[#72] authmate: Add session token

Signed-off-by: Angira Kekteeva <kira@nspcc.ru>

README.md

@@ -231,13 +231,18 @@ used to create new AWS credentials.
 
 #### Issuance of a secret
 
-To issue a secret means to create a Bearer token and put it as an object into
+To issue a secret means to create a Bearer and  (optionally) Session tokens and 
-container on the NeoFS network. The token is encrypted by a set of gateway
+put them as an object into container on the NeoFS network. The tokens are 
-keys, so you need to pass them as well.
+encrypted by a set of gateway keys, so you need to pass them as well.
 
 If a parameter `container-id`  is not set, a new container will be created.
 
-If a parameter `rules` is not set, it will be auto-generated with values: 
+Creation of the bearer token is mandatory, and creation of the session token is 
+optional. If you want to add the session token you need to add a parameter 
+`create-session-token`. 
+
+Rules for bearer token can be set via param `bearer-rules`, if it is not set, 
+it will be auto-generated with values: 
 
 ```
 {
@@ -264,13 +269,27 @@ If a parameter `rules` is not set, it will be auto-generated with values:
 }
 ```
 
+Rules for session token can be set via param `session-rules`, default value is:
+```
+{
+    "verb": "PUT",
+    "wildcard": true,
+    "containerID": null
+}
+```
+
+If `session-rules` is set, but `create-session-token` is not, the session
+token will not be created.
+
 Example of a command to issue a secret with custom rules for multiple gates:
 ```
 $ ./neofs-authmate issue-secret --neofs-key user.key \
 --peer 192.168.130.71:8080 \ 
---rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \ 
+--bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \ 
 --gate-public-key dd34f6dce9a4ce0990869ec6bd33a40e102a5798881cfe61d03a5659ceee1a64 \
---gate-public-key 20453af9d7f245ff6fdfb1260eaa411ae3be9c519a2a9bf1c98233522cbd0156
+--gate-public-key 20453af9d7f245ff6fdfb1260eaa411ae3be9c519a2a9bf1c98233522cbd0156 \
+--create-session-token \
+--session-rules '{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}'
 
 {
   "access_key_id": "5g933dyLEkXbbAspouhPPTiyLZRg4axBW1axSPD87eVT_AiXsH4AjYy1iTJ4C1WExzjBrSobJsQFWEyKLREe5sQYM",

authmate/authmate.go

@@ -12,12 +12,14 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
 	"github.com/nspcc-dev/neofs-api-go/pkg/container"
 	cid "github.com/nspcc-dev/neofs-api-go/pkg/container/id"
 	"github.com/nspcc-dev/neofs-api-go/pkg/netmap"
 	"github.com/nspcc-dev/neofs-api-go/pkg/object"
 	"github.com/nspcc-dev/neofs-api-go/pkg/owner"
+	"github.com/nspcc-dev/neofs-api-go/pkg/session"
 	"github.com/nspcc-dev/neofs-api-go/pkg/token"
 	"github.com/nspcc-dev/neofs-node/pkg/policy"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
@@ -53,6 +55,8 @@ type (
 		OwnerPrivateKey       hcs.PrivateKey
 		GatesPublicKeys       []hcs.PublicKey
 		EACLRules             []byte
+		ContextRules          []byte
+		SessionTkn            bool
 	}
 
 	// ObtainSecretOptions contains options for passing to Agent.ObtainSecret method.
@@ -138,35 +142,64 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 		return err
 	}
 
-	a.log.Info("prepare eACL table")
+	box.SetOwnerPublicKey(options.OwnerPrivateKey.PublicKey())
 
-	table, err := buildEACLTable(cid, options.EACLRules)
+	oid, err := ownerIDFromNeoFSKey(&options.NeoFSKey.PublicKey)
+	if err != nil {
+		return err
+	}
+
+	a.log.Info("prepare eACL table")
+	bearerRules, err := buildEACLTable(cid, options.EACLRules)
 	if err != nil {
 		return fmt.Errorf("failed to build eacl table: %w", err)
 	}
 
-	tkn, err := buildBearerToken(options.NeoFSKey, table)
+	bearerTkn, err := buildBearerToken(options.NeoFSKey, oid, bearerRules)
 	if err != nil {
 		return fmt.Errorf("failed to build bearer token: %w", err)
 	}
 
-	box.SetOwnerPublicKey(options.OwnerPrivateKey.PublicKey())
+	err = box.AddBearerToken(bearerTkn, options.OwnerPrivateKey, options.GatesPublicKeys...)
-	err = box.AddBearerToken(tkn, options.OwnerPrivateKey, options.GatesPublicKeys...)
 	if err != nil {
-		return fmt.Errorf("failed to add token to accessbox: %w", err)
+		return fmt.Errorf("failed to add bearer token to accessbox: %w", err)
+	}
+	a.log.Info("store bearer token into NeoFS",
+		zap.Stringer("owner_tkn", bearerTkn.Issuer()))
+
+	if options.SessionTkn {
+		sessionRules, err := buildContext(options.ContextRules)
+		if err != nil {
+			return fmt.Errorf("failed to build context for session token: %w", err)
+		}
+
+		sessionTkn, err := buildSessionToken(options.NeoFSKey, oid, sessionRules)
+		if err != nil {
+			return fmt.Errorf("failed to create session token: %w", err)
+		}
+
+		err = box.AddSessionToken(sessionTkn, options.OwnerPrivateKey, options.GatesPublicKeys...)
+		if err != nil {
+			return fmt.Errorf("failed to add session token to accessbox: %w", err)
+		}
 	}
 
-	a.log.Info("store bearer token into NeoFS",
+	if !options.SessionTkn && len(options.ContextRules) > 0 {
-		zap.Stringer("owner_tkn", tkn.Issuer()))
+		_, err := w.Write([]byte("Warning: rules for session token were set but --create-session flag wasn't, " +
+			"so session token was not created\n"))
+		if err != nil {
+			return err
+		}
+	}
 
 	address, err := tokens.
 		New(a.pool, options.OwnerPrivateKey).
-		Put(ctx, cid, tkn.Issuer(), &box, options.GatesPublicKeys...)
+		Put(ctx, cid, oid, &box, options.GatesPublicKeys...)
 	if err != nil {
 		return fmt.Errorf("failed to put bearer token: %w", err)
 	}
 
-	secret, err := BearerToAccessKey(tkn)
+	secret, err := BearerToAccessKey(bearerTkn)
 	if err != nil {
 		return fmt.Errorf("failed to get bearer token secret key: %w", err)
 	}
@@ -267,13 +300,23 @@ func buildEACLTable(cid *cid.ID, eaclTable []byte) (*eacl.Table, error) {
 	return table, nil
 }
 
-func buildBearerToken(key *ecdsa.PrivateKey, table *eacl.Table) (*token.BearerToken, error) {
+func buildContext(rules []byte) (*session.ContainerContext, error) {
-	wallet, err := owner.NEO3WalletFromPublicKey(&key.PublicKey)
+	sessionCtx := session.NewContainerContext() // wildcard == true on by default
-	if err != nil {
-		return nil, err
-	}
-	oid := owner.NewIDFromNeo3Wallet(wallet)
 
+	if len(rules) != 0 {
+		// cast ToV2 temporary, because there is no method for unmarshalling in ContainerContext in api-go
+		err := sessionCtx.ToV2().UnmarshalJSON(rules)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read rules for session token: %w", err)
+		}
+		return sessionCtx, nil
+	}
+	sessionCtx.ForPut()
+	sessionCtx.ApplyTo(nil)
+	return sessionCtx, nil
+}
+
+func buildBearerToken(key *ecdsa.PrivateKey, oid *owner.ID, table *eacl.Table) (*token.BearerToken, error) {
 	bearerToken := token.NewBearerToken()
 	bearerToken.SetEACLTable(table)
 	bearerToken.SetOwner(oid)
@@ -282,6 +325,19 @@ func buildBearerToken(key *ecdsa.PrivateKey, table *eacl.Table) (*token.BearerTo
 	return bearerToken, bearerToken.SignToken(key)
 }
 
+func buildSessionToken(key *ecdsa.PrivateKey, oid *owner.ID, ctx *session.ContainerContext) (*session.Token, error) {
+	tok := session.NewToken()
+	tok.SetContext(ctx)
+	uid, err := uuid.New().MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	tok.SetID(uid)
+	tok.SetOwnerID(oid)
+
+	return tok, tok.Sign(key)
+}
+
 // BearerToAccessKey returns secret access key generated from given BearerToken.
 func BearerToAccessKey(tkn *token.BearerToken) (string, error) {
 	data, err := tkn.Marshal()
@@ -292,3 +348,11 @@ func BearerToAccessKey(tkn *token.BearerToken) (string, error) {
 	hash := sha256.Sum256(data)
 	return hex.EncodeToString(hash[:]), nil
 }
+
+func ownerIDFromNeoFSKey(key *ecdsa.PublicKey) (*owner.ID, error) {
+	wallet, err := owner.NEO3WalletFromPublicKey(key)
+	if err != nil {
+		return nil, err
+	}
+	return owner.NewIDFromNeo3Wallet(wallet), nil
+}

cmd/authmate/main.go

@@ -37,6 +37,7 @@ var (
 	neoFSKeyPathFlag      string
 	peerAddressFlag       string
 	eaclRulesFlag         string
+	contextRulesFlag      string
 	gatePrivateKeyFlag    string
 	accessKeyIDFlag       string
 	ownerPrivateKeyFlag   string
@@ -46,6 +47,7 @@ var (
 	gatesKeysCountFlag    int
 	logEnabledFlag        bool
 	logDebugEnabledFlag   bool
+	sessionTokenFlag      bool
 )
 
 var zapConfig = zap.Config{
@@ -198,11 +200,17 @@ func issueSecret() *cli.Command {
 				Destination: &peerAddressFlag,
 			},
 			&cli.StringFlag{
-				Name:        "rules",
+				Name:        "bearer-rules",
-				Usage:       "eacl rules as plain json string",
+				Usage:       "rules for bearer token as plain json string",
 				Required:    false,
 				Destination: &eaclRulesFlag,
 			},
+			&cli.StringFlag{
+				Name:        "session-rules",
+				Usage:       "rules for session token as plain json string",
+				Required:    false,
+				Destination: &contextRulesFlag,
+			},
 			&cli.StringSliceFlag{
 				Name:        "gate-public-key",
 				Usage:       "public x25519 key of a gate (use flags repeatedly for multiple gates)",
@@ -228,6 +236,13 @@ func issueSecret() *cli.Command {
 				Destination: &containerFriendlyName,
 				Value:       "auth-container",
 			},
+			&cli.BoolFlag{
+				Name:        "create-session-token",
+				Usage:       "create session token",
+				Required:    false,
+				Destination: &sessionTokenFlag,
+				Value:       false,
+			},
 		},
 		Action: func(c *cli.Context) error {
 			ctx, log := prepare()
@@ -275,6 +290,8 @@ func issueSecret() *cli.Command {
 				OwnerPrivateKey:       owner.PrivateKey(),
 				GatesPublicKeys:       gatesPublicKeys,
 				EACLRules:             []byte(eaclRulesFlag),
+				ContextRules:          []byte(contextRulesFlag),
+				SessionTkn:            sessionTokenFlag,
 			}
 
 			if err = agent.IssueSecret(ctx, os.Stdout, issueSecretOptions); err != nil {

go.sum

@@ -342,10 +342,6 @@ github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnB
 github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
 github.com/nspcc-dev/neofs-node v1.22.0 h1:TJ4d5zopItYYWMEajegVWBgAw8HjZFe12IkNm3Tt+rk=
 github.com/nspcc-dev/neofs-node v1.22.0/go.mod h1:ecpXrzIe1vcp5FBjPsIaHKVIVvxsv4GVBCw21WYcY3c=
-github.com/nspcc-dev/neofs-sdk-go v0.0.0-20210604112451-f16d38c7b92a h1:bVvyR+Y+UmElTFKY0ifjtvWteYSm93jihKV1rh4wW5s=
-github.com/nspcc-dev/neofs-sdk-go v0.0.0-20210604112451-f16d38c7b92a/go.mod h1:1djNrOkpTTbNUlJM/MvTmohJUaWKUMy9JHSCCA8rJEc=
-github.com/nspcc-dev/neofs-sdk-go v0.0.0-20210609143631-0d3c078a0d9b h1:2alc6tGPHScEATOxlrYuHCTl+DbhVaqigT5Bo1QXY90=
-github.com/nspcc-dev/neofs-sdk-go v0.0.0-20210609143631-0d3c078a0d9b/go.mod h1:1djNrOkpTTbNUlJM/MvTmohJUaWKUMy9JHSCCA8rJEc=
 github.com/nspcc-dev/neofs-sdk-go v0.0.0-20210615074944-86a9aa92599b h1:l99sCKR/mt+iFb4p1836qtoXUQEGYlEzqWAeAliEaE8=
 github.com/nspcc-dev/neofs-sdk-go v0.0.0-20210615074944-86a9aa92599b/go.mod h1:1djNrOkpTTbNUlJM/MvTmohJUaWKUMy9JHSCCA8rJEc=
 github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=