eta_bridge/rpc/signature_interceptor.go

package rpc

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"
	"google.golang.org/protobuf/proto"
	"google.golang.org/protobuf/types/known/anypb"
)

// 自定义拦截器
func SignatureInterceptor(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return nil, status.Errorf(codes.InvalidArgument, "metadata is missing")
	}

	// 获取签名
	signature, ok := md["signature"]
	if !ok {
		return nil, status.Errorf(codes.Unauthenticated, "signature is missing")
	}

	// 验证签名
	if !verifySignature(req, signature[0]) {
		return nil, status.Errorf(codes.Unauthenticated, "invalid signature")
	}

	return handler(ctx, req)
}

// 验证签名
func verifySignature(req interface{}, signature string) bool {
	// 假设req是*pb.HelloRequest
	message := req.(proto.Message)
	reqData, _ := anypb.New(message)
	reqBytes, _ := proto.Marshal(reqData)

	key := []byte("secret-key") // 秘钥应该保密
	mac := hmac.New(sha256.New, key)
	mac.Write(reqBytes)
	expectedSignature := fmt.Sprintf("%x", mac.Sum(nil))

	return expectedSignature == signature
}