sn/object: Do not add session token to EC part

The session token is in the parent object, but in the part it is
meaningless. Moreover, if the part object needs to be recreated, the
session token will no longer exist. Therefore, not adding a token
preserves the object ID which is good for deduplication.

For this to work, it was necessary to make an exception when checking
the signature against the object owner.

Refs #3628.

Signed-off-by: Leonard Lyubich <[email protected]>

Author: cthulhu-rider

internal/crypto/object.go

@@ -13,7 +13,7 @@ import (
 )
 
 // AuthenticateObject checks whether obj is signed correctly by its owner.
-func AuthenticateObject(obj object.Object, fsChain HistoricN3ScriptRunner) error {
+func AuthenticateObject(obj object.Object, fsChain HistoricN3ScriptRunner, ecPart bool) error {
 	sig := obj.Signature()
 	if sig == nil {
 		return errMissingSignature
@@ -57,7 +57,7 @@ func AuthenticateObject(obj object.Object, fsChain HistoricN3ScriptRunner) error
 		if !verifyECDSAFns[scheme](*ecdsaPub, sig.Value(), obj.GetID().Marshal()) {
 			return schemeError(scheme, errSignatureMismatch)
 		}
-		if sessionToken == nil && user.NewFromECDSAPublicKey(*ecdsaPub) != obj.Owner() {
+		if sessionToken == nil && !ecPart && user.NewFromECDSAPublicKey(*ecdsaPub) != obj.Owner() {
 			return errors.New("owner mismatches signature")
 		}
 	case neofscrypto.N3:

internal/crypto/object_test.go

@@ -20,14 +20,14 @@ import (
 func TestAuthenticateObject(t *testing.T) {
 	t.Run("without signature", func(t *testing.T) {
 		obj := getUnsignedObject()
-		require.EqualError(t, icrypto.AuthenticateObject(obj, nil), "missing signature")
+		require.EqualError(t, icrypto.AuthenticateObject(obj, nil, false), "missing signature")
 	})
 	t.Run("unsupported scheme", func(t *testing.T) {
 		obj := objectECDSASHA512
 		sig := *obj.Signature()
 		sig.SetScheme(4)
 		obj.SetSignature(&sig)
-		require.EqualError(t, icrypto.AuthenticateObject(obj, nil), "unsupported scheme 4")
+		require.EqualError(t, icrypto.AuthenticateObject(obj, nil, false), "unsupported scheme 4")
 	})
 	t.Run("invalid public key", func(t *testing.T) {
 		for _, tc := range []struct {
@@ -48,7 +48,7 @@ func TestAuthenticateObject(t *testing.T) {
 				sig := *obj.Signature()
 				sig.SetPublicKeyBytes(tc.changePub(sig.PublicKeyBytes()))
 				obj.SetSignature(&sig)
-				err := icrypto.AuthenticateObject(obj, nil)
+				err := icrypto.AuthenticateObject(obj, nil, false)
 				require.EqualError(t, err, "scheme ECDSA_SHA512: decode public key: "+tc.err)
 			})
 		}
@@ -70,7 +70,7 @@ func TestAuthenticateObject(t *testing.T) {
 					cp[i]++
 					sig.SetValue(cp)
 					tc.obj.SetSignature(&sig)
-					err := icrypto.AuthenticateObject(tc.obj, nil)
+					err := icrypto.AuthenticateObject(tc.obj, nil, false)
 					require.EqualError(t, err, fmt.Sprintf("scheme %s: signature mismatch", tc.scheme))
 				}
 			})
@@ -86,7 +86,7 @@ func TestAuthenticateObject(t *testing.T) {
 			{scheme: neofscrypto.ECDSA_WALLETCONNECT, object: wrongOwnerObjectECDSAWalletConnect},
 		} {
 			t.Run(tc.scheme.String(), func(t *testing.T) {
-				require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil), "owner mismatches signature")
+				require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil, false), "owner mismatches signature")
 			})
 		}
 	})
@@ -101,7 +101,7 @@ func TestAuthenticateObject(t *testing.T) {
 				{scheme: neofscrypto.ECDSA_WALLETCONNECT, object: objectWithNoIssuerSessionECDSAWalletConnect},
 			} {
 				t.Run(tc.scheme.String(), func(t *testing.T) {
-					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil), "session token: missing issuer")
+					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil, false), "session token: missing issuer")
 				})
 			}
 		})
@@ -115,7 +115,7 @@ func TestAuthenticateObject(t *testing.T) {
 				{scheme: neofscrypto.ECDSA_WALLETCONNECT, object: objectWithWrongIssuerSessionECDSAWalletConnect},
 			} {
 				t.Run(tc.scheme.String(), func(t *testing.T) {
-					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil), "session token: issuer mismatches signature")
+					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil, false), "session token: issuer mismatches signature")
 				})
 			}
 		})
@@ -129,7 +129,7 @@ func TestAuthenticateObject(t *testing.T) {
 				{scheme: neofscrypto.ECDSA_WALLETCONNECT, object: objectWithWrongSessionSubjectECDSAWalletConnect},
 			} {
 				t.Run(tc.scheme.String(), func(t *testing.T) {
-					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil), "session token is not for object's signer")
+					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil, false), "session token is not for object's signer")
 				})
 			}
 		})
@@ -143,7 +143,7 @@ func TestAuthenticateObject(t *testing.T) {
 				{scheme: neofscrypto.ECDSA_WALLETCONNECT, object: objectWithWrongOwnerSessionECDSAWalletConnect},
 			} {
 				t.Run(tc.scheme.String(), func(t *testing.T) {
-					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil), "different object owner and session issuer")
+					require.EqualError(t, icrypto.AuthenticateObject(tc.object, nil, false), "different object owner and session issuer")
 				})
 			}
 		})
@@ -160,7 +160,7 @@ func TestAuthenticateObject(t *testing.T) {
 		{name: neofscrypto.ECDSA_WALLETCONNECT.String() + " with session", object: objectWithSessionECDSAWalletConnect},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			require.NoError(t, icrypto.AuthenticateObject(tc.object, nil))
+			require.NoError(t, icrypto.AuthenticateObject(tc.object, nil, false))
 		})
 	}
 }

internal/ec/object_test.go

@@ -149,7 +149,7 @@ func TestFormObjectForECPart(t *testing.T) {
 	require.Equal(t, parent.Owner(), obj.Owner())
 	require.Equal(t, parent.CreationEpoch(), obj.CreationEpoch())
 	require.Equal(t, object.TypeRegular, obj.Type())
-	require.Equal(t, parent.SessionToken(), obj.SessionToken())
+	require.Zero(t, obj.SessionToken())
 
 	_, ok = obj.PayloadHomomorphicHash()
 	require.False(t, ok)

internal/ec/objects.go

@@ -72,7 +72,6 @@ func FormObjectForECPart(signer neofscrypto.Signer, parent object.Object, part [
 	obj.SetOwner(parent.Owner())
 	obj.SetCreationEpoch(parent.CreationEpoch())
 	obj.SetType(object.TypeRegular)
-	obj.SetSessionToken(parent.SessionToken())
 
 	obj.SetParent(&parent)
 	iobject.SetIntAttribute(&obj, AttributeRuleIdx, partInfo.RuleIndex)

pkg/core/object/ec.go

@@ -73,6 +73,10 @@ func checkEC(hdr object.Object, rules []netmap.ECRule, blank bool, isParent bool
 }
 
 func checkECPart(part object.Object, rules []netmap.ECRule) error {
+	if part.SessionToken() != nil {
+		return errors.New("session token detected")
+	}
+
 	parent := part.Parent()
 	if parent == nil {
 		return errors.New("missing parent header")

pkg/core/object/ec_test.go

@@ -11,6 +11,7 @@ import (
 	cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test"
 	"github.com/nspcc-dev/neofs-sdk-go/netmap"
 	"github.com/nspcc-dev/neofs-sdk-go/object"
+	"github.com/nspcc-dev/neofs-sdk-go/session"
 	usertest "github.com/nspcc-dev/neofs-sdk-go/user/test"
 	"github.com/nspcc-dev/neofs-sdk-go/version"
 	"github.com/stretchr/testify/require"
@@ -193,6 +194,9 @@ func TestFormatValidator_Validate_EC(t *testing.T) {
 		{name: "wrong payload len", err: "invalid regular EC part object: wrong part payload len: expected 342, got 343, parent 4096", corruptPart: func(obj *object.Object) {
 			obj.SetPayloadSize(343)
 		}},
+		{name: "session token in part", err: "invalid regular EC part object: session token detected", corruptPart: func(obj *object.Object) {
+			obj.SetSessionToken(new(session.Object))
+		}},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.corruptParent != nil {
@@ -249,6 +253,19 @@ func TestFormatValidator_Validate_EC(t *testing.T) {
 		require.EqualError(t, v.Validate(&cp, false), "object with EC attributes __NEOFS__EC_RULE_IDX in container without EC rules")
 	})
 
+	t.Run("part created by 3rd party", func(t *testing.T) {
+		otherCreator := usertest.User()
+		for i := range parts {
+			obj, err := iec.FormObjectForECPart(otherCreator, parent, parts[i], iec.PartInfo{
+				RuleIndex: ruleIdx,
+				Index:     i,
+			})
+			require.NoError(t, err)
+
+			require.NoError(t, v.Validate(&obj, false))
+		}
+	})
+
 	for i := range ecParts {
 		require.NoError(t, v.Validate(&ecParts[i], false))
 	}

pkg/core/object/fmt.go

@@ -235,7 +235,7 @@ func (v *FormatValidator) validate(obj *object.Object, unprepared, isParent bool
 		if err := icrypto.AuthenticateObject(*obj, historicN3ScriptRunner{
 			FSChain:        v.fsChain,
 			NetmapContract: v.netmapContract,
-		}); err != nil {
+		}, isEC); err != nil {
 			return fmt.Errorf("authenticate: %w", err)
 		}
 

pkg/services/object/put/service_test.go

@@ -977,8 +977,6 @@ func assertObjectIntegrity(t *testing.T, obj object.Object) {
 
 	require.NotZero(t, obj.Owner())
 
-	require.NotZero(t, obj.SessionToken())
-
 	payload := obj.Payload()
 	require.EqualValues(t, obj.PayloadSize(), len(payload))
 
@@ -1004,6 +1002,7 @@ func checkAndGetObjectFromECParts(t *testing.T, limit uint64, rule iec.Rule, par
 
 	for _, part := range parts {
 		assertObjectIntegrity(t, part)
+		require.Zero(t, part.SessionToken())
 		require.LessOrEqual(t, part.PayloadSize(), limit)
 	}
 
@@ -1080,7 +1079,7 @@ func checkAndCutParentHeaderFromECPart(t *testing.T, part object.Object) object.
 	require.Equal(t, par.Owner(), part.Owner())
 	require.Equal(t, par.CreationEpoch(), part.CreationEpoch())
 	require.Equal(t, object.TypeRegular, part.Type())
-	require.Equal(t, par.SessionToken(), part.SessionToken())
+	require.NotZero(t, par.SessionToken())
 
 	return *par
 }