Session tokens have limited lifetime in NeoFS. Container processor should
verify lifetime of the incoming tokens.
Define `NetworkState` interface with `Epoch` method to get number of the
current epoch. Use Netmap contract client's wrapper as `NetworkState` of
Container `Processor`. Check values of token lifetime, and deny if:
* NBF value is gt the current epoch;
* IAT is gt the current epoch;
* EXP is le the current epoch.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Make IR processor of NeoFS contract to handle `Bind`/`Unbind` notification
events. The processor verifies the format of wallet script hash and public
keys, and call NeoFS ID client wrapper in order to approve adding/removing
keys from NeoFS account.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Pass `TryNotary()` option to constructor of the static client of the NeoFS
ID contract in `NewFromMorph`. This will allow to use client wrapper for key
management in IR application.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Morph event structures defined in `pkg/morph/event` should only carry
notification values without any additional interpretation. All logical work
should be concentrated on app-side. Change `Bind.User` / `Unbind.User` to
return byte slice. Change `Bind.Keys` / `Unbind.Keys` to return `[][]byte`.
`ParseBind` / `ParseUnbind` don't decode data from now.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Implement method `ClientWrapper.ManageKeys` method which provides the
interface to add/remove keys to/from NeoFS account.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Implement `AddKeys` / `RemoveKeys` methods to call `addKey` / `removeKey`
methods of NeoFS ID contract.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Implement wrapper over NeoFS contact's client which allows you to
conveniently interact with the contract. Implement `ManageKeys` method
for binding or unbinding public keys to the NeoFS account.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Implement NeoFS contact's client which is responsible for collecting call
arguments and parsing stack items. Initially key binding and unbinding are
supported.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Update API Go library with introduce `Client.Conn` method. Implement
`ClientCache.CloseAll` method which reads and closes connections of all
cached clients.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In recent change of API Go library `owner.ID.Equal` signature was
implemented.
Replace the comparison of string representations with `Equal` method call
and remove related TODOs.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In recent change of API Go library `Token.Verify` signature was implemented.
Replace previous version-casting approach with new method call in token
signature check stage.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Token of the container session should be written out with container context.
The context should have the verb corresponding to the operation. If an
operation is performed on a fixed container, the session should be
propagated to it or to all user containers
Implement all described checks in validation of `Put` / `Delete` / `SetEACL`
events.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In previous implementation verification of `SetEACL` events failed on events
without session token. It was caused by redundant tries to verify `nil`
session token.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Session token can be presented `Put`, `Delete` and `SetEACL` notification
events. IR should consider this case as issuing a power of attorney to a
third party. Thus, checking the eligibility for an operation should be
complicated:
- token owner should be the owner of the related container;
- the intent must be signed with a session key;
- the power of attorney must be signed by the owner of the container.
Omitted checks (TBD):
- session token should have container session context;
- the verb of the context should correspond to the operation.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
There is no TLS protocol support in
`go-multiaddr` library, but there is
public function that can register any
protocol that can be implemented outside
the library. Also `TLSEnabled` function
for parsing TLS protocol from
`network.Address` was added.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
`bindKey` parameter of `Put` method of `Container` contract was removed in
latest version.
Do not pass bind key of type `[]byte` to `Put` invocation. Remove no longer
needed field from `PutArgs`.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
From `017fb6abed9455c7c99631adcb0bb04d42741f87` used container client is
constructed with enabled notary mode.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
If container is removed via session, then session token should be included
in removal witness.
Write session token from request meta header to `container.RemovalWitness`
structure which is passed to `wrapper.Delete` function.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Approved removed container ID should be stored in sidechain along with
related session token.
Forward session token from `Delete` event to `Wrapper.Delete` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`Delete` method of latest `Container` contract accepts binary session token
as an argument.
Provide `DeleteArgs.SetSessionToken` method. Accept session token as a
`[]byte` in `Wrapper.Put` method and attach it to `PutArgs`. Marshal session
token from `RemovalWitness` in `wrapper.Delete` function and pass it to the
method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
The 3rd item of `Delete` container notification event is a byte array of
serialized session token. Parse session token in `ParseDelete` function.
Provide `Delete.SessionToken` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
NeoFS containers can be removed within a trusted session. There is a need to
take this into account during removal inspection.
Define `SessionToken` / `SetSessionToken` methods on `RemovalWitness` struct
in order to embed `session.Token` to it.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Make `wrapper.Delete` function to accept `container.RemovalWitness` struct
instead of its separated elements. `Signature` type is replaced by binary
signature since public key is unused.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Define `RemovalWitness` structure which groups the information required to
prove and verify the removal of a container. This type is going to be used
in container Delete-related methods.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Unmarshal session token from `EACLValues` and write it to resulting
`eacl.Table` structure in `Wrapper.GetEACL` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`EACL` method of `Container` contract returns binary session token, key and
signature along with eACL table.
Provide `Signature`, `PublicKey` and `SessionToken` getters from
`EACLValues` structure. Parse and set all values in `Client.EACL` methods.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Approved eACL table should be stored in sidechain along with related session
token.
Forward session token from `SetEACL` event to `Wrapper.PutEACL` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
The 4th item of `SetEACL` container notification event is a byte array of
serialized session token.
Parse session token in `ParseSetEACL` function. Provide
`SetEACL.SessionToken` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
If eACL table is set via session, then session token should be written to
it.
Write session token from request meta header to `eacl.Table` structure which
is passed to `wrapper.PutEACL` function.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Rename `PutContext` to `ContextWithToken` and implement its constructor as a
separate function in order to reuse it in other RPCs.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`SetEACL` method of latest `Container` contract accepts binary session token
as an argument.
Provide `SetEACLArgs.SetSessionToken` method. Accept session token as a
`[]byte` in `Wrapper.PutEACL` method and attach it to `SetEACLArgs`. Marshal
session token from container in `wrapper.PutEACL` function and pass it to
the method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Unmarshal session token from `GetValues` and write it to resulting
`Container` structure in `Wrapper.Get` method. Write key-signature pair from
`GetValues` to resulting `Container` structure in `Wrapper.Get` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`Get` method of `Container` contract returns binary session token, key and
signature along with container.
Provide `Signature`, `PublicKey` and `SessionToken` getters from `GetValues`
structure. Parse and set all values in `Client.Get` methods.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Leonard Lyubich
Alex Vanin
Pavel Karpy
Evgenii Stratonikov