Merge pull request #67 from nspcc-dev/update-to-neofs-api-0.7.2
Update to neofs api 0.7.2
This commit is contained in:
commit
6c705e079f
29 changed files with 192 additions and 459 deletions
2
Makefile
2
Makefile
|
@ -1,4 +1,4 @@
|
||||||
PROTO_VERSION=v0.7.1
|
PROTO_VERSION=v0.7.2
|
||||||
PROTO_URL=https://github.com/nspcc-dev/neofs-api/archive/$(PROTO_VERSION).tar.gz
|
PROTO_URL=https://github.com/nspcc-dev/neofs-api/archive/$(PROTO_VERSION).tar.gz
|
||||||
|
|
||||||
B=\033[0;1m
|
B=\033[0;1m
|
||||||
|
|
|
@ -149,7 +149,6 @@ calculated for XORed data.
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Address | [refs.Address](#refs.Address) | | Address of object (container id + object id) |
|
| Address | [refs.Address](#refs.Address) | | Address of object (container id + object id) |
|
||||||
| OwnerID | [bytes](#bytes) | | OwnerID is a wallet address |
|
| OwnerID | [bytes](#bytes) | | OwnerID is a wallet address |
|
||||||
| Token | [session.Token](#session.Token) | | Token with session public key and user's signature |
|
|
||||||
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
||||||
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
||||||
|
|
||||||
|
@ -228,7 +227,6 @@ in distributed system.
|
||||||
| Field | Type | Label | Description |
|
| Field | Type | Label | Description |
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Address | [refs.Address](#refs.Address) | | Address of object (container id + object id) |
|
| Address | [refs.Address](#refs.Address) | | Address of object (container id + object id) |
|
||||||
| Raw | [bool](#bool) | | Raw is the request flag of a physically stored representation of an object |
|
|
||||||
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
||||||
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
||||||
|
|
||||||
|
@ -256,7 +254,6 @@ in distributed system.
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Address | [refs.Address](#refs.Address) | | Address of object (container id + object id) |
|
| Address | [refs.Address](#refs.Address) | | Address of object (container id + object id) |
|
||||||
| FullHeaders | [bool](#bool) | | FullHeaders can be set true for extended headers in the object |
|
| FullHeaders | [bool](#bool) | | FullHeaders can be set true for extended headers in the object |
|
||||||
| Raw | [bool](#bool) | | Raw is the request flag of a physically stored representation of an object |
|
|
||||||
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
||||||
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
||||||
|
|
||||||
|
@ -296,7 +293,6 @@ in distributed system.
|
||||||
| Field | Type | Label | Description |
|
| Field | Type | Label | Description |
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Object | [Object](#object.Object) | | Object with at least container id and owner id fields |
|
| Object | [Object](#object.Object) | | Object with at least container id and owner id fields |
|
||||||
| Token | [session.Token](#session.Token) | | Token with session public key and user's signature |
|
|
||||||
| CopiesNumber | [uint32](#uint32) | | Number of the object copies to store within the RPC call (zero is processed according to the placement rules) |
|
| CopiesNumber | [uint32](#uint32) | | Number of the object copies to store within the RPC call (zero is processed according to the placement rules) |
|
||||||
|
|
||||||
|
|
||||||
|
@ -378,7 +374,7 @@ in distributed system.
|
||||||
| UserHeader | [UserHeader](#object.UserHeader) | | UserHeader is a set of KV headers defined by user |
|
| UserHeader | [UserHeader](#object.UserHeader) | | UserHeader is a set of KV headers defined by user |
|
||||||
| Transform | [Transform](#object.Transform) | | Transform defines transform operation (e.g. payload split) |
|
| Transform | [Transform](#object.Transform) | | Transform defines transform operation (e.g. payload split) |
|
||||||
| Tombstone | [Tombstone](#object.Tombstone) | | Tombstone header that set up in deleted objects |
|
| Tombstone | [Tombstone](#object.Tombstone) | | Tombstone header that set up in deleted objects |
|
||||||
| Verify | [session.VerificationHeader](#session.VerificationHeader) | | Verify header that contains session public key and user's signature |
|
| Token | [service.Token](#service.Token) | | Token header contains token of the session within which the object was created |
|
||||||
| HomoHash | [bytes](#bytes) | | HomoHash is a homomorphic hash of original object payload |
|
| HomoHash | [bytes](#bytes) | | HomoHash is a homomorphic hash of original object payload |
|
||||||
| PayloadChecksum | [bytes](#bytes) | | PayloadChecksum of actual object's payload |
|
| PayloadChecksum | [bytes](#bytes) | | PayloadChecksum of actual object's payload |
|
||||||
| Integrity | [IntegrityHeader](#object.IntegrityHeader) | | Integrity header with checksum of all above headers in the object |
|
| Integrity | [IntegrityHeader](#object.IntegrityHeader) | | Integrity header with checksum of all above headers in the object |
|
||||||
|
|
|
@ -14,8 +14,9 @@
|
||||||
|
|
||||||
- Messages
|
- Messages
|
||||||
- [RequestVerificationHeader](#service.RequestVerificationHeader)
|
- [RequestVerificationHeader](#service.RequestVerificationHeader)
|
||||||
- [RequestVerificationHeader.Sign](#service.RequestVerificationHeader.Sign)
|
|
||||||
- [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature)
|
- [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature)
|
||||||
|
- [Token](#service.Token)
|
||||||
|
- [Token.Info](#service.Token.Info)
|
||||||
|
|
||||||
|
|
||||||
- [service/verify_test.proto](#service/verify_test.proto)
|
- [service/verify_test.proto](#service/verify_test.proto)
|
||||||
|
@ -49,6 +50,7 @@ RequestMetaHeader contains information about request meta headers
|
||||||
| TTL | [uint32](#uint32) | | TTL must be larger than zero, it decreased in every NeoFS Node |
|
| TTL | [uint32](#uint32) | | TTL must be larger than zero, it decreased in every NeoFS Node |
|
||||||
| Epoch | [uint64](#uint64) | | Epoch for user can be empty, because node sets epoch to the actual value |
|
| Epoch | [uint64](#uint64) | | Epoch for user can be empty, because node sets epoch to the actual value |
|
||||||
| Version | [uint32](#uint32) | | Version defines protocol version TODO: not used for now, should be implemented in future |
|
| Version | [uint32](#uint32) | | Version defines protocol version TODO: not used for now, should be implemented in future |
|
||||||
|
| Raw | [bool](#bool) | | Raw determines whether the request is raw or not |
|
||||||
|
|
||||||
|
|
||||||
<a name="service.ResponseMetaHeader"></a>
|
<a name="service.ResponseMetaHeader"></a>
|
||||||
|
@ -88,18 +90,7 @@ RequestVerificationHeader is a set of signatures of every NeoFS Node that proces
|
||||||
| Field | Type | Label | Description |
|
| Field | Type | Label | Description |
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Signatures | [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature) | repeated | Signatures is a set of signatures of every passed NeoFS Node |
|
| Signatures | [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature) | repeated | Signatures is a set of signatures of every passed NeoFS Node |
|
||||||
|
| Token | [Token](#service.Token) | | Token is a token of the session within which the request is sent |
|
||||||
|
|
||||||
<a name="service.RequestVerificationHeader.Sign"></a>
|
|
||||||
|
|
||||||
### Message RequestVerificationHeader.Sign
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
| Field | Type | Label | Description |
|
|
||||||
| ----- | ---- | ----- | ----------- |
|
|
||||||
| Sign | [bytes](#bytes) | | Sign is signature of the request or session key. |
|
|
||||||
| Peer | [bytes](#bytes) | | Peer is compressed public key used for signature. |
|
|
||||||
|
|
||||||
|
|
||||||
<a name="service.RequestVerificationHeader.Signature"></a>
|
<a name="service.RequestVerificationHeader.Signature"></a>
|
||||||
|
@ -110,11 +101,57 @@ RequestVerificationHeader is a set of signatures of every NeoFS Node that proces
|
||||||
|
|
||||||
| Field | Type | Label | Description |
|
| Field | Type | Label | Description |
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Sign | [RequestVerificationHeader.Sign](#service.RequestVerificationHeader.Sign) | | Sign is a signature and public key of the request. |
|
| Sign | [bytes](#bytes) | | Sign is signature of the request or session key. |
|
||||||
| Origin | [RequestVerificationHeader.Sign](#service.RequestVerificationHeader.Sign) | | Origin used for requests, when trusted node changes it and re-sign with session key. If session key used for signature request, then Origin should contain public key of user and signed session key. |
|
| Peer | [bytes](#bytes) | | Peer is compressed public key used for signature. |
|
||||||
|
|
||||||
|
|
||||||
|
<a name="service.Token"></a>
|
||||||
|
|
||||||
|
### Message Token
|
||||||
|
User token granting rights for object manipulation
|
||||||
|
|
||||||
|
|
||||||
|
| Field | Type | Label | Description |
|
||||||
|
| ----- | ---- | ----- | ----------- |
|
||||||
|
| TokenInfo | [Token.Info](#service.Token.Info) | | TokenInfo is a grouped information about token |
|
||||||
|
| Signature | [bytes](#bytes) | | Signature is a signature of session token information |
|
||||||
|
|
||||||
|
|
||||||
|
<a name="service.Token.Info"></a>
|
||||||
|
|
||||||
|
### Message Token.Info
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
| Field | Type | Label | Description |
|
||||||
|
| ----- | ---- | ----- | ----------- |
|
||||||
|
| ID | [bytes](#bytes) | | ID is a token identifier. valid UUIDv4 represented in bytes |
|
||||||
|
| OwnerID | [bytes](#bytes) | | OwnerID is an owner of manipulation object |
|
||||||
|
| verb | [Token.Info.Verb](#service.Token.Info.Verb) | | Verb is a type of request for which the token is issued |
|
||||||
|
| Address | [refs.Address](#refs.Address) | | Address is an object address for which token is issued |
|
||||||
|
| Created | [uint64](#uint64) | | Created is an initial epoch of token lifetime |
|
||||||
|
| ValidUntil | [uint64](#uint64) | | ValidUntil is a last epoch of token lifetime |
|
||||||
|
| SessionKey | [bytes](#bytes) | | SessionKey is a public key of session key |
|
||||||
|
|
||||||
<!-- end messages -->
|
<!-- end messages -->
|
||||||
|
|
||||||
|
|
||||||
|
<a name="service.Token.Info.Verb"></a>
|
||||||
|
|
||||||
|
### Token.Info.Verb
|
||||||
|
Verb is an enumeration of session request types
|
||||||
|
|
||||||
|
| Name | Number | Description |
|
||||||
|
| ---- | ------ | ----------- |
|
||||||
|
| Put | 0 | Put refers to object.Put RPC call |
|
||||||
|
| Get | 1 | Get refers to object.Get RPC call |
|
||||||
|
| Head | 2 | Head refers to object.Head RPC call |
|
||||||
|
| Search | 3 | Search refers to object.Search RPC call |
|
||||||
|
| Delete | 4 | Delete refers to object.Delete RPC call |
|
||||||
|
| Range | 5 | Range refers to object.GetRange RPC call |
|
||||||
|
| RangeHash | 6 | RangeHash refers to object.GetRangeHash RPC call |
|
||||||
|
|
||||||
|
|
||||||
<!-- end enums -->
|
<!-- end enums -->
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -12,13 +12,6 @@
|
||||||
- [CreateResponse](#session.CreateResponse)
|
- [CreateResponse](#session.CreateResponse)
|
||||||
|
|
||||||
|
|
||||||
- [session/types.proto](#session/types.proto)
|
|
||||||
|
|
||||||
- Messages
|
|
||||||
- [Token](#session.Token)
|
|
||||||
- [VerificationHeader](#session.VerificationHeader)
|
|
||||||
|
|
||||||
|
|
||||||
- [Scalar Value Types](#scalar-value-types)
|
- [Scalar Value Types](#scalar-value-types)
|
||||||
|
|
||||||
|
|
||||||
|
@ -68,8 +61,8 @@ session key. Session is established during 4-step handshake in one gRPC stream
|
||||||
|
|
||||||
| Field | Type | Label | Description |
|
| Field | Type | Label | Description |
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Init | [Token](#session.Token) | | Init is a message to initialize session opening. Carry: owner of manipulation object; ID of manipulation object; token lifetime bounds. |
|
| Init | [service.Token](#service.Token) | | Init is a message to initialize session opening. Carry: owner of manipulation object; ID of manipulation object; token lifetime bounds. |
|
||||||
| Signed | [Token](#session.Token) | | Signed Init message response (Unsigned) from server with user private key |
|
| Signed | [service.Token](#service.Token) | | Signed Init message response (Unsigned) from server with user private key |
|
||||||
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
|
||||||
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
|
||||||
|
|
||||||
|
@ -82,52 +75,8 @@ session key. Session is established during 4-step handshake in one gRPC stream
|
||||||
|
|
||||||
| Field | Type | Label | Description |
|
| Field | Type | Label | Description |
|
||||||
| ----- | ---- | ----- | ----------- |
|
| ----- | ---- | ----- | ----------- |
|
||||||
| Unsigned | [Token](#session.Token) | | Unsigned token with token ID and session public key generated on server side |
|
| Unsigned | [service.Token](#service.Token) | | Unsigned token with token ID and session public key generated on server side |
|
||||||
| Result | [Token](#session.Token) | | Result is a resulting token which can be used for object placing through an trusted intermediary |
|
| Result | [service.Token](#service.Token) | | Result is a resulting token which can be used for object placing through an trusted intermediary |
|
||||||
|
|
||||||
<!-- end messages -->
|
|
||||||
|
|
||||||
<!-- end enums -->
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<a name="session/types.proto"></a>
|
|
||||||
<p align="right"><a href="#top">Top</a></p>
|
|
||||||
|
|
||||||
## session/types.proto
|
|
||||||
|
|
||||||
|
|
||||||
<!-- end services -->
|
|
||||||
|
|
||||||
|
|
||||||
<a name="session.Token"></a>
|
|
||||||
|
|
||||||
### Message Token
|
|
||||||
User token granting rights for object manipulation
|
|
||||||
|
|
||||||
|
|
||||||
| Field | Type | Label | Description |
|
|
||||||
| ----- | ---- | ----- | ----------- |
|
|
||||||
| Header | [VerificationHeader](#session.VerificationHeader) | | Header carries verification data of session key |
|
|
||||||
| OwnerID | [bytes](#bytes) | | OwnerID is an owner of manipulation object |
|
|
||||||
| FirstEpoch | [uint64](#uint64) | | FirstEpoch is an initial epoch of token lifetime |
|
|
||||||
| LastEpoch | [uint64](#uint64) | | LastEpoch is a last epoch of token lifetime |
|
|
||||||
| ObjectID | [bytes](#bytes) | repeated | ObjectID is an object identifier of manipulation object |
|
|
||||||
| Signature | [bytes](#bytes) | | Signature is a token signature, signed by owner of manipulation object |
|
|
||||||
| ID | [bytes](#bytes) | | ID is a token identifier. valid UUIDv4 represented in bytes |
|
|
||||||
| PublicKeys | [bytes](#bytes) | repeated | PublicKeys associated with owner |
|
|
||||||
|
|
||||||
|
|
||||||
<a name="session.VerificationHeader"></a>
|
|
||||||
|
|
||||||
### Message VerificationHeader
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
| Field | Type | Label | Description |
|
|
||||||
| ----- | ---- | ----- | ----------- |
|
|
||||||
| PublicKey | [bytes](#bytes) | | PublicKey is a session public key |
|
|
||||||
| KeySignature | [bytes](#bytes) | | KeySignature is a session public key signature. Signed by trusted side |
|
|
||||||
|
|
||||||
<!-- end messages -->
|
<!-- end messages -->
|
||||||
|
|
||||||
|
|
|
@ -19,21 +19,6 @@ func (m Object) IsLinking() bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// VerificationHeader returns verification header if it is presented in extended headers.
|
|
||||||
func (m Object) VerificationHeader() (*VerificationHeader, error) {
|
|
||||||
_, vh := m.LastHeader(HeaderType(VerifyHdr))
|
|
||||||
if vh == nil {
|
|
||||||
return nil, ErrHeaderNotFound
|
|
||||||
}
|
|
||||||
return vh.Value.(*Header_Verify).Verify, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetVerificationHeader sets verification header in the object.
|
|
||||||
// It will replace existing verification header or add a new one.
|
|
||||||
func (m *Object) SetVerificationHeader(header *VerificationHeader) {
|
|
||||||
m.SetHeader(&Header{Value: &Header_Verify{Verify: header}})
|
|
||||||
}
|
|
||||||
|
|
||||||
// Links returns slice of ids of specified link type
|
// Links returns slice of ids of specified link type
|
||||||
func (m *Object) Links(t Link_Type) []ID {
|
func (m *Object) Links(t Link_Type) []ID {
|
||||||
var res []ID
|
var res []ID
|
||||||
|
|
Binary file not shown.
|
@ -5,7 +5,6 @@ option csharp_namespace = "NeoFS.API.Object";
|
||||||
|
|
||||||
import "refs/types.proto";
|
import "refs/types.proto";
|
||||||
import "object/types.proto";
|
import "object/types.proto";
|
||||||
import "session/types.proto";
|
|
||||||
import "service/meta.proto";
|
import "service/meta.proto";
|
||||||
import "service/verify.proto";
|
import "service/verify.proto";
|
||||||
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
||||||
|
@ -58,8 +57,6 @@ service Service {
|
||||||
message GetRequest {
|
message GetRequest {
|
||||||
// Address of object (container id + object id)
|
// Address of object (container id + object id)
|
||||||
refs.Address Address = 1 [(gogoproto.nullable) = false];
|
refs.Address Address = 1 [(gogoproto.nullable) = false];
|
||||||
// Raw is the request flag of a physically stored representation of an object
|
|
||||||
bool Raw = 2;
|
|
||||||
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
||||||
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
||||||
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
|
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
|
||||||
|
@ -82,10 +79,8 @@ message PutRequest {
|
||||||
message PutHeader {
|
message PutHeader {
|
||||||
// Object with at least container id and owner id fields
|
// Object with at least container id and owner id fields
|
||||||
Object Object = 1;
|
Object Object = 1;
|
||||||
// Token with session public key and user's signature
|
|
||||||
session.Token Token = 2;
|
|
||||||
// Number of the object copies to store within the RPC call (zero is processed according to the placement rules)
|
// Number of the object copies to store within the RPC call (zero is processed according to the placement rules)
|
||||||
uint32 CopiesNumber = 3;
|
uint32 CopiesNumber = 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
oneof R {
|
oneof R {
|
||||||
|
@ -112,8 +107,6 @@ message DeleteRequest {
|
||||||
refs.Address Address = 1 [(gogoproto.nullable) = false];
|
refs.Address Address = 1 [(gogoproto.nullable) = false];
|
||||||
// OwnerID is a wallet address
|
// OwnerID is a wallet address
|
||||||
bytes OwnerID = 2 [(gogoproto.nullable) = false, (gogoproto.customtype) = "OwnerID"];
|
bytes OwnerID = 2 [(gogoproto.nullable) = false, (gogoproto.customtype) = "OwnerID"];
|
||||||
// Token with session public key and user's signature
|
|
||||||
session.Token Token = 3;
|
|
||||||
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
||||||
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
||||||
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
|
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
|
||||||
|
@ -132,8 +125,6 @@ message HeadRequest {
|
||||||
refs.Address Address = 1 [(gogoproto.nullable) = false, (gogoproto.customtype) = "Address"];
|
refs.Address Address = 1 [(gogoproto.nullable) = false, (gogoproto.customtype) = "Address"];
|
||||||
// FullHeaders can be set true for extended headers in the object
|
// FullHeaders can be set true for extended headers in the object
|
||||||
bool FullHeaders = 2;
|
bool FullHeaders = 2;
|
||||||
// Raw is the request flag of a physically stored representation of an object
|
|
||||||
bool Raw = 3;
|
|
||||||
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
||||||
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
||||||
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
|
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
|
||||||
|
|
|
@ -16,8 +16,8 @@ func TestRequest(t *testing.T) {
|
||||||
&DeleteRequest{},
|
&DeleteRequest{},
|
||||||
&GetRangeRequest{},
|
&GetRangeRequest{},
|
||||||
&GetRangeHashRequest{},
|
&GetRangeHashRequest{},
|
||||||
MakePutRequestHeader(nil, nil),
|
MakePutRequestHeader(nil),
|
||||||
MakePutRequestHeader(&Object{}, nil),
|
MakePutRequestHeader(&Object{}),
|
||||||
}
|
}
|
||||||
|
|
||||||
types := []RequestType{
|
types := []RequestType{
|
||||||
|
|
|
@ -7,7 +7,6 @@ import (
|
||||||
"github.com/gogo/protobuf/proto"
|
"github.com/gogo/protobuf/proto"
|
||||||
"github.com/nspcc-dev/neofs-api-go/internal"
|
"github.com/nspcc-dev/neofs-api-go/internal"
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
"github.com/nspcc-dev/neofs-api-go/session"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
|
@ -19,9 +18,6 @@ type (
|
||||||
// Address is a type alias of object Address.
|
// Address is a type alias of object Address.
|
||||||
Address = refs.Address
|
Address = refs.Address
|
||||||
|
|
||||||
// VerificationHeader is a type alias of session's verification header.
|
|
||||||
VerificationHeader = session.VerificationHeader
|
|
||||||
|
|
||||||
// PositionReader defines object reader that returns slice of bytes
|
// PositionReader defines object reader that returns slice of bytes
|
||||||
// for specified object and data range.
|
// for specified object and data range.
|
||||||
PositionReader interface {
|
PositionReader interface {
|
||||||
|
@ -60,8 +56,8 @@ const (
|
||||||
TransformHdr
|
TransformHdr
|
||||||
// TombstoneHdr is a tombstone header type.
|
// TombstoneHdr is a tombstone header type.
|
||||||
TombstoneHdr
|
TombstoneHdr
|
||||||
// VerifyHdr is a verification header type.
|
// TokenHdr is a token header type.
|
||||||
VerifyHdr
|
TokenHdr
|
||||||
// HomoHashHdr is a homomorphic hash header type.
|
// HomoHashHdr is a homomorphic hash header type.
|
||||||
HomoHashHdr
|
HomoHashHdr
|
||||||
// PayloadChecksumHdr is a payload checksum header type.
|
// PayloadChecksumHdr is a payload checksum header type.
|
||||||
|
@ -175,8 +171,8 @@ func (m Header) typeOf(t isHeader_Value) (ok bool) {
|
||||||
_, ok = m.Value.(*Header_Transform)
|
_, ok = m.Value.(*Header_Transform)
|
||||||
case *Header_Tombstone:
|
case *Header_Tombstone:
|
||||||
_, ok = m.Value.(*Header_Tombstone)
|
_, ok = m.Value.(*Header_Tombstone)
|
||||||
case *Header_Verify:
|
case *Header_Token:
|
||||||
_, ok = m.Value.(*Header_Verify)
|
_, ok = m.Value.(*Header_Token)
|
||||||
case *Header_HomoHash:
|
case *Header_HomoHash:
|
||||||
_, ok = m.Value.(*Header_HomoHash)
|
_, ok = m.Value.(*Header_HomoHash)
|
||||||
case *Header_PayloadChecksum:
|
case *Header_PayloadChecksum:
|
||||||
|
@ -205,8 +201,8 @@ func HeaderType(t headerType) Pred {
|
||||||
return func(h *Header) bool { _, ok := h.Value.(*Header_Transform); return ok }
|
return func(h *Header) bool { _, ok := h.Value.(*Header_Transform); return ok }
|
||||||
case TombstoneHdr:
|
case TombstoneHdr:
|
||||||
return func(h *Header) bool { _, ok := h.Value.(*Header_Tombstone); return ok }
|
return func(h *Header) bool { _, ok := h.Value.(*Header_Tombstone); return ok }
|
||||||
case VerifyHdr:
|
case TokenHdr:
|
||||||
return func(h *Header) bool { _, ok := h.Value.(*Header_Verify); return ok }
|
return func(h *Header) bool { _, ok := h.Value.(*Header_Token); return ok }
|
||||||
case HomoHashHdr:
|
case HomoHashHdr:
|
||||||
return func(h *Header) bool { _, ok := h.Value.(*Header_HomoHash); return ok }
|
return func(h *Header) bool { _, ok := h.Value.(*Header_HomoHash); return ok }
|
||||||
case PayloadChecksumHdr:
|
case PayloadChecksumHdr:
|
||||||
|
|
Binary file not shown.
|
@ -4,7 +4,7 @@ option go_package = "github.com/nspcc-dev/neofs-api-go/object";
|
||||||
option csharp_namespace = "NeoFS.API.Object";
|
option csharp_namespace = "NeoFS.API.Object";
|
||||||
|
|
||||||
import "refs/types.proto";
|
import "refs/types.proto";
|
||||||
import "session/types.proto";
|
import "service/verify.proto";
|
||||||
import "storagegroup/types.proto";
|
import "storagegroup/types.proto";
|
||||||
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
||||||
|
|
||||||
|
@ -36,8 +36,8 @@ message Header {
|
||||||
Transform Transform = 4;
|
Transform Transform = 4;
|
||||||
// Tombstone header that set up in deleted objects
|
// Tombstone header that set up in deleted objects
|
||||||
Tombstone Tombstone = 5;
|
Tombstone Tombstone = 5;
|
||||||
// Verify header that contains session public key and user's signature
|
// Token header contains token of the session within which the object was created
|
||||||
session.VerificationHeader Verify = 6;
|
service.Token Token = 6;
|
||||||
// HomoHash is a homomorphic hash of original object payload
|
// HomoHash is a homomorphic hash of original object payload
|
||||||
bytes HomoHash = 7 [(gogoproto.customtype) = "Hash"];
|
bytes HomoHash = 7 [(gogoproto.customtype) = "Hash"];
|
||||||
// PayloadChecksum of actual object's payload
|
// PayloadChecksum of actual object's payload
|
||||||
|
|
|
@ -4,7 +4,6 @@ import (
|
||||||
"io"
|
"io"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/session"
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -46,11 +45,10 @@ func (b ByteSize) String() string {
|
||||||
|
|
||||||
// MakePutRequestHeader combines object and session token value
|
// MakePutRequestHeader combines object and session token value
|
||||||
// into header of object put request.
|
// into header of object put request.
|
||||||
func MakePutRequestHeader(obj *Object, token *session.Token) *PutRequest {
|
func MakePutRequestHeader(obj *Object) *PutRequest {
|
||||||
return &PutRequest{
|
return &PutRequest{
|
||||||
R: &PutRequest_Header{Header: &PutRequest_PutHeader{
|
R: &PutRequest_Header{Header: &PutRequest_PutHeader{
|
||||||
Object: obj,
|
Object: obj,
|
||||||
Token: token,
|
|
||||||
}},
|
}},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -77,7 +77,7 @@ func (m Object) Verify() error {
|
||||||
integrity := ih.Value.(*Header_Integrity).Integrity
|
integrity := ih.Value.(*Header_Integrity).Integrity
|
||||||
|
|
||||||
// Prepare structures
|
// Prepare structures
|
||||||
_, vh := m.LastHeader(HeaderType(VerifyHdr))
|
_, vh := m.LastHeader(HeaderType(TokenHdr))
|
||||||
if vh == nil {
|
if vh == nil {
|
||||||
_, pkh := m.LastHeader(HeaderType(PublicKeyHdr))
|
_, pkh := m.LastHeader(HeaderType(PublicKeyHdr))
|
||||||
if pkh == nil {
|
if pkh == nil {
|
||||||
|
@ -85,7 +85,7 @@ func (m Object) Verify() error {
|
||||||
}
|
}
|
||||||
pubkey = pkh.Value.(*Header_PublicKey).PublicKey.Value
|
pubkey = pkh.Value.(*Header_PublicKey).PublicKey.Value
|
||||||
} else {
|
} else {
|
||||||
pubkey = vh.Value.(*Header_Verify).Verify.PublicKey
|
pubkey = vh.Value.(*Header_Token).Token.SessionKey
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify signature
|
// Verify signature
|
||||||
|
|
|
@ -6,7 +6,7 @@ import (
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/nspcc-dev/neofs-api-go/container"
|
"github.com/nspcc-dev/neofs-api-go/container"
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
"github.com/nspcc-dev/neofs-api-go/session"
|
"github.com/nspcc-dev/neofs-api-go/service"
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
||||||
"github.com/nspcc-dev/neofs-crypto/test"
|
"github.com/nspcc-dev/neofs-crypto/test"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
@ -77,11 +77,13 @@ func TestObject_Verify(t *testing.T) {
|
||||||
|
|
||||||
dataPK := crypto.MarshalPublicKey(&sessionkey.PublicKey)
|
dataPK := crypto.MarshalPublicKey(&sessionkey.PublicKey)
|
||||||
signature, err = crypto.Sign(key, dataPK)
|
signature, err = crypto.Sign(key, dataPK)
|
||||||
vh := &session.VerificationHeader{
|
tok := &service.Token{
|
||||||
PublicKey: dataPK,
|
Token_Info: service.Token_Info{
|
||||||
KeySignature: signature,
|
SessionKey: dataPK,
|
||||||
|
},
|
||||||
|
Signature: signature,
|
||||||
}
|
}
|
||||||
obj.SetVerificationHeader(vh)
|
obj.AddHeader(&Header{Value: &Header_Token{Token: tok}})
|
||||||
|
|
||||||
// validation header is not last
|
// validation header is not last
|
||||||
t.Run("error validation header is not last", func(t *testing.T) {
|
t.Run("error validation header is not last", func(t *testing.T) {
|
||||||
|
@ -90,7 +92,7 @@ func TestObject_Verify(t *testing.T) {
|
||||||
})
|
})
|
||||||
|
|
||||||
obj.Headers = obj.Headers[:len(obj.Headers)-2]
|
obj.Headers = obj.Headers[:len(obj.Headers)-2]
|
||||||
obj.SetVerificationHeader(vh)
|
obj.AddHeader(&Header{Value: &Header_Token{Token: tok}})
|
||||||
obj.SetHeader(&Header{Value: &Header_Integrity{ih}})
|
obj.SetHeader(&Header{Value: &Header_Integrity{ih}})
|
||||||
|
|
||||||
t.Run("error invalid header checksum", func(t *testing.T) {
|
t.Run("error invalid header checksum", func(t *testing.T) {
|
||||||
|
@ -115,7 +117,7 @@ func TestObject_Verify(t *testing.T) {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
obj.SetHeader(genIH)
|
obj.SetHeader(genIH)
|
||||||
|
|
||||||
t.Run("correct with vh", func(t *testing.T) {
|
t.Run("correct with tok", func(t *testing.T) {
|
||||||
err = obj.Verify()
|
err = obj.Verify()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
})
|
})
|
||||||
|
@ -123,7 +125,7 @@ func TestObject_Verify(t *testing.T) {
|
||||||
pkh := Header{Value: &Header_PublicKey{&PublicKey{
|
pkh := Header{Value: &Header_PublicKey{&PublicKey{
|
||||||
Value: crypto.MarshalPublicKey(&key.PublicKey),
|
Value: crypto.MarshalPublicKey(&key.PublicKey),
|
||||||
}}}
|
}}}
|
||||||
// replace vh with pkh
|
// replace tok with pkh
|
||||||
obj.Headers[len(obj.Headers)-2] = pkh
|
obj.Headers[len(obj.Headers)-2] = pkh
|
||||||
// re-sign object
|
// re-sign object
|
||||||
obj.Sign(sessionkey)
|
obj.Sign(sessionkey)
|
||||||
|
|
14
service/alias.go
Normal file
14
service/alias.go
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
package service
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TokenID is type alias of UUID ref.
|
||||||
|
type TokenID = refs.UUID
|
||||||
|
|
||||||
|
// OwnerID is type alias of OwnerID ref.
|
||||||
|
type OwnerID = refs.OwnerID
|
||||||
|
|
||||||
|
// Address is type alias of Address ref.
|
||||||
|
type Address = refs.Address
|
Binary file not shown.
|
@ -17,6 +17,8 @@ message RequestMetaHeader {
|
||||||
// Version defines protocol version
|
// Version defines protocol version
|
||||||
// TODO: not used for now, should be implemented in future
|
// TODO: not used for now, should be implemented in future
|
||||||
uint32 Version = 3;
|
uint32 Version = 3;
|
||||||
|
// Raw determines whether the request is raw or not
|
||||||
|
bool Raw = 4;
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResponseMetaHeader contains meta information based on request processing by server
|
// ResponseMetaHeader contains meta information based on request processing by server
|
||||||
|
|
|
@ -53,18 +53,6 @@ func (m *RequestVerificationHeader) AddSignature(sig *RequestVerificationHeader_
|
||||||
m.Signatures = append(m.Signatures, sig)
|
m.Signatures = append(m.Signatures, sig)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetOwner adds origin (sign and public key) of owner (client) into first signature.
|
|
||||||
func (m *RequestVerificationHeader) SetOwner(pub *ecdsa.PublicKey, sign []byte) {
|
|
||||||
if len(m.Signatures) == 0 || pub == nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
m.Signatures[0].Origin = &RequestVerificationHeader_Sign{
|
|
||||||
Sign: sign,
|
|
||||||
Peer: crypto.MarshalPublicKey(pub),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// CheckOwner validates, that passed OwnerID is equal to present PublicKey of owner.
|
// CheckOwner validates, that passed OwnerID is equal to present PublicKey of owner.
|
||||||
func (m *RequestVerificationHeader) CheckOwner(owner refs.OwnerID) error {
|
func (m *RequestVerificationHeader) CheckOwner(owner refs.OwnerID) error {
|
||||||
if key, err := m.GetOwner(); err != nil {
|
if key, err := m.GetOwner(); err != nil {
|
||||||
|
@ -83,18 +71,6 @@ func (m *RequestVerificationHeader) CheckOwner(owner refs.OwnerID) error {
|
||||||
func (m *RequestVerificationHeader) GetOwner() (*ecdsa.PublicKey, error) {
|
func (m *RequestVerificationHeader) GetOwner() (*ecdsa.PublicKey, error) {
|
||||||
if len(m.Signatures) == 0 {
|
if len(m.Signatures) == 0 {
|
||||||
return nil, ErrCannotFindOwner
|
return nil, ErrCannotFindOwner
|
||||||
}
|
|
||||||
|
|
||||||
// if first signature contains origin, we should try to validate session key
|
|
||||||
if m.Signatures[0].Origin != nil {
|
|
||||||
owner := crypto.UnmarshalPublicKey(m.Signatures[0].Origin.Peer)
|
|
||||||
if owner == nil {
|
|
||||||
return nil, ErrCannotLoadPublicKey
|
|
||||||
} else if err := crypto.Verify(owner, m.Signatures[0].Peer, m.Signatures[0].Origin.Sign); err != nil {
|
|
||||||
return nil, errors.Wrap(err, "could not verify session token")
|
|
||||||
}
|
|
||||||
|
|
||||||
return owner, nil
|
|
||||||
} else if key := crypto.UnmarshalPublicKey(m.Signatures[0].Peer); key != nil {
|
} else if key := crypto.UnmarshalPublicKey(m.Signatures[0].Peer); key != nil {
|
||||||
return key, nil
|
return key, nil
|
||||||
}
|
}
|
||||||
|
@ -128,10 +104,8 @@ func newSignature(key *ecdsa.PrivateKey, data []byte) (*RequestVerificationHeade
|
||||||
}
|
}
|
||||||
|
|
||||||
return &RequestVerificationHeader_Signature{
|
return &RequestVerificationHeader_Signature{
|
||||||
RequestVerificationHeader_Sign: RequestVerificationHeader_Sign{
|
Sign: sign,
|
||||||
Sign: sign,
|
Peer: crypto.MarshalPublicKey(&key.PublicKey),
|
||||||
Peer: crypto.MarshalPublicKey(&key.PublicKey),
|
|
||||||
},
|
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Binary file not shown.
|
@ -3,6 +3,7 @@ package service;
|
||||||
option go_package = "github.com/nspcc-dev/neofs-api-go/service";
|
option go_package = "github.com/nspcc-dev/neofs-api-go/service";
|
||||||
option csharp_namespace = "NeoFS.API.Service";
|
option csharp_namespace = "NeoFS.API.Service";
|
||||||
|
|
||||||
|
import "refs/types.proto";
|
||||||
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
||||||
|
|
||||||
option (gogoproto.stable_marshaler_all) = true;
|
option (gogoproto.stable_marshaler_all) = true;
|
||||||
|
@ -10,22 +11,74 @@ option (gogoproto.stable_marshaler_all) = true;
|
||||||
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request
|
// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request
|
||||||
// (should be embedded into message).
|
// (should be embedded into message).
|
||||||
message RequestVerificationHeader {
|
message RequestVerificationHeader {
|
||||||
message Sign {
|
message Signature {
|
||||||
// Sign is signature of the request or session key.
|
// Sign is signature of the request or session key.
|
||||||
bytes Sign = 1;
|
bytes Sign = 1;
|
||||||
// Peer is compressed public key used for signature.
|
// Peer is compressed public key used for signature.
|
||||||
bytes Peer = 2;
|
bytes Peer = 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
message Signature {
|
|
||||||
// Sign is a signature and public key of the request.
|
|
||||||
Sign Sign = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
|
||||||
// Origin used for requests, when trusted node changes it and re-sign with session key.
|
|
||||||
// If session key used for signature request, then Origin should contain
|
|
||||||
// public key of user and signed session key.
|
|
||||||
Sign Origin = 2;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Signatures is a set of signatures of every passed NeoFS Node
|
// Signatures is a set of signatures of every passed NeoFS Node
|
||||||
repeated Signature Signatures = 1;
|
repeated Signature Signatures = 1;
|
||||||
|
|
||||||
|
// Token is a token of the session within which the request is sent
|
||||||
|
Token Token = 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// User token granting rights for object manipulation
|
||||||
|
message Token {
|
||||||
|
message Info {
|
||||||
|
// ID is a token identifier. valid UUIDv4 represented in bytes
|
||||||
|
bytes ID = 1 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
|
||||||
|
|
||||||
|
// OwnerID is an owner of manipulation object
|
||||||
|
bytes OwnerID = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
|
||||||
|
|
||||||
|
// Verb is an enumeration of session request types
|
||||||
|
enum Verb {
|
||||||
|
// Put refers to object.Put RPC call
|
||||||
|
Put = 0;
|
||||||
|
// Get refers to object.Get RPC call
|
||||||
|
Get = 1;
|
||||||
|
// Head refers to object.Head RPC call
|
||||||
|
Head = 2;
|
||||||
|
// Search refers to object.Search RPC call
|
||||||
|
Search = 3;
|
||||||
|
// Delete refers to object.Delete RPC call
|
||||||
|
Delete = 4;
|
||||||
|
// Range refers to object.GetRange RPC call
|
||||||
|
Range = 5;
|
||||||
|
// RangeHash refers to object.GetRangeHash RPC call
|
||||||
|
RangeHash = 6;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verb is a type of request for which the token is issued
|
||||||
|
Verb verb = 3 [(gogoproto.customname) = "Verb"];
|
||||||
|
|
||||||
|
// Address is an object address for which token is issued
|
||||||
|
refs.Address Address = 4 [(gogoproto.nullable) = false, (gogoproto.customtype) = "Address"];
|
||||||
|
|
||||||
|
// Created is an initial epoch of token lifetime
|
||||||
|
uint64 Created = 5;
|
||||||
|
|
||||||
|
// ValidUntil is a last epoch of token lifetime
|
||||||
|
uint64 ValidUntil = 6;
|
||||||
|
|
||||||
|
// SessionKey is a public key of session key
|
||||||
|
bytes SessionKey = 7;
|
||||||
|
}
|
||||||
|
|
||||||
|
// TokenInfo is a grouped information about token
|
||||||
|
Info TokenInfo = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
||||||
|
|
||||||
|
// Signature is a signature of session token information
|
||||||
|
bytes Signature = 8;
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: for variable token types and version redefine message
|
||||||
|
// Example:
|
||||||
|
// message Token {
|
||||||
|
// TokenType TokenType = 1;
|
||||||
|
// uint32 Version = 2;
|
||||||
|
// bytes Data = 3;
|
||||||
|
// }
|
||||||
|
|
|
@ -119,15 +119,13 @@ func TestMaintainableRequest(t *testing.T) {
|
||||||
req.TTL--
|
req.TTL--
|
||||||
|
|
||||||
key := test.DecodeKey(i)
|
key := test.DecodeKey(i)
|
||||||
require.NoError(t, SignRequestHeader(key, req))
|
|
||||||
|
|
||||||
// sign first key (session key) by owner key
|
// sign first key (session key) by owner key
|
||||||
if i == 0 {
|
if i == 0 {
|
||||||
sign, err := crypto.Sign(owner, crypto.MarshalPublicKey(&key.PublicKey))
|
key = owner
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
req.SetOwner(&owner.PublicKey, sign)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
require.NoError(t, SignRequestHeader(key, req))
|
||||||
}
|
}
|
||||||
|
|
||||||
{ // Validate owner
|
{ // Validate owner
|
||||||
|
@ -150,17 +148,8 @@ func TestMaintainableRequest(t *testing.T) {
|
||||||
require.Equal(t, &owner.PublicKey, pub)
|
require.Equal(t, &owner.PublicKey, pub)
|
||||||
}
|
}
|
||||||
|
|
||||||
{ // wrong owner:
|
|
||||||
req.Signatures[0].Origin = nil
|
|
||||||
|
|
||||||
pub, err := req.GetOwner()
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
require.NotEqual(t, &owner.PublicKey, pub)
|
|
||||||
}
|
|
||||||
|
|
||||||
{ // Wrong signatures:
|
{ // Wrong signatures:
|
||||||
copy(req.Signatures[count-1].Sign, req.Signatures[count-1].Peer)
|
copy(req.Signatures[count-1].Sign, req.Signatures[count-2].Sign)
|
||||||
err := VerifyRequestHeader(req)
|
err := VerifyRequestHeader(req)
|
||||||
require.EqualError(t, errors.Cause(err), crypto.ErrInvalidSignature.Error())
|
require.EqualError(t, errors.Cause(err), crypto.ErrInvalidSignature.Error())
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,7 +5,6 @@ import (
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
|
@ -31,9 +30,9 @@ type (
|
||||||
TokenParams struct {
|
TokenParams struct {
|
||||||
FirstEpoch uint64
|
FirstEpoch uint64
|
||||||
LastEpoch uint64
|
LastEpoch uint64
|
||||||
ObjectID []ObjectID
|
Address Address
|
||||||
OwnerID OwnerID
|
OwnerID OwnerID
|
||||||
PublicKeys [][]byte
|
Verb Verb
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -46,13 +45,3 @@ func NewInitRequest(t *Token) *CreateRequest {
|
||||||
func NewSignedRequest(t *Token) *CreateRequest {
|
func NewSignedRequest(t *Token) *CreateRequest {
|
||||||
return &CreateRequest{Message: &CreateRequest_Signed{Signed: t}}
|
return &CreateRequest{Message: &CreateRequest_Signed{Signed: t}}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sign signs contents of the header with the private key.
|
|
||||||
func (m *VerificationHeader) Sign(key *ecdsa.PrivateKey) error {
|
|
||||||
s, err := crypto.Sign(key, m.PublicKey)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
m.KeySignature = s
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
Binary file not shown.
|
@ -3,7 +3,6 @@ package session;
|
||||||
option go_package = "github.com/nspcc-dev/neofs-api-go/session";
|
option go_package = "github.com/nspcc-dev/neofs-api-go/session";
|
||||||
option csharp_namespace = "NeoFS.API.Session";
|
option csharp_namespace = "NeoFS.API.Session";
|
||||||
|
|
||||||
import "session/types.proto";
|
|
||||||
import "service/meta.proto";
|
import "service/meta.proto";
|
||||||
import "service/verify.proto";
|
import "service/verify.proto";
|
||||||
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
||||||
|
@ -33,9 +32,9 @@ message CreateRequest {
|
||||||
// owner of manipulation object;
|
// owner of manipulation object;
|
||||||
// ID of manipulation object;
|
// ID of manipulation object;
|
||||||
// token lifetime bounds.
|
// token lifetime bounds.
|
||||||
session.Token Init = 1;
|
service.Token Init = 1;
|
||||||
// Signed Init message response (Unsigned) from server with user private key
|
// Signed Init message response (Unsigned) from server with user private key
|
||||||
session.Token Signed = 2;
|
service.Token Signed = 2;
|
||||||
}
|
}
|
||||||
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
|
||||||
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
|
||||||
|
@ -46,8 +45,8 @@ message CreateRequest {
|
||||||
message CreateResponse {
|
message CreateResponse {
|
||||||
oneof Message {
|
oneof Message {
|
||||||
// Unsigned token with token ID and session public key generated on server side
|
// Unsigned token with token ID and session public key generated on server side
|
||||||
session.Token Unsigned = 1;
|
service.Token Unsigned = 1;
|
||||||
// Result is a resulting token which can be used for object placing through an trusted intermediary
|
// Result is a resulting token which can be used for object placing through an trusted intermediary
|
||||||
session.Token Result = 2;
|
service.Token Result = 2;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
|
"github.com/nspcc-dev/neofs-api-go/service"
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -48,13 +49,15 @@ func (s *simpleStore) New(p TokenParams) *PToken {
|
||||||
t := &PToken{
|
t := &PToken{
|
||||||
mtx: new(sync.Mutex),
|
mtx: new(sync.Mutex),
|
||||||
Token: Token{
|
Token: Token{
|
||||||
ID: tid,
|
Token_Info: service.Token_Info{
|
||||||
Header: VerificationHeader{PublicKey: crypto.MarshalPublicKey(&key.PublicKey)},
|
ID: tid,
|
||||||
FirstEpoch: p.FirstEpoch,
|
OwnerID: p.OwnerID,
|
||||||
LastEpoch: p.LastEpoch,
|
Verb: p.Verb,
|
||||||
ObjectID: p.ObjectID,
|
Address: p.Address,
|
||||||
OwnerID: p.OwnerID,
|
Created: p.FirstEpoch,
|
||||||
PublicKeys: p.PublicKeys,
|
ValidUntil: p.LastEpoch,
|
||||||
|
SessionKey: crypto.MarshalPublicKey(&key.PublicKey),
|
||||||
|
},
|
||||||
},
|
},
|
||||||
PrivateKey: key,
|
PrivateKey: key,
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,96 +1,3 @@
|
||||||
package session
|
package session
|
||||||
|
|
||||||
import (
|
// TODO: write unit tests
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/rand"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
|
||||||
"github.com/stretchr/testify/require"
|
|
||||||
)
|
|
||||||
|
|
||||||
type testClient struct {
|
|
||||||
*ecdsa.PrivateKey
|
|
||||||
OwnerID OwnerID
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *testClient) Sign(data []byte) ([]byte, error) {
|
|
||||||
return crypto.Sign(c.PrivateKey, data)
|
|
||||||
}
|
|
||||||
|
|
||||||
func newTestClient(t *testing.T) *testClient {
|
|
||||||
key, err := ecdsa.GenerateKey(defaultCurve(), rand.Reader)
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
owner, err := refs.NewOwnerID(&key.PublicKey)
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
return &testClient{PrivateKey: key, OwnerID: owner}
|
|
||||||
}
|
|
||||||
|
|
||||||
func signToken(t *testing.T, token *PToken, c *testClient) {
|
|
||||||
require.NotNil(t, token)
|
|
||||||
token.SetPublicKeys(&c.PublicKey)
|
|
||||||
|
|
||||||
signH, err := c.Sign(token.Header.PublicKey)
|
|
||||||
require.NoError(t, err)
|
|
||||||
require.NotNil(t, signH)
|
|
||||||
|
|
||||||
// data is not yet signed
|
|
||||||
keys := UnmarshalPublicKeys(&token.Token)
|
|
||||||
require.False(t, token.Verify(keys...))
|
|
||||||
|
|
||||||
signT, err := c.Sign(token.verificationData())
|
|
||||||
require.NoError(t, err)
|
|
||||||
require.NotNil(t, signT)
|
|
||||||
|
|
||||||
token.AddSignatures(signH, signT)
|
|
||||||
require.True(t, token.Verify(keys...))
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestTokenStore(t *testing.T) {
|
|
||||||
s := NewSimpleStore()
|
|
||||||
|
|
||||||
oid, err := refs.NewObjectID()
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
c := newTestClient(t)
|
|
||||||
require.NotNil(t, c)
|
|
||||||
pk := [][]byte{crypto.MarshalPublicKey(&c.PublicKey)}
|
|
||||||
|
|
||||||
// create new token
|
|
||||||
token := s.New(TokenParams{
|
|
||||||
ObjectID: []ObjectID{oid},
|
|
||||||
OwnerID: c.OwnerID,
|
|
||||||
PublicKeys: pk,
|
|
||||||
})
|
|
||||||
signToken(t, token, c)
|
|
||||||
|
|
||||||
// check that it can be fetched
|
|
||||||
t1 := s.Fetch(token.ID)
|
|
||||||
require.NotNil(t, t1)
|
|
||||||
require.Equal(t, token, t1)
|
|
||||||
|
|
||||||
// create and sign another token by the same client
|
|
||||||
t1 = s.New(TokenParams{
|
|
||||||
ObjectID: []ObjectID{oid},
|
|
||||||
OwnerID: c.OwnerID,
|
|
||||||
PublicKeys: pk,
|
|
||||||
})
|
|
||||||
|
|
||||||
signToken(t, t1, c)
|
|
||||||
|
|
||||||
data := []byte{1, 2, 3}
|
|
||||||
sign, err := t1.SignData(data)
|
|
||||||
require.NoError(t, err)
|
|
||||||
require.Error(t, token.Header.VerifyData(data, sign))
|
|
||||||
|
|
||||||
sign, err = token.SignData(data)
|
|
||||||
require.NoError(t, err)
|
|
||||||
require.NoError(t, token.Header.VerifyData(data, sign))
|
|
||||||
|
|
||||||
s.Remove(token.ID)
|
|
||||||
require.Nil(t, s.Fetch(token.ID))
|
|
||||||
require.NotNil(t, s.Fetch(t1.ID))
|
|
||||||
}
|
|
||||||
|
|
130
session/types.go
130
session/types.go
|
@ -2,14 +2,12 @@ package session
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"encoding/binary"
|
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/chain"
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/internal"
|
"github.com/nspcc-dev/neofs-api-go/internal"
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
|
"github.com/nspcc-dev/neofs-api-go/service"
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
||||||
"github.com/pkg/errors"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
|
@ -19,6 +17,12 @@ type (
|
||||||
OwnerID = refs.OwnerID
|
OwnerID = refs.OwnerID
|
||||||
// TokenID type alias.
|
// TokenID type alias.
|
||||||
TokenID = refs.UUID
|
TokenID = refs.UUID
|
||||||
|
// Token type alias
|
||||||
|
Token = service.Token
|
||||||
|
// Address type alias
|
||||||
|
Address = refs.Address
|
||||||
|
// Verb is Token_Info_Verb type alias
|
||||||
|
Verb = service.Token_Info_Verb
|
||||||
|
|
||||||
// PToken is a wrapper around Token that allows to sign data
|
// PToken is a wrapper around Token that allows to sign data
|
||||||
// and to do thread-safe manipulations.
|
// and to do thread-safe manipulations.
|
||||||
|
@ -55,127 +59,7 @@ const (
|
||||||
ErrInvalidSignature = internal.Error("invalid signature")
|
ErrInvalidSignature = internal.Error("invalid signature")
|
||||||
)
|
)
|
||||||
|
|
||||||
// verificationData returns byte array to sign.
|
|
||||||
// Note: protobuf serialization is inconsistent as
|
|
||||||
// wire order is unspecified.
|
|
||||||
func (m *Token) verificationData() (data []byte) {
|
|
||||||
var size int
|
|
||||||
if l := len(m.ObjectID); l > 0 {
|
|
||||||
size = m.ObjectID[0].Size()
|
|
||||||
data = make([]byte, 16+l*size)
|
|
||||||
} else {
|
|
||||||
data = make([]byte, 16)
|
|
||||||
}
|
|
||||||
binary.BigEndian.PutUint64(data, m.FirstEpoch)
|
|
||||||
binary.BigEndian.PutUint64(data[8:], m.LastEpoch)
|
|
||||||
for i := range m.ObjectID {
|
|
||||||
copy(data[16+i*size:], m.ObjectID[i].Bytes())
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// IsSame checks if the passed token is valid and equal to current token
|
|
||||||
func (m *Token) IsSame(t *Token) error {
|
|
||||||
switch {
|
|
||||||
case m.FirstEpoch != t.FirstEpoch:
|
|
||||||
return ErrWrongFirstEpoch
|
|
||||||
case m.LastEpoch != t.LastEpoch:
|
|
||||||
return ErrWrongLastEpoch
|
|
||||||
case !m.OwnerID.Equal(t.OwnerID):
|
|
||||||
return ErrWrongOwner
|
|
||||||
case m.Header.PublicKey == nil:
|
|
||||||
return ErrEmptyPublicKey
|
|
||||||
case len(m.ObjectID) != len(t.ObjectID):
|
|
||||||
return ErrWrongObjectsCount
|
|
||||||
default:
|
|
||||||
for i := range m.ObjectID {
|
|
||||||
if !m.ObjectID[i].Equal(t.ObjectID[i]) {
|
|
||||||
return errors.Wrapf(ErrWrongObjects, "expect %s, actual: %s", m.ObjectID[i], t.ObjectID[i])
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Sign tries to sign current Token data and stores signature inside it.
|
|
||||||
func (m *Token) Sign(key *ecdsa.PrivateKey) error {
|
|
||||||
if err := m.Header.Sign(key); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
s, err := crypto.Sign(key, m.verificationData())
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
m.Signature = s
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetPublicKeys sets owner's public keys to the token
|
|
||||||
func (m *Token) SetPublicKeys(keys ...*ecdsa.PublicKey) {
|
|
||||||
m.PublicKeys = m.PublicKeys[:0]
|
|
||||||
for i := range keys {
|
|
||||||
m.PublicKeys = append(m.PublicKeys, crypto.MarshalPublicKey(keys[i]))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Verify checks if token is correct and signed.
|
|
||||||
func (m *Token) Verify(keys ...*ecdsa.PublicKey) bool {
|
|
||||||
if m.FirstEpoch > m.LastEpoch {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
ownerFromKeys := chain.KeysToAddress(keys...)
|
|
||||||
if m.OwnerID.String() != ownerFromKeys {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
for i := range keys {
|
|
||||||
if m.Header.Verify(keys[i]) && crypto.Verify(keys[i], m.verificationData(), m.Signature) == nil {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
// AddSignatures adds token signatures.
|
|
||||||
func (t *PToken) AddSignatures(signH, signT []byte) {
|
|
||||||
t.mtx.Lock()
|
|
||||||
|
|
||||||
t.Header.KeySignature = signH
|
|
||||||
t.Signature = signT
|
|
||||||
|
|
||||||
t.mtx.Unlock()
|
|
||||||
}
|
|
||||||
|
|
||||||
// SignData signs data with session private key.
|
// SignData signs data with session private key.
|
||||||
func (t *PToken) SignData(data []byte) ([]byte, error) {
|
func (t *PToken) SignData(data []byte) ([]byte, error) {
|
||||||
return crypto.Sign(t.PrivateKey, data)
|
return crypto.Sign(t.PrivateKey, data)
|
||||||
}
|
}
|
||||||
|
|
||||||
// VerifyData checks if signature of data by token is equal to sign.
|
|
||||||
func (m *VerificationHeader) VerifyData(data, sign []byte) error {
|
|
||||||
if crypto.Verify(crypto.UnmarshalPublicKey(m.PublicKey), data, sign) != nil {
|
|
||||||
return ErrInvalidSignature
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Verify checks if verification header was issued by id.
|
|
||||||
func (m *VerificationHeader) Verify(keys ...*ecdsa.PublicKey) bool {
|
|
||||||
for i := range keys {
|
|
||||||
if crypto.Verify(keys[i], m.PublicKey, m.KeySignature) == nil {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
// UnmarshalPublicKeys returns unmarshal public keys from the token
|
|
||||||
func UnmarshalPublicKeys(t *Token) []*ecdsa.PublicKey {
|
|
||||||
r := make([]*ecdsa.PublicKey, 0, len(t.PublicKeys))
|
|
||||||
for i := range t.PublicKeys {
|
|
||||||
r = append(r, crypto.UnmarshalPublicKey(t.PublicKeys[i]))
|
|
||||||
}
|
|
||||||
return r
|
|
||||||
}
|
|
||||||
|
|
Binary file not shown.
|
@ -1,35 +0,0 @@
|
||||||
syntax = "proto3";
|
|
||||||
package session;
|
|
||||||
option go_package = "github.com/nspcc-dev/neofs-api-go/session";
|
|
||||||
option csharp_namespace = "NeoFS.API.Session";
|
|
||||||
|
|
||||||
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
|
|
||||||
|
|
||||||
option (gogoproto.stable_marshaler_all) = true;
|
|
||||||
|
|
||||||
message VerificationHeader {
|
|
||||||
// PublicKey is a session public key
|
|
||||||
bytes PublicKey = 1;
|
|
||||||
// KeySignature is a session public key signature. Signed by trusted side
|
|
||||||
bytes KeySignature = 2;
|
|
||||||
}
|
|
||||||
|
|
||||||
// User token granting rights for object manipulation
|
|
||||||
message Token {
|
|
||||||
// Header carries verification data of session key
|
|
||||||
VerificationHeader Header = 1 [(gogoproto.nullable) = false];
|
|
||||||
// OwnerID is an owner of manipulation object
|
|
||||||
bytes OwnerID = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
|
|
||||||
// FirstEpoch is an initial epoch of token lifetime
|
|
||||||
uint64 FirstEpoch = 3;
|
|
||||||
// LastEpoch is a last epoch of token lifetime
|
|
||||||
uint64 LastEpoch = 4;
|
|
||||||
// ObjectID is an object identifier of manipulation object
|
|
||||||
repeated bytes ObjectID = 5 [(gogoproto.customtype) = "ObjectID", (gogoproto.nullable) = false];
|
|
||||||
// Signature is a token signature, signed by owner of manipulation object
|
|
||||||
bytes Signature = 6;
|
|
||||||
// ID is a token identifier. valid UUIDv4 represented in bytes
|
|
||||||
bytes ID = 7 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
|
|
||||||
// PublicKeys associated with owner
|
|
||||||
repeated bytes PublicKeys = 8;
|
|
||||||
}
|
|
Loading…
Reference in a new issue