From f236f6bc5969ce7b5292a4d17dee95b86a3ca881 Mon Sep 17 00:00:00 2001
From: Stanislav Bogatyrev <stanislav@nspcc.ru>
Date: Tue, 11 Aug 2020 18:21:45 +0300
Subject: [PATCH] [#37] Move Bearer and Session Tokens to -Meta headers

It may be more convenient to have tokens in request Meta headers. Mostly
to simplify handling of verification headers.

Signed-off-by: Stanislav Bogatyrev <stanislav@nspcc.ru>
---
 service/meta.proto   |  79 +++++++++++++++++++++++++++++++-
 service/verify.proto | 105 ++++++-------------------------------------
 2 files changed, 90 insertions(+), 94 deletions(-)

diff --git a/service/meta.proto b/service/meta.proto
index 77e5793..2e51d92 100644
--- a/service/meta.proto
+++ b/service/meta.proto
@@ -6,6 +6,7 @@ option go_package = "github.com/nspcc-dev/neofs-api-go/service";
 option csharp_namespace = "NeoFS.API.Service";
 
 import "acl/types.proto";
+import "refs/types.proto";
 import "service/verify.proto";
 
 message XHeader {
@@ -23,6 +24,76 @@ message Version {
   uint32 minor = 2;
 }
 
+// Lifetime parameters of the token. Filed names taken from rfc7519.
+message TokenLifetime {
+  // Expiration Epoch
+  uint64 exp = 1;
+  // Not valid before Epoch
+  uint64 nbf = 2;
+  // Issued at Epoch
+  uint64 iat = 3;
+}
+
+// NeoFS session token.
+message SessionToken {
+  message Body {
+    // ID is a token identifier. valid UUIDv4 represented in bytes
+    bytes id = 1;
+    // OwnerID carries identifier of the session initiator.
+    refs.OwnerID owner_id = 2;
+    // Verb is an enumeration of session request types
+    enum Verb {
+      // Refers to object.Put RPC call
+      OBJECT_PUT = 0;
+      // Refers to object.Get RPC call
+      OBJECT_GET = 1;
+      // Refers to object.Head RPC call
+      OBJECT_HEAD = 2;
+      // Refers to object.Search RPC call
+      OBJECT_SEARCH = 3;
+      // Refers to object.Delete RPC call
+      OBJECT_DELETE = 4;
+      // Refers to object.GetRange RPC call
+      OBJECT_RANGE = 5;
+      // Refers to object.GetRangeHash RPC call
+      OBJECT_RANGEHASH = 6;
+    }
+    // Verb is a type of request for which the token is issued
+    Verb verb = 3;
+    // Lifetime is a lifetime of the session
+    TokenLifetime lifetime = 4;
+    // SessionKey is a public key of session key
+    bytes session_key = 5;
+    // Carries context of the session.
+    oneof context {
+      // object_address represents the object session context.
+      refs.Address object_address = 6;
+    }
+  }
+  // Session Token body
+  Body token = 1;
+
+  // Signature is a signature of session token information
+  Signature signature = 2;
+}
+
+// BearerToken has information about request ACL rules with limited lifetime
+message BearerToken {
+  message Body {
+    // EACLTable carries table of extended ACL rules
+    acl.EACLTable eacl_table = 1;
+    // OwnerID carries identifier of the token owner
+    refs.OwnerID owner_id = 2;
+    // Token expiration and valid time period parameters
+    TokenLifetime lifetime = 3;
+  }
+  // Bearer Token body
+  Body token = 1;
+
+  // Signature of BearerToken body
+  Signature signature = 2;
+}
+
 // Information about the request
 message RequestMetaHeader {
   // Client API version.
@@ -33,9 +104,13 @@ message RequestMetaHeader {
   uint32 ttl = 3;
   // Request X-Headers.
   repeated XHeader x_headers = 4;
+  // Token is a token of the session within which the request is sent
+  SessionToken token = 5;
+  // Bearer is a Bearer token of the request
+  BearerToken bearer = 6;
 
   // RequestMetaHeader of the origin request.
-  RequestMetaHeader origin = 98;
+  RequestMetaHeader origin = 7;
 }
 
 // Information about the response
@@ -50,5 +125,5 @@ message ResponseMetaHeader {
   repeated XHeader x_headers = 4;
 
   // Carries response meta header of the origin response.
-  ResponseMetaHeader origin = 98;
+  ResponseMetaHeader origin = 5;
 }
diff --git a/service/verify.proto b/service/verify.proto
index a1deab8..0c8e39f 100644
--- a/service/verify.proto
+++ b/service/verify.proto
@@ -8,6 +8,7 @@ option csharp_namespace = "NeoFS.API.Service";
 import "acl/types.proto";
 import "refs/types.proto";
 
+// Signature of something in NeoFS
 message Signature {
   // Public key used for signing.
   bytes key = 1;
@@ -17,106 +18,26 @@ message Signature {
 
 // Verification info for request signed by all intermediate nodes
 message RequestVerificationHeader {
+  // Request Body signature. Should be generated once by request initiator.
   Signature body_signature = 1;
+  // Request Meta signature is added and signed by any intermediate node
   Signature meta_signature = 2;
+  // Sign previous hops
+  Signature origin_signature = 3;
 
-  // Token is a token of the session within which the request is sent
-  SessionToken token = 3;
-  // Bearer is a Bearer token of the request
-  BearerTokenMsg bearer = 4;
-
-  RequestVerificationHeader origin = 5;
-}
-
-// Represents the NeoFS session token.
-message SessionToken {
-  message Info {
-    // ID is a token identifier. valid UUIDv4 represented in bytes
-    bytes id = 1;
-
-    // OwnerID carries identifier of the session initiator.
-    refs.OwnerID owner_id = 2;
-
-    // Verb is an enumeration of session request types
-    enum Verb {
-      // Refers to object.Put RPC call
-      OBJECT_PUT = 0;
-      // Refers to object.Get RPC call
-      OBJECT_GET = 1;
-      // Refers to object.Head RPC call
-      OBJECT_HEAD = 2;
-      // Refers to object.Search RPC call
-      OBJECT_SEARCH = 3;
-      // Refers to object.Delete RPC call
-      OBJECT_DELETE = 4;
-      // Refers to object.GetRange RPC call
-      OBJECT_RANGE = 5;
-      // Refers to object.GetRangeHash RPC call
-      OBJECT_RANGEHASH = 6;
-    }
-
-    // Verb is a type of request for which the token is issued
-    Verb verb = 3;
-
-    // Lifetime is a lifetime of the session
-    TokenLifetime lifetime = 4;
-
-    // SessionKey is a public key of session key
-    bytes session_key = 5;
-
-    // OwnerKey is a public key of the token owner
-    bytes owner_key = 6;
-
-    // Carries context of the session.
-    oneof context {
-      // object_address represents the object session context.
-      refs.Address object_address = 7;
-    }
-  }
-
-  // token_info is a grouped information about token
-  Info token_info = 1;
-
-  // Signature is a signature of session token information
-  bytes signature = 2;
-}
-
-// TokenLifetime carries a group of lifetime parameters of the token
-message TokenLifetime {
-  // created carries an initial epoch of token lifetime
-  uint64 created = 1;
-
-  // valid_until carries a last epoch of token lifetime
-  uint64 valid_until = 2;
-}
-
-// BearerTokenMsg carries information about request ACL rules with limited lifetime
-message BearerTokenMsg {
-  message Info {
-    // EACLTable carries table of extended ACL rules.
-    acl.EACLTable eacl_table = 1;
-
-    // OwnerID carries identifier of the token owner.
-    refs.OwnerID owner_id = 2;
-
-    // ValidUntil carries a last epoch of token lifetime
-    uint64 valid_until = 3;
-  }
-
-  // token_info is a grouped information about token
-  Info token_info = 1;
-
-  // owner_key is a public key of the token owner
-  bytes owner_key = 2;
-
-  // Signature is a signature of token information
-  bytes signature = 3;
+  // Chain of previous hops signatures
+  RequestVerificationHeader origin = 4;
 }
 
 // Verification info for response signed by all intermediate nodes
 message ResponseVerificationHeader {
+  // Response Body signature. Should be generated once by answering node.
   Signature body_signature = 1;
+  // Response Meta signature is added and signed by any intermediate node
   Signature meta_signature = 2;
+  // Sign previous hops
+  Signature origin_signature = 3;
 
-  ResponseVerificationHeader origin = 3;
+  // Chain of previous hops signatures
+  ResponseVerificationHeader origin = 4;
 }