node: Validate session tokens attached to objects

CHANGELOG.md

@@ -15,6 +15,7 @@ Changelog for NeoFS Node
 - IR compares and logs public keys difference, not hash of keys difference at SN verification check (#2711)
 - Incorrect handling of notary request leading to inability to collect signatures in some cases (#2715)
 - Deadlock in autodeploy routine (#2720)
+- SN now validates session tokens attached to objects (#1159)
 
 ### Changed
 - Created files are not group writable (#2589)

pkg/core/object/fmt.go

@@ -137,7 +137,22 @@
 		return errors.New("missing signature")
 	}
 
-	// FIXME: #1159 perform token verification
+	token := obj.SessionToken()
+	if token == nil {
+		return nil
+	}
+
+	if !token.AssertAuthKey(sig.PublicKey()) {
+		return errors.New("session token is not for object's signer")
+	}
+
+	if !token.VerifySignature() {
+		return errors.New("incorrect session token signature")
+	}
+
+	if issuer, owner := token.Issuer(), obj.OwnerID(); !issuer.Equals(*owner) { // nil check was performed above
+		return fmt.Errorf("different object owner %s and session issuer %s", owner, issuer)
+	}
 
 	return nil
 }

pkg/core/object/fmt_test.go

@@ -6,13 +6,14 @@ import (
 
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test"
+	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
+	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	"github.com/nspcc-dev/neofs-sdk-go/object"
 	oid "github.com/nspcc-dev/neofs-sdk-go/object/id"
 	oidtest "github.com/nspcc-dev/neofs-sdk-go/object/id/test"
 	sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
 	"github.com/nspcc-dev/neofs-sdk-go/storagegroup"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
-	usertest "github.com/nspcc-dev/neofs-sdk-go/user/test"
 	"github.com/stretchr/testify/require"
 )
 
@@ -89,16 +90,53 @@ func TestFormatValidator_Validate(t *testing.T) {
 
 		obj := object.New()
 		obj.SetContainerID(cidtest.ID())
-		tok := sessiontest.ObjectSigned(signer)
+		tok := sessiontest.Object()
+		tok.SetAuthKey((*neofsecdsa.PublicKey)(&ownerKey.PrivateKey.PublicKey))
+		require.NoError(t, tok.Sign(signer))
 		obj.SetSessionToken(&tok)
-		owner := usertest.ID(t)
+		owner := signer.UserID()
 		obj.SetOwnerID(&owner)
 
 		require.NoError(t, obj.SetIDWithSignature(signer))
 
 		require.NoError(t, v.Validate(obj, false))
 	})
 
+	t.Run("incorrect session token", func(t *testing.T) {
+		signer := user.NewAutoIDSignerRFC6979(ownerKey.PrivateKey)
+
+		obj := object.New()
+		obj.SetContainerID(cidtest.ID())
+		tok := sessiontest.ObjectSigned(signer)
+		obj.SetSessionToken(&tok)
+		owner := signer.UserID()
+		obj.SetOwnerID(&owner)
+
+		t.Run("wrong signature", func(t *testing.T) {
+			require.NoError(t, obj.SetIDWithSignature(signer))
+
+			obj.SetSignature(&neofscrypto.Signature{})
+			require.Error(t, v.Validate(obj, false))
+		})
+
+		t.Run("wrong owner", func(t *testing.T) {
+			obj.SetOwnerID(&user.ID{})
+
+			require.NoError(t, obj.SetIDWithSignature(signer))
+			require.Error(t, v.Validate(obj, false))
+		})
+
+		t.Run("wrong signer", func(t *testing.T) {
+			wrongOwner, err := keys.NewPrivateKey()
+			require.NoError(t, err)
+
+			wrongSigner := user.NewAutoIDSignerRFC6979(wrongOwner.PrivateKey)
+
+			require.NoError(t, obj.SetIDWithSignature(wrongSigner))
+			require.Error(t, v.Validate(obj, false))
+		})
+	})
+
 	t.Run("correct w/o session token", func(t *testing.T) {
 		signer := user.NewAutoIDSigner(ownerKey.PrivateKey)
 		obj := blankValidObject(signer)