galaxy-game/gateway/internal/grpcapi/signature.go

package grpcapi

import (
	"context"
	"errors"

	"galaxy/gateway/authn"
	edgev1 "galaxy/gateway/proto/edge/v1"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// signatureVerifyingService applies client-signature verification after
// payload integrity checks and before later auth or routing steps run.
type signatureVerifyingService struct {
	edgev1.UnimplementedGatewayServer

	delegate edgev1.GatewayServer
}

// ExecuteCommand verifies req client signature before delegating to the
// configured service implementation.
func (s signatureVerifyingService) ExecuteCommand(ctx context.Context, req *edgev1.ExecuteCommandRequest) (*edgev1.ExecuteCommandResponse, error) {
	if err := verifyRequestSignature(ctx); err != nil {
		return nil, err
	}

	return s.delegate.ExecuteCommand(ctx, req)
}

// SubscribeEvents verifies req client signature before delegating to the
// configured service implementation.
func (s signatureVerifyingService) SubscribeEvents(req *edgev1.SubscribeEventsRequest, stream grpc.ServerStreamingServer[edgev1.GatewayEvent]) error {
	if err := verifyRequestSignature(stream.Context()); err != nil {
		return err
	}

	return s.delegate.SubscribeEvents(req, stream)
}

// newSignatureVerifyingService wraps delegate with the client-signature
// verification gate.
func newSignatureVerifyingService(delegate edgev1.GatewayServer) edgev1.GatewayServer {
	return signatureVerifyingService{delegate: delegate}
}

func verifyRequestSignature(ctx context.Context) error {
	envelope, ok := parsedEnvelopeFromContext(ctx)
	if !ok {
		return status.Error(codes.Internal, "authenticated request context is incomplete")
	}

	record, ok := resolvedSessionFromContext(ctx)
	if !ok {
		return status.Error(codes.Internal, "authenticated request context is incomplete")
	}

	err := authn.VerifyRequestSignature(record.ClientPublicKey, envelope.Signature, authn.RequestSigningFields{
		ProtocolVersion: envelope.ProtocolVersion,
		DeviceSessionID: envelope.DeviceSessionID,
		MessageType:     envelope.MessageType,
		TimestampMS:     envelope.TimestampMS,
		RequestID:       envelope.RequestID,
		PayloadHash:     envelope.PayloadHash,
	})
	switch {
	case err == nil:
		return nil
	case errors.Is(err, authn.ErrInvalidClientPublicKey):
		return status.Error(codes.Unavailable, "session cache is unavailable")
	case errors.Is(err, authn.ErrInvalidRequestSignature):
		return status.Error(codes.Unauthenticated, "invalid request signature")
	default:
		return status.Error(codes.Internal, "request signature verification failed")
	}
}

var _ edgev1.GatewayServer = signatureVerifyingService{}