp(exp)
 
-	var v2token acl.BearerToken
-	btoken.WriteToV2(&v2token)
-	binaryBearer := v2token.GetBody().StableMarshal(nil)
+	binaryBearer := btoken.SignedData()
 
 	return &apiserver.TokenResponse{
 		Name:  &params.Name,
@@ -192,15 +193,9 @@ func prepareContainerTokens(ctx context.Context, params containerTokenParams, po
 	stoken.SetExp(exp)
 
 	stoken.SetAuthKey(pubKey)
+	stoken.SetIssuer(ownerID)
 
-	var v2token sessionv2.Token
-	stoken.WriteToV2(&v2token)
-
-	var issuer refs.OwnerID
-	ownerID.WriteToV2(&issuer)
-	v2token.GetBody().SetOwnerID(&issuer)
-
-	binaryToken := v2token.GetBody().StableMarshal(nil)
+	binaryToken := stoken.SignedData()
 
 	return &apiserver.TokenResponse{
 		Name:  &params.Name,

diff --git a/handlers/auth_test.go b/handlers/auth_test.go
@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
-	"github.com/nspcc-dev/neofs-api-go/v2/acl"
 	"github.com/nspcc-dev/neofs-rest-gw/handlers/apiserver"
 	"github.com/nspcc-dev/neofs-rest-gw/internal/util"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
@@ -40,11 +39,9 @@ func TestSign(t *testing.T) {
 	signer := user.NewAutoIDSigner(key.PrivateKey)
 	owner := signer.UserID()
 	btoken.ForUser(owner)
+	btoken.SetIssuer(signer.UserID())
 
-	var v2token acl.BearerToken
-	btoken.WriteToV2(&v2token)
-
-	binaryBearer := v2token.GetBody().StableMarshal(nil)
+	binaryBearer := btoken.SignedData()
 	bearerBase64 := base64.StdEncoding.EncodeToString(binaryBearer)
 
 	signatureData, err := signer.Sign(binaryBearer)

diff --git a/handlers/container_test.go b/handlers/container_test.go
@@ -1,9 +1,19 @@
 package handlers
 
 import (
+	"bytes"
+	"encoding/base64"
+	"encoding/hex"
 	"testing"
 
-	sessionv2 "github.com/nspcc-dev/neofs-api-go/v2/session"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
+	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
+	"github.com/nspcc-dev/neofs-sdk-go/crypto/test"
+	"github.com/nspcc-dev/neofs-sdk-go/session"
+	sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
+	usertest "github.com/nspcc-dev/neofs-sdk-go/user/test"
 	"github.com/stretchr/testify/require"
 )
 
@@ -44,9 +54,153 @@ func TestPrepareSessionToken(t *testing.T) {
 			Signature: "2ebdc1f2fea2bba397d1be6f982a6fe1b2bc9f46a348b700108fe2eba4e6531a1bb585febf9a40a3fa2e085fca5e2a75ca57f61166117c6d3e04a95ef9a2d2196f52648546784853e17c0b7ba762eae1",
 			Key:       "03bd9108c0b49f657e9eee50d1399022bd1e436118e5b7529a1b7cd606652f578f",
 		},
-		Verb: sessionv2.ContainerVerbSetEACL,
+		Verb: session.VerbContainerSetEACL,
 	}
 
 	_, err := prepareSessionToken(st, true)
 	require.NoError(t, err)
+
+	issuer := usertest.ID(t)
+	signer := user.NewSigner(test.RandomSigner(t), issuer)
+	token := sessiontest.Container()
+	token.SetIssuer(issuer)
+	const verb = session.VerbContainerPut
+	token.ForVerb(verb)
+
+	sig, err := signer.Sign(token.SignedData())
+	require.NoError(t, err)
+
+	err = token.Sign(user.NewSigner(neofscrypto.NewStaticSigner(signer.Scheme(), sig, signer.Public()), issuer))
+	require.NoError(t, err)
+	require.True(t, token.VerifySignature())
+
+	unsignedTokenB64 := base64.StdEncoding.EncodeToString(token.SignedData())
+	sigHex := hex.EncodeToString(sig)
+	keyHex := hex.EncodeToString(neofscrypto.PublicKeyBytes(signer.Public()))
+
+	t.Run("invalid base64", func(t *testing.T) {
+		_, err := prepareSessionToken(&SessionToken{
+			BearerToken: BearerToken{
+				Token: "not a base64 string",
+			},
+		}, false)
+		require.ErrorContains(t, err, "can't base64-decode session token")
+	})
+
+	res, err := prepareSessionToken(&SessionToken{
+		BearerToken: BearerToken{
+			Token:     unsignedTokenB64,
+			Signature: sigHex,
+			Key:       keyHex,
+		},
+		Verb: verb,
+	}, false)
+	require.NoError(t, err)
+	require.Equal(t, token, res)
+
+	t.Run("invalid signature hex", func(t *testing.T) {
+		_, err := prepareSessionToken(&SessionToken{
+			BearerToken: BearerToken{
+				Token:     unsignedTokenB64,
+				Signature: "not a hex string",
+			},
+			Verb: 0,
+		}, false)
+		require.ErrorContains(t, err, "couldn't decode signature")
+	})
+
+	t.Run("invalid public key", func(t *testing.T) {
+		_, err := prepareSessionToken(&SessionToken{
+			BearerToken: BearerToken{
+				Token:     unsignedTokenB64,
+				Signature: sigHex,
+				Key:       "not a public key",
+			},
+			Verb: 0,
+		}, false)
+		require.ErrorContains(t, err, "couldn't fetch session token owner key")
+	})
+
+	t.Run("invalid body binary", func(t *testing.T) {
+		_, err := prepareSessionToken(&SessionToken{
+			BearerToken: BearerToken{
+				Token:     base64.StdEncoding.EncodeToString([]byte("not a bearer token")),
+				Signature: sigHex,
+				Key:       keyHex,
+			},
+			Verb: 0,
+		}, false)
+		require.ErrorContains(t, err, "can't unmarshal session token")
+	})
+
+	t.Run("invalid signature", func(t *testing.T) {
+		tokenCp := token
+
+		err = tokenCp.Sign(user.NewSigner(neofscrypto.NewStaticSigner(signer.Scheme(), sig, signer.Public()), issuer))
+		require.NoError(t, err)
+		require.True(t, tokenCp.VerifySignature())
+
+		// corrupt signature
+		sig := bytes.Clone(sig)
+		sig[0]++
+
+		err = tokenCp.Sign(user.NewSigner(neofscrypto.NewStaticSigner(signer.Scheme(), sig, signer.Public()), issuer))
+		require.NoError(t, err)
+
+		_, err = prepareSessionToken(&SessionToken{
+			BearerToken: BearerToken{
+				Token:     unsignedTokenB64,
+				Signature: hex.EncodeToString(sig),
+				Key:       keyHex,
+			},
+			Verb: verb,
+		}, false)
+		require.ErrorContains(t, err, "invalid signature")
+	})
+
+	t.Run("WalletConnect", func(t *testing.T) {
+		key, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		signer := neofsecdsa.SignerWalletConnect(key.PrivateKey)
+		keyHex := hex.EncodeToString(key.PublicKey().Bytes())
+		var tokenCp session.Container
+		token.CopyTo(&tokenCp)
+		unsignedTokenB64 := base64.StdEncoding.EncodeToString(tokenCp.SignedData())
+
+		sig, err := signer.Sign(tokenCp.SignedData())
+		require.NoError(t, err)
+
+		sigHex := hex.EncodeToString(sig)
+
+		err = tokenCp.Sign(user.NewSigner(neofscrypto.NewStaticSigner(signer.Scheme(), sig, signer.Public()), issuer))
+		require.NoError(t, err)
+		require.True(t, tokenCp.VerifySignature())
+
+		res, err := prepareSessionToken(&SessionToken{
+			BearerToken: BearerToken{
+				Token:     unsignedTokenB64,
+				Signature: sigHex,
+				Key:       keyHex,
+			},
+			Verb: verb,
+		}, true)
+		require.NoError(t, err)
+		require.Equal(t, tokenCp, res)
+
+		// corrupt signature
+		sig[0]++
+
+		err = tokenCp.Sign(user.NewSigner(neofscrypto.NewStaticSigner(signer.Scheme(), sig, signer.Public()), issuer))
+		require.NoError(t, err)
+
+		_, err = prepareSessionToken(&SessionToken{
+			BearerToken: BearerToken{
+				Token:     unsignedTokenB64,
+				Signature: hex.EncodeToString(sig),
+				Key:       keyHex,
+			},
+			Verb: verb,
+		}, true)
+		require.ErrorContains(t, err, "invalid signature")
+	})
 }