Support Neo N3 account auth

pkg/innerring/processors/container/common.go

@@ -4,9 +4,17 @@
 	"crypto/ecdsa"
 	"errors"
 	"fmt"
-
+	"slices"
+
+	"github.com/nspcc-dev/neo-go/pkg/core/block"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
+	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
 	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
@@ -66,18 +74,65 @@
 			return fmt.Errorf("decode session token: %w", err)
 		}
 
-		if !tok.VerifySignature() {
-			return errors.New("invalid session token signature")
-		}
-
-		var signerPub neofsecdsa.PublicKeyRFC6979
-		if err = signerPub.Decode(tok.IssuerPublicKeyBytes()); err != nil {
-			return fmt.Errorf("invalid issuer public key: %w", err)
+		sig, ok := tok.Signature()
+		if !ok {
+			return errors.New("missing session token signature")
 		}
-
-		// TODO(@cthulhu-rider): #1387 check bound keys via NeoFSID contract?
-		if user.NewFromECDSAPublicKey(ecdsa.PublicKey(signerPub)) != v.ownerContainer {
-			return errors.New("session token is not signed by the container owner")
+		switch scheme := sig.Scheme(); scheme {
+		default:
+			return fmt.Errorf("unknown signature scheme %v", scheme)
+		case neofscrypto.ECDSA_SHA512, neofscrypto.ECDSA_WALLETCONNECT:
+			return fmt.Errorf("wrong signature scheme %v", scheme)
+		case neofscrypto.ECDSA_DETERMINISTIC_SHA256:
+			var signerPub neofsecdsa.PublicKeyRFC6979
+			if err = signerPub.Decode(sig.PublicKeyBytes()); err != nil {
+				return fmt.Errorf("invalid issuer public key: %w", err)
+			}
+			if !signerPub.Verify(tok.SignedData(), sig.Value()) {
+				return errors.New("session token signature mismatch")
+			}
+			// TODO(@cthulhu-rider): #1387 check bound keys via NeoFSID contract?
+			if user.NewFromECDSAPublicKey(ecdsa.PublicKey(signerPub)) != v.ownerContainer {
+				return errors.New("session token is not signed by the container owner")
+			}
+		case 3: // TODO: use const after SDK upgrade
+			invocScript, verifScript := sig.Value(), sig.PublicKeyBytes()
+			if len(verifScript) > 0 {
+				issuer := tok.Issuer()
+				acc := hash.Hash160(verifScript)
+				if inToken := util.Uint160(issuer[1:][:util.Uint160Size]); inToken != acc {
+					return fmt.Errorf("session token's issuer account %s not equals the verification script hash %s", inToken, acc)
+				}
+				// TODO: scripts may be stateless like simple- or multi-signature, they do not require exec on a VM
+				iatEpoch := tok.Iat()
+				iatHeight, err := interface {
+					HeightAtEpoch(uint64) (uint32, error)
+				}(nil).HeightAtEpoch(tok.Iat())
+				if err != nil {
+					return fmt.Errorf("get FS chain height (session iat: epoch#%d): %w", iatEpoch, err)
+				}
+				blkHdr, err := interface {
+					GetBlockHeaderByIndex(uint32) (block.Header, error)
+				}(nil).GetBlockHeaderByIndex(iatHeight)
+				if err != nil {
+					return fmt.Errorf("get FS chain block header (session iat: epoch#%d, height#%d): %w", iatHeight, iatEpoch, err)
+				}
+				// FIXME: add signed token data to the exec context
+				tx := &transaction.Transaction{
+					Script:  slices.Concat(invocScript, verifScript),
+					Signers: []transaction.Signer{{Account: acc}},
+					// FIXME: what else?
+				}
+				// w8 4 https://github.com/nspcc-dev/neo-go/issues/3836
+				ok, err := unwrap.Bool(cp.cnrClient.Morph().InvokeContainedScript(tx, blkHdr, trigger.Verification))
+				if err != nil {
+					return fmt.Errorf("invoke contained auth script on FS chain (session iat: epoch#%d, height#%d): %w", iatHeight, iatEpoch, err)
+				}
+				if !ok {
+					return fmt.Errorf("auth script run on FS chain resulted in false (session iat: epoch#%d, height#%d)", iatHeight, iatEpoch)
+				}
+			} else { // FIXME: what?
+			}
 		}
 
 		if keyProvided && !tok.AssertAuthKey(&key) {
@@ -101,6 +156,7 @@
 			return fmt.Errorf("check session lifetime: %w", err)
 		}
 
+		// TODO: support N3 accounts as well
 		if !tok.VerifySessionDataSignature(v.signedData, v.signature) {
 			return errors.New("invalid signature calculated with session key")
 		}