Move to frostfs-node

Signed-off-by: Pavel Karpy <p.karpy@yadro.com>
2022-12-23 20:35:35 +03:00 · 2022-12-23 20:35:35 +03:00 · 923f84722a
commit 923f84722a
parent 42554a9298
934 changed files with 3470 additions and 3451 deletions
--- a/cmd/frostfs-cli/modules/util/acl.go
+++ b/cmd/frostfs-cli/modules/util/acl.go
@ -0,0 +1,330 @@
+package util
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/TrueCloudLab/frostfs-sdk-go/container/acl"
+	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"github.com/flynn-archive/go-shlex"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/olekukonko/tablewriter"
+	"github.com/spf13/cobra"
+)
+
+// PrettyPrintTableBACL print basic ACL in table format.
+func PrettyPrintTableBACL(cmd *cobra.Command, bacl *acl.Basic) {
+	// Header
+	w := tabwriter.NewWriter(cmd.OutOrStdout(), 1, 4, 4, ' ', 0)
+	fmt.Fprintln(w, "\tRangeHASH\tRange\tSearch\tDelete\tPut\tHead\tGet")
+	// Bits
+	bits := []string{
+		boolToString(bacl.Sticky()) + " " + boolToString(bacl.Extendable()),
+		getRoleBitsForOperation(bacl, acl.OpObjectHash), getRoleBitsForOperation(bacl, acl.OpObjectRange),
+		getRoleBitsForOperation(bacl, acl.OpObjectSearch), getRoleBitsForOperation(bacl, acl.OpObjectDelete),
+		getRoleBitsForOperation(bacl, acl.OpObjectPut), getRoleBitsForOperation(bacl, acl.OpObjectHead),
+		getRoleBitsForOperation(bacl, acl.OpObjectGet),
+	}
+	fmt.Fprintln(w, strings.Join(bits, "\t"))
+	// Footer
+	footer := []string{"X F"}
+	for i := 0; i < 7; i++ {
+		footer = append(footer, "U S O B")
+	}
+	fmt.Fprintln(w, strings.Join(footer, "\t"))
+
+	w.Flush()
+
+	cmd.Println("  X-Sticky F-Final U-User S-System O-Others B-Bearer")
+}
+
+func getRoleBitsForOperation(bacl *acl.Basic, op acl.Op) string {
+	return boolToString(bacl.IsOpAllowed(op, acl.RoleOwner)) + " " +
+		boolToString(bacl.IsOpAllowed(op, acl.RoleContainer)) + " " +
+		boolToString(bacl.IsOpAllowed(op, acl.RoleOthers)) + " " +
+		boolToString(bacl.IsOpAllowed(op, acl.RoleInnerRing))
+}
+
+func boolToString(b bool) string {
+	if b {
+		return "1"
+	}
+	return "0"
+}
+
+// PrettyPrintTableEACL print extended ACL in table format.
+func PrettyPrintTableEACL(cmd *cobra.Command, table *eacl.Table) {
+	out := tablewriter.NewWriter(cmd.OutOrStdout())
+	out.SetHeader([]string{"Operation", "Action", "Filters", "Targets"})
+	out.SetAlignment(tablewriter.ALIGN_CENTER)
+	out.SetRowLine(true)
+
+	out.SetAutoWrapText(false)
+
+	for _, r := range table.Records() {
+		out.Append([]string{
+			r.Operation().String(),
+			r.Action().String(),
+			eaclFiltersToString(r.Filters()),
+			eaclTargetsToString(r.Targets()),
+		})
+	}
+
+	out.Render()
+}
+
+func eaclTargetsToString(ts []eacl.Target) string {
+	b := bytes.NewBuffer(nil)
+	for _, t := range ts {
+		keysExists := len(t.BinaryKeys()) > 0
+		switch t.Role() {
+		case eacl.RoleUser:
+			b.WriteString("User")
+			if keysExists {
+				b.WriteString(":    ")
+			}
+		case eacl.RoleSystem:
+			b.WriteString("System")
+			if keysExists {
+				b.WriteString(":  ")
+			}
+		case eacl.RoleOthers:
+			b.WriteString("Others")
+			if keysExists {
+				b.WriteString(":  ")
+			}
+		default:
+			b.WriteString("Unknown")
+			if keysExists {
+				b.WriteString(": ")
+			}
+		}
+
+		for i, pub := range t.BinaryKeys() {
+			if i != 0 {
+				b.WriteString("         ")
+			}
+			b.WriteString(hex.EncodeToString(pub))
+			b.WriteString("\n")
+		}
+	}
+
+	return b.String()
+}
+
+func eaclFiltersToString(fs []eacl.Filter) string {
+	b := bytes.NewBuffer(nil)
+	tw := tabwriter.NewWriter(b, 0, 0, 1, ' ', 0)
+
+	for _, f := range fs {
+		switch f.From() {
+		case eacl.HeaderFromObject:
+			_, _ = tw.Write([]byte("O:\t"))
+		case eacl.HeaderFromRequest:
+			_, _ = tw.Write([]byte("R:\t"))
+		case eacl.HeaderFromService:
+			_, _ = tw.Write([]byte("S:\t"))
+		default:
+			_, _ = tw.Write([]byte("  \t"))
+		}
+
+		_, _ = tw.Write([]byte(f.Key()))
+
+		switch f.Matcher() {
+		case eacl.MatchStringEqual:
+			_, _ = tw.Write([]byte("\t==\t"))
+		case eacl.MatchStringNotEqual:
+			_, _ = tw.Write([]byte("\t!=\t"))
+		case eacl.MatchUnknown:
+		}
+
+		_, _ = tw.Write([]byte(f.Value() + "\t"))
+		_, _ = tw.Write([]byte("\n"))
+	}
+
+	_ = tw.Flush()
+
+	// To have nice output with tabwriter, we must append newline
+	// after the last line. Here we strip it to delete empty line
+	// in the final output.
+	s := b.String()
+	if len(s) > 0 {
+		s = s[:len(s)-1]
+	}
+
+	return s
+}
+
+// ParseEACLRules parses eACL table.
+// Uses ParseEACLRule.
+//
+//nolint:godot
+func ParseEACLRules(table *eacl.Table, rules []string) error {
+	if len(rules) == 0 {
+		return errors.New("no extended ACL rules has been provided")
+	}
+
+	for _, ruleStr := range rules {
+		err := ParseEACLRule(table, ruleStr)
+		if err != nil {
+			return fmt.Errorf("can't create extended acl record from rule '%s': %v", ruleStr, err)
+		}
+	}
+	return nil
+}
+
+// ParseEACLRule parses eACL table from the following form:
+// <action> <operation> [<filter1> ...] [<target1> ...]
+//
+// Examples:
+// allow get req:X-Header=123 obj:Attr=value others:0xkey1,key2 system:key3 user:key4
+//
+//nolint:godot
+func ParseEACLRule(table *eacl.Table, rule string) error {
+	r, err := shlex.Split(rule)
+	if err != nil {
+		return fmt.Errorf("can't parse rule '%s': %v", rule, err)
+	}
+	return parseEACLTable(table, r)
+}
+
+func parseEACLTable(tb *eacl.Table, args []string) error {
+	if len(args) < 2 {
+		return errors.New("at least 2 arguments must be provided")
+	}
+
+	var action eacl.Action
+	if !action.FromString(strings.ToUpper(args[0])) {
+		return errors.New("invalid action (expected 'allow' or 'deny')")
+	}
+
+	ops, err := eaclOperationsFromString(args[1])
+	if err != nil {
+		return err
+	}
+
+	r, err := parseEACLRecord(args[2:])
+	if err != nil {
+		return err
+	}
+
+	r.SetAction(action)
+
+	for _, op := range ops {
+		r := *r
+		r.SetOperation(op)
+		tb.AddRecord(&r)
+	}
+
+	return nil
+}
+
+func parseEACLRecord(args []string) (*eacl.Record, error) {
+	r := new(eacl.Record)
+	for i := range args {
+		ss := strings.SplitN(args[i], ":", 2)
+
+		switch prefix := strings.ToLower(ss[0]); prefix {
+		case "req", "obj": // filters
+			if len(ss) != 2 {
+				return nil, fmt.Errorf("invalid filter or target: %s", args[i])
+			}
+
+			i := strings.Index(ss[1], "=")
+			if i < 0 {
+				return nil, fmt.Errorf("invalid filter key-value pair: %s", ss[1])
+			}
+
+			var key, value string
+			var op eacl.Match
+
+			if 0 < i && ss[1][i-1] == '!' {
+				key = ss[1][:i-1]
+				op = eacl.MatchStringNotEqual
+			} else {
+				key = ss[1][:i]
+				op = eacl.MatchStringEqual
+			}
+
+			value = ss[1][i+1:]
+
+			typ := eacl.HeaderFromRequest
+			if ss[0] == "obj" {
+				typ = eacl.HeaderFromObject
+			}
+
+			r.AddFilter(typ, op, key, value)
+		case "others", "system", "user", "pubkey": // targets
+			var err error
+
+			var pubs []ecdsa.PublicKey
+			if len(ss) == 2 {
+				pubs, err = parseKeyList(ss[1])
+				if err != nil {
+					return nil, err
+				}
+			}
+
+			var role eacl.Role
+			if prefix != "pubkey" {
+				role, err = eaclRoleFromString(prefix)
+				if err != nil {
+					return nil, err
+				}
+			}
+
+			eacl.AddFormedTarget(r, role, pubs...)
+
+		default:
+			return nil, fmt.Errorf("invalid prefix: %s", ss[0])
+		}
+	}
+
+	return r, nil
+}
+
+// eaclRoleFromString parses eacl.Role from string.
+func eaclRoleFromString(s string) (eacl.Role, error) {
+	var r eacl.Role
+	if !r.FromString(strings.ToUpper(s)) {
+		return r, fmt.Errorf("unexpected role %s", s)
+	}
+
+	return r, nil
+}
+
+// parseKeyList parses list of hex-encoded public keys separated by comma.
+func parseKeyList(s string) ([]ecdsa.PublicKey, error) {
+	ss := strings.Split(s, ",")
+	pubs := make([]ecdsa.PublicKey, len(ss))
+	for i := range ss {
+		st := strings.TrimPrefix(ss[i], "0x")
+		pub, err := keys.NewPublicKeyFromString(st)
+		if err != nil {
+			return nil, fmt.Errorf("invalid public key '%s': %w", ss[i], err)
+		}
+
+		pubs[i] = ecdsa.PublicKey(*pub)
+	}
+
+	return pubs, nil
+}
+
+// eaclOperationsFromString parses list of eacl.Operation separated by comma.
+func eaclOperationsFromString(s string) ([]eacl.Operation, error) {
+	ss := strings.Split(s, ",")
+	ops := make([]eacl.Operation, len(ss))
+
+	for i := range ss {
+		if !ops[i].FromString(strings.ToUpper(ss[i])) {
+			return nil, fmt.Errorf("invalid operation: %s", ss[i])
+		}
+	}
+
+	return ops, nil
+}
--- a/cmd/frostfs-cli/modules/util/convert.go
+++ b/cmd/frostfs-cli/modules/util/convert.go
@ -0,0 +1,14 @@
+package util
+
+import "github.com/spf13/cobra"
+
+var convertCmd = &cobra.Command{
+	Use:   "convert",
+	Short: "Convert representation of NeoFS structures",
+}
+
+func initConvertCmd() {
+	convertCmd.AddCommand(convertEACLCmd)
+
+	initConvertEACLCmd()
+}
--- a/cmd/frostfs-cli/modules/util/convert_eacl.go
+++ b/cmd/frostfs-cli/modules/util/convert_eacl.go
@ -0,0 +1,65 @@
+package util
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/spf13/cobra"
+)
+
+var convertEACLCmd = &cobra.Command{
+	Use:   "eacl",
+	Short: "Convert representation of extended ACL table",
+	Run:   convertEACLTable,
+}
+
+func initConvertEACLCmd() {
+	flags := convertEACLCmd.Flags()
+
+	flags.String("from", "", "File with JSON or binary encoded extended ACL table")
+	_ = convertEACLCmd.MarkFlagFilename("from")
+	_ = convertEACLCmd.MarkFlagRequired("from")
+
+	flags.String("to", "", "File to dump extended ACL table (default: binary encoded)")
+	flags.Bool(commonflags.JSON, false, "Dump extended ACL table in JSON encoding")
+}
+
+func convertEACLTable(cmd *cobra.Command, _ []string) {
+	pathFrom := cmd.Flag("from").Value.String()
+	to := cmd.Flag("to").Value.String()
+	jsonFlag, _ := cmd.Flags().GetBool(commonflags.JSON)
+
+	table := common.ReadEACL(cmd, pathFrom)
+
+	var data []byte
+	var err error
+	if jsonFlag || len(to) == 0 {
+		data, err = table.MarshalJSON()
+		common.ExitOnErr(cmd, "can't JSON encode extended ACL table: %w", err)
+	} else {
+		data, err = table.Marshal()
+		common.ExitOnErr(cmd, "can't binary encode extended ACL table: %w", err)
+	}
+
+	if len(to) == 0 {
+		prettyPrintJSON(cmd, data)
+		return
+	}
+
+	err = os.WriteFile(to, data, 0644)
+	common.ExitOnErr(cmd, "can't write exteded ACL table to file: %w", err)
+
+	cmd.Printf("extended ACL table was successfully dumped to %s\n", to)
+}
+
+func prettyPrintJSON(cmd *cobra.Command, data []byte) {
+	buf := new(bytes.Buffer)
+	if err := json.Indent(buf, data, "", "  "); err != nil {
+		common.PrintVerbose("Can't pretty print json: %w", err)
+	}
+
+	cmd.Println(buf)
+}
--- a/cmd/frostfs-cli/modules/util/keyer.go
+++ b/cmd/frostfs-cli/modules/util/keyer.go
@ -0,0 +1,99 @@
+package util
+
+import (
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/pkg/util/keyer"
+	"github.com/spf13/cobra"
+)
+
+var keyerCmd = &cobra.Command{
+	Use:   "keyer",
+	Short: "Generate or print information about keys",
+	Run:   processKeyer,
+}
+
+var errKeyerSingleArgument = errors.New("pass only one argument at a time")
+
+func initKeyerCmd() {
+	keyerCmd.Flags().BoolP("generate", "g", false, "Generate new private key")
+	keyerCmd.Flags().Bool("hex", false, "Print all values in hex encoding")
+	keyerCmd.Flags().BoolP("uncompressed", "u", false, "Use uncompressed public key format")
+	keyerCmd.Flags().BoolP("multisig", "m", false, "Calculate multisig address from public keys")
+}
+
+func processKeyer(cmd *cobra.Command, args []string) {
+	var (
+		err error
+
+		result          = new(keyer.Dashboard)
+		generate, _     = cmd.Flags().GetBool("generate")
+		useHex, _       = cmd.Flags().GetBool("hex")
+		uncompressed, _ = cmd.Flags().GetBool("uncompressed")
+		multisig, _     = cmd.Flags().GetBool("multisig")
+	)
+
+	if multisig {
+		err = result.ParseMultiSig(args)
+	} else {
+		if len(args) > 1 {
+			common.ExitOnErr(cmd, "", errKeyerSingleArgument)
+		}
+
+		var argument string
+		if len(args) > 0 {
+			argument = args[0]
+		}
+
+		switch {
+		case generate:
+			err = keyerGenerate(argument, result)
+		case fileExists(argument):
+			err = keyerParseFile(argument, result)
+		default:
+			err = result.ParseString(argument)
+		}
+	}
+
+	common.ExitOnErr(cmd, "", err)
+
+	result.PrettyPrint(uncompressed, useHex)
+}
+
+func keyerGenerate(filename string, d *keyer.Dashboard) error {
+	key := make([]byte, keyer.NeoPrivateKeySize)
+
+	_, err := rand.Read(key)
+	if err != nil {
+		return fmt.Errorf("can't get random source: %w", err)
+	}
+
+	err = d.ParseBinary(key)
+	if err != nil {
+		return fmt.Errorf("can't parse key: %w", err)
+	}
+
+	if filename != "" {
+		return os.WriteFile(filename, key, 0600)
+	}
+
+	return nil
+}
+
+func fileExists(filename string) bool {
+	info, err := os.Stat(filename)
+	return !os.IsNotExist(err) && !info.IsDir()
+}
+
+func keyerParseFile(filename string, d *keyer.Dashboard) error {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("can't open %v file: %w", filename, err)
+	}
+
+	return d.ParseBinary(data)
+}
--- a/cmd/frostfs-cli/modules/util/locode.go
+++ b/cmd/frostfs-cli/modules/util/locode.go
@ -0,0 +1,18 @@
+package util
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// locode section.
+var locodeCmd = &cobra.Command{
+	Use:   "locode",
+	Short: "Working with NeoFS UN/LOCODE database",
+}
+
+func initLocodeCmd() {
+	locodeCmd.AddCommand(locodeGenerateCmd, locodeInfoCmd)
+
+	initUtilLocodeInfoCmd()
+	initUtilLocodeGenerateCmd()
+}
--- a/cmd/frostfs-cli/modules/util/locode_generate.go
+++ b/cmd/frostfs-cli/modules/util/locode_generate.go
@ -0,0 +1,96 @@
+package util
+
+import (
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	locodedb "github.com/TrueCloudLab/frostfs-node/pkg/util/locode/db"
+	airportsdb "github.com/TrueCloudLab/frostfs-node/pkg/util/locode/db/airports"
+	locodebolt "github.com/TrueCloudLab/frostfs-node/pkg/util/locode/db/boltdb"
+	continentsdb "github.com/TrueCloudLab/frostfs-node/pkg/util/locode/db/continents/geojson"
+	csvlocode "github.com/TrueCloudLab/frostfs-node/pkg/util/locode/table/csv"
+	"github.com/spf13/cobra"
+)
+
+type namesDB struct {
+	*airportsdb.DB
+	*csvlocode.Table
+}
+
+const (
+	locodeGenerateInputFlag      = "in"
+	locodeGenerateSubDivFlag     = "subdiv"
+	locodeGenerateAirportsFlag   = "airports"
+	locodeGenerateCountriesFlag  = "countries"
+	locodeGenerateContinentsFlag = "continents"
+	locodeGenerateOutputFlag     = "out"
+)
+
+var (
+	locodeGenerateInPaths        []string
+	locodeGenerateSubDivPath     string
+	locodeGenerateAirportsPath   string
+	locodeGenerateCountriesPath  string
+	locodeGenerateContinentsPath string
+	locodeGenerateOutPath        string
+
+	locodeGenerateCmd = &cobra.Command{
+		Use:   "generate",
+		Short: "Generate UN/LOCODE database for NeoFS",
+		Run: func(cmd *cobra.Command, _ []string) {
+			locodeDB := csvlocode.New(
+				csvlocode.Prm{
+					Path:       locodeGenerateInPaths[0],
+					SubDivPath: locodeGenerateSubDivPath,
+				},
+				csvlocode.WithExtraPaths(locodeGenerateInPaths[1:]...),
+			)
+
+			airportDB := airportsdb.New(airportsdb.Prm{
+				AirportsPath:  locodeGenerateAirportsPath,
+				CountriesPath: locodeGenerateCountriesPath,
+			})
+
+			continentsDB := continentsdb.New(continentsdb.Prm{
+				Path: locodeGenerateContinentsPath,
+			})
+
+			targetDB := locodebolt.New(locodebolt.Prm{
+				Path: locodeGenerateOutPath,
+			})
+
+			err := targetDB.Open()
+			common.ExitOnErr(cmd, "", err)
+
+			defer targetDB.Close()
+
+			names := &namesDB{
+				DB:    airportDB,
+				Table: locodeDB,
+			}
+
+			err = locodedb.FillDatabase(locodeDB, airportDB, continentsDB, names, targetDB)
+			common.ExitOnErr(cmd, "", err)
+		},
+	}
+)
+
+func initUtilLocodeGenerateCmd() {
+	flags := locodeGenerateCmd.Flags()
+
+	flags.StringSliceVar(&locodeGenerateInPaths, locodeGenerateInputFlag, nil, "List of paths to UN/LOCODE tables (csv)")
+	_ = locodeGenerateCmd.MarkFlagRequired(locodeGenerateInputFlag)
+
+	flags.StringVar(&locodeGenerateSubDivPath, locodeGenerateSubDivFlag, "", "Path to UN/LOCODE subdivision database (csv)")
+	_ = locodeGenerateCmd.MarkFlagRequired(locodeGenerateSubDivFlag)
+
+	flags.StringVar(&locodeGenerateAirportsPath, locodeGenerateAirportsFlag, "", "Path to OpenFlights airport database (csv)")
+	_ = locodeGenerateCmd.MarkFlagRequired(locodeGenerateAirportsFlag)
+
+	flags.StringVar(&locodeGenerateCountriesPath, locodeGenerateCountriesFlag, "", "Path to OpenFlights country database (csv)")
+	_ = locodeGenerateCmd.MarkFlagRequired(locodeGenerateCountriesFlag)
+
+	flags.StringVar(&locodeGenerateContinentsPath, locodeGenerateContinentsFlag, "", "Path to continent polygons (GeoJSON)")
+	_ = locodeGenerateCmd.MarkFlagRequired(locodeGenerateContinentsFlag)
+
+	flags.StringVar(&locodeGenerateOutPath, locodeGenerateOutputFlag, "", "Target path for generated database")
+	_ = locodeGenerateCmd.MarkFlagRequired(locodeGenerateOutputFlag)
+}
--- a/cmd/frostfs-cli/modules/util/locode_info.go
+++ b/cmd/frostfs-cli/modules/util/locode_info.go
@ -0,0 +1,56 @@
+package util
+
+import (
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	locodedb "github.com/TrueCloudLab/frostfs-node/pkg/util/locode/db"
+	locodebolt "github.com/TrueCloudLab/frostfs-node/pkg/util/locode/db/boltdb"
+	"github.com/spf13/cobra"
+)
+
+const (
+	locodeInfoDBFlag   = "db"
+	locodeInfoCodeFlag = "locode"
+)
+
+var (
+	locodeInfoDBPath string
+	locodeInfoCode   string
+
+	locodeInfoCmd = &cobra.Command{
+		Use:   "info",
+		Short: "Print information about UN/LOCODE from NeoFS database",
+		Run: func(cmd *cobra.Command, _ []string) {
+			targetDB := locodebolt.New(locodebolt.Prm{
+				Path: locodeInfoDBPath,
+			}, locodebolt.ReadOnly())
+
+			err := targetDB.Open()
+			common.ExitOnErr(cmd, "", err)
+
+			defer targetDB.Close()
+
+			record, err := locodedb.LocodeRecord(targetDB, locodeInfoCode)
+			common.ExitOnErr(cmd, "", err)
+
+			cmd.Printf("Country: %s\n", record.CountryName())
+			cmd.Printf("Location: %s\n", record.LocationName())
+			cmd.Printf("Continent: %s\n", record.Continent())
+			if subDivCode := record.SubDivCode(); subDivCode != "" {
+				cmd.Printf("Subdivision: [%s] %s\n", subDivCode, record.SubDivName())
+			}
+
+			geoPoint := record.GeoPoint()
+			cmd.Printf("Coordinates: %0.2f, %0.2f\n", geoPoint.Latitude(), geoPoint.Longitude())
+		},
+	}
+)
+
+func initUtilLocodeInfoCmd() {
+	flags := locodeInfoCmd.Flags()
+
+	flags.StringVar(&locodeInfoDBPath, locodeInfoDBFlag, "", "Path to NeoFS UN/LOCODE database")
+	_ = locodeInfoCmd.MarkFlagRequired(locodeInfoDBFlag)
+
+	flags.StringVar(&locodeInfoCode, locodeInfoCodeFlag, "", "UN/LOCODE")
+	_ = locodeInfoCmd.MarkFlagRequired(locodeInfoCodeFlag)
+}
--- a/cmd/frostfs-cli/modules/util/root.go
+++ b/cmd/frostfs-cli/modules/util/root.go
@ -0,0 +1,33 @@
+package util
+
+import (
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var Cmd = &cobra.Command{
+	Use:   "util",
+	Short: "Utility operations",
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		flags := cmd.Flags()
+
+		_ = viper.BindPFlag(commonflags.GenerateKey, flags.Lookup(commonflags.GenerateKey))
+		_ = viper.BindPFlag(commonflags.WalletPath, flags.Lookup(commonflags.WalletPath))
+		_ = viper.BindPFlag(commonflags.Account, flags.Lookup(commonflags.Account))
+	},
+}
+
+func init() {
+	Cmd.AddCommand(
+		signCmd,
+		convertCmd,
+		keyerCmd,
+		locodeCmd,
+	)
+
+	initSignCmd()
+	initConvertCmd()
+	initKeyerCmd()
+	initLocodeCmd()
+}
--- a/cmd/frostfs-cli/modules/util/sign.go
+++ b/cmd/frostfs-cli/modules/util/sign.go
@ -0,0 +1,22 @@
+package util
+
+import (
+	"github.com/spf13/cobra"
+)
+
+const (
+	signFromFlag = "from"
+	signToFlag   = "to"
+)
+
+var signCmd = &cobra.Command{
+	Use:   "sign",
+	Short: "Sign NeoFS structure",
+}
+
+func initSignCmd() {
+	signCmd.AddCommand(signBearerCmd, signSessionCmd)
+
+	initSignBearerCmd()
+	initSignSessionCmd()
+}
--- a/cmd/frostfs-cli/modules/util/sign_bearer.go
+++ b/cmd/frostfs-cli/modules/util/sign_bearer.go
@ -0,0 +1,63 @@
+package util
+
+import (
+	"os"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"github.com/spf13/cobra"
+)
+
+const (
+	signBearerJSONFlag = commonflags.JSON
+)
+
+var signBearerCmd = &cobra.Command{
+	Use:   "bearer-token",
+	Short: "Sign bearer token to use it in requests",
+	Run:   signBearerToken,
+}
+
+func initSignBearerCmd() {
+	commonflags.InitWithoutRPC(signBearerCmd)
+
+	flags := signBearerCmd.Flags()
+
+	flags.String(signFromFlag, "", "File with JSON or binary encoded bearer token to sign")
+	_ = signBearerCmd.MarkFlagFilename(signFromFlag)
+	_ = signBearerCmd.MarkFlagRequired(signFromFlag)
+
+	flags.String(signToFlag, "", "File to dump signed bearer token (default: binary encoded)")
+	flags.Bool(signBearerJSONFlag, false, "Dump bearer token in JSON encoding")
+}
+
+func signBearerToken(cmd *cobra.Command, _ []string) {
+	btok := common.ReadBearerToken(cmd, signFromFlag)
+	pk := key.GetOrGenerate(cmd)
+
+	err := btok.Sign(*pk)
+	common.ExitOnErr(cmd, "", err)
+
+	to := cmd.Flag(signToFlag).Value.String()
+	jsonFlag, _ := cmd.Flags().GetBool(signBearerJSONFlag)
+
+	var data []byte
+	if jsonFlag || len(to) == 0 {
+		data, err = btok.MarshalJSON()
+		common.ExitOnErr(cmd, "can't JSON encode bearer token: %w", err)
+	} else {
+		data = btok.Marshal()
+	}
+
+	if len(to) == 0 {
+		prettyPrintJSON(cmd, data)
+
+		return
+	}
+
+	err = os.WriteFile(to, data, 0644)
+	common.ExitOnErr(cmd, "can't write signed bearer token to file: %w", err)
+
+	cmd.Printf("signed bearer token was successfully dumped to %s\n", to)
+}
--- a/cmd/frostfs-cli/modules/util/sign_session.go
+++ b/cmd/frostfs-cli/modules/util/sign_session.go
@ -0,0 +1,84 @@
+package util
+
+import (
+	"crypto/ecdsa"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"github.com/TrueCloudLab/frostfs-sdk-go/session"
+	"github.com/spf13/cobra"
+)
+
+var signSessionCmd = &cobra.Command{
+	Use:   "session-token",
+	Short: "Sign session token to use it in requests",
+	Run:   signSessionToken,
+}
+
+func initSignSessionCmd() {
+	commonflags.InitWithoutRPC(signSessionCmd)
+
+	flags := signSessionCmd.Flags()
+
+	flags.String(signFromFlag, "", "File with JSON encoded session token to sign")
+	_ = signSessionCmd.MarkFlagFilename(signFromFlag)
+	_ = signSessionCmd.MarkFlagRequired(signFromFlag)
+
+	flags.String(signToFlag, "", "File to save signed session token (optional)")
+}
+
+func signSessionToken(cmd *cobra.Command, _ []string) {
+	fPath, err := cmd.Flags().GetString(signFromFlag)
+	common.ExitOnErr(cmd, "", err)
+
+	if fPath == "" {
+		common.ExitOnErr(cmd, "", errors.New("missing session token flag"))
+	}
+
+	type iTokenSession interface {
+		json.Marshaler
+		common.BinaryOrJSON
+		Sign(ecdsa.PrivateKey) error
+	}
+	var errLast error
+	var stok iTokenSession
+
+	for _, el := range [...]iTokenSession{
+		new(session.Object),
+		new(session.Container),
+	} {
+		errLast = common.ReadBinaryOrJSON(el, fPath)
+		if errLast == nil {
+			stok = el
+			break
+		}
+	}
+
+	common.ExitOnErr(cmd, "decode session: %v", errLast)
+
+	pk := key.GetOrGenerate(cmd)
+
+	err = stok.Sign(*pk)
+	common.ExitOnErr(cmd, "can't sign token: %w", err)
+
+	data, err := stok.MarshalJSON()
+	common.ExitOnErr(cmd, "can't encode session token: %w", err)
+
+	to := cmd.Flag(signToFlag).Value.String()
+	if len(to) == 0 {
+		prettyPrintJSON(cmd, data)
+		return
+	}
+
+	err = os.WriteFile(to, data, 0644)
+	if err != nil {
+		common.ExitOnErr(cmd, "", fmt.Errorf("can't write signed session token to %s: %w", to, err))
+	}
+
+	cmd.Printf("signed session token saved in %s\n", to)
+}