From 45644ab77c7793db78ef9c83b34e1f5438746bfd Mon Sep 17 00:00:00 2001
From: Roman Khimov
Date: Wed, 14 Aug 2024 18:58:39 +0300
Subject: [PATCH] api: drop useless key->issuer transformations

Signed-off-by: Roman Khimov
---
 api/handler/acl.go | 26 ++++++++++++--------------
 api/handler/multipart_upload.go | 11 +++++------
 api/handler/put.go | 12 ++++++------
 3 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/api/handler/acl.go b/api/handler/acl.go
index b4848940..2b352aa3 100644
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@@ -3,7 +3,6 @@ package handler
 import (
 "bytes"
 "context"
- "crypto/elliptic"
 "encoding/json"
 "encoding/xml"
 "errors"
@@ -13,7 +12,6 @@ import (
 "strconv"
 "strings"
- "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 "github.com/nspcc-dev/neofs-s3-gw/api"
 "github.com/nspcc-dev/neofs-s3-gw/api/data"
 "github.com/nspcc-dev/neofs-s3-gw/api/layer"
@@ -214,25 +212,25 @@ func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) {
 }
 }
-func (h *handler) bearerTokenIssuerKey(ctx context.Context) (*keys.PublicKey, error) {
+func (h *handler) bearerTokenIssuer(ctx context.Context) (user.ID, error) {
 box, err := layer.GetBoxData(ctx)
 if err != nil {
- return nil, err
+ return user.ID{}, err
 }
- key, err := keys.NewPublicKeyFromBytes(box.Gate.BearerToken.SigningKeyBytes(), elliptic.P256())
- if err != nil {
- return nil, fmt.Errorf("public key from bytes: %w", err)
+ iss := box.Gate.BearerToken.ResolveIssuer()
+ if iss.IsZero() {
+ return user.ID{}, errors.New("can't resolve issuer from bearer token")
 }
- return key, nil
+ return iss, nil
 }
 func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) {
 reqInfo := api.GetReqInfo(r.Context())
- key, err := h.bearerTokenIssuerKey(r.Context())
+ iss, err := h.bearerTokenIssuer(r.Context())
 if err != nil {
- h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err)
+ h.logAndSendError(w, "couldn't get bearer token issuer", reqInfo, err)
 return
 }
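Review bot: The new bearerTokenIssuer in the @@ -214 hunk changes where the identity used as ACL owner comes from, and nothing in the hunk records that this is meant to be equivalent to the removed derivation. The removed code built the ID from SigningKeyBytes(), so the owner was bound to whoever actually signed the bearer token; if ResolveIssuer() can return an issuer carried in the token body instead, that binding now depends on the token having been verified before it reaches this function, which the function itself does not do. A doc comment would make the contract explicit, e.g. `// bearerTokenIssuer resolves the user.ID of the issuer of the bearer token in the request's box data. It performs no verification of the token; the caller must rely on the box data having been authenticated earlier.` PutBucketACLHandler continues past the end of the hunk.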
@@ -244,7 +242,7 @@ func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) {
 list := &AccessControlPolicy{}
 if r.ContentLength == 0 {
- list, err = parseACLHeaders(r.Header, user.NewFromScriptHash(key.GetScriptHash()))
+ list, err = parseACLHeaders(r.Header, iss)
 if err != nil {
 h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
 return
@@ -347,9 +345,9 @@ func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 reqInfo := api.GetReqInfo(r.Context())
 versionID := reqInfo.URL.Query().Get(api.QueryVersionID)
- key, err := h.bearerTokenIssuerKey(r.Context())
+ iss, err := h.bearerTokenIssuer(r.Context())
 if err != nil {
- h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
+ h.logAndSendError(w, "couldn't get bearer token issues", reqInfo, err)
 return
 }
@@ -379,7 +377,7 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 list := &AccessControlPolicy{}
 if r.ContentLength == 0 {
- list, err = parseACLHeaders(r.Header, user.NewFromScriptHash(key.GetScriptHash()))
+ list, err = parseACLHeaders(r.Header, iss)
 if err != nil {
 h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
 return
diff --git a/api/handler/multipart_upload.go b/api/handler/multipart_upload.go
index f9415099..44980142 100644
--- a/api/handler/multipart_upload.go
+++ b/api/handler/multipart_upload.go
@@ -12,7 +12,6 @@ import (
 "github.com/nspcc-dev/neofs-s3-gw/api/layer"
 "github.com/nspcc-dev/neofs-s3-gw/api/s3errors"
 "github.com/nspcc-dev/neofs-sdk-go/session"
- "github.com/nspcc-dev/neofs-sdk-go/user"
 "go.uber.org/zap"
 )
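Review bot: The new error message in the PutObjectACLHandler hunk (@@ -347) reads `couldn't get bearer token issues`, which looks like a typo for the wording every other call site in this commit uses; change it to `h.logAndSendError(w, "couldn't get bearer token issues", reqInfo, err)` with "issuer" in place of "issues". The CompleteMultipartUploadHandler hunk in multipart_upload.go (@@ -422) keeps the old `couldn't get gate key` text next to the renamed call and could take the same message, since operators searching logs for the renamed helper will otherwise miss that site. PutObjectACLHandler continues outside the hunk.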
@@ -114,12 +113,12 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 }
 if containsACLHeaders(r) {
- key, err := h.bearerTokenIssuerKey(r.Context())
+ iss, err := h.bearerTokenIssuer(r.Context())
 if err != nil {
- h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
+ h.logAndSendError(w, "couldn't get bearer token issuer", reqInfo, err)
 return
 }
- if _, err = parseACLHeaders(r.Header, user.NewFromScriptHash(key.GetScriptHash())); err != nil {
+ if _, err = parseACLHeaders(r.Header, iss); err != nil {
 h.logAndSendError(w, "could not parse acl", reqInfo, err)
 return
 }
@@ -422,12 +421,12 @@ func (h *handler) CompleteMultipartUploadHandler(w http.ResponseWriter, r *http.
 }
 if len(uploadData.ACLHeaders) != 0 {
- key, err := h.bearerTokenIssuerKey(r.Context())
+ iss, err := h.bearerTokenIssuer(r.Context())
 if err != nil {
 h.logAndSendError(w, "couldn't get gate key", reqInfo, err)
 return
 }
- acl, err := parseACLHeaders(r.Header, user.NewFromScriptHash(key.GetScriptHash()))
+ acl, err := parseACLHeaders(r.Header, iss)
 if err != nil {
 h.logAndSendError(w, "could not parse acl", reqInfo, err)
 return
diff --git a/api/handler/put.go b/api/handler/put.go
index 71466b56..7c65a047 100644
--- a/api/handler/put.go
+++ b/api/handler/put.go
@@ -25,7 +25,6 @@ import (
 "github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
 "github.com/nspcc-dev/neofs-sdk-go/eacl"
 "github.com/nspcc-dev/neofs-sdk-go/session"
- "github.com/nspcc-dev/neofs-sdk-go/user"
 "go.uber.org/zap"
 )
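Review bot: In the CompleteMultipartUploadHandler hunk (@@ -422) the guard tests `len(uploadData.ACLHeaders) != 0`, but the rewritten call parses `r.Header`, the headers of the complete-upload request, rather than the stored ACL headers the guard is about. If ACLHeaders is what was captured when the upload was created, the owner and grants applied here come from the wrong request; if reading r.Header at this point is deliberate, a one-line comment such as `// ACL headers are re-read from the completing request, not from uploadData` would save the next reader the same question. This is pre-existing rather than introduced by the rename, but the commit rewrites exactly this line. The enclosing function starts and ends outside the hunk.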
@@ -591,11 +590,12 @@ func containsACLHeaders(r *http.Request) bool {
 func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) {
 var newEaclTable *eacl.Table
- key, err := h.bearerTokenIssuerKey(r.Context())
+
+ iss, err := h.bearerTokenIssuer(r.Context())
 if err != nil {
 return nil, fmt.Errorf("get bearer token issuer: %w", err)
 }
- objectACL, err := parseACLHeaders(r.Header, user.NewFromScriptHash(key.GetScriptHash()))
+ objectACL, err := parseACLHeaders(r.Header, iss)
 if err != nil {
 return nil, fmt.Errorf("could not parse object acl: %w", err)
 }
@@ -683,13 +683,13 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
- key, err := h.bearerTokenIssuerKey(r.Context())
+ iss, err := h.bearerTokenIssuer(r.Context())
 if err != nil {
- h.logAndSendError(w, "couldn't get bearer token signature key", reqInfo, err)
+ h.logAndSendError(w, "couldn't get bearer token issuer", reqInfo, err)
 return
 }
- bktACL, err := parseACLHeaders(r.Header, user.NewFromScriptHash(key.GetScriptHash()))
+ bktACL, err := parseACLHeaders(r.Header, iss)
 if err != nil {
 h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
 return