feat: enhance authorization configuration with new signature algorithms and backward compatibility

sivo4kin · sivo4kin · commit 256fdab14c7e · 2025-10-11T11:20:12.000+03:00
diff --git a/pkg/identity/identity.go b/pkg/identity/identity.go
@@ -56,17 +56,33 @@ type Store interface {
 	DecryptMessage(cipher []byte, peerID string) ([]byte, error)
 }
 
+// SignatureAlgorithm represents supported signature algorithms
+type SignatureAlgorithm string
+
+const (
+	AlgorithmEd25519 SignatureAlgorithm = "ed25519"
+	AlgorithmP256    SignatureAlgorithm = "p256"
+)
+
 // AuthorizerInfo represents a single authorizer with their public key and algorithm
 type AuthorizerInfo struct {
-	PublicKey string `json:"public_key"`
-	Algorithm string `json:"algorithm"` // "ed25519" or "secp256k1"
+	PublicKey string             `json:"public_key"`
+	Algorithm SignatureAlgorithm `json:"algorithm"`
 }
 
 // AuthorizationConfig holds the cached authorization configuration
 type AuthorizationConfig struct {
-	Enabled              bool
-	RequiredAuthorizers  int
-	AuthorizerPublicKeys map[string]AuthorizerInfo // key is authorizer ID
+	Enabled              bool                      `mapstructure:"enabled"`
+	RequiredAuthorizers  int                       `mapstructure:"required_authorizers"`
+	AuthorizerPublicKeys map[string]AuthorizerInfo `mapstructure:"authorizer_public_keys"`
+	Authorizers          map[string]AuthorizerInfo `mapstructure:"authorizers"` // backward compatibility
+}
+
+// AuthorizerConfigEntry represents the raw configuration for an authorizer
+type AuthorizerConfigEntry struct {
+	PublicKey string `mapstructure:"public_key"`
+	Algorithm string `mapstructure:"algorithm"`
+	Pubkey    string `mapstructure:"pubkey"` // backward compatibility
 }
 
 // fileStore implements the Store interface using the filesystem
@@ -170,70 +186,87 @@ func NewFileStore(identityDir, nodeName string, decrypt bool) (*fileStore, error
 	}
 
 	// Load authorization configuration
-	store.authzConfig = AuthorizationConfig{
+	if err := store.loadAuthorizationConfig(); err != nil {
+		return nil, fmt.Errorf("failed to load authorization config: %w", err)
+	}
+
+	return store, nil
+}
+
+// loadAuthorizationConfig loads and caches the authorization configuration
+func (s *fileStore) loadAuthorizationConfig() error {
+	// Load base configuration
+	s.authzConfig = AuthorizationConfig{
 		Enabled:              viper.GetBool("authorization.enabled"),
 		RequiredAuthorizers:  viper.GetInt("authorization.required_authorizers"),
 		AuthorizerPublicKeys: make(map[string]AuthorizerInfo),
+		Authorizers:          make(map[string]AuthorizerInfo),
 	}
 
-	// Load authorizer public keys
-	authKeys := viper.GetStringMap("authorization.authorizer_public_keys")
-	for authID, authData := range authKeys {
-		if authInfo, ok := authData.(map[string]interface{}); ok {
-			info := AuthorizerInfo{
-				Algorithm: "ed25519", // default algorithm
-			}
-
-			if pubKey, ok := authInfo["public_key"].(string); ok && pubKey != "" {
-				info.PublicKey = pubKey
-			}
-
-			if algo, ok := authInfo["algorithm"].(string); ok && algo != "" {
-				info.Algorithm = algo
-			}
-
-			if info.PublicKey != "" {
-				store.authzConfig.AuthorizerPublicKeys[authID] = info
-				store.authorizerInfo[authID] = info
-			}
+	// Load authorizer public keys (new format)
+	authKeysConfig := viper.GetStringMap("authorization.authorizer_public_keys")
+	for authID, authData := range authKeysConfig {
+		info, err := parseAuthorizerConfig(authData, true)
+		if err != nil {
+			logger.Warn("Failed to parse authorizer config", "authorizerID", authID, "error", err)
+			continue
+		}
+		if info.PublicKey != "" {
+			s.authzConfig.AuthorizerPublicKeys[authID] = info
+			s.authorizerInfo[authID] = info
 		}
 	}
 
 	// Load global authorizer configuration (backward compatibility)
-	authzAuthorizers := viper.GetStringMap("authorization.authorizers")
-	for id, v := range authzAuthorizers {
-		// Skip if already loaded from operation-specific config
-		if _, exists := store.authorizerInfo[id]; exists {
+	authorizersConfig := viper.GetStringMap("authorization.authorizers")
+	for authID, authData := range authorizersConfig {
+		// Skip if already loaded from new format
+		if _, exists := s.authorizerInfo[authID]; exists {
 			continue
 		}
 
-		// v is expected to be a map with key "pubkey" and optional "algorithm"
-		if entry, ok := v.(map[string]interface{}); ok {
-			info := AuthorizerInfo{
-				Algorithm: "ed25519", // default algorithm
-			}
+		info, err := parseAuthorizerConfig(authData, false)
+		if err != nil {
+			logger.Warn("Failed to parse legacy authorizer config", "authorizerID", authID, "error", err)
+			continue
+		}
+		if info.PublicKey != "" {
+			s.authzConfig.Authorizers[authID] = info
+			s.authorizerInfo[authID] = info
+		}
+	}
 
-			if pubHexRaw, ok := entry["pubkey"]; ok {
-				if pubHex, ok := pubHexRaw.(string); ok && pubHex != "" {
-					info.PublicKey = pubHex
-				}
-			}
+	return nil
+}
 
-			if algoRaw, ok := entry["algorithm"]; ok {
-				if algo, ok := algoRaw.(string); ok && algo != "" {
-					info.Algorithm = algo
-				}
-			}
+// parseAuthorizerConfig parses authorizer configuration from interface{} to AuthorizerInfo
+func parseAuthorizerConfig(authData interface{}, isNewFormat bool) (AuthorizerInfo, error) {
+	info := AuthorizerInfo{
+		Algorithm: AlgorithmEd25519, // default algorithm
+	}
 
-			if info.PublicKey != "" {
-				store.authorizerInfo[id] = info
-			} else {
-				logger.Warn("Invalid or empty pubkey for authorizer", "authorizerID", id)
-			}
+	authMap, ok := authData.(map[string]interface{})
+	if !ok {
+		return info, fmt.Errorf("invalid authorizer config format")
+	}
+
+	// Parse public key (handle both new and legacy formats)
+	if isNewFormat {
+		if pubKey, ok := authMap["public_key"].(string); ok && pubKey != "" {
+			info.PublicKey = pubKey
+		}
+	} else {
+		if pubKey, ok := authMap["pubkey"].(string); ok && pubKey != "" {
+			info.PublicKey = pubKey
 		}
 	}
 
-	return store, nil
+	// Parse algorithm
+	if algo, ok := authMap["algorithm"].(string); ok && algo != "" {
+		info.Algorithm = SignatureAlgorithm(algo)
+	}
+
+	return info, nil
 }
 
 // loadPrivateKey loads the private key from file, decrypting if necessary
@@ -551,9 +584,9 @@ func (s *fileStore) AuthorizeInitiatorMessage(operation string, msg types.Initia
 }
 
 // verifySignatureByAlgorithm verifies a signature using the specified algorithm
-func verifySignatureByAlgorithm(publicKeyHex, algorithm string, message, signature []byte) (bool, error) {
+func verifySignatureByAlgorithm(publicKeyHex string, algorithm SignatureAlgorithm, message, signature []byte) (bool, error) {
 	switch algorithm {
-	case "ed25519":
+	case AlgorithmEd25519:
 		pubKeyBytes, err := hex.DecodeString(publicKeyHex)
 		if err != nil {
 			return false, fmt.Errorf("invalid ed25519 public key hex: %w", err)
@@ -563,21 +596,14 @@ func verifySignatureByAlgorithm(publicKeyHex, algorithm string, message, signatu
 		}
 		return ed25519.Verify(pubKeyBytes, message, signature), nil
 
-	case "secp256k1", "p256":
+	case AlgorithmP256:
 		pubKeyBytes, err := hex.DecodeString(publicKeyHex)
 		if err != nil {
 			return false, fmt.Errorf("invalid ecdsa public key hex: %w", err)
 		}
 
 		// Parse the public key
-		var curve elliptic.Curve
-		if algorithm == "secp256k1" {
-			// For secp256k1, we'd need to import a secp256k1 library
-			// For now, we'll use P256 as a placeholder
-			curve = elliptic.P256()
-		} else {
-			curve = elliptic.P256()
-		}
+		curve := elliptic.P256()
 
 		// Assume uncompressed point format (0x04 + 32 bytes x + 32 bytes y)
 		if len(pubKeyBytes) == 65 && pubKeyBytes[0] == 0x04 {
