syntax = "proto3";

package neo.fs.v2.session;

option go_package = "github.com/nspcc-dev/neofs-api-go/v2/session/grpc;session";
option csharp_namespace = "Neo.FileStorage.API.Session";

import "refs/types.proto";
import "acl/types.proto";

// Context information for Session Tokens related to ObjectService requests
message ObjectSessionContext {
  // Object request verbs
  enum Verb {
    // Unknown verb
    VERB_UNSPECIFIED = 0;

    // Refers to object.Put RPC call
    PUT = 1;

    // Refers to object.Get RPC call
    GET = 2;

    // Refers to object.Head RPC call
    HEAD = 3;

    // Refers to object.Search RPC call
    SEARCH = 4;

    // Refers to object.Delete RPC call
    DELETE = 5;

    // Refers to object.GetRange RPC call
    RANGE = 6;

    // Refers to object.GetRangeHash RPC call
    RANGEHASH = 7;
  }
  // Type of request for which the token is issued
  Verb verb = 1 [json_name = "verb"];

  // Related Object address
  neo.fs.v2.refs.Address address = 2 [json_name = "address"];
}

// Context information for Session Tokens related to ContainerService requests.
message ContainerSessionContext {
    // Container request verbs
    enum Verb {
        // Unknown verb
        VERB_UNSPECIFIED = 0;

        // Refers to container.Put RPC call
        PUT = 1;

        // Refers to container.Delete RPC call
        DELETE = 2;

        // Refers to container.SetExtendedACL RPC call
        SETEACL = 3;
    }
    // Type of request for which the token is issued
    Verb verb = 1 [json_name = "verb"];

    // Spreads the action to all owner containers.
    // If set, container_id field is ignored.
    bool wildcard = 2 [json_name = "wildcard"];

    // Particular container to which the action applies.
    // Ignored if wildcard flag is set.
    refs.ContainerID container_id = 3 [json_name = "containerID"];
}

// NeoFS Session Token.
message SessionToken {
  // Session Token body
  message Body {
    // Token identifier is a valid UUIDv4 in binary form
    bytes id = 1 [json_name = "id"];

    // Identifier of the session initiator
    neo.fs.v2.refs.OwnerID owner_id = 2 [json_name = "ownerID"];

    // Lifetime parameters of the token. Field names taken from rfc7519.
    message TokenLifetime {
      // Expiration Epoch
      uint64 exp = 1 [json_name = "exp"];

      // Not valid before Epoch
      uint64 nbf = 2 [json_name = "nbf"];

      // Issued at Epoch
      uint64 iat = 3 [json_name = "iat"];
    }
    // Lifetime of the session
    TokenLifetime lifetime = 3 [json_name = "lifetime"];

    // Public key used in session
    bytes session_key = 4 [json_name = "sessionKey"];

    // Session Context information
    oneof context {
      // ObjectService session context
      ObjectSessionContext object = 5 [json_name = "object"];

      // ContainerService session context
      ContainerSessionContext container = 6 [json_name = "container"];
    }
  }
  // Session Token contains the proof of trust between peers to be attached in
  // requests for further verification. Please see corresponding section of
  // NeoFS Technical Specification for details.
  Body body = 1 [json_name = "body"];

  // Signature of `SessionToken` information
  neo.fs.v2.refs.Signature signature = 2 [json_name = "signature"];
}

// Extended headers for Request/Response. May contain any user-defined headers
// to be interpreted on application level.
//
// Key name must be unique valid UTF-8 string. Value can't be empty. Requests or
// Responses with duplicated header names or headers with empty values will be
// considered invalid.
//
// There are some "well-known" headers starting with `__NEOFS__` prefix that
// affect system behaviour:
//
// * __NEOFS__NETMAP_EPOCH \
//   Netmap epoch to use for object placement calculation. The `value` is string
//   encoded `uint64` in decimal presentation. If set to '0' or not set, the
//   current epoch only will be used.
// * __NEOFS__NETMAP_LOOKUP_DEPTH \
//   If object can't be found using current epoch's netmap, this header limits
//   how many past epochs back the node can lookup. The `value` is string
//   encoded `uint64` in decimal presentation. If set to '0' or not set, the
//   current epoch only will be used.
message XHeader {
  // Key of the X-Header
  string key = 1 [json_name = "key"];

  // Value of the X-Header
  string value = 2 [json_name = "value"];
}

// Meta information attached to the request. When forwarded between peers,
// request meta headers are folded in matryoshka style.
message RequestMetaHeader {
  // Peer's API version used
  neo.fs.v2.refs.Version version = 1 [json_name = "version"];

  // Peer's local epoch number. Set to 0 if unknown.
  uint64 epoch = 2 [json_name = "epoch"];

  // Maximum number of intermediate nodes in the request route
  uint32 ttl = 3 [json_name = "ttl"];

  // Request X-Headers
  repeated XHeader x_headers = 4 [json_name = "xHeaders"];

  // Session token within which the request is sent
  SessionToken session_token = 5 [json_name = "sessionToken"];

  // `BearerToken` with eACL overrides for the request
  neo.fs.v2.acl.BearerToken bearer_token = 6 [json_name = "bearerToken"];

  // `RequestMetaHeader` of the origin request
  RequestMetaHeader origin = 7 [json_name = "origin"];
}

// Information about the response
message ResponseMetaHeader {
  // Peer's API version used
  neo.fs.v2.refs.Version version = 1 [json_name = "version"];

  // Peer's local epoch number
  uint64 epoch = 2 [json_name = "epoch"];

  // Maximum number of intermediate nodes in the request route
  uint32 ttl = 3 [json_name = "ttl"];

  // Response X-Headers
  repeated XHeader x_headers = 4 [json_name = "xHeaders"];

  // `ResponseMetaHeader` of the origin request
  ResponseMetaHeader origin = 5 [json_name = "origin"];
}

// Verification info for request signed by all intermediate nodes.
message RequestVerificationHeader {
  // Request Body signature. Should be generated once by request initiator.
  neo.fs.v2.refs.Signature body_signature = 1 [json_name = "bodySignature"];
  // Request Meta signature is added and signed by each intermediate node
  neo.fs.v2.refs.Signature meta_signature = 2 [json_name = "metaSignature"];
  // Signature of previous hops
  neo.fs.v2.refs.Signature origin_signature = 3 [json_name = "originSignature"];

  // Chain of previous hops signatures
  RequestVerificationHeader origin = 4 [json_name = "origin"];
}

// Verification info for response signed by all intermediate nodes
message ResponseVerificationHeader {
  // Response Body signature. Should be generated once by answering node.
  neo.fs.v2.refs.Signature body_signature = 1 [json_name = "bodySignature"];
  // Response Meta signature is added and signed by each intermediate node
  neo.fs.v2.refs.Signature meta_signature = 2 [json_name = "metaSignature"];
  // Signature of previous hops
  neo.fs.v2.refs.Signature origin_signature = 3 [json_name = "originSignature"];

  // Chain of previous hops signatures
  ResponseVerificationHeader origin = 4 [json_name = "origin"];
}