From 26f30e7aceae876253debe3b3d6fad3744ccf152 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <denis@nspcc.ru>
Date: Fri, 10 Sep 2021 11:07:26 +0300
Subject: [PATCH] [#255] Add expiration to access box

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
---
 authmate/authmate.go        |  2 +-
 cmd/authmate/main.go        |  6 +++---
 creds/tokens/credentials.go | 10 +++++++---
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/authmate/authmate.go b/authmate/authmate.go
index a8aa928..2881ae0 100644
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@@ -227,7 +227,7 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 
 	address, err := tokens.
 		New(a.pool, secrets.EphemeralKey).
-		Put(ctx, cid, oid, box, options.GatesPublicKeys...)
+		Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
 	if err != nil {
 		return fmt.Errorf("failed to put bearer token: %w", err)
 	}
diff --git a/cmd/authmate/main.go b/cmd/authmate/main.go
index 59c5fff..29f0b6b 100644
--- a/cmd/authmate/main.go
+++ b/cmd/authmate/main.go
@@ -26,8 +26,8 @@ import (
 const (
 	poolConnectTimeout = 5 * time.Second
 	poolRequestTimeout = 5 * time.Second
-	// a number of 15-second blocks in a month.
-	defaultLifetime = 172800
+	// a number of 1-hour epochs in a month.
+	defaultLifetime = 720
 )
 
 var (
@@ -199,7 +199,7 @@ func issueSecret() *cli.Command {
 			},
 			&cli.Uint64Flag{
 				Name:        "lifetime",
-				Usage:       "Lifetime of tokens in NeoFS epoch (number of blocks in sidechain)",
+				Usage:       "Lifetime of tokens in NeoFS epoch",
 				Required:    false,
 				Destination: &lifetimeFlag,
 				Value:       defaultLifetime,
diff --git a/creds/tokens/credentials.go b/creds/tokens/credentials.go
index c0111c8..4a945d1 100644
--- a/creds/tokens/credentials.go
+++ b/creds/tokens/credentials.go
@@ -21,7 +21,7 @@ type (
 	// Credentials is a bearer token get/put interface.
 	Credentials interface {
 		GetBox(context.Context, *object.Address) (*accessbox.Box, error)
-		Put(context.Context, *cid.ID, *owner.ID, *accessbox.AccessBox, ...*keys.PublicKey) (*object.Address, error)
+		Put(context.Context, *cid.ID, *owner.ID, *accessbox.AccessBox, uint64, ...*keys.PublicKey) (*object.Address, error)
 	}
 
 	cred struct {
@@ -100,7 +100,7 @@ func (c *cred) getAccessBox(ctx context.Context, address *object.Address) (*acce
 	return &box, nil
 }
 
-func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *accessbox.AccessBox, keys ...*keys.PublicKey) (*object.Address, error) {
+func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *accessbox.AccessBox, expiration uint64, keys ...*keys.PublicKey) (*object.Address, error) {
 	var (
 		err     error
 		created = strconv.FormatInt(time.Now().Unix(), 10)
@@ -124,10 +124,14 @@ func (c *cred) Put(ctx context.Context, cid *cid.ID, issuer *owner.ID, box *acce
 	filename.SetKey(object.AttributeFileName)
 	filename.SetValue(created + "_access.box")
 
+	expirationAttr := object.NewAttribute()
+	expirationAttr.SetKey("__NEOFS__EXPIRATION_EPOCH")
+	expirationAttr.SetValue(strconv.FormatUint(expiration, 10))
+
 	raw := object.NewRaw()
 	raw.SetContainerID(cid)
 	raw.SetOwnerID(issuer)
-	raw.SetAttributes(filename, timestamp)
+	raw.SetAttributes(filename, timestamp, expirationAttr)
 
 	ops := new(client.PutObjectParams).WithObject(raw.Object()).WithPayloadReader(bytes.NewBuffer(data))
 	oid, err := c.pool.PutObject(