commonclient/invoker.go

@@ -0,0 +1,20 @@
+package commonclient
+
+import (
+	"github.com/google/uuid"
+	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+)
+
+// Invoker is a subset of methods provided by struct invoker.Invoker. The subset contains only those
+// methods that are used by ActorWrapper and clients of the contracts.
+type Invoker interface {
+	Call(contract util.Uint160, method string, params ...any) (*result.Invoke, error)
+	TraverseIterator(sessionID uuid.UUID, iterator *result.Iterator, num int) ([]stackitem.Item, error)
+	TerminateSession(sessionID uuid.UUID) error
+}
+
+// Ensure the interface is compatible with the invoker.Invoker struct.
+var _ Invoker = (*invoker.Invoker)(nil)

commonclient/iterator.go

@@ -0,0 +1,35 @@
+package commonclient
+
+import (
+	"fmt"
+
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+)
+
+// ReadIteratorItems calls method that returns iterator and traverses the iterator until all items are read into array.
+func ReadIteratorItems(inv Invoker, batchSize int, contract util.Uint160, method string, params ...any) ([]stackitem.Item, error) {
+	if batchSize <= 0 {
+		panic("batch size must be positive")
+	}
+
+	sessionID, iter, err := unwrap.SessionIterator(inv.Call(contract, method, params...))
+	if err != nil {
+		return nil, fmt.Errorf("unwrap session iterator: %w", err)
+	}
+
+	var shouldStop bool
+	res := make([]stackitem.Item, 0, len(iter.Values))
+	for !shouldStop {
+		items, err := inv.TraverseIterator(sessionID, &iter, batchSize)
+		if err != nil {
+			return nil, err
+		}
+
+		res = append(res, items...)
+		shouldStop = len(items) < batchSize
+	}
+
+	return res, nil
+}

commonclient/transaction.go

@@ -0,0 +1,63 @@
+package commonclient
+
+import (
+	"errors"
+
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+)
+
+// Transaction allows to invoke several contract method at once.
+type Transaction struct {
+	writer   *io.BufBinWriter
+	buffer   *io.BufBinWriter
+	contract util.Uint160
+}
+
+var ErrTransactionTooLarge = errors.New("transaction/script size limit exceeded")
+
+// NewTransaction creates new transaction to accumulate contract invocations.
+func NewTransaction(contractHash util.Uint160) *Transaction {
+	return &Transaction{
+		writer:   io.NewBufBinWriter(),
+		buffer:   io.NewBufBinWriter(),
+		contract: contractHash,
+	}
+}
+
+// WrapCall accept methods and arguments to invoke.
+// Should be used with method on clients like Client.MethodNameCall.
+func (t Transaction) WrapCall(method string, args []any) error {
+	t.buffer.Reset()
+	emit.AppCall(t.buffer.BinWriter, t.contract, method, callflag.All, args...)
+
+	if t.writer.Len()+t.buffer.Len() > transaction.MaxScriptLength {
+		return ErrTransactionTooLarge
+	}
+
+	t.writer.WriteBytes(t.buffer.Bytes())
+
+	return t.writer.Err
+}
+
+// WrapCallErr accept methods, arguments and error to handle and invoke.
+// Should be used with method on clients like *CallErr.
+func (t Transaction) WrapCallErr(method string, args []any, err error) error {
+	if err != nil {
+		return err
+	}
+
+	return t.WrapCall(method, args)
+}
+
+// Bytes returns the resulting buffer and makes future writes return an error.
+func (t Transaction) Bytes() ([]byte, error) {
+	if t.writer.Len() > transaction.MaxScriptLength {
+		return nil, ErrTransactionTooLarge
+	}
+
+	return t.writer.Bytes(), nil
+}

container/config.yml

@@ -13,7 +13,6 @@ safemethods:
   - "version"
 permissions:
   - methods:
-    - "addKey"
     - "addRecord"
     - "deleteRecords"
     - "register"

container/container_contract.go

@@ -191,7 +191,6 @@ func PutNamed(container []byte, signature interop.Signature,
 
 	ownerID := ownerFromBinaryContainer(container)
 	containerID := crypto.Sha256(container)
-	frostfsIDContractAddr := storage.Get(ctx, frostfsIDContractKey).(interop.Hash160)
 	cnr := Container{
 		value: container,
 		sig:   signature,
@@ -264,10 +263,6 @@ func PutNamed(container []byte, signature interop.Signature,
 		storage.Put(ctx, key, domain)
 	}
 
-	if len(token) == 0 { // if container created directly without session
-		contract.Call(frostfsIDContractAddr, "addKey", contract.All, ownerID, [][]byte{publicKey})
-	}
-
 	runtime.Log("added new container")
 	runtime.Notify("PutSuccess", containerID, publicKey)
 }

frostfsid/client/client.go

@@ -0,0 +1,867 @@
+package client
+
+import (
+	"errors"
+	"fmt"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/commonclient"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+)
+
+type (
+	Client struct {
+		act      *actor.Actor
+		acc      *wallet.Account
+		contract util.Uint160
+	}
+
+	Options struct {
+		// todo add proxy params
+	}
+)
+
+type (
+	Subject struct {
+		PrimaryKey     *keys.PublicKey
+		AdditionalKeys keys.PublicKeys
+		Namespace      string
+		Name           string
+		KV             map[string]string
+	}
+
+	SubjectExtended struct {
+		PrimaryKey     *keys.PublicKey
+		AdditionalKeys keys.PublicKeys
+		Namespace      string
+		Name           string
+		KV             map[string]string
+		Groups         []*Group
+	}
+
+	Namespace struct {
+		Name string
+	}
+
+	NamespaceExtended struct {
+		Name          string
+		GroupsCount   int64
+		SubjectsCount int64
+	}
+
+	Group struct {
+		ID        int64
+		Name      string
+		Namespace string
+		KV        map[string]string
+	}
+
+	GroupExtended struct {
+		ID            int64
+		Name          string
+		Namespace     string
+		KV            map[string]string
+		SubjectsCount int64
+	}
+)
+
+const (
+	IAMPathKey         = "iam-path"
+	IAMARNKey          = "iam-arn"
+	IAMCreatedTimeKey  = "ctime"
+	IAMModifiedTimeKey = "mtime"
+)
+
+const iteratorBatchSize = 100
+
+const (
+	addOwnerMethod    = "addOwner"
+	deleteOwnerMethod = "deleteOwner"
+	listOwnersMethod  = "listOwners"
+
+	versionMethod = "version"
+
+	createSubjectMethod       = "createSubject"
+	getSubjectMethod          = "getSubject"
+	getSubjectExtendedMethod  = "getSubjectExtended"
+	listSubjectsMethod        = "listSubjects"
+	addSubjectKeyMethod       = "addSubjectKey"
+	removeSubjectKeyMethod    = "removeSubjectKey"
+	getSubjectByKeyMethod     = "getSubjectByKey"
+	getSubjectKeyByNameMethod = "getSubjectKeyByName"
+	setSubjectKVMethod        = "setSubjectKV"
+	setSubjectNameMethod      = "setSubjectName"
+	deleteSubjectKVMethod     = "deleteSubjectKV"
+	deleteSubjectMethod       = "deleteSubject"
+
+	createNamespaceMethod            = "createNamespace"
+	getNamespaceMethod               = "getNamespace"
+	getNamespaceExtendedMethod       = "getNamespaceExtended"
+	listNamespacesMethod             = "listNamespaces"
+	addSubjectToNamespaceMethod      = "addSubjectToNamespace"
+	removeSubjectFromNamespaceMethod = "removeSubjectFromNamespace"
+	listNamespaceSubjectsMethod      = "listNamespaceSubjects"
+
+	createGroupMethod            = "createGroup"
+	getGroupMethod               = "getGroup"
+	getGroupExtendedMethod       = "getGroupExtended"
+	getGroupIDByNameMethod       = "getGroupIDByName"
+	setGroupNameMethod           = "setGroupName"
+	setGroupKVMethod             = "setGroupKV"
+	deleteGroupKVMethod          = "deleteGroupKV"
+	listGroupsMethod             = "listGroups"
+	addSubjectToGroupMethod      = "addSubjectToGroup"
+	removeSubjectFromGroupMethod = "removeSubjectFromGroup"
+	listGroupSubjectsMethod      = "listGroupSubjects"
+	deleteGroupMethod            = "deleteGroup"
+)
+
+// New creates a new Client. Options can be nil.
+func New(ra actor.RPCActor, acc *wallet.Account, contract util.Uint160, _ *Options) (*Client, error) {
+	act, err := actor.NewSimple(ra, acc)
+	if err != nil {
+		return nil, fmt.Errorf("init actor: %w", err)
+	}
+
+	return &Client{
+		act:      act,
+		acc:      acc,
+		contract: contract,
+	}, nil
+}
+
+// StartTx inits transaction.
+func (c Client) StartTx() *commonclient.Transaction {
+	return commonclient.NewTransaction(c.contract)
+}
+
+// SendTx sends provided transaction to blockchain.
+func (c Client) SendTx(txn *commonclient.Transaction) (tx util.Uint256, vub uint32, err error) {
+	txBytes, err := txn.Bytes()
+	if err != nil {
+		return util.Uint256{}, 0, err
+	}
+
+	return c.act.SendRun(txBytes)
+}
+
+// Version returns version of contract.
+func (c Client) Version() (int64, error) {
+	return unwrap.Int64(c.act.Call(c.contract, versionMethod))
+}
+
+// AddOwner adds new address that can perform write operations on contract.
+// Must be invoked by committee.
+func (c Client) AddOwner(owner util.Uint160) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.AddOwnerCall(owner)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// AddOwnerCall provides args for AddOwner to use in commonclient.Transaction.
+func (c Client) AddOwnerCall(owner util.Uint160) (method string, args []any) {
+	return addOwnerMethod, []any{owner}
+}
+
+// DeleteOwner removes address from list of that can perform write operations on contract.
+// Must be invoked by committee.
+func (c Client) DeleteOwner(owner util.Uint160) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.DeleteOwnerCall(owner)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// DeleteOwnerCall provides args for DeleteOwner to use in commonclient.Transaction.
+func (c Client) DeleteOwnerCall(owner util.Uint160) (method string, args []any) {
+	return deleteOwnerMethod, []any{owner}
+}
+
+// ListOwners returns list of address that can perform write operations on contract.
+func (c Client) ListOwners() ([]util.Uint160, error) {
+	return unwrapArrayOfUint160(commonclient.ReadIteratorItems(c.act, iteratorBatchSize, c.contract, listOwnersMethod))
+}
+
+// CreateSubject creates new subject using public key.
+// Must be invoked by contract owner.
+func (c Client) CreateSubject(key *keys.PublicKey) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.CreateSubjectCall(key)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// CreateSubjectCall provides args for CreateSubject to use in commonclient.Transaction.
+func (c Client) CreateSubjectCall(key *keys.PublicKey) (method string, args []any) {
+	return createSubjectMethod, []any{key.Bytes()}
+}
+
+// GetSubject gets subject by address.
+func (c Client) GetSubject(addr util.Uint160) (*Subject, error) {
+	items, err := unwrap.Array(c.act.Call(c.contract, getSubjectMethod, addr))
+	if err != nil {
+		return nil, err
+	}
+
+	return parseSubject(items)
+}
+
+// GetSubjectExtended gets extended subject by address.
+func (c Client) GetSubjectExtended(addr util.Uint160) (*SubjectExtended, error) {
+	items, err := unwrap.Array(c.act.Call(c.contract, getSubjectExtendedMethod, addr))
+	if err != nil {
+		return nil, err
+	}
+
+	return parseSubjectExtended(items)
+}
+
+// ListSubjects gets all subjects.
+func (c Client) ListSubjects() ([]util.Uint160, error) {
+	return unwrapArrayOfUint160(commonclient.ReadIteratorItems(c.act, iteratorBatchSize, c.contract, listSubjectsMethod))
+}
+
+// AddSubjectKey adds extra public key to subject.
+// Must be invoked by contract owner.
+func (c Client) AddSubjectKey(addr util.Uint160, key *keys.PublicKey) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.AddSubjectKeyCall(addr, key)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// AddSubjectKeyCall provides args for AddSubjectKey to use in commonclient.Transaction.
+func (c Client) AddSubjectKeyCall(addr util.Uint160, key *keys.PublicKey) (method string, args []any) {
+	return addSubjectKeyMethod, []any{addr, key.Bytes()}
+}
+
+// RemoveSubjectKey removes extra public key from subject.
+// Must be invoked by contract owner.
+func (c Client) RemoveSubjectKey(addr util.Uint160, key *keys.PublicKey) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.RemoveSubjectKeyCall(addr, key)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// RemoveSubjectKeyCall provides args for RemoveSubjectKey to use in commonclient.Transaction.
+func (c Client) RemoveSubjectKeyCall(addr util.Uint160, key *keys.PublicKey) (method string, args []any) {
+	return removeSubjectKeyMethod, []any{addr, key.Bytes()}
+}
+
+// SetSubjectKV updates subject kv map.
+// Must be invoked by contract owner.
+// You can use some predefined key constants: IAMPathKey, IAMARNKey, IAMCreatedTimeKey, IAMModifiedTimeKey.
+func (c Client) SetSubjectKV(addr util.Uint160, key, val string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.SetSubjectKVCall(addr, key, val)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// SetSubjectKVCall provides args for SetSubjectKV to use in commonclient.Transaction.
+func (c Client) SetSubjectKVCall(addr util.Uint160, key, val string) (method string, args []any) {
+	return setSubjectKVMethod, []any{addr, key, val}
+}
+
+// SetSubjectName updates subject name.
+// Must be invoked by contract owner.
+func (c Client) SetSubjectName(addr util.Uint160, name string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.SetSubjectNameCall(addr, name)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// SetSubjectNameCall provides args for SetSubjectName to use in commonclient.Transaction.
+func (c Client) SetSubjectNameCall(addr util.Uint160, name string) (method string, args []any) {
+	return setSubjectNameMethod, []any{addr, name}
+}
+
+// DeleteSubjectKV removes subject kv map.
+// Must be invoked by contract owner.
+func (c Client) DeleteSubjectKV(addr util.Uint160, key string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.DeleteSubjectKVCall(addr, key)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// DeleteSubjectKVCall provides args for DeleteSubjectKV to use in commonclient.Transaction.
+func (c Client) DeleteSubjectKVCall(addr util.Uint160, key string) (method string, args []any) {
+	return deleteSubjectKVMethod, []any{addr, key}
+}
+
+// GetSubjectByKey gets subject by its primary or additional keys.
+func (c Client) GetSubjectByKey(key *keys.PublicKey) (*Subject, error) {
+	items, err := unwrap.Array(c.act.Call(c.contract, getSubjectByKeyMethod, key.Bytes()))
+	if err != nil {
+		return nil, err
+	}
+
+	return parseSubject(items)
+}
+
+// GetSubjectKeyByName gets subject public key by its name (namespace scope).
+func (c Client) GetSubjectKeyByName(namespace, subjectName string) (*keys.PublicKey, error) {
+	return unwrap.PublicKey(c.act.Call(c.contract, getSubjectKeyByNameMethod, namespace, subjectName))
+}
+
+// DeleteSubject delete subject and removes it from related namespaces and groups.
+// Must be invoked by contract owner.
+func (c Client) DeleteSubject(addr util.Uint160) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.DeleteSubjectCall(addr)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// DeleteSubjectCall provides args for DeleteSubject to use in commonclient.Transaction.
+func (c Client) DeleteSubjectCall(addr util.Uint160) (method string, args []any) {
+	return deleteSubjectMethod, []any{addr}
+}
+
+// CreateNamespace create new namespace.
+// Must be invoked by contract owner.
+func (c Client) CreateNamespace(namespace string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.CreateNamespaceCall(namespace)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// CreateNamespaceCall provides args for CreateNamespace to use in commonclient.Transaction.
+func (c Client) CreateNamespaceCall(namespace string) (method string, args []any) {
+	return createNamespaceMethod, []any{namespace}
+}
+
+// GetNamespace gets namespace.
+func (c Client) GetNamespace(namespace string) (*Namespace, error) {
+	items, err := unwrap.Array(c.act.Call(c.contract, getNamespaceMethod, namespace))
+	if err != nil {
+		return nil, err
+	}
+
+	return parseNamespace(items)
+}
+
+// GetNamespaceExtended gets extended namespace.
+func (c Client) GetNamespaceExtended(namespace string) (*NamespaceExtended, error) {
+	items, err := unwrap.Array(c.act.Call(c.contract, getNamespaceExtendedMethod, namespace))
+	if err != nil {
+		return nil, err
+	}
+
+	return parseNamespaceExtended(items)
+}
+
+// ListNamespaces gets all namespaces.
+func (c Client) ListNamespaces() ([]*Namespace, error) {
+	items, err := commonclient.ReadIteratorItems(c.act, iteratorBatchSize, c.contract, listNamespacesMethod)
+	if err != nil {
+		return nil, err
+	}
+
+	return parseNamespaces(items)
+}
+
+// AddSubjectToNamespace adds a subject to namespace.
+// Must be invoked by contract owner.
+func (c Client) AddSubjectToNamespace(addr util.Uint160, namespace string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.AddSubjectToNamespaceCall(addr, namespace)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// AddSubjectToNamespaceCall provides args for AddSubjectToNamespace to use in commonclient.Transaction.
+func (c Client) AddSubjectToNamespaceCall(addr util.Uint160, namespace string) (method string, args []any) {
+	return addSubjectToNamespaceMethod, []any{addr, namespace}
+}
+
+// RemoveSubjectFromNamespace removes a subject from namespace.
+// Must be invoked by contract owner.
+func (c Client) RemoveSubjectFromNamespace(addr util.Uint160) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.RemoveSubjectFromNamespaceCall(addr)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// RemoveSubjectFromNamespaceCall provides args for RemoveSubjectFromNamespace to use in commonclient.Transaction.
+func (c Client) RemoveSubjectFromNamespaceCall(addr util.Uint160) (method string, args []any) {
+	return removeSubjectFromNamespaceMethod, []any{addr}
+}
+
+// ListNamespaceSubjects gets all subjects from namespace.
+func (c Client) ListNamespaceSubjects(namespace string) ([]util.Uint160, error) {
+	return unwrapArrayOfUint160(commonclient.ReadIteratorItems(c.act, iteratorBatchSize, c.contract, listNamespaceSubjectsMethod, namespace))
+}
+
+// CreateGroup creates a new group in specific namespace.
+// Must be invoked by contract owner.
+func (c Client) CreateGroup(namespace, group string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.CreateGroupCall(namespace, group)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// CreateGroupCall provides args for CreateGroup to use in commonclient.Transaction.
+func (c Client) CreateGroupCall(namespace, group string) (method string, args []any) {
+	return createGroupMethod, []any{namespace, group}
+}
+
+// GetGroup gets group.
+func (c Client) GetGroup(namespace string, groupID int64) (*Group, error) {
+	items, err := unwrap.Array(c.act.Call(c.contract, getGroupMethod, namespace, groupID))
+	if err != nil {
+		return nil, err
+	}
+
+	return parseGroup(items)
+}
+
+// GetGroupExtended gets extended group.
+func (c Client) GetGroupExtended(namespace string, groupID int64) (*GroupExtended, error) {
+	items, err := unwrap.Array(c.act.Call(c.contract, getGroupExtendedMethod, namespace, groupID))
+	if err != nil {
+		return nil, err
+	}
+
+	return parseGroupExtended(items)
+}
+
+// SetGroupName updates subject name.
+// Must be invoked by contract owner.
+func (c Client) SetGroupName(namespace string, groupID int64, name string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.SetGroupNameCall(namespace, groupID, name)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// SetGroupNameCall provides args for SetGroupName to use in commonclient.Transaction.
+func (c Client) SetGroupNameCall(namespace string, groupID int64, name string) (method string, args []any) {
+	return setGroupNameMethod, []any{namespace, groupID, name}
+}
+
+// SetGroupKV updates group kv map.
+// Must be invoked by contract owner.
+// You can use some predefined key constants: IAMPathKey, IAMARNKey, IAMCreatedTimeKey, IAMModifiedTimeKey.
+func (c Client) SetGroupKV(namespace string, groupID int64, key, val string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.SetGroupKVCall(namespace, groupID, key, val)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// SetGroupKVCall provides args for SetGroupKV to use in commonclient.Transaction.
+func (c Client) SetGroupKVCall(namespace string, groupID int64, key, val string) (method string, args []any) {
+	return setGroupKVMethod, []any{namespace, groupID, key, val}
+}
+
+// DeleteGroupKV removes group kv map.
+// Must be invoked by contract owner.
+func (c Client) DeleteGroupKV(namespace string, groupID int64, key string) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.DeleteGroupKVCall(namespace, groupID, key)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// DeleteGroupKVCall provides args for DeleteGroupKV to use in commonclient.Transaction.
+func (c Client) DeleteGroupKVCall(namespace string, groupID int64, key string) (method string, args []any) {
+	return deleteGroupKVMethod, []any{namespace, groupID, key}
+}
+
+// GetGroupIDByName gets group id its name (namespace scope).
+func (c Client) GetGroupIDByName(namespace, groupName string) (int64, error) {
+	return unwrap.Int64(c.act.Call(c.contract, getGroupIDByNameMethod, namespace, groupName))
+}
+
+// ListGroups gets all groups in specific namespace.
+func (c Client) ListGroups(namespace string) ([]*Group, error) {
+	items, err := commonclient.ReadIteratorItems(c.act, iteratorBatchSize, c.contract, listGroupsMethod, namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	return parseGroups(items)
+}
+
+// AddSubjectToGroup adds a new subject to group.
+// Must be invoked by contract owner.
+func (c Client) AddSubjectToGroup(addr util.Uint160, groupID int64) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.AddSubjectToGroupCall(addr, groupID)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// AddSubjectToGroupCall provides args for AddSubjectToGroup to use in commonclient.Transaction.
+func (c Client) AddSubjectToGroupCall(addr util.Uint160, groupID int64) (method string, args []any) {
+	return addSubjectToGroupMethod, []any{addr, groupID}
+}
+
+// RemoveSubjectFromGroup removes subject from group.
+// Must be invoked by contract owner.
+func (c Client) RemoveSubjectFromGroup(addr util.Uint160, groupID int64) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.RemoveSubjectFromGroupCall(addr, groupID)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// RemoveSubjectFromGroupCall provides args for RemoveSubjectFromGroup to use in commonclient.Transaction.
+func (c Client) RemoveSubjectFromGroupCall(addr util.Uint160, groupID int64) (method string, args []any) {
+	return removeSubjectFromGroupMethod, []any{addr, groupID}
+}
+
+// ListGroupSubjects gets all subjects in specific group.
+func (c Client) ListGroupSubjects(namespace string, groupID int64) ([]util.Uint160, error) {
+	return unwrapArrayOfUint160(commonclient.ReadIteratorItems(c.act, iteratorBatchSize, c.contract, listGroupSubjectsMethod, namespace, groupID))
+}
+
+// DeleteGroup deletes group.
+// Must be invoked by contract owner.
+func (c Client) DeleteGroup(namespace string, groupID int64) (tx util.Uint256, vub uint32, err error) {
+	method, args := c.DeleteGroupCall(namespace, groupID)
+	return c.act.SendCall(c.contract, method, args...)
+}
+
+// DeleteGroupCall provides args for DeleteGroup to use in commonclient.Transaction.
+func (c Client) DeleteGroupCall(namespace string, groupID int64) (method string, args []any) {
+	return deleteGroupMethod, []any{namespace, groupID}
+}
+
+// ListNonEmptyNamespaces gets namespaces that contain at least one subject.
+func (c Client) ListNonEmptyNamespaces() ([]string, error) {
+	namespaces, err := c.ListNamespaces()
+	if err != nil {
+		return nil, err
+	}
+
+	var res []string
+
+	for _, namespace := range namespaces {
+		nsExt, err := c.GetNamespaceExtended(namespace.Name)
+		if err != nil {
+			return nil, err
+		}
+
+		if nsExt.SubjectsCount > 0 {
+			res = append(res, nsExt.Name)
+		}
+	}
+
+	return res, nil
+}
+
+// Wait invokes underlying wait method on actor.Actor.
+func (c Client) Wait(tx util.Uint256, vub uint32, err error) (*state.AppExecResult, error) {
+	return c.act.Wait(tx, vub, err)
+}
+
+// ParseGroupID fetch groupID from stack after creating group method invocation.
+func (c Client) ParseGroupID(res *state.AppExecResult, err error) (int64, error) {
+	if err != nil {
+		return 0, err
+	}
+
+	return unwrap.Int64(makeResFromAppExec(res))
+}
+
+// ListNonEmptyGroups gets groups that contain at least one subject.
+func (c Client) ListNonEmptyGroups(namespace string) ([]string, error) {
+	groups, err := c.ListGroups(namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	var res []string
+
+	for _, group := range groups {
+		groupExt, err := c.GetGroupExtended(namespace, group.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		if groupExt.SubjectsCount > 0 {
+			res = append(res, groupExt.Name)
+		}
+	}
+
+	return res, nil
+}
+
+func unwrapArrayOfUint160(items []stackitem.Item, err error) ([]util.Uint160, error) {
+	if err != nil {
+		return nil, err
+	}
+
+	return unwrap.ArrayOfUint160(makeValidRes(stackitem.NewArray(items)))
+}
+
+func makeValidRes(item stackitem.Item) (*result.Invoke, error) {
+	return &result.Invoke{
+		Stack: []stackitem.Item{item},
+		State: vmstate.Halt.String(),
+	}, nil
+}
+
+func makeResFromAppExec(res *state.AppExecResult) (*result.Invoke, error) {
+	return &result.Invoke{
+		Stack: res.Stack,
+		State: res.VMState.String(),
+	}, nil
+}
+
+func parseSubject(structArr []stackitem.Item) (*Subject, error) {
+	if len(structArr) < 5 {
+		return nil, errors.New("invalid response subject struct")
+	}
+
+	var (
+		err  error
+		subj Subject
+	)
+
+	subj.PrimaryKey, err = unwrap.PublicKey(makeValidRes(structArr[0]))
+	if err != nil {
+		return nil, err
+	}
+
+	if !structArr[1].Equals(stackitem.Null{}) {
+		subj.AdditionalKeys, err = unwrap.ArrayOfPublicKeys(makeValidRes(structArr[1]))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if !structArr[2].Equals(stackitem.Null{}) {
+		subj.Namespace, err = unwrap.UTF8String(makeValidRes(structArr[2]))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if !structArr[2].Equals(stackitem.Null{}) {
+		subj.Name, err = unwrap.UTF8String(makeValidRes(structArr[3]))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	subj.KV, err = parseMap(structArr[4])
+	if err != nil {
+		return nil, err
+	}
+
+	return &subj, nil
+}
+
+func parseSubjectExtended(structArr []stackitem.Item) (*SubjectExtended, error) {
+	if len(structArr) < 6 {
+		return nil, errors.New("invalid response subject extended struct")
+	}
+
+	var (
+		err  error
+		subj SubjectExtended
+	)
+
+	subj.PrimaryKey, err = unwrap.PublicKey(makeValidRes(structArr[0]))
+	if err != nil {
+		return nil, err
+	}
+
+	if !structArr[1].Equals(stackitem.Null{}) {
+		subj.AdditionalKeys, err = unwrap.ArrayOfPublicKeys(makeValidRes(structArr[1]))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	nsBytes, err := structArr[2].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+	subj.Namespace = string(nsBytes)
+
+	nameBytes, err := structArr[3].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+	subj.Name = string(nameBytes)
+
+	subj.KV, err = parseMap(structArr[4])
+	if err != nil {
+		return nil, err
+	}
+
+	if !structArr[5].Equals(stackitem.Null{}) {
+		groupItems, ok := structArr[5].Value().([]stackitem.Item)
+		if !ok {
+			return nil, fmt.Errorf("invalid groups field")
+		}
+
+		subj.Groups, err = parseGroups(groupItems)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &subj, nil
+}
+
+func parseMap(item stackitem.Item) (map[string]string, error) {
+	if item.Equals(stackitem.Null{}) {
+		return nil, nil
+	}
+
+	metaMap, err := unwrap.Map(makeValidRes(item))
+	if err != nil {
+		return nil, err
+	}
+
+	meta, ok := metaMap.Value().([]stackitem.MapElement)
+	if !ok {
+		return nil, errors.New("invalid map type")
+	}
+
+	res := make(map[string]string, len(meta))
+	for _, element := range meta {
+		key, err := element.Key.TryBytes()
+		if err != nil {
+			return nil, err
+		}
+		val, err := element.Value.TryBytes()
+		if err != nil {
+			return nil, err
+		}
+		res[string(key)] = string(val)
+	}
+
+	return res, nil
+}
+
+func parseNamespace(structArr []stackitem.Item) (*Namespace, error) {
+	if len(structArr) < 1 {
+		return nil, errors.New("invalid response namespace struct")
+	}
+
+	name, err := structArr[0].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	return &Namespace{Name: string(name)}, nil
+}
+
+func parseNamespaceExtended(structArr []stackitem.Item) (*NamespaceExtended, error) {
+	if len(structArr) < 3 {
+		return nil, errors.New("invalid response namespace extended struct")
+	}
+
+	name, err := structArr[0].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	groupCount, err := structArr[1].TryInteger()
+	if err != nil {
+		return nil, err
+	}
+
+	subjectCount, err := structArr[2].TryInteger()
+	if err != nil {
+		return nil, err
+	}
+
+	return &NamespaceExtended{
+		Name:          string(name),
+		GroupsCount:   groupCount.Int64(),
+		SubjectsCount: subjectCount.Int64(),
+	}, nil
+}
+
+func parseNamespaces(items []stackitem.Item) ([]*Namespace, error) {
+	var err error
+	res := make([]*Namespace, len(items))
+
+	for i := 0; i < len(items); i++ {
+		arr, ok := items[i].Value().([]stackitem.Item)
+		if !ok {
+			return nil, fmt.Errorf("invalid namespace type")
+		}
+		res[i], err = parseNamespace(arr)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return res, nil
+}
+
+func parseGroup(structArr []stackitem.Item) (*Group, error) {
+	if len(structArr) < 4 {
+		return nil, errors.New("invalid response group struct")
+	}
+
+	groupID, err := structArr[0].TryInteger()
+	if err != nil {
+		return nil, err
+	}
+
+	name, err := structArr[1].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	namespace, err := structArr[2].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	kvs, err := parseMap(structArr[3])
+	if err != nil {
+		return nil, err
+	}
+
+	return &Group{
+		ID:        groupID.Int64(),
+		Name:      string(name),
+		Namespace: string(namespace),
+		KV:        kvs,
+	}, nil
+}
+
+func parseGroupExtended(structArr []stackitem.Item) (*GroupExtended, error) {
+	if len(structArr) < 5 {
+		return nil, errors.New("invalid response group extended struct")
+	}
+
+	groupID, err := structArr[0].TryInteger()
+	if err != nil {
+		return nil, err
+	}
+
+	name, err := structArr[1].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	namespace, err := structArr[2].TryBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	kvs, err := parseMap(structArr[3])
+	if err != nil {
+		return nil, err
+	}
+
+	subjectCount, err := structArr[4].TryInteger()
+	if err != nil {
+		return nil, err
+	}
+
+	return &GroupExtended{
+		ID:            groupID.Int64(),
+		Name:          string(name),
+		Namespace:     string(namespace),
+		KV:            kvs,
+		SubjectsCount: subjectCount.Int64(),
+	}, nil
+}
+
+func parseGroups(items []stackitem.Item) ([]*Group, error) {
+	var err error
+	res := make([]*Group, len(items))
+
+	for i := 0; i < len(items); i++ {
+		arr, ok := items[i].Value().([]stackitem.Item)
+		if !ok {
+			return nil, fmt.Errorf("invalid group type")
+		}
+		res[i], err = parseGroup(arr)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return res, nil
+}

frostfsid/config.yml

@@ -1,4 +1,115 @@
 name: "Identity"
-safemethods: ["key", "version"]
+safemethods: ["version"]
 permissions:
   - methods: ["update"]
+events:
+  - name: CreateSubject
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+  - name: AddSubjectKey
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: subjectKey
+        type: PublicKey
+  - name: RemoveSubjectKey
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: subjectKey
+        type: PublicKey
+  - name: SetSubjectName
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: name
+        type: String
+  - name: SetSubjectKV
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: key
+        type: String
+      - name: value
+        type: String
+  - name: DeleteSubjectKV
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: key
+        type: String
+  - name: DeleteSubject
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+  - name: CreateNamespace
+    parameters:
+      - name: namespace
+        type: String
+  - name: AddSubjectToNamespace
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: namespace
+        type: String
+  - name: RemoveSubjectFromNamespace
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: namespace
+        type: String
+  - name: CreateGroup
+    parameters:
+      - name: namespace
+        type: String
+      - name: group
+        type: String
+  - name: SetGroupName
+    parameters:
+      - name: namespace
+        type: String
+      - name: groupID
+        type: Integer
+      - name: name
+        type: String
+  - name: SetGroupKV
+    parameters:
+      - name: namespace
+        type: String
+      - name: groupID
+        type: Integer
+      - name: key
+        type: String
+      - name: value
+        type: String
+  - name: DeleteGroupKV
+    parameters:
+      - name: namespace
+        type: String
+      - name: groupID
+        type: Integer
+      - name: key
+        type: String
+  - name: AddSubjectToGroup
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: namespace
+        type: String
+      - name: groupID
+        type: Integer
+  - name: RemoveSubjectFromGroup
+    parameters:
+      - name: subjectAddress
+        type: Hash160
+      - name: namespace
+        type: String
+      - name: groupID
+        type: Integer
+  - name: DeleteGroup
+    parameters:
+      - name: namespace
+        type: String
+      - name: groupID
+        type: Integer

frostfsid/doc.go

@@ -1,28 +1,26 @@
+// Package frostfsid
 /*
 FrostFSID contract is a contract deployed in FrostFS sidechain.
 
-FrostFSID contract is used to store connection between an OwnerID and its public keys.
-OwnerID is a 25-byte N3 wallet address that can be produced from a public key.
-It is one-way conversion. In simple cases, FrostFS verifies ownership by checking
-signature and relation between a public key and an OwnerID.
-
-In more complex cases, a user can use public keys unrelated to the OwnerID to maintain
-secure access to the data. FrostFSID contract stores relation between an OwnerID and
-arbitrary public keys. Data owner can bind a public key with its account or unbind it
-by invoking Bind or Unbind methods of FrostFS contract in the mainchain. After that,
-Alphabet nodes produce multisigned AddKey and RemoveKey invocations of FrostFSID
-contract.
-
 # Contract notifications
 
 FrostFSID contract does not produce notifications to process.
 
 # Contract storage scheme
 
-	|   Key                       | Value      |           Description            |
-	|-----------------------------|------------|----------------------------------|
-	| `processingScriptHash`      | Hash160    | netmap contract hash             |
-	| `containerScriptHash`       | Hash160    | container contract hash          |
-	| `o` + ownerID + publicKey   | ByteArray  | it flags owner's public key      |
+ |   Key                                                                        | Value                          |           Description                         |
+ |------------------------------------------------------------------------------|--------------------------------|-----------------------------------------------|
+ | `o` + [ owner address ]                                                      | []byte{1}                      | contract owners that can invoke write methods |
+ | `s` + [ subject address ]                                                    | Serialized Subject structure   | subject into                                  |
+ | `a` + [ pk address ] + [ subject address ]                                   | []byte{1}                      | link extra public keys for subject            |
+ | `n` + [ RIPEMD160 of namespace ]                                             | Serialized Namespace structure | namespace info                                |
+ | `N` + [ RIPEMD160 of namespace ] + [ subject address ]                       | []byte{1}                      | subject that belongs to the namespace         |
+ | `l` + [ RIPEMD160 of namespace ] + [ RIPEMD160 of subject name ]             | Subject public key             | subject name to public key index              |
+ | `g` + [ RIPEMD160 of namespace ] + [ 8 byte group id ]                       | Serialized Group structure     | group into                                    |
+ | `G` + [ RIPEMD160 of namespace ] + [ 8 byte group id ] + [ subject address ] | []byte{1}                      | subject that belongs to the group             |
+ | `c`                                                                          | Int                            | group id counter                              |
+ | `m` + [ RIPEMD160 of namespace ] + [ RIPEMD160 of subject name ]             | Serialized group id int        | group name to group id index                  |
+
+
 */
 package frostfsid

go.mod

@@ -8,10 +8,10 @@ require (
 	github.com/nspcc-dev/neo-go v0.103.0
 	github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5
 	github.com/stretchr/testify v1.8.4
+	go.uber.org/zap v1.26.0
 )
 
 require (
-	github.com/benbjohnson/clock v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.8.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -28,8 +28,12 @@ require (
 	github.com/holiman/uint256 v1.2.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/mmcloughlin/addchain v0.4.0 // indirect
+	github.com/nspcc-dev/dbft v0.0.0-20230515113611-25db6ba61d5c // indirect
 	github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 // indirect
+	github.com/nspcc-dev/neofs-crypto v0.4.0 // indirect
 	github.com/nspcc-dev/rfc6979 v0.2.0 // indirect
+	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.13.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
@@ -42,9 +46,7 @@ require (
 	github.com/twmb/murmur3 v1.1.5 // indirect
 	github.com/urfave/cli v1.22.5 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.9.0 // indirect
-	go.uber.org/zap v1.24.0 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
@@ -52,7 +54,6 @@ require (
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	rsc.io/tmplfunc v0.0.3 // indirect

go.sum

@@ -39,8 +39,6 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12 h1:npHgfD4Tl2WJS3AJaMUi5ynGDPUBfkg3U3fCzDyXZ+4=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -74,6 +72,7 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -177,8 +176,8 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -195,6 +194,7 @@ github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjW
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nspcc-dev/dbft v0.0.0-20230515113611-25db6ba61d5c h1:uyK5aLbAhrnZtnvobJLN24gGUrlxIJAAFqiWl+liZuo=
+github.com/nspcc-dev/dbft v0.0.0-20230515113611-25db6ba61d5c/go.mod h1:kjBC9F8L25GR+kIHy/1KgG/KfcoGnVwIiyovgq1uszk=
 github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 h1:n4ZaFCKt1pQJd7PXoMJabZWK9ejjbLOVrkl/lOUmshg=
 github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22/go.mod h1:79bEUDEviBHJMFV6Iq6in57FEOCMcRhfQnfaf0ETA5U=
 github.com/nspcc-dev/hrw v1.0.9 h1:17VcAuTtrstmFppBjfRiia4K2wA/ukXZhLFS8Y8rz5Y=
@@ -204,6 +204,7 @@ github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 h1:09
 github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5/go.mod h1:J/Mk6+nKeKSW4wygkZQFLQ6SkLOSGX5Ga0RuuuktEag=
 github.com/nspcc-dev/neofs-api-go/v2 v2.14.0 h1:jhuN8Ldqz7WApvUJRFY0bjRXE1R3iCkboMX5QVZhHVk=
 github.com/nspcc-dev/neofs-crypto v0.4.0 h1:5LlrUAM5O0k1+sH/sktBtrgfWtq1pgpDs09fZo+KYi4=
+github.com/nspcc-dev/neofs-crypto v0.4.0/go.mod h1:6XJ8kbXgOfevbI2WMruOtI+qUJXNwSGM/E9eClXxPHs=
 github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11 h1:QOc8ZRN5DXlAeRPh5QG9u8rMLgoeRNiZF5/vL7QupWg=
 github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
 github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
@@ -218,6 +219,7 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
+github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -265,6 +267,7 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 h1:xQdMZ1WLrgkkvOZ/LDQxjVxMLdby7osSh4ZEVa5sIjs=
@@ -285,13 +288,11 @@ go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
-go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
-go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
-go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
-go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
-go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -548,7 +549,6 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 h1:eSaPbMR4T7WfH9FvABk36NBMacoTUKdWCvV0dx+KfOg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5/go.mod h1:zBEcrKX2ZOcEkHWxBPAIvYUWOKKMIhYcmNiUIu2ji3I=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -592,6 +592,7 @@ gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

tests/frostfsid_client_test.go

@@ -0,0 +1,534 @@
+package tests
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/stretchr/testify/require"
+)
+
+type testFrostFSIDClientInvoker struct {
+	base *testFrostFSIDInvoker
+	cli  *client.Client
+	a    awaiter
+}
+
+func initFrostfsIFClientTest(t *testing.T) (clientInvoker *testFrostFSIDClientInvoker, cancelFn func()) {
+	f := newFrostFSIDInvoker(t)
+
+	wlt := initTmpWallet(t)
+	ctx, cancel := context.WithCancel(context.Background())
+	address := runRPC(ctx, t, f.e.Chain, wlt)
+
+	cli, rpc := frostfsidRPCClient(t, address, f.contractHash, f.owner)
+
+	clientInvoker = &testFrostFSIDClientInvoker{
+		base: f,
+		cli:  cli,
+		a: awaiter{
+			ctx: ctx,
+			t:   t,
+			rpc: rpc,
+		},
+	}
+
+	return clientInvoker, func() {
+		cancel()
+		err := os.Remove(wlt)
+		require.NoError(t, err)
+	}
+}
+
+func frostfsidRPCClient(t *testing.T, address string, contractHash util.Uint160, accs ...*wallet.Account) (*client.Client, *rpcclient.Client) {
+	rpcCli, err := rpcclient.New(context.Background(), "http://"+address, rpcclient.Options{})
+	require.NoError(t, err)
+
+	var acc *wallet.Account
+	if len(accs) == 0 {
+		acc, err = wallet.NewAccount()
+		require.NoError(t, err)
+	} else {
+		require.Len(t, accs, 1)
+		acc = accs[0]
+	}
+
+	cli, err := client.New(rpcCli, acc, contractHash, nil)
+	require.NoError(t, err)
+
+	return cli, rpcCli
+}
+
+func TestFrostFSID_Client_ContractOwnersManagement(t *testing.T) {
+	ffsid, cancel := initFrostfsIFClientTest(t)
+	defer cancel()
+
+	committeeInvoker := ffsid.base.CommitteeInvoker()
+	defaultOwnerAddress := ffsid.base.owner.ScriptHash()
+	_, newOwnerAddress := newKey(t)
+
+	checkListOwnersClient(t, ffsid.cli, defaultOwnerAddress)
+
+	_, _, err := ffsid.cli.AddOwner(newOwnerAddress)
+	require.ErrorContains(t, err, "not witnessed")
+	committeeInvoker.Invoke(t, stackitem.Null{}, addOwnerMethod, newOwnerAddress)
+
+	checkListOwnersClient(t, ffsid.cli, defaultOwnerAddress, newOwnerAddress)
+
+	_, _, err = ffsid.cli.DeleteOwner(newOwnerAddress)
+	require.ErrorContains(t, err, "not witnessed")
+	committeeInvoker.Invoke(t, stackitem.Null{}, deleteOwnerMethod, newOwnerAddress)
+
+	checkListOwnersClient(t, ffsid.cli, defaultOwnerAddress)
+}
+
+func newKey(t *testing.T) (*keys.PrivateKey, util.Uint160) {
+	key, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+	return key, key.PublicKey().GetScriptHash()
+}
+
+func checkListOwnersClient(t *testing.T, cli *client.Client, owners ...util.Uint160) {
+	addresses, err := cli.ListOwners()
+	require.NoError(t, err)
+	require.ElementsMatch(t, addresses, owners)
+}
+
+func TestFrostFSID_Client_SubjectManagement(t *testing.T) {
+	ffsid, cancel := initFrostfsIFClientTest(t)
+	defer cancel()
+
+	subjKey, subjAddr := newKey(t)
+	extraKey, _ := newKey(t)
+	subjLogin := "subj-login"
+	iamPathKV := "iam/path"
+
+	ffsid.a.await(ffsid.cli.CreateSubject(subjKey.PublicKey()))
+	ffsid.a.await(ffsid.cli.SetSubjectName(subjAddr, subjLogin))
+	ffsid.a.await(ffsid.cli.SetSubjectKV(subjAddr, client.IAMPathKey, iamPathKV))
+	ffsid.a.await(ffsid.cli.AddSubjectKey(subjAddr, extraKey.PublicKey()))
+
+	subj, err := ffsid.cli.GetSubject(subjAddr)
+	require.NoError(t, err)
+	require.True(t, subjKey.PublicKey().Equal(subj.PrimaryKey))
+	require.Equal(t, subj.Name, subjLogin)
+	require.Equal(t, map[string]string{client.IAMPathKey: iamPathKV}, subj.KV)
+	require.ElementsMatch(t, []*keys.PublicKey{extraKey.PublicKey()}, subj.AdditionalKeys)
+
+	ffsid.a.await(ffsid.cli.DeleteSubjectKV(subjAddr, client.IAMPathKey))
+	subj, err = ffsid.cli.GetSubject(subjAddr)
+	require.NoError(t, err)
+	require.Empty(t, subj.KV)
+
+	subjects, err := ffsid.cli.ListSubjects()
+	require.NoError(t, err)
+	require.ElementsMatch(t, subjects, []util.Uint160{subjAddr})
+
+	subj, err = ffsid.cli.GetSubjectByKey(extraKey.PublicKey())
+	require.NoError(t, err)
+	require.True(t, subjKey.PublicKey().Equal(subj.PrimaryKey))
+
+	ffsid.a.await(ffsid.cli.RemoveSubjectKey(subjAddr, extraKey.PublicKey()))
+	_, err = ffsid.cli.GetSubjectByKey(extraKey.PublicKey())
+	require.ErrorContains(t, err, "not found")
+
+	ffsid.a.await(ffsid.cli.DeleteSubject(subjAddr))
+
+	_, err = ffsid.cli.GetSubject(subjAddr)
+	require.ErrorContains(t, err, "not found")
+	subjects, err = ffsid.cli.ListSubjects()
+	require.NoError(t, err)
+	require.Empty(t, subjects)
+}
+
+func TestFrostFSID_Client_NamespaceManagement(t *testing.T) {
+	ffsid, cancel := initFrostfsIFClientTest(t)
+	defer cancel()
+
+	subjKey, subjAddr := newKey(t)
+	ffsid.a.await(ffsid.cli.CreateSubject(subjKey.PublicKey()))
+
+	namespace := "namespace"
+	ffsid.a.await(ffsid.cli.CreateNamespace(namespace))
+	_, _, err := ffsid.cli.CreateNamespace(namespace)
+	require.ErrorContains(t, err, "already exists")
+
+	ns, err := ffsid.cli.GetNamespace(namespace)
+	require.NoError(t, err)
+	require.Equal(t, namespace, ns.Name)
+
+	namespaces, err := ffsid.cli.ListNamespaces()
+	require.NoError(t, err)
+	require.ElementsMatch(t, []*client.Namespace{ns}, namespaces)
+
+	ffsid.a.await(ffsid.cli.AddSubjectToNamespace(subjAddr, namespace))
+	_, _, err = ffsid.cli.AddSubjectToNamespace(subjAddr, namespace)
+	require.ErrorContains(t, err, "already added")
+
+	subj, err := ffsid.cli.GetSubject(subjAddr)
+	require.NoError(t, err)
+	require.Equal(t, namespace, subj.Namespace)
+
+	subjects, err := ffsid.cli.ListNamespaceSubjects(namespace)
+	require.NoError(t, err)
+	require.ElementsMatch(t, []util.Uint160{subjAddr}, subjects)
+
+	ffsid.a.await(ffsid.cli.RemoveSubjectFromNamespace(subjAddr))
+
+	subj, err = ffsid.cli.GetSubject(subjAddr)
+	require.NoError(t, err)
+	require.Empty(t, subj.Namespace)
+
+	subjects, err = ffsid.cli.ListNamespaceSubjects(namespace)
+	require.NoError(t, err)
+	require.Empty(t, subjects)
+}
+
+func TestFrostFSID_Client_GroupManagement(t *testing.T) {
+	ffsid, cancel := initFrostfsIFClientTest(t)
+	defer cancel()
+
+	subjKey, subjAddr := newKey(t)
+	ffsid.a.await(ffsid.cli.CreateSubject(subjKey.PublicKey()))
+
+	namespace := "namespace"
+	ffsid.a.await(ffsid.cli.CreateNamespace(namespace))
+
+	groupName := "group"
+	groupID := int64(1)
+	actGroupID, err := ffsid.cli.ParseGroupID(ffsid.cli.Wait(ffsid.cli.CreateGroup(namespace, groupName)))
+	require.NoError(t, err)
+	require.Equal(t, groupID, actGroupID)
+
+	_, _, err = ffsid.cli.CreateGroup(namespace, groupName)
+	require.ErrorContains(t, err, "is not available")
+
+	iamARN := "arn"
+	ffsid.a.await(ffsid.cli.SetGroupKV(namespace, groupID, client.IAMARNKey, iamARN))
+
+	group, err := ffsid.cli.GetGroup(namespace, groupID)
+	require.NoError(t, err)
+	require.Equal(t, groupName, group.Name)
+	require.Equal(t, map[string]string{client.IAMARNKey: iamARN}, group.KV)
+
+	ffsid.a.await(ffsid.cli.DeleteGroupKV(namespace, groupID, client.IAMARNKey))
+
+	groupExt, err := ffsid.cli.GetGroupExtended(namespace, groupID)
+	require.NoError(t, err)
+	require.Zero(t, groupExt.SubjectsCount)
+
+	ffsid.a.await(ffsid.cli.AddSubjectToNamespace(subjAddr, namespace))
+	ffsid.a.await(ffsid.cli.AddSubjectToGroup(subjAddr, groupID))
+
+	subjExt, err := ffsid.cli.GetSubjectExtended(subjAddr)
+	require.NoError(t, err)
+	require.ElementsMatch(t, []*client.Group{{ID: groupID, Name: groupName, Namespace: namespace, KV: map[string]string{}}}, subjExt.Groups)
+
+	groupExt, err = ffsid.cli.GetGroupExtended(namespace, groupID)
+	require.NoError(t, err)
+	require.EqualValues(t, 1, groupExt.SubjectsCount)
+
+	subjects, err := ffsid.cli.ListGroupSubjects(namespace, groupID)
+	require.NoError(t, err)
+	require.ElementsMatch(t, []util.Uint160{subjAddr}, subjects)
+
+	ffsid.a.await(ffsid.cli.RemoveSubjectFromGroup(subjAddr, groupID))
+
+	subjects, err = ffsid.cli.ListGroupSubjects(namespace, groupID)
+	require.NoError(t, err)
+	require.Empty(t, subjects)
+
+	subjects, err = ffsid.cli.ListNamespaceSubjects(namespace)
+	require.NoError(t, err)
+	require.ElementsMatch(t, []util.Uint160{subjAddr}, subjects)
+
+	groups, err := ffsid.cli.ListGroups(namespace)
+	require.NoError(t, err)
+	require.ElementsMatch(t, []*client.Group{{ID: groupID, Name: groupName, Namespace: namespace, KV: map[string]string{}}}, groups)
+
+	ffsid.a.await(ffsid.cli.DeleteGroup(namespace, groupID))
+	_, err = ffsid.cli.GetGroup(namespace, groupID)
+	require.ErrorContains(t, err, "not found")
+
+	groups, err = ffsid.cli.ListGroups(namespace)
+	require.NoError(t, err)
+	require.Empty(t, groups)
+}
+
+type testSubject struct {
+	key  *keys.PrivateKey
+	addr util.Uint160
+}
+
+func TestFrostFSID_Client_Lists(t *testing.T) {
+	ffsid, cancel := initFrostfsIFClientTest(t)
+	defer cancel()
+
+	namespaces := []string{"empty-ns0", "ns1", "ns2", "ns3"}
+
+	tx := ffsid.cli.StartTx()
+	for _, namespace := range namespaces {
+		err := tx.WrapCall(ffsid.cli.CreateNamespaceCall(namespace))
+		require.NoError(t, err)
+	}
+	ffsid.a.await(ffsid.cli.SendTx(tx))
+
+	subjects := make([]testSubject, 10)
+	tx = ffsid.cli.StartTx()
+	for i := range subjects {
+		subjects[i].key, subjects[i].addr = newKey(t)
+		err := tx.WrapCall(ffsid.cli.CreateSubjectCall(subjects[i].key.PublicKey()))
+		require.NoError(t, err)
+	}
+	ffsid.a.await(ffsid.cli.SendTx(tx))
+
+	groups := []client.Group{
+		{
+			ID:        1,
+			Name:      "empty-group0",
+			Namespace: namespaces[0],
+		},
+		{
+			ID:        2,
+			Name:      "empty-group1",
+			Namespace: namespaces[1],
+		},
+		{
+			ID:        3,
+			Name:      "group2",
+			Namespace: namespaces[1],
+		},
+		{
+			ID:        4,
+			Name:      "group3",
+			Namespace: namespaces[2],
+		},
+		{
+			ID:        5,
+			Name:      "group4",
+			Namespace: namespaces[3],
+		},
+		{
+			ID:        6,
+			Name:      "group5",
+			Namespace: namespaces[3],
+		},
+	}
+
+	tx = ffsid.cli.StartTx()
+	for _, group := range groups[:3] {
+		err := tx.WrapCall(ffsid.cli.CreateGroupCall(group.Namespace, group.Name))
+		require.NoError(t, err)
+	}
+	ffsid.a.await(ffsid.cli.SendTx(tx))
+
+	// we split into two tx because of gas limit exceeded error
+	tx = ffsid.cli.StartTx()
+	for _, group := range groups[3:] {
+		err := tx.WrapCall(ffsid.cli.CreateGroupCall(group.Namespace, group.Name))
+		require.NoError(t, err)
+	}
+	ffsid.a.await(ffsid.cli.SendTx(tx))
+
+	addSubjectsToNamespaces(t, ffsid, namespaces, subjects)
+	addSubjectsToGroups(t, ffsid, groups, subjects)
+
+	nsList, err := ffsid.cli.ListNamespaces()
+	require.NoError(t, err)
+	require.ElementsMatch(t, []*client.Namespace{{Name: namespaces[0]}, {Name: namespaces[1]}, {Name: namespaces[2]}, {Name: namespaces[3]}}, nsList)
+
+	nonEmptyNs, err := ffsid.cli.ListNonEmptyNamespaces()
+	require.NoError(t, err)
+	require.ElementsMatch(t, namespaces[1:], nonEmptyNs)
+
+	checkNamespaceSubjects(t, ffsid.cli, namespaces[0], subjects, 0, 0)
+	checkNamespaceSubjects(t, ffsid.cli, namespaces[1], subjects, 0, 3)
+	checkNamespaceSubjects(t, ffsid.cli, namespaces[2], subjects, 3, 5)
+	checkNamespaceSubjects(t, ffsid.cli, namespaces[3], subjects, 5, 10)
+
+	nonEmptyGroups, err := ffsid.cli.ListNonEmptyGroups(namespaces[1])
+	require.NoError(t, err)
+	require.ElementsMatch(t, []string{groups[2].Name}, nonEmptyGroups)
+
+	checkGroupSubjects(t, ffsid.cli, groups[0], subjects, 0, 0)
+	checkGroupSubjects(t, ffsid.cli, groups[1], subjects, 0, 0)
+	checkGroupSubjects(t, ffsid.cli, groups[2], subjects, 2, 3)
+	checkGroupSubjects(t, ffsid.cli, groups[3], subjects, 3, 5)
+	checkGroupSubjects(t, ffsid.cli, groups[4], subjects, 6, 8)
+	checkGroupSubjects(t, ffsid.cli, groups[5], subjects, 8, 10)
+}
+
+func addSubjectsToNamespaces(t *testing.T, ffsid *testFrostFSIDClientInvoker, namespaces []string, subjects []testSubject) {
+	cli := ffsid.cli
+
+	tx := cli.StartTx()
+	for _, subject := range subjects[:3] {
+		err := tx.WrapCall(cli.AddSubjectToNamespaceCall(subject.addr, namespaces[1]))
+		require.NoError(t, err)
+	}
+	ffsid.a.await(cli.SendTx(tx))
+
+	tx = cli.StartTx()
+	for _, subject := range subjects[3:5] {
+		err := tx.WrapCall(cli.AddSubjectToNamespaceCall(subject.addr, namespaces[2]))
+		require.NoError(t, err)
+	}
+	ffsid.a.await(cli.SendTx(tx))
+
+	tx = cli.StartTx()
+	for _, subject := range subjects[5:] {
+		err := tx.WrapCall(cli.AddSubjectToNamespaceCall(subject.addr, namespaces[3]))
+		require.NoError(t, err)
+	}
+	ffsid.a.await(cli.SendTx(tx))
+}
+
+func addSubjectsToGroups(t *testing.T, ffsid *testFrostFSIDClientInvoker, groups []client.Group, subjects []testSubject) {
+	cli := ffsid.cli
+	tx := cli.StartTx()
+
+	err := tx.WrapCall(cli.AddSubjectToGroupCall(subjects[2].addr, groups[2].ID))
+	require.NoError(t, err)
+
+	err = tx.WrapCall(cli.AddSubjectToGroupCall(subjects[3].addr, groups[3].ID))
+	require.NoError(t, err)
+	err = tx.WrapCall(cli.AddSubjectToGroupCall(subjects[4].addr, groups[3].ID))
+	require.NoError(t, err)
+
+	ffsid.a.await(cli.SendTx(tx))
+
+	// we have to start new tx because of insufficient gas / gas limit exceeded error
+	tx = cli.StartTx()
+
+	err = tx.WrapCall(cli.AddSubjectToGroupCall(subjects[6].addr, groups[4].ID))
+	require.NoError(t, err)
+	err = tx.WrapCall(cli.AddSubjectToGroupCall(subjects[7].addr, groups[4].ID))
+	require.NoError(t, err)
+	err = tx.WrapCall(cli.AddSubjectToGroupCall(subjects[8].addr, groups[5].ID))
+	require.NoError(t, err)
+	err = tx.WrapCall(cli.AddSubjectToGroupCall(subjects[9].addr, groups[5].ID))
+	require.NoError(t, err)
+
+	ffsid.a.await(cli.SendTx(tx))
+}
+
+func checkNamespaceSubjects(t *testing.T, cli *client.Client, ns string, subjects []testSubject, start, end int) {
+	nsSubjects, err := cli.ListNamespaceSubjects(ns)
+	require.NoError(t, err)
+	require.ElementsMatch(t, subjSlice(subjects, start, end), nsSubjects)
+}
+
+func checkGroupSubjects(t *testing.T, cli *client.Client, group client.Group, subjects []testSubject, start, end int) {
+	groupSubjects, err := cli.ListGroupSubjects(group.Namespace, group.ID)
+	require.NoError(t, err)
+	require.ElementsMatch(t, subjSlice(subjects, start, end), groupSubjects)
+}
+
+func subjSlice(subjects []testSubject, start, end int) []util.Uint160 {
+	res := make([]util.Uint160, 0, end-start)
+	for i := start; i < end; i++ {
+		res = append(res, subjects[i].addr)
+	}
+	return res
+}
+
+func TestFrostFSID_Client_UseCaseWithS3GW(t *testing.T) {
+	ffsid, cancel := initFrostfsIFClientTest(t)
+	defer cancel()
+
+	namespace := "namespace"
+	login := "login"
+	dataUserKey, dataUserAddr := newKey(t)
+	extraDataUserKey, _ := newKey(t)
+
+	// admin
+	tx := ffsid.cli.StartTx()
+	err := tx.WrapCall(ffsid.cli.CreateNamespaceCall(namespace))
+	require.NoError(t, err)
+	err = tx.WrapCall(ffsid.cli.CreateSubjectCall(dataUserKey.PublicKey()))
+	require.NoError(t, err)
+	err = tx.WrapCall(ffsid.cli.SetSubjectNameCall(dataUserAddr, login))
+	require.NoError(t, err)
+	err = tx.WrapCall(ffsid.cli.AddSubjectKeyCall(dataUserAddr, extraDataUserKey.PublicKey()))
+	require.NoError(t, err)
+	err = tx.WrapCall(ffsid.cli.AddSubjectToNamespaceCall(dataUserAddr, namespace))
+	require.NoError(t, err)
+	ffsid.a.await(ffsid.cli.SendTx(tx))
+
+	// s3-gw
+	subj, err := ffsid.cli.GetSubjectByKey(extraDataUserKey.PublicKey())
+	require.NoError(t, err)
+	require.Equal(t, login, subj.Name)
+	require.True(t, dataUserKey.PublicKey().Equal(subj.PrimaryKey))
+	require.Equal(t, namespace, subj.Namespace)
+}
+
+func TestFrostFSID_Client_UseCaseListNSSubjects(t *testing.T) {
+	ffsid, cancel := initFrostfsIFClientTest(t)
+	defer cancel()
+
+	namespace := "namespace"
+	group := "group"
+	groupID := int64(1)
+
+	tx := ffsid.cli.StartTx()
+	err := tx.WrapCall(ffsid.cli.CreateNamespaceCall(namespace))
+	require.NoError(t, err)
+	err = tx.WrapCall(ffsid.cli.CreateGroupCall(namespace, group))
+	require.NoError(t, err)
+	ffsid.a.await(ffsid.cli.SendTx(tx))
+
+	// admin
+
+	subjects := make([]testSubject, 5)
+
+	for i := range subjects {
+		tx = ffsid.cli.StartTx()
+		subjects[i].key, subjects[i].addr = newKey(t)
+		err = tx.WrapCall(ffsid.cli.CreateSubjectCall(subjects[i].key.PublicKey()))
+		require.NoError(t, err)
+		err = tx.WrapCall(ffsid.cli.SetSubjectNameCall(subjects[i].addr, "login"+strconv.Itoa(i)))
+		require.NoError(t, err)
+		err = tx.WrapCall(ffsid.cli.AddSubjectToNamespaceCall(subjects[i].addr, namespace))
+		require.NoError(t, err)
+
+		if i > len(subjects)/2 {
+			err = tx.WrapCall(ffsid.cli.AddSubjectToGroupCall(subjects[i].addr, groupID))
+			require.NoError(t, err)
+		}
+		ffsid.a.await(ffsid.cli.SendTx(tx))
+	}
+
+	nsSubjects, err := ffsid.cli.ListNamespaceSubjects(namespace)
+	require.NoError(t, err)
+
+	res := make([]*client.SubjectExtended, len(nsSubjects))
+	for i, subj := range nsSubjects {
+		res[i], err = ffsid.cli.GetSubjectExtended(subj)
+		require.NoError(t, err)
+	}
+	prettyPrintExtendedSubjects(res)
+}
+
+func prettyPrintExtendedSubjects(subjects []*client.SubjectExtended) {
+	for _, subj := range subjects {
+		var sb strings.Builder
+		sb.WriteString(fmt.Sprintf("login: %s, namespace: %v, groups: [ ", subj.Name, subj.Namespace))
+
+		for _, group := range subj.Groups {
+			sb.WriteString(group.Namespace + ":" + group.Name + " ")
+		}
+
+		sb.WriteByte(']')
+		fmt.Println(sb.String())
+	}
+}

tests/frostfsid_test.go

@@ -1,110 +1,838 @@
 package tests
 
 import (
-	"bytes"
+	"errors"
 	"path"
-	"sort"
 	"testing"
 
-	"git.frostfs.info/TrueCloudLab/frostfs-contract/container"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
+	"github.com/nspcc-dev/neo-go/pkg/core/interop/storage"
+	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
 	"github.com/nspcc-dev/neo-go/pkg/neotest"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/stretchr/testify/require"
 )
 
 const frostfsidPath = "../frostfsid"
 
-func deployFrostFSIDContract(t *testing.T, e *neotest.Executor, addrNetmap, addrContainer util.Uint160) util.Uint160 {
-	args := make([]any, 2)
-	args[0] = addrNetmap
-	args[1] = addrContainer
+const (
+	addOwnerMethod    = "addOwner"
+	deleteOwnerMethod = "deleteOwner"
+	listOwnersMethod  = "listOwners"
+
+	createSubjectMethod       = "createSubject"
+	getSubjectMethod          = "getSubject"
+	listSubjectsMethod        = "listSubjects"
+	addSubjectKeyMethod       = "addSubjectKey"
+	removeSubjectKeyMethod    = "removeSubjectKey"
+	getSubjectByKeyMethod     = "getSubjectByKey"
+	getSubjectKeyByNameMethod = "getSubjectKeyByName"
+	setSubjectNameMethod      = "setSubjectName"
+	setSubjectKVMethod        = "setSubjectKV"
+	deleteSubjectKVMethod     = "deleteSubjectKV"
+	deleteSubjectMethod       = "deleteSubject"
+
+	createNamespaceMethod            = "createNamespace"
+	getNamespaceMethod               = "getNamespace"
+	getNamespaceExtendedMethod       = "getNamespaceExtended"
+	listNamespacesMethod             = "listNamespaces"
+	addSubjectToNamespaceMethod      = "addSubjectToNamespace"
+	removeSubjectFromNamespaceMethod = "removeSubjectFromNamespace"
+	listNamespaceSubjectsMethod      = "listNamespaceSubjects"
+
+	createGroupMethod            = "createGroup"
+	getGroupMethod               = "getGroup"
+	getGroupExtendedMethod       = "getGroupExtended"
+	getGroupIDByNameMethod       = "getGroupIDByName"
+	setGroupNameMethod           = "setGroupName"
+	setGroupKVMethod             = "setGroupKV"
+	deleteGroupKVMethod          = "deleteGroupKV"
+	listGroupsMethod             = "listGroups"
+	addSubjectToGroupMethod      = "addSubjectToGroup"
+	removeSubjectFromGroupMethod = "removeSubjectFromGroup"
+	listGroupSubjectsMethod      = "listGroupSubjects"
+	deleteGroupMethod            = "deleteGroup"
+)
+
+const notWitnessedError = "not witnessed"
+
+type testFrostFSIDInvoker struct {
+	e            *neotest.Executor
+	contractHash util.Uint160
+	owner        *wallet.Account
+}
+
+func (f *testFrostFSIDInvoker) OwnerInvoker() *neotest.ContractInvoker {
+	return f.e.NewInvoker(f.contractHash, neotest.NewSingleSigner(f.owner))
+}
+
+func (f *testFrostFSIDInvoker) CommitteeInvoker() *neotest.ContractInvoker {
+	return f.e.CommitteeInvoker(f.contractHash)
+}
+
+func (f *testFrostFSIDInvoker) AnonInvoker(t *testing.T) *neotest.ContractInvoker {
+	acc, err := wallet.NewAccount()
+	require.NoError(t, err)
+
+	return f.e.NewInvoker(f.contractHash, newSigner(t, f.CommitteeInvoker(), acc))
+}
+
+func newSigner(t *testing.T, c *neotest.ContractInvoker, acc *wallet.Account) neotest.Signer {
+	amount := int64(100_0000_0000)
+
+	tx := c.NewTx(t, []neotest.Signer{c.Validator},
+		c.NativeHash(t, nativenames.Gas), "transfer",
+		c.Validator.ScriptHash(), acc.Contract.ScriptHash(), amount, nil)
+	c.AddNewBlock(t, tx)
+	c.CheckHalt(t, tx.Hash())
+	return neotest.NewSingleSigner(acc)
+}
+
+func deployFrostFSIDContract(t *testing.T, e *neotest.Executor, contractOwner util.Uint160) util.Uint160 {
+	args := make([]any, 5)
+	args[0] = []any{contractOwner}
 
 	c := neotest.CompileFile(t, e.CommitteeHash, frostfsidPath, path.Join(frostfsidPath, "config.yml"))
 	e.DeployContract(t, c, args)
 	return c.Hash
 }
 
-func newFrostFSIDInvoker(t *testing.T) *neotest.ContractInvoker {
+func newFrostFSIDInvoker(t *testing.T) *testFrostFSIDInvoker {
 	e := newExecutor(t)
 
-	ctrNNS := neotest.CompileFile(t, e.CommitteeHash, nnsPath, path.Join(nnsPath, "config.yml"))
-	ctrNetmap := neotest.CompileFile(t, e.CommitteeHash, netmapPath, path.Join(netmapPath, "config.yml"))
-	ctrBalance := neotest.CompileFile(t, e.CommitteeHash, balancePath, path.Join(balancePath, "config.yml"))
-	ctrContainer := neotest.CompileFile(t, e.CommitteeHash, containerPath, path.Join(containerPath, "config.yml"))
+	acc, err := wallet.NewAccount()
+	require.NoError(t, err)
 
-	e.DeployContract(t, ctrNNS, nil)
-	deployNetmapContract(t, e, ctrBalance.Hash, ctrContainer.Hash,
-		container.RegistrationFeeKey, int64(containerFee),
-		container.AliasFeeKey, int64(containerAliasFee))
-	deployBalanceContract(t, e, ctrNetmap.Hash, ctrContainer.Hash)
-	deployContainerContract(t, e, ctrNetmap.Hash, ctrBalance.Hash, ctrNNS.Hash)
-	h := deployFrostFSIDContract(t, e, ctrNetmap.Hash, ctrContainer.Hash)
-	return e.CommitteeInvoker(h)
+	h := deployFrostFSIDContract(t, e, acc.ScriptHash())
+
+	newSigner(t, e.CommitteeInvoker(h), acc)
+
+	return &testFrostFSIDInvoker{
+		e:            e,
+		contractHash: h,
+		owner:        acc,
+	}
 }
 
-func TestFrostFSID_AddKey(t *testing.T) {
-	e := newFrostFSIDInvoker(t)
+func TestFrostFSID_ContractOwnersManagement(t *testing.T) {
+	f := newFrostFSIDInvoker(t)
 
-	pubs := make([][]byte, 6)
-	for i := range pubs {
-		p, err := keys.NewPrivateKey()
+	anonInvoker := f.AnonInvoker(t)
+	anonInvokerHash := anonInvoker.Signers[0].ScriptHash()
+	invoker := f.OwnerInvoker()
+	invokerHash := invoker.Signers[0].ScriptHash()
+	committeeInvoker := f.CommitteeInvoker()
+
+	checkListOwners(t, anonInvoker, invokerHash)
+
+	anonInvoker.InvokeFail(t, notWitnessedError, createNamespaceMethod, "namespace")
+	invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, "namespace")
+
+	invoker.InvokeFail(t, notWitnessedError, addOwnerMethod, anonInvokerHash)
+	committeeInvoker.Invoke(t, stackitem.Null{}, addOwnerMethod, anonInvokerHash)
+	anonInvoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, "namespace2")
+
+	checkListOwners(t, anonInvoker, invokerHash, anonInvokerHash)
+
+	anonInvoker.InvokeFail(t, notWitnessedError, deleteOwnerMethod, anonInvokerHash)
+	committeeInvoker.Invoke(t, stackitem.Null{}, deleteOwnerMethod, anonInvokerHash)
+	anonInvoker.InvokeFail(t, notWitnessedError, createNamespaceMethod, "namespace3")
+
+	checkListOwners(t, anonInvoker, invokerHash)
+}
+
+func checkListOwners(t *testing.T, invoker *neotest.ContractInvoker, expectedAddresses ...util.Uint160) {
+	s, err := invoker.TestInvoke(t, listOwnersMethod)
+	require.NoError(t, err)
+	addresses, err := unwrap.ArrayOfUint160(makeValidRes(stackitem.NewArray(readIteratorAll(s))), nil)
+	require.NoError(t, err)
+	require.ElementsMatch(t, addresses, expectedAddresses)
+}
+
+func TestFrostFSID_SubjectManagement(t *testing.T) {
+	f := newFrostFSIDInvoker(t)
+
+	subjKey, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+	subjKeyAddr := subjKey.PublicKey().GetScriptHash()
+
+	anonInvoker := f.AnonInvoker(t)
+	invoker := f.OwnerInvoker()
+
+	anonInvoker.InvokeFail(t, notWitnessedError, createSubjectMethod, subjKey.PublicKey().Bytes())
+	invoker.Invoke(t, stackitem.Null{}, createSubjectMethod, subjKey.PublicKey().Bytes())
+	invoker.InvokeFail(t, "already exists", createSubjectMethod, subjKey.PublicKey().Bytes())
+
+	s, err := anonInvoker.TestInvoke(t, getSubjectMethod, subjKeyAddr)
+	require.NoError(t, err)
+
+	subj := parseSubject(t, s)
+	require.True(t, subjKey.PublicKey().Equal(&subj.PrimaryKey))
+
+	t.Run("add subject key", func(t *testing.T) {
+		subjNewKey, err := keys.NewPrivateKey()
 		require.NoError(t, err)
-		pubs[i] = p.PublicKey().Bytes()
-	}
-	acc := e.NewAccount(t)
-	owner := signerToOwner(acc)
-	e.Invoke(t, stackitem.Null{}, "addKey", owner,
-		[]any{pubs[0], pubs[1]})
 
-	sort.Slice(pubs[:2], func(i, j int) bool {
-		return bytes.Compare(pubs[i], pubs[j]) == -1
-	})
-	arr := []stackitem.Item{
-		stackitem.NewBuffer(pubs[0]),
-		stackitem.NewBuffer(pubs[1]),
-	}
-	e.Invoke(t, stackitem.NewArray(arr), "key", owner)
+		anonInvoker.InvokeFail(t, notWitnessedError, addSubjectKeyMethod, subjKeyAddr, subjNewKey.PublicKey().Bytes())
+		invoker.Invoke(t, stackitem.Null{}, addSubjectKeyMethod, subjKeyAddr, subjNewKey.PublicKey().Bytes())
 
-	t.Run("multiple addKey per block", func(t *testing.T) {
-		tx1 := e.PrepareInvoke(t, "addKey", owner, []any{pubs[2]})
-		tx2 := e.PrepareInvoke(t, "addKey", owner, []any{pubs[3], pubs[4]})
-		e.AddNewBlock(t, tx1, tx2)
-		e.CheckHalt(t, tx1.Hash(), stackitem.Null{})
-		e.CheckHalt(t, tx2.Hash(), stackitem.Null{})
+		s, err = anonInvoker.TestInvoke(t, getSubjectMethod, subjKeyAddr)
+		require.NoError(t, err)
+		subj := parseSubject(t, s)
+		require.Len(t, subj.AdditionalKeys, 1)
+		require.True(t, subjNewKey.PublicKey().Equal(subj.AdditionalKeys[0]))
 
-		sort.Slice(pubs[:5], func(i, j int) bool {
-			return bytes.Compare(pubs[i], pubs[j]) == -1
+		t.Run("get subject by additional key", func(t *testing.T) {
+			s, err = anonInvoker.TestInvoke(t, getSubjectByKeyMethod, subjNewKey.PublicKey().Bytes())
+			require.NoError(t, err)
+			subj := parseSubject(t, s)
+			require.True(t, subjKey.PublicKey().Equal(&subj.PrimaryKey), "keys must be the same")
+
+			s, err = anonInvoker.TestInvoke(t, getSubjectByKeyMethod, subjKey.PublicKey().Bytes())
+			require.NoError(t, err)
+			subj = parseSubject(t, s)
+			require.True(t, subjKey.PublicKey().Equal(&subj.PrimaryKey), "keys must be the same")
+
+			t.Run("remove subject key", func(t *testing.T) {
+				anonInvoker.InvokeFail(t, notWitnessedError, removeSubjectKeyMethod, subjKeyAddr, subjNewKey.PublicKey().Bytes())
+				invoker.Invoke(t, stackitem.Null{}, removeSubjectKeyMethod, subjKeyAddr, subjNewKey.PublicKey().Bytes())
+
+				anonInvoker.InvokeFail(t, "not found", getSubjectByKeyMethod, subjNewKey.PublicKey().Bytes())
+			})
 		})
-		arr = []stackitem.Item{
-			stackitem.NewBuffer(pubs[0]),
-			stackitem.NewBuffer(pubs[1]),
-			stackitem.NewBuffer(pubs[2]),
-			stackitem.NewBuffer(pubs[3]),
-			stackitem.NewBuffer(pubs[4]),
-		}
-		e.Invoke(t, stackitem.NewArray(arr), "key", owner)
 	})
 
-	e.Invoke(t, stackitem.Null{}, "removeKey", owner,
-		[]any{pubs[1], pubs[5]})
-	arr = []stackitem.Item{
-		stackitem.NewBuffer(pubs[0]),
-		stackitem.NewBuffer(pubs[2]),
-		stackitem.NewBuffer(pubs[3]),
-		stackitem.NewBuffer(pubs[4]),
-	}
-	e.Invoke(t, stackitem.NewArray(arr), "key", owner)
+	t.Run("set subject name", func(t *testing.T) {
+		login := "some-login"
 
-	t.Run("multiple removeKey per block", func(t *testing.T) {
-		tx1 := e.PrepareInvoke(t, "removeKey", owner, []any{pubs[2]})
-		tx2 := e.PrepareInvoke(t, "removeKey", owner, []any{pubs[0], pubs[4]})
-		e.AddNewBlock(t, tx1, tx2)
-		e.CheckHalt(t, tx1.Hash(), stackitem.Null{})
-		e.CheckHalt(t, tx2.Hash(), stackitem.Null{})
+		anonInvoker.InvokeFail(t, notWitnessedError, setSubjectNameMethod, subjKeyAddr, login)
+		invoker.Invoke(t, stackitem.Null{}, setSubjectNameMethod, subjKeyAddr, login)
 
-		arr = []stackitem.Item{stackitem.NewBuffer(pubs[3])}
-		e.Invoke(t, stackitem.NewArray(arr), "key", owner)
+		s, err = anonInvoker.TestInvoke(t, getSubjectMethod, subjKeyAddr)
+		require.NoError(t, err)
+		subj = parseSubject(t, s)
+		require.Equal(t, login, subj.Name)
+	})
+
+	t.Run("set subject KVs", func(t *testing.T) {
+		iamPath := "iam/path"
+
+		anonInvoker.InvokeFail(t, notWitnessedError, setSubjectKVMethod, subjKeyAddr, client.IAMPathKey, iamPath)
+		invoker.Invoke(t, stackitem.Null{}, setSubjectKVMethod, subjKeyAddr, client.IAMPathKey, iamPath)
+
+		s, err = anonInvoker.TestInvoke(t, getSubjectMethod, subjKeyAddr)
+		require.NoError(t, err)
+		subj = parseSubject(t, s)
+		require.Equal(t, iamPath, subj.KV[client.IAMPathKey])
+
+		anonInvoker.InvokeFail(t, notWitnessedError, deleteSubjectKVMethod, subjKeyAddr, client.IAMPathKey)
+		invoker.Invoke(t, stackitem.Null{}, deleteSubjectKVMethod, subjKeyAddr, client.IAMPathKey)
+
+		s, err = anonInvoker.TestInvoke(t, getSubjectMethod, subjKeyAddr)
+		require.NoError(t, err)
+		subj = parseSubject(t, s)
+		require.Empty(t, subj.KV)
+	})
+
+	t.Run("list subjects", func(t *testing.T) {
+		newSubjKey, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+
+		invoker.Invoke(t, stackitem.Null{}, createSubjectMethod, newSubjKey.PublicKey().Bytes())
+
+		s, err = anonInvoker.TestInvoke(t, listSubjectsMethod)
+		require.NoError(t, err)
+
+		addresses, err := unwrap.ArrayOfUint160(makeValidRes(stackitem.NewArray(readIteratorAll(s))), nil)
+		require.NoError(t, err)
+		require.Len(t, addresses, 2)
+		require.ElementsMatch(t, addresses, []util.Uint160{subjKeyAddr, newSubjKey.PublicKey().GetScriptHash()})
+
+	})
+
+	anonInvoker.InvokeFail(t, notWitnessedError, deleteSubjectMethod, subjKeyAddr)
+	invoker.Invoke(t, stackitem.Null{}, deleteSubjectMethod, subjKeyAddr)
+
+	anonInvoker.InvokeFail(t, "subject not found", getSubjectMethod, subjKeyAddr)
+}
+
+func TestFrostFSIS_SubjectNameRelatedInvariants(t *testing.T) {
+	f := newFrostFSIDInvoker(t)
+
+	subjName1 := "subj1"
+	subjKey1, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+	subjKeyAddr1 := subjKey1.PublicKey().GetScriptHash()
+
+	subjName2 := "subj2"
+	subjKey2, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+	subjKeyAddr2 := subjKey2.PublicKey().GetScriptHash()
+
+	invoker := f.OwnerInvoker()
+
+	ns1, ns2 := "ns1", "ns2"
+
+	// Create two subject (one of them with name)
+	// Create two namespace.
+	// Add these subjects to ns1
+	invoker.Invoke(t, stackitem.Null{}, createSubjectMethod, subjKey1.PublicKey().Bytes())
+	invoker.Invoke(t, stackitem.Null{}, setSubjectNameMethod, subjKeyAddr1, subjName1)
+	invoker.Invoke(t, stackitem.Null{}, createSubjectMethod, subjKey2.PublicKey().Bytes())
+	invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, ns1)
+	invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, ns2)
+	invoker.Invoke(t, stackitem.Null{}, addSubjectToNamespaceMethod, subjKeyAddr1, ns1)
+	invoker.Invoke(t, stackitem.Null{}, addSubjectToNamespaceMethod, subjKeyAddr2, ns1)
+
+	// Check that we can find public key by name for subj1 (with name)
+	// and cannot find key for subj2 (without name)
+	s, err := invoker.TestInvoke(t, getSubjectKeyByNameMethod, ns1, subjName1)
+	checkPublicKeyResult(t, s, err, subjKey1)
+	s, err = invoker.TestInvoke(t, getSubjectKeyByNameMethod, ns1, subjName2)
+	checkPublicKeyResult(t, s, err, nil)
+
+	// Check that we can find public key for by name for subj2 when we set its name
+	invoker.Invoke(t, stackitem.Null{}, setSubjectNameMethod, subjKeyAddr2, subjName2)
+	s, err = invoker.TestInvoke(t, getSubjectKeyByNameMethod, ns1, subjName2)
+	checkPublicKeyResult(t, s, err, subjKey2)
+
+	// Check that we cannot set for second subject name that the first subject has already taken
+	invoker.InvokeFail(t, "not available", setSubjectNameMethod, subjKeyAddr2, subjName1)
+
+	// Check that we cannot move subject from one namespace to another
+	invoker.InvokeFail(t, "cannot be moved", addSubjectToNamespaceMethod, subjKeyAddr2, ns2)
+
+	// Check that we cannot find public key by name for subject that was removed from namespace
+	invoker.Invoke(t, stackitem.Null{}, removeSubjectFromNamespaceMethod, subjKeyAddr2)
+	s, err = invoker.TestInvoke(t, getSubjectKeyByNameMethod, ns1, subjName2)
+	checkPublicKeyResult(t, s, err, nil)
+
+	// Check that we can find public key by name for subject in new namespace
+	invoker.Invoke(t, stackitem.Null{}, addSubjectToNamespaceMethod, subjKeyAddr2, ns2)
+	s, err = invoker.TestInvoke(t, getSubjectKeyByNameMethod, ns2, subjName2)
+	checkPublicKeyResult(t, s, err, subjKey2)
+
+	// Check that subj2 can have the same name as subj1 if they belong to different namespaces
+	// Also check that after subject renaming its key cannot be found by old name
+	invoker.Invoke(t, stackitem.Null{}, setSubjectNameMethod, subjKeyAddr2, subjName1)
+	s, err = invoker.TestInvoke(t, getSubjectKeyByNameMethod, ns2, subjName1)
+	checkPublicKeyResult(t, s, err, subjKey2)
+	s, err = invoker.TestInvoke(t, getSubjectKeyByNameMethod, ns2, subjName2)
+	checkPublicKeyResult(t, s, err, nil)
+}
+
+func TestFrostFSIS_GroupNameRelatedInvariants(t *testing.T) {
+	f := newFrostFSIDInvoker(t)
+
+	groupName1, groupName2 := "group1", "group2"
+	groupID1, groupID2 := int64(1), int64(2)
+
+	invoker := f.OwnerInvoker()
+
+	ns1, ns2 := "ns1", "ns2"
+
+	// Create two group
+	// Create two namespace.
+	// Add these groups to ns1
+	invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, ns1)
+	invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, ns2)
+	invoker.Invoke(t, stackitem.Make(groupID1), createGroupMethod, ns1, groupName1)
+	invoker.Invoke(t, stackitem.Make(groupID2), createGroupMethod, ns1, groupName2)
+
+	// Check that we can find group id by name for group1 in ns1 and not in ns2
+	s, err := invoker.TestInvoke(t, getGroupIDByNameMethod, ns1, groupName1)
+	checkGroupIDResult(t, s, err, groupID1)
+	s, err = invoker.TestInvoke(t, getGroupIDByNameMethod, ns2, groupName1)
+	checkGroupIDResult(t, s, err, -1)
+
+	// Check that we cannot set for second group name that the first subject has already taken
+	invoker.InvokeFail(t, "not available", setGroupNameMethod, ns1, groupID1, groupName2)
+
+	// Check that we cannot create group with the same name in namespace, but can in another
+	invoker.InvokeFail(t, "not available", createGroupMethod, ns1, groupName2)
+	invoker.Invoke(t, stackitem.Make(3), createGroupMethod, ns2, groupName2)
+
+
+	// Check that we cannot find group id by name for group that was removed
+	invoker.Invoke(t, stackitem.Null{}, deleteGroupMethod, ns1, groupID2)
+	s, err = invoker.TestInvoke(t, getGroupIDByNameMethod, ns1, groupName2)
+	checkGroupIDResult(t, s, err, -1)
+
+	// Check that we can create group with the name that was freed after deleting
+	invoker.Invoke(t, stackitem.Make(4), createGroupMethod, ns1, groupName2)
+
+	// Check that after group renaming its id cannot be found by old name
+	newGroupName:= "new"
+	invoker.Invoke(t, stackitem.Null{}, setGroupNameMethod, ns1, groupID1, newGroupName)
+	s, err = invoker.TestInvoke(t, getGroupIDByNameMethod, ns1, groupName1)
+	checkGroupIDResult(t, s, err, -1)
+	s, err = invoker.TestInvoke(t, getGroupIDByNameMethod, ns1, newGroupName)
+	checkGroupIDResult(t, s, err, groupID1)
+}
+
+func TestFrostFSID_NamespaceManagement(t *testing.T) {
+	f := newFrostFSIDInvoker(t)
+
+	anonInvoker := f.AnonInvoker(t)
+	invoker := f.OwnerInvoker()
+
+	namespace := "some-namespace"
+
+	anonInvoker.InvokeFail(t, notWitnessedError, createNamespaceMethod, namespace)
+	invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, namespace)
+	invoker.InvokeFail(t, "already exists", createNamespaceMethod, namespace)
+
+	s, err := anonInvoker.TestInvoke(t, getNamespaceMethod, namespace)
+	require.NoError(t, err)
+
+	ns := parseNamespace(t, s.Pop().Item())
+	require.Equal(t, namespace, ns.Name)
+
+	t.Run("add user to namespace", func(t *testing.T) {
+		subjKey, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		invoker.Invoke(t, stackitem.Null{}, createSubjectMethod, subjKey.PublicKey().Bytes())
+
+		subjName := "name"
+		subjAddress := subjKey.PublicKey().GetScriptHash()
+		invoker.Invoke(t, stackitem.Null{}, setSubjectNameMethod, subjAddress, subjName)
+
+		anonInvoker.InvokeFail(t, notWitnessedError, addSubjectToNamespaceMethod, subjAddress, namespace)
+		invoker.Invoke(t, stackitem.Null{}, addSubjectToNamespaceMethod, subjAddress, namespace)
+		invoker.InvokeFail(t, "already added", addSubjectToNamespaceMethod, subjAddress, namespace)
+
+		s, err := anonInvoker.TestInvoke(t, getSubjectMethod, subjAddress)
+		require.NoError(t, err)
+		subj := parseSubject(t, s)
+		require.Equal(t, namespace, subj.Namespace)
+
+		t.Run("list namespace subjects", func(t *testing.T) {
+			s, err := anonInvoker.TestInvoke(t, listNamespaceSubjectsMethod, namespace)
+			require.NoError(t, err)
+
+			addresses, err := unwrap.ArrayOfUint160(makeValidRes(stackitem.NewArray(readIteratorAll(s))), nil)
+			require.NoError(t, err)
+			require.ElementsMatch(t, addresses, []util.Uint160{subjAddress})
+		})
+
+		t.Run("get subject key by name", func(t *testing.T) {
+			s, err := anonInvoker.TestInvoke(t, getSubjectKeyByNameMethod, namespace, subjName)
+			require.NoError(t, err)
+
+			foundKey, err := unwrap.PublicKey(makeValidRes(s.Pop().Item()), nil)
+			require.NoError(t, err)
+			require.Equal(t, subjKey.PublicKey(), foundKey)
+		})
+
+		t.Run("list namespaces", func(t *testing.T) {
+			namespace2 := "some-namespace2"
+			invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, namespace2)
+
+			s, err := anonInvoker.TestInvoke(t, listNamespacesMethod)
+			require.NoError(t, err)
+
+			namespaces := parseNamespaces(t, readIteratorAll(s))
+			require.NoError(t, err)
+			require.ElementsMatch(t, namespaces, []Namespace{{Name: namespace}, {Name: namespace2}})
+
+			t.Run("find namespaces with some subjects", func(t *testing.T) {
+				for _, ns := range namespaces {
+					s, err := anonInvoker.TestInvoke(t, getNamespaceExtendedMethod, ns.Name)
+					require.NoError(t, err)
+
+					nsExt := parseNamespaceExtended(t, s.Pop().Item())
+					if nsExt.SubjectsCount > 0 {
+						require.Equal(t, namespace, nsExt.Name)
+					}
+				}
+
+				t.Run("remove subject from namespace", func(t *testing.T) {
+					anonInvoker.InvokeFail(t, notWitnessedError, removeSubjectFromNamespaceMethod, subjAddress)
+					invoker.Invoke(t, stackitem.Null{}, removeSubjectFromNamespaceMethod, subjAddress)
+
+					s, err := anonInvoker.TestInvoke(t, getSubjectMethod, subjAddress)
+					require.NoError(t, err)
+					subj := parseSubject(t, s)
+					require.Empty(t, subj.Namespace)
+
+					s, err = anonInvoker.TestInvoke(t, getNamespaceExtendedMethod, namespace)
+					require.NoError(t, err)
+					nsExt := parseNamespaceExtended(t, s.Pop().Item())
+					require.Zero(t, nsExt.SubjectsCount)
+				})
+			})
+		})
 	})
 }
+
+func TestFrostFSID_GroupManagement(t *testing.T) {
+	f := newFrostFSIDInvoker(t)
+
+	anonInvoker := f.AnonInvoker(t)
+	invoker := f.OwnerInvoker()
+
+	nsName := "namespace"
+	invoker.Invoke(t, stackitem.Null{}, createNamespaceMethod, nsName)
+
+	groupID := int64(1)
+	groupName := "group"
+	anonInvoker.InvokeFail(t, notWitnessedError, createGroupMethod, nsName, groupName)
+	invoker.Invoke(t, stackitem.Make(groupID), createGroupMethod, nsName, groupName)
+
+	s, err := anonInvoker.TestInvoke(t, getGroupMethod, nsName, groupID)
+	require.NoError(t, err)
+	group := parseGroup(t, s.Pop().Item())
+	require.Equal(t, groupID, group.ID)
+	require.Equal(t, groupName, group.Name)
+
+	s, err = anonInvoker.TestInvoke(t, listGroupsMethod, nsName)
+	require.NoError(t, err)
+	groups := parseGroups(t, readIteratorAll(s))
+	require.ElementsMatch(t, groups, []Group{{ID: groupID, Name: groupName, Namespace: nsName}})
+
+	t.Run("add subjects to group", func(t *testing.T) {
+		subjKey, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		invoker.Invoke(t, stackitem.Null{}, createSubjectMethod, subjKey.PublicKey().Bytes())
+
+		subjAddress := subjKey.PublicKey().GetScriptHash()
+		invoker.Invoke(t, stackitem.Null{}, addSubjectToNamespaceMethod, subjAddress, nsName)
+		anonInvoker.InvokeFail(t, "not witnessed", addSubjectToGroupMethod, subjAddress, groupID)
+		invoker.Invoke(t, stackitem.Null{}, addSubjectToGroupMethod, subjAddress, groupID)
+
+		t.Run("list group subjects", func(t *testing.T) {
+			s, err = anonInvoker.TestInvoke(t, listGroupSubjectsMethod, nsName, groupID)
+			require.NoError(t, err)
+
+			addresses, err := unwrap.ArrayOfUint160(makeValidRes(stackitem.NewArray(readIteratorAll(s))), nil)
+			require.NoError(t, err)
+			require.ElementsMatch(t, addresses, []util.Uint160{subjAddress})
+
+			anonInvoker.InvokeFail(t, "not witnessed", removeSubjectFromGroupMethod, subjAddress, groupID)
+			invoker.Invoke(t, stackitem.Null{}, removeSubjectFromGroupMethod, subjAddress, groupID)
+
+			s, err = anonInvoker.TestInvoke(t, listGroupSubjectsMethod, nsName, groupID)
+			require.NoError(t, err)
+
+			addresses, err = unwrap.ArrayOfUint160(makeValidRes(stackitem.NewArray(readIteratorAll(s))), nil)
+			require.NoError(t, err)
+			require.Empty(t, addresses)
+
+			t.Run("get group extended", func(t *testing.T) {
+				subjectsCount := 10
+				for i := 0; i < subjectsCount; i++ {
+					subjKey, err := keys.NewPrivateKey()
+					require.NoError(t, err)
+					invoker.Invoke(t, stackitem.Null{}, createSubjectMethod, subjKey.PublicKey().Bytes())
+					invoker.Invoke(t, stackitem.Null{}, addSubjectToNamespaceMethod, subjKey.PublicKey().GetScriptHash(), nsName)
+					invoker.Invoke(t, stackitem.Null{}, addSubjectToGroupMethod, subjKey.PublicKey().GetScriptHash(), groupID)
+				}
+
+				s, err = anonInvoker.TestInvoke(t, getGroupExtendedMethod, nsName, groupID)
+				require.NoError(t, err)
+				groupExt := parseGroupExtended(t, s.Pop().Item())
+				require.Equal(t, groupID, groupExt.ID)
+				require.Equal(t, groupName, groupExt.Name)
+				require.Empty(t, groupExt.KV)
+				require.EqualValues(t, subjectsCount, groupExt.SubjectsCount)
+			})
+		})
+	})
+
+	t.Run("set group name", func(t *testing.T) {
+		newGroupName := "new-name"
+
+		anonInvoker.InvokeFail(t, notWitnessedError, setGroupNameMethod, nsName, groupID, newGroupName)
+		invoker.Invoke(t, stackitem.Null{}, setGroupNameMethod, nsName, groupID, newGroupName)
+
+		s, err = anonInvoker.TestInvoke(t, getGroupIDByNameMethod, nsName, newGroupName)
+		require.NoError(t, err)
+		require.Equal(t, groupID, s.Pop().BigInt().Int64())
+
+		s, err = anonInvoker.TestInvoke(t, getGroupMethod, nsName, groupID)
+		require.NoError(t, err)
+		group = parseGroup(t, s.Pop().Item())
+		require.Equal(t, newGroupName, group.Name)
+	})
+
+	t.Run("set group KVs", func(t *testing.T) {
+		iamARN := "arn"
+
+		anonInvoker.InvokeFail(t, notWitnessedError, setGroupKVMethod, nsName, groupID, client.IAMARNKey, iamARN)
+		invoker.Invoke(t, stackitem.Null{}, setGroupKVMethod, nsName, groupID, client.IAMARNKey, iamARN)
+
+		s, err = anonInvoker.TestInvoke(t, getGroupMethod, nsName, groupID)
+		require.NoError(t, err)
+		group = parseGroup(t, s.Pop().Item())
+		require.Equal(t, iamARN, group.KV[client.IAMARNKey])
+
+		anonInvoker.InvokeFail(t, notWitnessedError, deleteGroupKVMethod, nsName, groupID, client.IAMARNKey)
+		invoker.Invoke(t, stackitem.Null{}, deleteGroupKVMethod, nsName, groupID, client.IAMARNKey)
+
+		s, err = anonInvoker.TestInvoke(t, getGroupMethod, nsName, groupID)
+		require.NoError(t, err)
+		group = parseGroup(t, s.Pop().Item())
+		require.Empty(t, group.KV)
+	})
+
+	t.Run("delete group", func(t *testing.T) {
+		anonInvoker.InvokeFail(t, notWitnessedError, deleteGroupMethod, nsName, groupID)
+		invoker.Invoke(t, stackitem.Null{}, deleteGroupMethod, nsName, groupID)
+
+		anonInvoker.InvokeFail(t, "group not found", getGroupMethod, nsName, groupID)
+
+		s, err = anonInvoker.TestInvoke(t, listGroupsMethod, nsName)
+		require.NoError(t, err)
+		groups := parseGroups(t, readIteratorAll(s))
+		require.Empty(t, groups)
+	})
+}
+
+func checkPublicKeyResult(t *testing.T, s *vm.Stack, err error, key *keys.PrivateKey) {
+	if key == nil {
+		require.ErrorContains(t, err, "not found")
+		return
+	}
+
+	require.NoError(t, err)
+	foundKey, err := unwrap.PublicKey(makeValidRes(s.Pop().Item()), nil)
+	require.NoError(t, err)
+	require.Equal(t, key.PublicKey(), foundKey)
+}
+
+func checkGroupIDResult(t *testing.T, s *vm.Stack, err error, groupID int64) {
+	if groupID == -1 {
+		require.ErrorContains(t, err, "not found")
+		return
+	}
+
+	require.NoError(t, err)
+	foundGroupID, err := unwrap.Int64(makeValidRes(s.Pop().Item()), nil)
+	require.NoError(t, err)
+	require.Equal(t, groupID, foundGroupID)
+}
+
+func readIteratorAll(s *vm.Stack) []stackitem.Item {
+	iter := s.Pop().Value().(*storage.Iterator)
+
+	stackItems := make([]stackitem.Item, 0)
+	for iter.Next() {
+		stackItems = append(stackItems, iter.Value())
+	}
+
+	return stackItems
+}
+
+type Subject struct {
+	PrimaryKey     keys.PublicKey
+	AdditionalKeys keys.PublicKeys
+	Namespace      string
+	Name           string
+	KV             map[string]string
+}
+
+func parseSubject(t *testing.T, s *vm.Stack) Subject {
+	var subj Subject
+
+	subjStruct := s.Pop().Array()
+	require.Len(t, subjStruct, 5)
+
+	pkBytes, err := subjStruct[0].TryBytes()
+	require.NoError(t, err)
+	err = subj.PrimaryKey.DecodeBytes(pkBytes)
+	require.NoError(t, err)
+
+	if !subjStruct[1].Equals(stackitem.Null{}) {
+		subj.AdditionalKeys, err = unwrap.ArrayOfPublicKeys(makeValidRes(subjStruct[1]), nil)
+		require.NoError(t, err)
+	}
+
+	nsBytes, err := subjStruct[2].TryBytes()
+	require.NoError(t, err)
+	subj.Namespace = string(nsBytes)
+
+	nameBytes, err := subjStruct[3].TryBytes()
+	require.NoError(t, err)
+	subj.Name = string(nameBytes)
+
+	subj.KV, err = parseMap(subjStruct[4])
+	require.NoError(t, err)
+
+	return subj
+}
+
+func parseMap(item stackitem.Item) (map[string]string, error) {
+	if item.Equals(stackitem.Null{}) {
+		return nil, nil
+	}
+
+	metaMap, err := unwrap.Map(makeValidRes(item), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	meta, ok := metaMap.Value().([]stackitem.MapElement)
+	if !ok {
+		return nil, errors.New("invalid map type")
+	}
+
+	res := make(map[string]string, len(meta))
+	for _, element := range meta {
+		key, err := element.Key.TryBytes()
+		if err != nil {
+			return nil, err
+		}
+		val, err := element.Value.TryBytes()
+		if err != nil {
+			return nil, err
+		}
+		res[string(key)] = string(val)
+	}
+
+	return res, nil
+}
+
+type Namespace struct {
+	Name string
+}
+
+type NamespaceExtended struct {
+	Name          string
+	SubjectsCount int64
+	GroupsCount   int64
+}
+
+func parseNamespace(t *testing.T, item stackitem.Item) Namespace {
+	var ns Namespace
+
+	subjStruct := item.Value().([]stackitem.Item)
+	require.Len(t, subjStruct, 1)
+
+	nameBytes, err := subjStruct[0].TryBytes()
+	require.NoError(t, err)
+	ns.Name = string(nameBytes)
+
+	return ns
+}
+
+func parseNamespaceExtended(t *testing.T, item stackitem.Item) NamespaceExtended {
+	var ns NamespaceExtended
+
+	subjStruct := item.Value().([]stackitem.Item)
+	require.Len(t, subjStruct, 3)
+
+	nameBytes, err := subjStruct[0].TryBytes()
+	require.NoError(t, err)
+	ns.Name = string(nameBytes)
+
+	groupCountInt, err := subjStruct[1].TryInteger()
+	require.NoError(t, err)
+	ns.GroupsCount = groupCountInt.Int64()
+
+	subjectsCountInt, err := subjStruct[2].TryInteger()
+	require.NoError(t, err)
+	ns.SubjectsCount = subjectsCountInt.Int64()
+
+	return ns
+}
+
+func parseNamespaces(t *testing.T, items []stackitem.Item) []Namespace {
+	res := make([]Namespace, len(items))
+
+	for i := 0; i < len(items); i++ {
+		res[i] = parseNamespace(t, items[i])
+	}
+
+	return res
+}
+
+type Group struct {
+	ID        int64
+	Name      string
+	Namespace string
+	KV        map[string]string
+}
+
+type GroupExtended struct {
+	ID            int64
+	Name          string
+	Namespace     string
+	KV            map[string]string
+	SubjectsCount int64
+}
+
+func parseGroup(t *testing.T, item stackitem.Item) Group {
+	var group Group
+
+	subjStruct := item.Value().([]stackitem.Item)
+	require.Len(t, subjStruct, 4)
+
+	groupID, err := subjStruct[0].TryInteger()
+	require.NoError(t, err)
+	group.ID = groupID.Int64()
+
+	nameBytes, err := subjStruct[1].TryBytes()
+	require.NoError(t, err)
+	group.Name = string(nameBytes)
+
+	namespaceBytes, err := subjStruct[2].TryBytes()
+	require.NoError(t, err)
+	group.Namespace = string(namespaceBytes)
+
+	group.KV, err = parseMap(subjStruct[3])
+	require.NoError(t, err)
+
+	return group
+}
+
+func parseGroupExtended(t *testing.T, item stackitem.Item) GroupExtended {
+	var gr GroupExtended
+
+	subjStruct := item.Value().([]stackitem.Item)
+	require.Len(t, subjStruct, 5)
+
+	groupID, err := subjStruct[0].TryInteger()
+	require.NoError(t, err)
+	gr.ID = groupID.Int64()
+
+	nameBytes, err := subjStruct[1].TryBytes()
+	require.NoError(t, err)
+	gr.Name = string(nameBytes)
+
+	namespaceBytes, err := subjStruct[2].TryBytes()
+	require.NoError(t, err)
+	gr.Namespace = string(namespaceBytes)
+
+	gr.KV, err = parseMap(subjStruct[3])
+	require.NoError(t, err)
+
+	subjectsCountInt, err := subjStruct[4].TryInteger()
+	require.NoError(t, err)
+	gr.SubjectsCount = subjectsCountInt.Int64()
+
+	return gr
+}
+
+func parseGroups(t *testing.T, items []stackitem.Item) []Group {
+	res := make([]Group, len(items))
+
+	for i := 0; i < len(items); i++ {
+		res[i] = parseGroup(t, items[i])
+	}
+
+	return res
+}
+
+func makeValidRes(item stackitem.Item) *result.Invoke {
+	return &result.Invoke{
+		Stack: []stackitem.Item{item},
+		State: vmstate.Halt.String(),
+	}
+}

tests/util.go

@@ -1,14 +1,76 @@
 package tests
 
 import (
+	"context"
+	"net/http"
+	"os"
 	"testing"
+	"time"
 
+	"github.com/nspcc-dev/neo-go/pkg/config"
+	"github.com/nspcc-dev/neo-go/pkg/consensus"
+	"github.com/nspcc-dev/neo-go/pkg/core"
 	"github.com/nspcc-dev/neo-go/pkg/core/interop/storage"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	corestate "github.com/nspcc-dev/neo-go/pkg/core/stateroot"
+	"github.com/nspcc-dev/neo-go/pkg/core/storage/dbconfig"
 	"github.com/nspcc-dev/neo-go/pkg/neotest"
 	"github.com/nspcc-dev/neo-go/pkg/neotest/chain"
+	"github.com/nspcc-dev/neo-go/pkg/network"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/services/rpcsrv"
+	"github.com/nspcc-dev/neo-go/pkg/services/stateroot"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
 )
 
+type awaiter struct {
+	ctx context.Context
+	t   *testing.T
+	rpc *rpcclient.Client
+}
+
+func (a awaiter) await(tx util.Uint256, vub uint32, err error) *state.AppExecResult {
+	require.NoError(a.t, err)
+	return await(a.ctx, a.t, a.rpc, tx, vub)
+}
+
+const nodeWallet = `
+{
+  "version": "3.0",
+  "accounts": [
+    {
+      "address": "Nhfg3TbpwogLvDGVvAvqyThbsHgoSUKwtn",
+      "key": "6PYM8VdX2BSm7BSXKzV4Fz6S3R9cDLLWNrD9nMjxW352jEv3fsC8N3wNLY",
+      "label": "",
+      "contract": {
+        "script": "DCECs2Ir9AF73+MXxYrtX0x1PyBrfbiWBG+n13S7xL9/jcJBVuezJw==",
+        "parameters": [
+          {
+            "name": "parameter0",
+            "type": "Signature"
+          }
+        ],
+        "deployed": false
+      },
+      "lock": false,
+      "isdefault": false
+    }
+  ],
+  "scrypt": {
+    "n": 16384,
+    "r": 8,
+    "p": 8
+  },
+  "extra": {
+    "Tokens": null
+  }
+}
+`
+
 func iteratorToArray(iter *storage.Iterator) []stackitem.Item {
 	stackItems := make([]stackitem.Item, 0)
 	for iter.Next() {
@@ -21,3 +83,146 @@ func newExecutor(t *testing.T) *neotest.Executor {
 	bc, acc := chain.NewSingle(t)
 	return neotest.NewExecutor(t, bc, acc, acc)
 }
+
+func initTmpWallet(t *testing.T) string {
+	f, err := os.CreateTemp("", "tmp-neo-go-wallet")
+	require.NoError(t, err)
+
+	_, err = f.WriteString(nodeWallet)
+	require.NoError(t, err)
+
+	err = f.Close()
+	require.NoError(t, err)
+	return f.Name()
+}
+
+func await(ctx context.Context, t *testing.T, rpc *rpcclient.Client, tx util.Uint256, vub uint32) *state.AppExecResult {
+	waitCtx, waitCancel := context.WithTimeout(ctx, 5*time.Second)
+	defer waitCancel()
+
+	for {
+		select {
+		case <-waitCtx.Done():
+			require.NoError(t, waitCtx.Err())
+			return nil
+		default:
+			bc, err := rpc.GetBlockCount()
+			require.NoError(t, err)
+
+			tr := trigger.Application
+			if log, err := rpc.GetApplicationLog(tx, &tr); err == nil {
+				return &state.AppExecResult{
+					Container: log.Container,
+					Execution: log.Executions[0],
+				}
+			}
+
+			require.LessOrEqual(t, bc, vub, "vub is expired")
+			time.Sleep(100 * time.Millisecond)
+		}
+	}
+}
+
+func neogoCfg() config.Config {
+	return config.Config{
+		ProtocolConfiguration: config.ProtocolConfiguration{},
+		ApplicationConfiguration: config.ApplicationConfiguration{
+			RPC: config.RPC{
+				BasicService: config.BasicService{
+					Enabled: true,
+					// See how tests are done in the neo-go itself:
+					// https://github.com/nspcc-dev/neo-go/blob/5fc61be5f6c5349d8de8b61967380feee6b51c55/config/protocol.unit_testnet.single.yml#L61
+					Addresses: []string{"localhost:0"},
+				},
+				MaxGasInvoke:           200_000_000,
+				SessionEnabled:         true,
+				MaxIteratorResultItems: 100,
+				SessionPoolSize:        20,
+				SessionExpirationTime:  15,
+			},
+			DBConfiguration: dbconfig.DBConfiguration{
+				Type: dbconfig.InMemoryDB,
+			},
+		},
+	}
+}
+
+func consensusCfg(chain *core.Blockchain, walletAddress string, srv *network.Server) consensus.Config {
+	return consensus.Config{
+		Logger:                zap.NewExample(),
+		Broadcast:             srv.BroadcastExtensible,
+		BlockQueue:            srv.GetBlockQueue(),
+		Chain:                 chain,
+		ProtocolConfiguration: chain.GetConfig().ProtocolConfiguration,
+		RequestTx:             srv.RequestTx,
+		StopTxFlow:            srv.StopTxFlow,
+		Wallet: config.Wallet{
+			Path:     walletAddress,
+			Password: "one",
+		},
+		TimePerBlock: 100 * time.Millisecond,
+	}
+}
+
+func runRPC(ctx context.Context, t *testing.T, chain *core.Blockchain, walletPath string) string {
+	log := zap.NewExample()
+	cfg := neogoCfg()
+
+	srvCfg, err := network.NewServerConfig(cfg)
+	require.NoError(t, err)
+	srv, err := network.NewServer(srvCfg, chain, chain.GetStateSyncModule(), log)
+	require.NoError(t, err)
+
+	t.Cleanup(srv.Shutdown)
+
+	errCh := make(chan error)
+	go func() {
+		for err := range errCh {
+			require.NoError(t, err)
+			return
+		}
+	}()
+
+	srMod := chain.GetStateModule().(*corestate.Module)
+	sr, err := stateroot.New(srvCfg.StateRootCfg, srMod, log, chain, srv.BroadcastExtensible)
+	require.NoError(t, err)
+	srv.AddExtensibleService(sr, stateroot.Category, sr.OnPayload)
+
+	consens, err := consensus.NewService(consensusCfg(chain, walletPath, srv))
+	require.NoError(t, err)
+	srv.AddConsensusService(consens, consens.OnPayload, consens.OnTransaction)
+
+	rpcSrv := rpcsrv.New(chain, cfg.ApplicationConfiguration.RPC, srv, nil, log, errCh)
+	srv.AddService(&rpcSrv)
+
+	initialAddr := rpcSrv.Addresses()[0]
+
+	go srv.Start()
+
+	// wait until RPC server is started
+	startTimeout, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	ticker := time.NewTicker(time.Millisecond * 100)
+	defer ticker.Stop()
+
+	var actualAddr string
+	for {
+		select {
+		case <-startTimeout.Done():
+			t.Fatalf("Waiting for server start: %v", startTimeout.Err())
+		case <-ticker.C:
+			if actualAddr == "" {
+				newAddr := rpcSrv.Addresses()[0]
+				if initialAddr == newAddr {
+					continue
+				}
+				actualAddr = newAddr
+				t.Logf("RPC server is listening at %s, checking health", actualAddr)
+			}
+			if _, err = http.Get("http://" + actualAddr); err == nil {
+				return actualAddr
+			}
+		}
+	}
+}