Implement NeoFS contact's client which is responsible for collecting call
arguments and parsing stack items. Initially key binding and unbinding are
supported.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Update API Go library with introduce `Client.Conn` method. Implement
`ClientCache.CloseAll` method which reads and closes connections of all
cached clients.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In recent change of API Go library `owner.ID.Equal` signature was
implemented.
Replace the comparison of string representations with `Equal` method call
and remove related TODOs.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In recent change of API Go library `Token.Verify` signature was implemented.
Replace previous version-casting approach with new method call in token
signature check stage.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Token of the container session should be written out with container context.
The context should have the verb corresponding to the operation. If an
operation is performed on a fixed container, the session should be
propagated to it or to all user containers
Implement all described checks in validation of `Put` / `Delete` / `SetEACL`
events.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In previous implementation verification of `SetEACL` events failed on events
without session token. It was caused by redundant tries to verify `nil`
session token.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Session token can be presented `Put`, `Delete` and `SetEACL` notification
events. IR should consider this case as issuing a power of attorney to a
third party. Thus, checking the eligibility for an operation should be
complicated:
- token owner should be the owner of the related container;
- the intent must be signed with a session key;
- the power of attorney must be signed by the owner of the container.
Omitted checks (TBD):
- session token should have container session context;
- the verb of the context should correspond to the operation.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
There is no TLS protocol support in
`go-multiaddr` library, but there is
public function that can register any
protocol that can be implemented outside
the library. Also `TLSEnabled` function
for parsing TLS protocol from
`network.Address` was added.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
`bindKey` parameter of `Put` method of `Container` contract was removed in
latest version.
Do not pass bind key of type `[]byte` to `Put` invocation. Remove no longer
needed field from `PutArgs`.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
From `017fb6abed9455c7c99631adcb0bb04d42741f87` used container client is
constructed with enabled notary mode.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
If container is removed via session, then session token should be included
in removal witness.
Write session token from request meta header to `container.RemovalWitness`
structure which is passed to `wrapper.Delete` function.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Approved removed container ID should be stored in sidechain along with
related session token.
Forward session token from `Delete` event to `Wrapper.Delete` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`Delete` method of latest `Container` contract accepts binary session token
as an argument.
Provide `DeleteArgs.SetSessionToken` method. Accept session token as a
`[]byte` in `Wrapper.Put` method and attach it to `PutArgs`. Marshal session
token from `RemovalWitness` in `wrapper.Delete` function and pass it to the
method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
The 3rd item of `Delete` container notification event is a byte array of
serialized session token. Parse session token in `ParseDelete` function.
Provide `Delete.SessionToken` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
NeoFS containers can be removed within a trusted session. There is a need to
take this into account during removal inspection.
Define `SessionToken` / `SetSessionToken` methods on `RemovalWitness` struct
in order to embed `session.Token` to it.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Make `wrapper.Delete` function to accept `container.RemovalWitness` struct
instead of its separated elements. `Signature` type is replaced by binary
signature since public key is unused.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Define `RemovalWitness` structure which groups the information required to
prove and verify the removal of a container. This type is going to be used
in container Delete-related methods.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Unmarshal session token from `EACLValues` and write it to resulting
`eacl.Table` structure in `Wrapper.GetEACL` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`EACL` method of `Container` contract returns binary session token, key and
signature along with eACL table.
Provide `Signature`, `PublicKey` and `SessionToken` getters from
`EACLValues` structure. Parse and set all values in `Client.EACL` methods.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Approved eACL table should be stored in sidechain along with related session
token.
Forward session token from `SetEACL` event to `Wrapper.PutEACL` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
The 4th item of `SetEACL` container notification event is a byte array of
serialized session token.
Parse session token in `ParseSetEACL` function. Provide
`SetEACL.SessionToken` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
If eACL table is set via session, then session token should be written to
it.
Write session token from request meta header to `eacl.Table` structure which
is passed to `wrapper.PutEACL` function.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Rename `PutContext` to `ContextWithToken` and implement its constructor as a
separate function in order to reuse it in other RPCs.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`SetEACL` method of latest `Container` contract accepts binary session token
as an argument.
Provide `SetEACLArgs.SetSessionToken` method. Accept session token as a
`[]byte` in `Wrapper.PutEACL` method and attach it to `SetEACLArgs`. Marshal
session token from container in `wrapper.PutEACL` function and pass it to
the method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Unmarshal session token from `GetValues` and write it to resulting
`Container` structure in `Wrapper.Get` method. Write key-signature pair from
`GetValues` to resulting `Container` structure in `Wrapper.Get` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`Get` method of `Container` contract returns binary session token, key and
signature along with container.
Provide `Signature`, `PublicKey` and `SessionToken` getters from `GetValues`
structure. Parse and set all values in `Client.Get` methods.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Approved container should be stored in sidechain along with related session
token.
Forward session token from `Put` event to `Wrapper.Put` method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
The 4th item of `Put` container notification event is a byte array of
serialized session token.
Parse session token in `ParsePut` function. Provide `Put.SessionToken`
method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
If container is created via session, then session token should be written to
it.
Write session token from request meta header to `Container` structure which
is passed to `wrapper.Put` function.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`Put` method of latest `Container` contract accepts binary session token as
an argument.
Provide `PutArgs.SetSessionToken` method. Accept session token as a `[]byte`
in `Wrapper.Put` method and attach it to `PutArgs`. Marshal session token
from container in `wrapper.Put` function and pass it to the method.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In previous implementation wrapper over the Container contract's client
accepted the signature of the eACL table in addition to itself. After recent
changes in API Go lib table carries its signature. Thus, it is redundant
to pass the eACL table signature separately.
Make `wrapper.PutEACL` method to accept `eacl.Table` only.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In previous implementation wrapper over the Container contract's client
accepted the signature of the container in addition to itself. After recent
changes in API Go lib container carries its signature. Thus, it is redundant
to pass the container signature separately.
Make `wrapper.Put` method to accept `Container` only.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In previous implementation wrapper over the Container contract's client
returned the signature of the eACL table in addition to itself. After recent
changes in API Go lib table carries its signature. Thus, it is redundant to
return the table signature separately.
Make `Wrapper.GetEACL` method to return only `eacl.Table` with error.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In recent API changes `GetExtendedACLResponseBody` carries session token.
In recent API Go lib changes `eacl.Table` structure carries related session
token.
Write session token of eACL table from sidechain to GetExtendedACL response
body in node's `ContainerService` server.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In recent API changes `GetResponseBody` carries session token and signature.
In recent API Go lib changes `Container` structure carries its session
token and signature.
Write session token and signature of container from sidechain to Get
response body in node's `ContainerService` server.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
As it explained in previous commit, session token also should
be presented in original meta header but can be omitted in higher
layers.
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
Request meta headers are organized in a layers, where
upper layers re-sign down layers. Bearer token should be
a part of original meta header and it can be omitted in
upper layers. Therefore we need to traverse over linked list
of meta header to the original meta header to get bearer token.
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
`eACL` method of `Container` contract returns structure with 4 fields (the
4th is a recently added binary session token).
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Change expected event items to 4 in order to support new binary session
token item. Parsing of the session token will be implemented later.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Construct wrapper over the Container contract client with `TryNotary` option
since it is required to perform invocations of notary contract.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
All client wrappers should use underlying static client with enabled notary
work mode in order to produce invocations of notary contract.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Some of the client wrapper's methods should produce notary contract's
invocations. In previous implementation all wrappers provided separate
methods to do it. Since notary and non-notary invocation scenarios have very
different goals, it makes sense to separate the scenarios of using the
client wrapper at the stage of its creation.
Define `Option` constructor for container client wrapper. Add `TryNotary`
option which enables tries of the notary invocations on underlying static
client. Mark all notary-dedicated methods as deprecated.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
There are two scenarios of invocation of contract methods:
1. do not invoke notary contract;
2. try to invoke notary contract if it is enabled in Client.
Taking this into account, `StaticClient` can work in one of the two described
modes. Based on this, it makes sense at the stage of creating `StaticClient`
to fix the call mode, and the further abstract from it.
Define `StaticClientOption` setters of `StaticClient` optional parameters.
Add `TryNotary` constructor of option which enables notary tries. Call
`NotaryInvoke` on underlying `Client` if the option is provided, otherwise
call `Invoke`. Mark `NotaryInvoke` method of `StaticClient` as deprecated.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Pass session token (byte array) and bind key flag (boolean) arguments to
`Put` method call of `Container` contract.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Change expected event items to 4 in order to support new binary session
token item. Parsing of the session token will be implemented later.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Owner identifier can be calculated from public key. If it matches, no
additional verification of key ownership is required.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Get all owner keys and verify container ID signature until first success. If
none of the keys match, then prohibit deletion. Thus, the delete operation
is only allowed to the owner of the container. With this approach, a
separate check for key ownership is not required.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Make `Get` method of the wrapper over Container contract's client to
accept binary container ID. Create `Get` function similar to the previous
`Get` variation. Use this function in Container service server in the place
where `Get` method was used.
Additionally implement `AsContainerSource` function which allows
to simply compose container Source interface from the wrapper.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Call `Delete` method on the wrapper over the Container contract's client
directly from `Processor.approveDeleteContainer`.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Make `Delete` method of the wrapper over Container contract's client to accept
two binary parameters: container ID and signature. Create `Delete` function
similar to the previous `Delete` variation, but accepting `Signature`
structure instead of binary signature. Use this function in Container
service server in the place where `Delete` method was used.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Call `Put` method on the wrapper over the Container contract's client
directly from `Processor.approvePutContainer`.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
`Put` method of the wrapper over the Container contract's client does not
modify passed binary container, so it makes no sense to calculate the
identifier.
`Put` method returns the error only from now. Function `Put` calculates
identifier itself since it is still required by function signature.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Make `Put` method of the wrapper over Container contract's client to accept
three binary parameters: container, key and signature. Create `Put` function
similar to the previous `Put` variation, but accepting `Signature`
structure instead of binary key and signature. Use this function in
Container service server in the place where `Put` method was used.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Split up `processContainerPut` and `processContainerDelete` methods of
container `Processor` into two sub-methods: checking the event and its
assertion.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Morph event structures defined in `pkg/morph/event` should only carry
notification values without any additional interpretation. All logical work
should be concentrated on app-side.
Change data type of `Put.PublicKey` return to byte slice. `ParsePut` doesn't
unmarshal public key from now.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Add `setEACL` notification event parser (handler) to the return of the
`ListenerParsers` (`ListenerHandlers`) method. Read address of NeoFS ID
contract from `contracts.neofsid` config. Implement `NewNeoFSIDClient`
constructor in `invoke` package and use it in IR application.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Pre-allocate slices for a known number of elements. Use single `ParserInfo`
/ `HandlerInfo` variable in order to set Container contracts's address once
and change only values that differ between events.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Use NeoFS ID contract client to check if public key from notification event
is tied to the owner of the container for which the eACL is being changed.
Approve changes coming from the owner of the container only.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Add signature check to `checkSetEACL` method of the `setEACL` notification
handler in Container processor.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Implement `handleSetEACL` method similar to other handling methods in
Container processor. To begin with, the validation logic is skipped, and all
tables will be sent to the contract. In the future, the necessary checks
will be implemented. Listening for events in the IR node will also be added.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Define `SetEACL` structure of eACL table change notification from Container
contract. Implement function which parses `SetEACL` event structure from
stack item list.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
In recent changes argument list of set eACL call of Container contract
client was extended with binary public key. In the future there will be a
need to pass the table in binary format.
Replace `PutEACL` method with `PutEACLBinary` one which accepts three binary
parameters: eACL table, key and signature. Create `PutEACL` function similar
to the removed method, but accepting `Signature` structure instead of just
a signature. Use this function in Container service server in the place
where `PutEACL` was used.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Add `SetEACLArgs.SetPublicKey` method which sets binary public key argument
of the "set eACL" contract call. Attach key to the `Invoke` call.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
If object to be inhumed is root we need to continue first traverse over the
shards. In case when several children are stored in different shards,
inhuming object in a single shard leads to appearance of inhumed object in
subsequent selections. Also, any object can be already inhumed, and this
case is equivalent to successful inhume.
Do not fail on `object.ErrAlreadyRemoved` error. Continue first iterating
over shards if we detected root object (`SplitInfoError`).
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Write unit tests of `StorageEngine.Inhume` which assert that inhumed objects
don't appear in `Select` result.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Request forwarding callback should be called only if set since it is an
optional parameter.
Call `forwarder` function only if it is non-nil.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Request forwarding callback should be called only if set since it is an
optional parameter. In GetRangeHash forwarder is never set.
Call `forwarder` function only if it is non-nil. Remove no longer needed
`hashOnly` option.
Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>