[#544] Upgrade NeoFS SDK Go with another approach of container sessions

After recent changes in NeoFS SDK Go library session tokens aren't
embedded into `container.Container` and `eacl.Table` structures.
Instead, the operations of storing given values in NeoFS are
parameterized by elements of the corresponding type.

Add dedicated session parameters to operations of bucket and eACL
setting.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

api/handler/acl.go

@@ -236,11 +236,10 @@ func (h *handler) updateBucketACL(r *http.Request, astChild *ast, bktInfo *data.
 		return false, fmt.Errorf("could not translate ast to table: %w", err)
 	}
 
-	table.SetSessionToken(sessionToken)
-
 	p := &layer.PutBucketACLParams{
 		BktInfo:      bktInfo,
 		EACL:         table,
+		SessionToken: sessionToken,
 	}
 
 	if err = h.obj.PutBucketACL(r.Context(), p); err != nil {

api/handler/copy.go

@@ -147,11 +147,11 @@ func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
 			h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
 			return
 		}
-		newEaclTable.SetSessionToken(sessionTokenEACL)
 
 		p := &layer.PutBucketACLParams{
 			BktInfo:      dstBktInfo,
 			EACL:         newEaclTable,
+			SessionToken: sessionTokenEACL,
 		}
 
 		if err = h.obj.PutBucketACL(r.Context(), p); err != nil {

api/handler/put.go

@@ -250,7 +250,6 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 			h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
 			return
 		}
-		newEaclTable.SetSessionToken(sessionTokenEACL)
 	}
 
 	if tagSet != nil {
@@ -264,6 +263,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 		p := &layer.PutBucketACLParams{
 			BktInfo:      bktInfo,
 			EACL:         newEaclTable,
+			SessionToken: sessionTokenEACL,
 		}
 
 		if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
@@ -382,11 +382,10 @@ func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if newEaclTable != nil {
-		newEaclTable.SetSessionToken(sessionTokenEACL)
-
 		p := &layer.PutBucketACLParams{
 			BktInfo:      bktInfo,
 			EACL:         newEaclTable,
+			SessionToken: sessionTokenEACL,
 		}
 
 		if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
@@ -609,16 +608,16 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 	boxData, err := layer.GetBoxData(r.Context())
 	if err == nil {
 		policies = boxData.Policies
-		p.SessionToken = boxData.Gate.SessionTokenForPut()
-		p.EACL.SetSessionToken(boxData.Gate.SessionTokenForSetEACL())
+		p.SessionContainerCreation = boxData.Gate.SessionTokenForPut()
+		p.SessionEACL = boxData.Gate.SessionTokenForSetEACL()
 	}
 
-	if p.SessionToken == nil {
+	if p.SessionContainerCreation == nil {
 		h.logAndSendError(w, "couldn't find session token for put", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
 		return
 	}
 
-	if p.EACL.SessionToken() == nil {
+	if p.SessionEACL == nil {
 		h.logAndSendError(w, "couldn't find session token for setEACL", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
 		return
 	}

api/layer/container.go

@@ -147,7 +147,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
 		Creator:              bktInfo.Owner,
 		Policy:               p.Policy,
 		Name:                 p.Name,
-		SessionToken:         p.SessionToken,
+		SessionToken:         p.SessionContainerCreation,
 		AdditionalAttributes: attributes,
 	})
 	if err != nil {
@@ -156,7 +156,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
 
 	bktInfo.CID = *idCnr
 
-	if err = n.setContainerEACLTable(ctx, bktInfo.CID, p.EACL); err != nil {
+	if err = n.setContainerEACLTable(ctx, bktInfo.CID, p.EACL, p.SessionEACL); err != nil {
 		return nil, err
 	}
 
@@ -170,15 +170,10 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
 	return bktInfo, nil
 }
 
-func (n *layer) setContainerEACLTable(ctx context.Context, idCnr cid.ID, table *eacl.Table) error {
+func (n *layer) setContainerEACLTable(ctx context.Context, idCnr cid.ID, table *eacl.Table, sessionToken *session.Container) error {
 	table.SetCID(idCnr)
 
-	boxData, err := GetBoxData(ctx)
-	if err == nil {
-		table.SetSessionToken(boxData.Gate.SessionTokenForSetEACL())
-	}
-
-	return n.neoFS.SetContainerEACL(ctx, *table)
+	return n.neoFS.SetContainerEACL(ctx, *table, sessionToken)
 }
 
 func (n *layer) GetContainerEACL(ctx context.Context, idCnr cid.ID) (*eacl.Table, error) {

api/layer/layer.go

@@ -138,7 +138,8 @@ type (
 		Name                     string
 		Policy                   netmap.PlacementPolicy
 		EACL                     *eacl.Table
-		SessionToken       *session.Container
+		SessionContainerCreation *session.Container
+		SessionEACL              *session.Container
 		LocationConstraint       string
 		ObjectLockEnabled        bool
 	}
@@ -146,6 +147,7 @@ type (
 	PutBucketACLParams struct {
 		BktInfo      *data.BucketInfo
 		EACL         *eacl.Table
+		SessionToken *session.Container
 	}
 	// DeleteBucketParams stores delete bucket request parameters.
 	DeleteBucketParams struct {
@@ -368,7 +370,7 @@ func (n *layer) GetBucketACL(ctx context.Context, bktInfo *data.BucketInfo) (*Bu
 
 // PutBucketACL puts bucket acl by name.
 func (n *layer) PutBucketACL(ctx context.Context, param *PutBucketACLParams) error {
-	return n.setContainerEACLTable(ctx, param.BktInfo.CID, param.EACL)
+	return n.setContainerEACLTable(ctx, param.BktInfo.CID, param.EACL, param.SessionToken)
 }
 
 // ListBuckets returns all user containers. The name of the bucket is a container
@@ -630,7 +632,7 @@ func (n *layer) CreateBucket(ctx context.Context, p *CreateBucketParams) (*data.
 		return nil, err
 	}
 
-	if p.SessionToken != nil && session.IssuedBy(*p.SessionToken, bktInfo.Owner) {
+	if p.SessionContainerCreation != nil && session.IssuedBy(*p.SessionContainerCreation, bktInfo.Owner) {
 		return nil, errors.GetAPIError(errors.ErrBucketAlreadyOwnedByYou)
 	}
 

api/layer/neofs.go

@@ -162,10 +162,11 @@ type NeoFS interface {
 	// prevented the containers from being listed.
 	UserContainers(context.Context, user.ID) ([]cid.ID, error)
 
-	// SetContainerEACL saves the eACL table of the container in NeoFS.
+	// SetContainerEACL saves the eACL table of the container in NeoFS. The
+	// extended ACL is modified within session if session token is not nil.
 	//
 	// It returns any error encountered which prevented the eACL from being saved.
-	SetContainerEACL(context.Context, eacl.Table) error
+	SetContainerEACL(context.Context, eacl.Table, *session.Container) error
 
 	// ContainerEACL reads the container eACL from NeoFS by the container ID.
 	//

api/layer/neofs_mock.go

@@ -82,7 +82,6 @@ func (t *TestNeoFS) CreateContainer(_ context.Context, prm PrmContainerCreate) (
 	}
 
 	cnr := container.New(opts...)
-	cnr.SetSessionToken(prm.SessionToken)
 
 	if prm.Name != "" {
 		container.SetNativeName(cnr, prm.Name)

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/nats-io/nats.go v1.13.1-0.20220121202836-972a071d373d
 	github.com/nspcc-dev/neo-go v0.98.2
 	github.com/nspcc-dev/neofs-api-go/v2 v2.12.2
-	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220616082321-e986f4780721
+	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220621170307-721df386c599
 	github.com/prometheus/client_golang v1.11.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.7.1

go.sum

@@ -306,8 +306,8 @@ github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnB
 github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
 github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
 github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220616082321-e986f4780721 h1:5Al3dddr0SG3ONhfglTyc2GSnQS0vMmygCD00vLo/jU=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220616082321-e986f4780721/go.mod h1:k58jgszGX3pws2yiOXu9m0i32BzRgi1T6Bpd/L1KrJU=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220621170307-721df386c599 h1:EkwWrbzImpqtNJa8IZIsfk/EqbmPwpd0DfdenrJLSbc=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220621170307-721df386c599/go.mod h1:k58jgszGX3pws2yiOXu9m0i32BzRgi1T6Bpd/L1KrJU=
 github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
 github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
 github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=

internal/neofs/neofs.go

@@ -137,7 +137,6 @@ func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreat
 	}
 
 	cnr := container.New(cnrOptions...)
-	cnr.SetSessionToken(prm.SessionToken)
 
 	if prm.Name != "" {
 		container.SetNativeName(cnr, prm.Name)
@@ -147,6 +146,10 @@ func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreat
 	prmPut.SetContainer(*cnr)
 	prmPut.SetWaitParams(x.await)
 
+	if prm.SessionToken != nil {
+		prmPut.WithinSession(*prm.SessionToken)
+	}
+
 	// send request to save the container
 	idCnr, err := x.pool.PutContainer(ctx, prmPut)
 	if err != nil {
@@ -170,11 +173,15 @@ func (x *NeoFS) UserContainers(ctx context.Context, id user.ID) ([]cid.ID, error
 }
 
 // SetContainerEACL implements neofs.NeoFS interface method.
-func (x *NeoFS) SetContainerEACL(ctx context.Context, table eacl.Table) error {
+func (x *NeoFS) SetContainerEACL(ctx context.Context, table eacl.Table, sessionToken *session.Container) error {
 	var prm pool.PrmContainerSetEACL
 	prm.SetTable(table)
 	prm.SetWaitParams(x.await)
 
+	if sessionToken != nil {
+		prm.WithinSession(*sessionToken)
+	}
+
 	err := x.pool.SetEACL(ctx, prm)
 	if err != nil {
 		return fmt.Errorf("save eACL via connection pool: %w", err)