[#1400] owner: Upgrade SDK package

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

pkg/services/object/acl/acl.go

@@ -16,7 +16,7 @@ import (
 	bearerSDK "github.com/nspcc-dev/neofs-sdk-go/bearer"
 	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
 	addressSDK "github.com/nspcc-dev/neofs-sdk-go/object/address"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
 // CheckerPrm groups parameters for Checker
@@ -112,7 +112,7 @@ func (c *Checker) CheckBasicACL(info v2.RequestInfo) bool {
 }
 
 // StickyBitCheck validates owner field in the request if sticky bit is enabled.
-func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner *owner.ID) bool {
+func (c *Checker) StickyBitCheck(info v2.RequestInfo, owner *user.ID) bool {
 	// According to NeoFS specification sticky bit has no effect on system nodes
 	// for correct intra-container work with objects (in particular, replication).
 	if info.RequestRole() == eaclSDK.RoleSystem {
@@ -211,6 +211,11 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
 // entity. This method might be defined on whole ACL service because it will
 // require fetching current epoch to check lifetime.
 func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
+	ownerCnr := reqInfo.ContainerOwner()
+	if ownerCnr == nil {
+		return errors.New("missing container owner")
+	}
+
 	token := reqInfo.Bearer()
 
 	// 0. Check if bearer token is present in reqInfo.
@@ -234,7 +239,7 @@ func isValidBearer(reqInfo v2.RequestInfo, st netmap.State) error {
 		panic("unexpected false return from Issuer method on signed bearer token")
 	}
 
-	if !issuer.Equal(reqInfo.ContainerOwner()) {
+	if !issuer.Equals(*ownerCnr) {
 		// TODO: #767 in this case we can issue all owner keys from neofs.id and check once again
 		return errBearerNotSignedByOwner
 	}
@@ -260,12 +265,15 @@ func isValidLifetime(t *bearerSDK.Token, epoch uint64) bool {
 	return epoch >= t.NotBefore() && epoch <= t.Expiration()
 }
 
-func isOwnerFromKey(id *owner.ID, key *keys.PublicKey) bool {
+func isOwnerFromKey(id *user.ID, key *keys.PublicKey) bool {
 	if id == nil || key == nil {
 		return false
 	}
 
-	return id.Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key)))
+	var id2 user.ID
+	user.IDFromKey(&id2, (ecdsa.PublicKey)(*key))
+
+	return id.Equals(id2)
 }
 
 func unmarshalPublicKey(bs []byte) *keys.PublicKey {

pkg/services/object/acl/acl_test.go

@@ -7,8 +7,8 @@ import (
 	v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2"
 	cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
-	ownertest "github.com/nspcc-dev/neofs-sdk-go/owner/test"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
+	usertest "github.com/nspcc-dev/neofs-sdk-go/user/test"
 	"github.com/stretchr/testify/require"
 )
 
@@ -40,11 +40,11 @@ func TestStickyCheck(t *testing.T) {
 
 		setSticky(&info, true)
 
-		require.True(t, checker.StickyBitCheck(info, ownertest.ID()))
+		require.True(t, checker.StickyBitCheck(info, usertest.ID()))
 
 		setSticky(&info, false)
 
-		require.True(t, checker.StickyBitCheck(info, ownertest.ID()))
+		require.True(t, checker.StickyBitCheck(info, usertest.ID()))
 	})
 
 	t.Run("owner ID and/or public key emptiness", func(t *testing.T) {
@@ -65,10 +65,10 @@ func TestStickyCheck(t *testing.T) {
 				info.SetSenderKey(nil)
 			}
 
-			var ownerID *owner.ID
+			var ownerID *user.ID
 
 			if withOwner {
-				ownerID = ownertest.ID()
+				ownerID = usertest.ID()
 			}
 
 			require.Equal(t, expected, checker.StickyBitCheck(info, ownerID))

pkg/services/object/acl/eacl/v2/headers.go

@@ -13,7 +13,7 @@ import (
 	"github.com/nspcc-dev/neofs-sdk-go/object"
 	objectSDKAddress "github.com/nspcc-dev/neofs-sdk-go/object/address"
 	objectSDKID "github.com/nspcc-dev/neofs-sdk-go/object/id"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
 type Option func(*cfg)
@@ -216,7 +216,7 @@ func oidHeader(oid objectSDKID.ID) sysObjHdr {
 	}
 }
 
-func ownerIDHeader(ownerID *owner.ID) sysObjHdr {
+func ownerIDHeader(ownerID user.ID) sysObjHdr {
 	return sysObjHdr{
 		k: acl.FilterObjectOwnerID,
 		v: ownerID.String(),

pkg/services/object/acl/eacl/v2/object.go

@@ -38,8 +38,6 @@ func headersFromObject(obj *object.Object, addr *objectSDKAddress.Address) []eac
 
 		res = append(res,
 			cidHeader(cnr),
-			// owner ID
-			ownerIDHeader(obj.OwnerID()),
 			// creation epoch
 			sysObjHdr{
 				k: acl.FilterObjectCreationEpoch,
@@ -63,6 +61,10 @@ func headersFromObject(obj *object.Object, addr *objectSDKAddress.Address) []eac
 			},
 		)
 
+		if idOwner := obj.OwnerID(); idOwner != nil {
+			res = append(res, ownerIDHeader(*idOwner))
+		}
+
 		cs, ok := obj.PayloadChecksum()
 		if ok {
 			res = append(res, sysObjHdr{

pkg/services/object/acl/v2/classifier.go

@@ -35,6 +35,11 @@ func (c senderClassifier) classify(
 		return nil, errContainerIDNotSet
 	}
 
+	ownerCnr := cnr.OwnerID()
+	if ownerCnr == nil {
+		return nil, errors.New("missing container owner")
+	}
+
 	ownerID, ownerKey, err := req.RequestOwner()
 	if err != nil {
 		return nil, err
@@ -45,7 +50,7 @@ func (c senderClassifier) classify(
 	// TODO: #767 get owner from neofs.id if present
 
 	// if request owner is the same as container owner, return RoleUser
-	if ownerID.Equal(cnr.OwnerID()) {
+	if ownerID.Equals(*ownerCnr) {
 		return &classifyResult{
 			role: eaclSDK.RoleUser,
 			isIR: false,

pkg/services/object/acl/v2/request.go

@@ -10,8 +10,8 @@ import (
 	containerIDSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
 	oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
 	sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
 // RequestInfo groups parsed version-independent (from SDK library)
@@ -21,7 +21,7 @@ type RequestInfo struct {
 	requestRole eaclSDK.Role
 	isInnerRing bool
 	operation   eaclSDK.Operation // put, get, head, etc.
-	cnrOwner    *owner.ID         // container owner
+	cnrOwner    *user.ID          // container owner
 
 	idCnr *containerIDSDK.ID
 
@@ -52,7 +52,7 @@ func (r RequestInfo) Request() interface{} {
 }
 
 // ContainerOwner returns owner if the container.
-func (r RequestInfo) ContainerOwner() *owner.ID {
+func (r RequestInfo) ContainerOwner() *user.ID {
 	return r.cnrOwner
 }
 
@@ -112,7 +112,7 @@ type MetaWithToken struct {
 
 // RequestOwner returns ownerID and its public key
 // according to internal meta information.
-func (r MetaWithToken) RequestOwner() (*owner.ID, *keys.PublicKey, error) {
+func (r MetaWithToken) RequestOwner() (*user.ID, *keys.PublicKey, error) {
 	if r.vheader == nil {
 		return nil, nil, fmt.Errorf("%w: nil verification header", ErrMalformedRequest)
 	}
@@ -129,7 +129,13 @@ func (r MetaWithToken) RequestOwner() (*owner.ID, *keys.PublicKey, error) {
 		return nil, nil, fmt.Errorf("%w: nil at body signature", ErrMalformedRequest)
 	}
 
-	key := unmarshalPublicKey(bodySignature.GetKey())
+	key, err := unmarshalPublicKey(bodySignature.GetKey())
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid key in body signature: %w", err)
+	}
 
-	return owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key)), key, nil
+	var idSender user.ID
+	user.IDFromKey(&idSender, (ecdsa.PublicKey)(*key))
+
+	return &idSender, key, nil
 }

pkg/services/object/acl/v2/service.go

@@ -12,6 +12,7 @@ import (
 	cidSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
 	sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"go.uber.org/zap"
 )
 
@@ -366,9 +367,16 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
 			return err
 		}
 
-		ownerID, err := getObjectOwnerFromMessage(request)
+		idV2 := part.GetHeader().GetOwnerID()
+		if idV2 == nil {
+			return errors.New("missing object owner")
+		}
+
+		var idOwner user.ID
+
+		err = idOwner.ReadFromV2(*idV2)
 		if err != nil {
-			return err
+			return fmt.Errorf("invalid object owner: %w", err)
 		}
 
 		sTok := sessionSDK.NewTokenFromV2(request.GetMetaHeader().GetSessionToken())
@@ -392,7 +400,7 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
 
 		useObjectIDFromSession(&reqInfo, sTok)
 
-		if !p.source.checker.CheckBasicACL(reqInfo) || !p.source.checker.StickyBitCheck(reqInfo, ownerID) {
+		if !p.source.checker.CheckBasicACL(reqInfo) || !p.source.checker.StickyBitCheck(reqInfo, &idOwner) {
 			return basicACLErr(reqInfo)
 		} else if err := p.source.checker.CheckEACL(request, reqInfo); err != nil {
 			return eACLErr(reqInfo, err)

pkg/services/object/acl/v2/types.go

@@ -1,7 +1,7 @@
 package v2
 
 import (
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
 // ACLChecker is an interface that must provide
@@ -16,7 +16,7 @@ type ACLChecker interface {
 	// StickyBitCheck must return true only if sticky bit
 	// is disabled or enabled but request contains correct
 	// owner field.
-	StickyBitCheck(RequestInfo, *owner.ID) bool
+	StickyBitCheck(RequestInfo, *user.ID) bool
 }
 
 // InnerRingFetcher is an interface that must provide

pkg/services/object/acl/v2/util.go

@@ -14,8 +14,8 @@ import (
 	containerIDSDK "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
 	oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
 	sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
 var errMissingContainerID = errors.New("missing container ID")
@@ -113,27 +113,6 @@ func getObjectIDFromRequestBody(body interface{}) (*oidSDK.ID, error) {
 	return &id, nil
 }
 
-func getObjectOwnerFromMessage(req interface{}) (id *owner.ID, err error) {
-	switch v := req.(type) {
-	case *objectV2.PutRequest:
-		objPart := v.GetBody().GetObjectPart()
-		if part, ok := objPart.(*objectV2.PutObjectPartInit); ok {
-			return owner.NewIDFromV2(part.GetHeader().GetOwnerID()), nil
-		}
-
-		return nil, errors.New("can't get container ID in chunk")
-	case *objectV2.GetResponse:
-		objPart := v.GetBody().GetObjectPart()
-		if part, ok := objPart.(*objectV2.GetObjectPartInit); ok {
-			return owner.NewIDFromV2(part.GetHeader().GetOwnerID()), nil
-		}
-
-		return nil, errors.New("can't get container ID in chunk")
-	default:
-		return nil, errors.New("unsupported request type")
-	}
-}
-
 // sourceVerbOfRequest looks for verb in session token and if it is not found,
 // returns reqVerb. Second return value is true if operation is unknown.
 func sourceVerbOfRequest(tok *sessionSDK.Token, reqVerb eaclSDK.Operation) (eaclSDK.Operation, bool) {
@@ -185,7 +164,7 @@ func tokenVerbToOperation(ctx *sessionSDK.ObjectContext) eaclSDK.Operation {
 	}
 }
 
-func ownerFromToken(token *sessionSDK.Token) (*owner.ID, *keys.PublicKey, error) {
+func ownerFromToken(token *sessionSDK.Token) (*user.ID, *keys.PublicKey, error) {
 	// 1. First check signature of session token.
 	if !token.VerifySignature() {
 		return nil, nil, fmt.Errorf("%w: invalid session token signature", ErrMalformedRequest)
@@ -195,7 +174,11 @@ func ownerFromToken(token *sessionSDK.Token) (*owner.ID, *keys.PublicKey, error)
 	// TODO(@cthulhu-rider): #1387 implement and use another approach to avoid conversion
 	tokV2 := token.ToV2()
 
-	tokenIssuerKey := unmarshalPublicKey(tokV2.GetSignature().GetKey())
+	tokenIssuerKey, err := unmarshalPublicKey(tokV2.GetSignature().GetKey())
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid key in session token signature: %w", err)
+	}
+
 	tokenOwner := token.OwnerID()
 
 	if !isOwnerFromKey(tokenOwner, tokenIssuerKey) {
@@ -218,20 +201,19 @@ func originalBodySignature(v *sessionV2.RequestVerificationHeader) *refsV2.Signa
 	return v.GetBodySignature()
 }
 
-func unmarshalPublicKey(bs []byte) *keys.PublicKey {
-	pub, err := keys.NewPublicKeyFromBytes(bs, elliptic.P256())
-	if err != nil {
-		return nil
-	}
-	return pub
+func unmarshalPublicKey(bs []byte) (*keys.PublicKey, error) {
+	return keys.NewPublicKeyFromBytes(bs, elliptic.P256())
 }
 
-func isOwnerFromKey(id *owner.ID, key *keys.PublicKey) bool {
+func isOwnerFromKey(id *user.ID, key *keys.PublicKey) bool {
 	if id == nil || key == nil {
 		return false
 	}
 
-	return id.Equal(owner.NewIDFromPublicKey((*ecdsa.PublicKey)(key)))
+	var id2 user.ID
+	user.IDFromKey(&id2, (ecdsa.PublicKey)(*key))
+
+	return id2.Equals(*id)
 }
 
 // isVerbCompatible checks that tokenVerb operation can create auxiliary op operation.

pkg/services/object/delete/service.go

@@ -8,7 +8,7 @@ import (
 	"github.com/nspcc-dev/neofs-node/pkg/util/logger"
 	"github.com/nspcc-dev/neofs-sdk-go/object"
 	oidSDK "github.com/nspcc-dev/neofs-sdk-go/object/id"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"go.uber.org/zap"
 )
 
@@ -30,7 +30,7 @@ type NetworkInfo interface {
 
 	// Returns user ID of the local storage node. Result must not be nil.
 	// New tombstone objects will have the result as an owner ID if removal is executed w/o a session.
-	LocalNodeID() *owner.ID
+	LocalNodeID() *user.ID
 }
 
 type cfg struct {

pkg/services/object/put/streamer.go

@@ -11,7 +11,7 @@ import (
 	"github.com/nspcc-dev/neofs-node/pkg/services/object_manager/placement"
 	"github.com/nspcc-dev/neofs-node/pkg/services/object_manager/transformer"
 	"github.com/nspcc-dev/neofs-sdk-go/object"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
 type Streamer struct {
@@ -91,9 +91,20 @@ func (p *Streamer) initTarget(prm *PutInitPrm) error {
 
 	// In case session token is missing, the line above returns the default key.
 	// If it isn't owner key, replication attempts will fail, thus this check.
-	if sToken == nil && !prm.hdr.OwnerID().Equal(owner.NewIDFromPublicKey(&sessionKey.PublicKey)) {
-		return fmt.Errorf("(%T) session token is missing but object owner id is different from the default key", p)
+	if sToken == nil {
+		ownerObj := prm.hdr.OwnerID()
+		if ownerObj == nil {
+			return errors.New("missing object owner")
+		}
+
+		var ownerSession user.ID
+		user.IDFromKey(&ownerSession, sessionKey.PublicKey)
+
+		if !ownerObj.Equals(ownerSession) {
+			return fmt.Errorf("(%T) session token is missing but object owner id is different from the default key", p)
+		}
 	}
+
 	p.target = &validatingTarget{
 		fmt:              p.fmtValidator,
 		unpreparedObject: true,

pkg/services/object/util/key.go

@@ -6,8 +6,8 @@ import (
 	"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
 	"github.com/nspcc-dev/neofs-node/pkg/services/session/storage"
 	apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
-	"github.com/nspcc-dev/neofs-sdk-go/owner"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
 // SessionSource is an interface tha provides
@@ -19,7 +19,7 @@ type SessionSource interface {
 	// token has not been created, has been expired
 	// of it is impossible to get information about the
 	// token Get must return nil.
-	Get(owner *owner.ID, tokenID []byte) *storage.PrivateToken
+	Get(owner *user.ID, tokenID []byte) *storage.PrivateToken
 }
 
 // KeyStorage represents private key storage of the local node.

pkg/services/object/util/key_test.go

@@ -7,10 +7,12 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neofs-api-go/v2/refs"
 	sessionV2 "github.com/nspcc-dev/neofs-api-go/v2/session"
 	"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
 	tokenStorage "github.com/nspcc-dev/neofs-node/pkg/services/session/storage/temporary"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
+	usertest "github.com/nspcc-dev/neofs-sdk-go/user/test"
 	"github.com/stretchr/testify/require"
 )
 
@@ -62,13 +64,19 @@ func generateToken(t *testing.T) *session.Token {
 	tok := session.NewToken()
 	tok.SetSessionKey(pubKey)
 	tok.SetID(id)
+	tok.SetOwnerID(usertest.ID())
 
 	return tok
 }
 
 func createToken(t *testing.T, store *tokenStorage.TokenStore, exp uint64) *session.Token {
+	owner := usertest.ID()
+
+	var ownerV2 refs.OwnerID
+	owner.WriteToV2(&ownerV2)
+
 	req := new(sessionV2.CreateRequestBody)
-	req.SetOwnerID(nil)
+	req.SetOwnerID(&ownerV2)
 	req.SetExpiration(exp)
 
 	resp, err := store.Create(context.Background(), req)
@@ -77,6 +85,7 @@ func createToken(t *testing.T, store *tokenStorage.TokenStore, exp uint64) *sess
 	tok := session.NewToken()
 	tok.SetSessionKey(resp.GetSessionKey())
 	tok.SetID(resp.GetID())
+	tok.SetOwnerID(owner)
 
 	return tok
 }