diff --git a/service/meta.proto b/service/meta.proto index 77e5793..2e51d92 100644 --- a/service/meta.proto +++ b/service/meta.proto @@ -6,6 +6,7 @@ option go_package = "github.com/nspcc-dev/neofs-api-go/service"; option csharp_namespace = "NeoFS.API.Service"; import "acl/types.proto"; +import "refs/types.proto"; import "service/verify.proto"; message XHeader { @@ -23,6 +24,76 @@ message Version { uint32 minor = 2; } +// Lifetime parameters of the token. Filed names taken from rfc7519. +message TokenLifetime { + // Expiration Epoch + uint64 exp = 1; + // Not valid before Epoch + uint64 nbf = 2; + // Issued at Epoch + uint64 iat = 3; +} + +// NeoFS session token. +message SessionToken { + message Body { + // ID is a token identifier. valid UUIDv4 represented in bytes + bytes id = 1; + // OwnerID carries identifier of the session initiator. + refs.OwnerID owner_id = 2; + // Verb is an enumeration of session request types + enum Verb { + // Refers to object.Put RPC call + OBJECT_PUT = 0; + // Refers to object.Get RPC call + OBJECT_GET = 1; + // Refers to object.Head RPC call + OBJECT_HEAD = 2; + // Refers to object.Search RPC call + OBJECT_SEARCH = 3; + // Refers to object.Delete RPC call + OBJECT_DELETE = 4; + // Refers to object.GetRange RPC call + OBJECT_RANGE = 5; + // Refers to object.GetRangeHash RPC call + OBJECT_RANGEHASH = 6; + } + // Verb is a type of request for which the token is issued + Verb verb = 3; + // Lifetime is a lifetime of the session + TokenLifetime lifetime = 4; + // SessionKey is a public key of session key + bytes session_key = 5; + // Carries context of the session. + oneof context { + // object_address represents the object session context. + refs.Address object_address = 6; + } + } + // Session Token body + Body token = 1; + + // Signature is a signature of session token information + Signature signature = 2; +} + +// BearerToken has information about request ACL rules with limited lifetime +message BearerToken { + message Body { + // EACLTable carries table of extended ACL rules + acl.EACLTable eacl_table = 1; + // OwnerID carries identifier of the token owner + refs.OwnerID owner_id = 2; + // Token expiration and valid time period parameters + TokenLifetime lifetime = 3; + } + // Bearer Token body + Body token = 1; + + // Signature of BearerToken body + Signature signature = 2; +} + // Information about the request message RequestMetaHeader { // Client API version. @@ -33,9 +104,13 @@ message RequestMetaHeader { uint32 ttl = 3; // Request X-Headers. repeated XHeader x_headers = 4; + // Token is a token of the session within which the request is sent + SessionToken token = 5; + // Bearer is a Bearer token of the request + BearerToken bearer = 6; // RequestMetaHeader of the origin request. - RequestMetaHeader origin = 98; + RequestMetaHeader origin = 7; } // Information about the response @@ -50,5 +125,5 @@ message ResponseMetaHeader { repeated XHeader x_headers = 4; // Carries response meta header of the origin response. - ResponseMetaHeader origin = 98; + ResponseMetaHeader origin = 5; } diff --git a/service/verify.proto b/service/verify.proto index a1deab8..0c8e39f 100644 --- a/service/verify.proto +++ b/service/verify.proto @@ -8,6 +8,7 @@ option csharp_namespace = "NeoFS.API.Service"; import "acl/types.proto"; import "refs/types.proto"; +// Signature of something in NeoFS message Signature { // Public key used for signing. bytes key = 1; @@ -17,106 +18,26 @@ message Signature { // Verification info for request signed by all intermediate nodes message RequestVerificationHeader { + // Request Body signature. Should be generated once by request initiator. Signature body_signature = 1; + // Request Meta signature is added and signed by any intermediate node Signature meta_signature = 2; + // Sign previous hops + Signature origin_signature = 3; - // Token is a token of the session within which the request is sent - SessionToken token = 3; - // Bearer is a Bearer token of the request - BearerTokenMsg bearer = 4; - - RequestVerificationHeader origin = 5; -} - -// Represents the NeoFS session token. -message SessionToken { - message Info { - // ID is a token identifier. valid UUIDv4 represented in bytes - bytes id = 1; - - // OwnerID carries identifier of the session initiator. - refs.OwnerID owner_id = 2; - - // Verb is an enumeration of session request types - enum Verb { - // Refers to object.Put RPC call - OBJECT_PUT = 0; - // Refers to object.Get RPC call - OBJECT_GET = 1; - // Refers to object.Head RPC call - OBJECT_HEAD = 2; - // Refers to object.Search RPC call - OBJECT_SEARCH = 3; - // Refers to object.Delete RPC call - OBJECT_DELETE = 4; - // Refers to object.GetRange RPC call - OBJECT_RANGE = 5; - // Refers to object.GetRangeHash RPC call - OBJECT_RANGEHASH = 6; - } - - // Verb is a type of request for which the token is issued - Verb verb = 3; - - // Lifetime is a lifetime of the session - TokenLifetime lifetime = 4; - - // SessionKey is a public key of session key - bytes session_key = 5; - - // OwnerKey is a public key of the token owner - bytes owner_key = 6; - - // Carries context of the session. - oneof context { - // object_address represents the object session context. - refs.Address object_address = 7; - } - } - - // token_info is a grouped information about token - Info token_info = 1; - - // Signature is a signature of session token information - bytes signature = 2; -} - -// TokenLifetime carries a group of lifetime parameters of the token -message TokenLifetime { - // created carries an initial epoch of token lifetime - uint64 created = 1; - - // valid_until carries a last epoch of token lifetime - uint64 valid_until = 2; -} - -// BearerTokenMsg carries information about request ACL rules with limited lifetime -message BearerTokenMsg { - message Info { - // EACLTable carries table of extended ACL rules. - acl.EACLTable eacl_table = 1; - - // OwnerID carries identifier of the token owner. - refs.OwnerID owner_id = 2; - - // ValidUntil carries a last epoch of token lifetime - uint64 valid_until = 3; - } - - // token_info is a grouped information about token - Info token_info = 1; - - // owner_key is a public key of the token owner - bytes owner_key = 2; - - // Signature is a signature of token information - bytes signature = 3; + // Chain of previous hops signatures + RequestVerificationHeader origin = 4; } // Verification info for response signed by all intermediate nodes message ResponseVerificationHeader { + // Response Body signature. Should be generated once by answering node. Signature body_signature = 1; + // Response Meta signature is added and signed by any intermediate node Signature meta_signature = 2; + // Sign previous hops + Signature origin_signature = 3; - ResponseVerificationHeader origin = 3; + // Chain of previous hops signatures + ResponseVerificationHeader origin = 4; }