WIP ir/container: Support Neo N3 auth scheme
Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
cthulhu-rider committed Mar 10, 2025
1 parent c05184a commit e077364
Showing 1 changed file with 40 additions and 0 deletions.
40 changes: 40 additions & 0 deletions pkg/innerring/processors/container/common.go
@@ -4,7 +4,11 @@ import (
"crypto/ecdsa"
"errors"
"fmt"
"slices"

"github.com/nspcc-dev/neo-go/pkg/io"
"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
"github.com/nspcc-dev/neo-go/pkg/vm/emit"
"github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid"
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
@@ -88,6 +92,42 @@ func (cp *Processor) verifySignature(v signatureVerificationData) error {
if user.NewFromECDSAPublicKey(ecdsa.PublicKey(signerPub)) != v.ownerContainer {
return errors.New("session token is not signed by the container owner")
}
case 3: // TODO: use const after SDK upgrade
// call contract func Verify(height uint32, dataHash interop.Hash256, sig []byte, other ...any) bool
height, err := cp.cnrClient.Morph().BlockCount()
if err != nil {
return fmt.Errorf("get current FS chain height: %w", err)
}

Check warning on line 100 in pkg/innerring/processors/container/common.go

Codecov / codecov/patch

pkg/innerring/processors/container/common.go#L92-L100

Added lines #L92 - L100 were not covered by tests

// sys:
w := io.NewBufBinWriter()
emit.Int(w.BinWriter, int64(height))
emit.Bytes(w.BinWriter, tok.SignedData())

// user:
//
// invocation script:
// emit.Bytes(w.BinWriter, sig)
//
// verification script
// emit.Any(w, arg1)
// ...
// emit.Any(w, argN)
// emit.Opcodes(w, 3+N)
// emit.AppCallNoArgs(w, contract, method, callflag.ReadStates)

// FIXME: user scripts must be verified:
// - they must have expected format
// - verification one must call allowed contract and its method
// Now any dummy contract always returning 'true' allows to bypass authorization
script := slices.Concat(w.Bytes(), v.signature, v.binPublicKey)
ok, err := unwrap.Bool(cp.cnrClient.Morph().InvokeScript(script, nil)) // TODO: need signers?
if err != nil {
return fmt.Errorf("run contract auth script: %w", err)
}
if !ok {
return errors.New("contract auth script returned false")
}

Check warning on line 130 in pkg/innerring/processors/container/common.go

Codecov / codecov/patch

pkg/innerring/processors/container/common.go#L103-L130

Added lines #L103 - L130 were not covered by tests
}

if keyProvided && !tok.AssertAuthKey(&key) {
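Review bot: The `case 3` branch runs `v.signature` and `v.binPublicKey` as scripts and accepts on a `true` result without comparing anything to `v.ownerContainer`, whereas the preceding case rejects when the signer-derived user ID differs from the owner. Together with the FIXME's own statement that the user scripts are not validated, the branch as written authorizes on caller-supplied code alone, so it should fail closed until the format check and the contract/method allow-list exist, and it should then bind the verification script to the owner, for example by deriving the user ID from the script's hash and rejecting on mismatch as the ECDSA case does. `w.Err` is also never checked before `w.Bytes()` is used, so an emit failure would not surface as an error here; add `if w.Err != nil { return fmt.Errorf("build contract auth script prefix: %w", w.Err) }` before the `slices.Concat`. The Codecov annotations show that none of these lines are exercised by tests, so negative cases (malformed script, owner mismatch, `false` result) should be added with the checks. verifySignature starts before the hunk and continues after it.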
