[#xxx] Upgrade NeoFS SDK Go with changed container sessions

After recent changes in NeoFS SDK Go library session tokens aren't
embedded into `container.Container` and `eacl.Table` structures.

Group value, session token and signature in a structure for container
and eACL.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

cmd/neofs-cli/modules/container/create.go

@@ -98,7 +98,6 @@ It will be stored in sidechain when inner ring will accepts it.`,
 
 			issuer := tok.Issuer()
 			cnr.SetOwnerID(&issuer)
-			cnr.SetSessionToken(tok)
 		} else {
 			var idOwner user.ID
 			user.IDFromKey(&idOwner, key.PublicKey)
@@ -113,7 +112,6 @@ It will be stored in sidechain when inner ring will accepts it.`,
 		cnr.SetBasicACL(basicACL)
 		cnr.SetAttributes(attributes)
 		cnr.SetNonceUUID(nonce)
-		cnr.SetSessionToken(tok)
 
 		cli := internalclient.GetSDKClientByFlag(cmd, key, commonflags.RPC)
 
@@ -121,6 +119,10 @@ It will be stored in sidechain when inner ring will accepts it.`,
 		putPrm.SetClient(cli)
 		putPrm.SetContainer(*cnr)
 
+		if tok != nil {
+			putPrm.WithinSession(*tok)
+		}
+
 		res, err := internalclient.PutContainer(putPrm)
 		common.ExitOnErr(cmd, "rpc error: %w", err)
 

cmd/neofs-cli/modules/container/get_eacl.go

@@ -3,7 +3,6 @@ package container
 import (
 	"os"
 
-	"github.com/nspcc-dev/neofs-api-go/v2/refs"
 	internalclient "github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/client"
 	"github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/common"
 	"github.com/nspcc-dev/neofs-node/cmd/neofs-cli/internal/commonflags"
@@ -29,22 +28,10 @@ var getExtendedACLCmd = &cobra.Command{
 
 		eaclTable := res.EACL()
 
-		sig := eaclTable.Signature()
-
-		// TODO(@cthulhu-rider): #1387 avoid type conversion
-		var sigV2 refs.Signature
-		sig.WriteToV2(&sigV2)
-
 		if containerPathTo == "" {
 			cmd.Println("eACL: ")
 			common.PrettyPrintJSON(cmd, eaclTable, "eACL")
 
-			var sigV2 refs.Signature
-			sig.WriteToV2(&sigV2)
-
-			cmd.Println("Signature:")
-			common.PrettyPrintJSON(cmd, &sigV2, "signature")
-
 			return
 		}
 
@@ -60,9 +47,6 @@ var getExtendedACLCmd = &cobra.Command{
 
 		cmd.Println("dumping data to file:", containerPathTo)
 
-		cmd.Println("Signature:")
-		common.PrettyPrintJSON(cmd, &sigV2, "signature")
-
 		err = os.WriteFile(containerPathTo, data, 0644)
 		common.ExitOnErr(cmd, "could not write eACL to file: %w", err)
 	},

cmd/neofs-cli/modules/container/set_eacl.go

@@ -32,7 +32,6 @@ Container ID in EACL table will be substituted with ID from the CLI.`,
 		}
 
 		eaclTable.SetCID(id)
-		eaclTable.SetSessionToken(tok)
 
 		pk := key.GetOrGenerate(cmd)
 		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)
@@ -41,6 +40,10 @@ Container ID in EACL table will be substituted with ID from the CLI.`,
 		setEACLPrm.SetClient(cli)
 		setEACLPrm.SetTable(*eaclTable)
 
+		if tok != nil {
+			setEACLPrm.WithinSession(*tok)
+		}
+
 		_, err := internalclient.SetEACL(setEACLPrm)
 		common.ExitOnErr(cmd, "rpc error: %w", err)
 

cmd/neofs-node/cache.go

@@ -10,9 +10,7 @@ import (
 	cntClient "github.com/nspcc-dev/neofs-node/pkg/morph/client/container"
 	"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
 	putsvc "github.com/nspcc-dev/neofs-node/pkg/services/object/put"
-	containerSDK "github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
-	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
 	netmapSDK "github.com/nspcc-dev/neofs-sdk-go/netmap"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
@@ -147,13 +145,13 @@ func newCachedContainerStorage(v container.Source) *ttlContainerStorage {
 
 // Get returns container value from the cache. If value is missing in the cache
 // or expired, then it returns value from side chain and updates the cache.
-func (s *ttlContainerStorage) Get(cnr cid.ID) (*containerSDK.Container, error) {
+func (s *ttlContainerStorage) Get(cnr cid.ID) (*container.Container, error) {
 	val, err := (*ttlNetCache)(s).get(cnr.EncodeToString())
 	if err != nil {
 		return nil, err
 	}
 
-	return val.(*containerSDK.Container), nil
+	return val.(*container.Container), nil
 }
 
 type ttlEACLStorage ttlNetCache
@@ -180,13 +178,13 @@ func newCachedEACLStorage(v eacl.Source) *ttlEACLStorage {
 
 // GetEACL returns eACL value from the cache. If value is missing in the cache
 // or expired, then it returns value from side chain and updates cache.
-func (s *ttlEACLStorage) GetEACL(cnr cid.ID) (*eaclSDK.Table, error) {
+func (s *ttlEACLStorage) GetEACL(cnr cid.ID) (*container.EACL, error) {
 	val, err := (*ttlNetCache)(s).get(cnr.EncodeToString())
 	if err != nil {
 		return nil, err
 	}
 
-	return val.(*eaclSDK.Table), nil
+	return val.(*container.EACL), nil
 }
 
 // InvalidateEACL removes cached eACL value.

cmd/neofs-node/container.go

@@ -30,7 +30,6 @@ import (
 	apiClient "github.com/nspcc-dev/neofs-sdk-go/client"
 	containerSDK "github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
-	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
 	"github.com/nspcc-dev/neofs-sdk-go/netmap"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"go.uber.org/zap"
@@ -355,7 +354,7 @@ func (l *loadPlacementBuilder) buildPlacement(epoch uint64, idCnr cid.ID) ([][]n
 		return nil, nil, err
 	}
 
-	policy := cnr.PlacementPolicy()
+	policy := cnr.Value.PlacementPolicy()
 	if policy == nil {
 		return nil, nil, errors.New("missing placement policy in container")
 	}
@@ -566,11 +565,11 @@ type morphContainerReader struct {
 	}
 }
 
-func (x *morphContainerReader) Get(id cid.ID) (*containerSDK.Container, error) {
+func (x *morphContainerReader) Get(id cid.ID) (*containerCore.Container, error) {
 	return x.get.Get(id)
 }
 
-func (x *morphContainerReader) GetEACL(id cid.ID) (*eaclSDK.Table, error) {
+func (x *morphContainerReader) GetEACL(id cid.ID) (*containerCore.EACL, error) {
 	return x.eacl.GetEACL(id)
 }
 
@@ -586,13 +585,13 @@ type morphContainerWriter struct {
 	lists        *ttlContainerLister
 }
 
-func (m morphContainerWriter) Put(cnr *containerSDK.Container) (*cid.ID, error) {
+func (m morphContainerWriter) Put(cnr containerCore.Container) (*cid.ID, error) {
 	containerID, err := cntClient.Put(m.neoClient, cnr)
 	if err != nil {
 		return nil, err
 	}
 
-	idOwner := cnr.OwnerID()
+	idOwner := cnr.Value.OwnerID()
 	if idOwner == nil {
 		return nil, errors.New("missing container owner")
 	}
@@ -608,14 +607,14 @@ func (m morphContainerWriter) Delete(witness containerCore.RemovalWitness) error
 	return cntClient.Delete(m.neoClient, witness)
 }
 
-func (m morphContainerWriter) PutEACL(table *eaclSDK.Table) error {
+func (m morphContainerWriter) PutEACL(eaclInfo containerCore.EACL) error {
-	err := cntClient.PutEACL(m.neoClient, table)
+	err := cntClient.PutEACL(m.neoClient, eaclInfo)
 	if err != nil {
 		return err
 	}
 
 	if m.cacheEnabled {
-		id, _ := table.CID()
+		id, _ := eaclInfo.Value.CID()
 		m.eacls.InvalidateEACL(id)
 	}
 

cmd/neofs-node/object.go

@@ -11,6 +11,7 @@ import (
 	policerconfig "github.com/nspcc-dev/neofs-node/cmd/neofs-node/config/policer"
 	replicatorconfig "github.com/nspcc-dev/neofs-node/cmd/neofs-node/config/replicator"
 	coreclient "github.com/nspcc-dev/neofs-node/pkg/core/client"
+	containercore "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	"github.com/nspcc-dev/neofs-node/pkg/core/netmap"
 	objectCore "github.com/nspcc-dev/neofs-node/pkg/core/object"
 	"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/engine"
@@ -402,29 +403,23 @@ type morphEACLFetcher struct {
 	w *cntClient.Client
 }
 
-func (s *morphEACLFetcher) GetEACL(cnr cid.ID) (*eaclSDK.Table, error) {
+func (s *morphEACLFetcher) GetEACL(cnr cid.ID) (*containercore.EACL, error) {
-	table, err := s.w.GetEACL(cnr)
+	eaclInfo, err := s.w.GetEACL(cnr)
 	if err != nil {
 		return nil, err
 	}
 
-	sig := table.Signature()
+	binTable, err := eaclInfo.Value.Marshal()
-	if sig == nil {
-		// TODO(@cthulhu-rider): #1387 use "const" error
-		return nil, errors.New("missing signature")
-	}
-
-	binTable, err := table.Marshal()
 	if err != nil {
 		return nil, fmt.Errorf("marshal eACL table: %w", err)
 	}
 
-	if !sig.Verify(binTable) {
+	if !eaclInfo.Signature.Verify(binTable) {
 		// TODO(@cthulhu-rider): #1387 use "const" error
 		return nil, errors.New("invalid signature of the eACL table")
 	}
 
-	return table, nil
+	return eaclInfo, nil
 }
 
 type reputationClientConstructor struct {

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20220601120906-3bec6657f5c5 // indirect
 	github.com/nspcc-dev/neofs-api-go/v2 v2.12.3-0.20220620114558-454b5c0ed7e9
 	github.com/nspcc-dev/neofs-contract v0.15.1
-	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220616082321-e986f4780721
+	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220621170307-721df386c599
 	github.com/nspcc-dev/tzhash v1.5.2
 	github.com/panjf2000/ants/v2 v2.4.0
 	github.com/paulmach/orb v0.2.2

pkg/core/container/storage.go

@@ -6,8 +6,23 @@ import (
 	apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
 	"github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
+	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
+	"github.com/nspcc-dev/neofs-sdk-go/eacl"
+	"github.com/nspcc-dev/neofs-sdk-go/session"
 )
 
+// Container groups information about the NeoFS container stored in the NeoFS network.
+type Container struct {
+	// Container structure.
+	Value *container.Container
+
+	// Signature of the Value.
+	Signature neofscrypto.Signature
+
+	// Session within which Value was created. Nil means session absence.
+	Session *session.Container
+}
+
 // Source is an interface that wraps
 // basic container receiving method.
 type Source interface {
@@ -19,7 +34,7 @@ type Source interface {
 	//
 	// Implementations must not retain the container pointer and modify
 	// the container through it.
-	Get(cid.ID) (*container.Container, error)
+	Get(cid.ID) (*Container, error)
 }
 
 // IsErrNotFound checks if the error returned by Source.Get corresponds
@@ -31,3 +46,16 @@ func IsErrNotFound(err error) bool {
 // ErrEACLNotFound is returned by eACL storage implementations when
 // the requested eACL table is not in the storage.
 var ErrEACLNotFound = errors.New("extended ACL table is not set for this container")
+
+// EACL groups information about the NeoFS container's extended ACL stored in
+// the NeoFS network.
+type EACL struct {
+	// Extended ACL structure.
+	Value *eacl.Table
+
+	// Signature of the Value.
+	Signature neofscrypto.Signature
+
+	// Session within which Value was set. Nil means session absence.
+	Session *session.Container
+}

pkg/innerring/processors/audit/process.go

@@ -60,7 +60,7 @@ func (ap *Processor) processStartAudit(epoch uint64) {
 			continue
 		}
 
-		policy := cnr.PlacementPolicy()
+		policy := cnr.Value.PlacementPolicy()
 		if policy == nil {
 			log.Error("missing placement policy in container, ignore",
 				zap.Stringer("cid", containers[i]),
@@ -108,7 +108,7 @@ func (ap *Processor) processStartAudit(epoch uint64) {
 			WithAuditContext(auditCtx).
 			WithContainerID(containers[i]).
 			WithStorageGroupList(storageGroups).
-			WithContainerStructure(cnr).
+			WithContainerStructure(cnr.Value).
 			WithContainerNodes(nodes).
 			WithNetworkMap(nm)
 

pkg/innerring/processors/container/process_container.go

@@ -169,7 +169,7 @@ func (cp *Processor) checkDeleteContainer(e *containerEvent.Delete) error {
 		return fmt.Errorf("could not receive the container: %w", err)
 	}
 
-	ownerContainer := cnr.OwnerID()
+	ownerContainer := cnr.Value.OwnerID()
 	if ownerContainer == nil {
 		return errors.New("missing container owner")
 	}

pkg/innerring/processors/container/process_eacl.go

@@ -52,7 +52,7 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
 	}
 
 	// ACL extensions can be disabled by basic ACL, check it
-	basicACL := cnr.BasicACL()
+	basicACL := cnr.Value.BasicACL()
 	const finalBitMask = 1 << 28
 
 	// Temp solution: NeoFS SDK is going to provide convenient interface to do this soon.
@@ -61,7 +61,7 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
 		return errors.New("ACL extension disabled by container basic ACL")
 	}
 
-	ownerContainer := cnr.OwnerID()
+	ownerContainer := cnr.Value.OwnerID()
 	if ownerContainer == nil {
 		return errors.New("missing container owner")
 	}

pkg/innerring/settlement.go

@@ -123,7 +123,7 @@ func (s settlementDeps) ContainerInfo(cid cid.ID) (common.ContainerInfo, error)
 		return nil, fmt.Errorf("could not get container from storage: %w", err)
 	}
 
-	return (*containerWrapper)(cnr), nil
+	return (*containerWrapper)(cnr.Value), nil
 }
 
 func (s settlementDeps) buildContainer(e uint64, cid cid.ID) ([][]netmapAPI.NodeInfo, *netmapAPI.NetMap, error) {
@@ -147,7 +147,7 @@ func (s settlementDeps) buildContainer(e uint64, cid cid.ID) ([][]netmapAPI.Node
 		return nil, nil, fmt.Errorf("could not get container from sidechain: %w", err)
 	}
 
-	policy := cnr.PlacementPolicy()
+	policy := cnr.Value.PlacementPolicy()
 	if policy == nil {
 		return nil, nil, errors.New("missing placement policy in container")
 	}

pkg/morph/client/container/eacl.go

@@ -8,14 +8,13 @@ import (
 	"github.com/nspcc-dev/neofs-node/pkg/core/container"
 	"github.com/nspcc-dev/neofs-node/pkg/morph/client"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
-	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
 	"github.com/nspcc-dev/neofs-sdk-go/eacl"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
 )
 
 // GetEACL reads the extended ACL table from NeoFS system
 // through Container contract call.
-func (c *Client) GetEACL(cnr cid.ID) (*eacl.Table, error) {
+func (c *Client) GetEACL(cnr cid.ID) (*container.EACL, error) {
 	binCnr := make([]byte, sha256.Size)
 	cnr.Encode(binCnr)
 
@@ -66,34 +65,29 @@ func (c *Client) GetEACL(cnr cid.ID) (*eacl.Table, error) {
 		return nil, fmt.Errorf("could not get byte array of eACL session token (%s): %w", eaclMethod, err)
 	}
 
-	table := eacl.NewTable()
+	var res container.EACL
-	if err = table.Unmarshal(rawEACL); err != nil {
+
-		// use other major version if there any
+	res.Value = eacl.NewTable()
+	if err = res.Value.Unmarshal(rawEACL); err != nil {
 		return nil, err
 	}
 
 	if len(binToken) > 0 {
-		var tok session.Container
+		res.Session = new(session.Container)
 
-		err = tok.Unmarshal(binToken)
+		err = res.Session.Unmarshal(binToken)
 		if err != nil {
 			return nil, fmt.Errorf("could not unmarshal session token: %w", err)
 		}
-
-		table.SetSessionToken(&tok)
 	}
 
-	// FIXME(@cthulhu-rider): #1387 temp solution, later table structure won't have a signature
+	// TODO(@cthulhu-rider): #1387 implement and use another approach to avoid conversion
-
 	var sigV2 refs.Signature
 	sigV2.SetKey(pub)
 	sigV2.SetSign(sig)
 	sigV2.SetScheme(refs.ECDSA_RFC6979_SHA256)
 
-	var tableSignature neofscrypto.Signature
+	res.Signature.ReadFromV2(sigV2)
-	tableSignature.ReadFromV2(sigV2)
 
-	table.SetSignature(&tableSignature)
+	return &res, nil
-
-	return table, nil
 }

pkg/morph/client/container/eacl_set.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 
 	"github.com/nspcc-dev/neofs-api-go/v2/refs"
+	containercore "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	"github.com/nspcc-dev/neofs-node/pkg/morph/client"
-	"github.com/nspcc-dev/neofs-sdk-go/eacl"
 )
 
 // PutEACL marshals table, and passes it to Wrapper's PutEACLBinary method
@@ -14,12 +14,12 @@ import (
 // Returns error if table is nil.
 //
 // If TryNotary is provided, calls notary contract.
-func PutEACL(c *Client, table *eacl.Table) error {
+func PutEACL(c *Client, eaclInfo containercore.EACL) error {
-	if table == nil {
+	if eaclInfo.Value == nil {
 		return errNilArgument
 	}
 
-	data, err := table.Marshal()
+	data, err := eaclInfo.Value.Marshal()
 	if err != nil {
 		return fmt.Errorf("can't marshal eacl table: %w", err)
 	}
@@ -27,18 +27,16 @@ func PutEACL(c *Client, table *eacl.Table) error {
 	var prm PutEACLPrm
 	prm.SetTable(data)
 
-	if tok := table.SessionToken(); tok != nil {
+	if eaclInfo.Session != nil {
-		prm.SetToken(tok.Marshal())
+		prm.SetToken(eaclInfo.Session.Marshal())
 	}
 
-	if sig := table.Signature(); sig != nil {
 	// TODO(@cthulhu-rider): #1387 implement and use another approach to avoid conversion
 	var sigV2 refs.Signature
-		sig.WriteToV2(&sigV2)
+	eaclInfo.Signature.WriteToV2(&sigV2)
 
 	prm.SetKey(sigV2.GetKey())
 	prm.SetSignature(sigV2.GetSign())
-	}
 
 	return c.PutEACL(prm)
 }

pkg/morph/client/container/get.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/nspcc-dev/neofs-api-go/v2/refs"
 	containerContract "github.com/nspcc-dev/neofs-contract/container"
+	containercore "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	core "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	"github.com/nspcc-dev/neofs-node/pkg/morph/client"
 	apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
@@ -18,7 +19,7 @@ import (
 
 type containerSource Client
 
-func (x *containerSource) Get(cnr cid.ID) (*container.Container, error) {
+func (x *containerSource) Get(cnr cid.ID) (*containercore.Container, error) {
 	return Get((*Client)(x), cnr)
 }
 
@@ -29,7 +30,7 @@ func AsContainerSource(w *Client) core.Source {
 }
 
 // Get marshals container ID, and passes it to Wrapper's Get method.
-func Get(c *Client, cnr cid.ID) (*container.Container, error) {
+func Get(c *Client, cnr cid.ID) (*containercore.Container, error) {
 	binCnr := make([]byte, sha256.Size)
 	cnr.Encode(binCnr)
 
@@ -41,7 +42,7 @@ func Get(c *Client, cnr cid.ID) (*container.Container, error) {
 //
 // If an empty slice is returned for the requested identifier,
 // storage.ErrNotFound error is returned.
-func (c *Client) Get(cid []byte) (*container.Container, error) {
+func (c *Client) Get(cid []byte) (*containercore.Container, error) {
 	prm := client.TestInvokePrm{}
 	prm.SetMethod(getMethod)
 	prm.SetArgs(cid)
@@ -87,25 +88,24 @@ func (c *Client) Get(cid []byte) (*container.Container, error) {
 		return nil, fmt.Errorf("could not get byte array of session token (%s): %w", getMethod, err)
 	}
 
-	cnr := container.New()
+	var cnr containercore.Container
-	if err := cnr.Unmarshal(cnrBytes); err != nil {
+
+	cnr.Value = container.New()
+	if err := cnr.Value.Unmarshal(cnrBytes); err != nil {
 		// use other major version if there any
 		return nil, fmt.Errorf("can't unmarshal container: %w", err)
 	}
 
 	if len(tokBytes) > 0 {
-		var tok session.Container
+		cnr.Session = new(session.Container)
 
-		err = tok.Unmarshal(tokBytes)
+		err = cnr.Session.Unmarshal(tokBytes)
 		if err != nil {
 			return nil, fmt.Errorf("could not unmarshal session token: %w", err)
 		}
-
-		cnr.SetSessionToken(&tok)
 	}
 
-	// FIXME(@cthulhu-rider): #1387 temp solution, later table structure won't have a signature
+	// TODO(@cthulhu-rider): #1387 implement and use another approach to avoid conversion
-
 	var sigV2 refs.Signature
 	sigV2.SetKey(pub)
 	sigV2.SetSign(sigBytes)
@@ -114,7 +114,5 @@ func (c *Client) Get(cid []byte) (*container.Container, error) {
 	var sig neofscrypto.Signature
 	sig.ReadFromV2(sigV2)
 
-	cnr.SetSignature(&sig)
+	return &cnr, nil
-
-	return cnr, nil
 }

pkg/morph/client/container/put.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/nspcc-dev/neofs-api-go/v2/refs"
+	containercore "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	"github.com/nspcc-dev/neofs-node/pkg/morph/client"
 	"github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
@@ -14,35 +15,33 @@ import (
 // along with sig.Key() and sig.Sign().
 //
 // Returns error if container is nil.
-func Put(c *Client, cnr *container.Container) (*cid.ID, error) {
+func Put(c *Client, cnr containercore.Container) (*cid.ID, error) {
-	if cnr == nil {
+	if cnr.Value == nil {
 		return nil, errNilArgument
 	}
 
-	data, err := cnr.Marshal()
+	data, err := cnr.Value.Marshal()
 	if err != nil {
 		return nil, fmt.Errorf("can't marshal container: %w", err)
 	}
 
-	name, zone := container.GetNativeNameWithZone(cnr)
+	name, zone := container.GetNativeNameWithZone(cnr.Value)
 
 	var prm PutPrm
 	prm.SetContainer(data)
 	prm.SetName(name)
 	prm.SetZone(zone)
 
-	if tok := cnr.SessionToken(); tok != nil {
+	if cnr.Session != nil {
-		prm.SetToken(tok.Marshal())
+		prm.SetToken(cnr.Session.Marshal())
 	}
 
-	if sig := cnr.Signature(); sig != nil {
 	// TODO(@cthulhu-rider): #1387 implement and use another approach to avoid conversion
 	var sigV2 refs.Signature
-		sig.WriteToV2(&sigV2)
+	cnr.Signature.WriteToV2(&sigV2)
 
 	prm.SetKey(sigV2.GetKey())
 	prm.SetSignature(sigV2.GetSign())
-	}
 
 	err = c.Put(prm)
 	if err != nil {

pkg/services/container/morph/executor.go

@@ -13,7 +13,6 @@ import (
 	"github.com/nspcc-dev/neofs-node/pkg/services/object/acl/eacl"
 	containerSDK "github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
-	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
 	eaclSDK "github.com/nspcc-dev/neofs-sdk-go/eacl"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
@@ -38,11 +37,11 @@ type Reader interface {
 // Writer is an interface of container storage updater.
 type Writer interface {
 	// Put stores specified container in the side chain.
-	Put(*containerSDK.Container) (*cid.ID, error)
+	Put(containercore.Container) (*cid.ID, error)
 	// Delete removes specified container from the side chain.
 	Delete(containercore.RemovalWitness) error
 	// PutEACL updates extended ACL table of specified container in the side chain.
-	PutEACL(*eaclSDK.Table) error
+	PutEACL(containercore.EACL) error
 }
 
 func NewExecutor(rdr Reader, wrt Writer) containerSvc.ServiceExecutor {
@@ -59,22 +58,19 @@ func (s *morphExecutor) Put(_ context.Context, tokV2 *sessionV2.Token, body *con
 		return nil, errors.New("missing signature")
 	}
 
-	cnr := containerSDK.NewContainerFromV2(body.GetContainer())
+	cnr := containercore.Container{
+		Value: containerSDK.NewContainerFromV2(body.GetContainer()),
+	}
 
-	var sig neofscrypto.Signature
+	cnr.Signature.ReadFromV2(*sigV2)
-	sig.ReadFromV2(*sigV2)
-
-	cnr.SetSignature(&sig)
 
 	if tokV2 != nil {
-		var tok session.Container
+		cnr.Session = new(session.Container)
 
-		err := tok.ReadFromV2(*tokV2)
+		err := cnr.Session.ReadFromV2(*tokV2)
 		if err != nil {
 			return nil, fmt.Errorf("invalid session token: %w", err)
 		}
-
-		cnr.SetSessionToken(&tok)
 	}
 
 	idCnr, err := s.wrt.Put(cnr)
@@ -151,21 +147,19 @@ func (s *morphExecutor) Get(ctx context.Context, body *container.GetRequestBody)
 
 	var sigV2 *refs.Signature
 
-	if sig := cnr.Signature(); sig != nil {
 	sigV2 = new(refs.Signature)
-		sig.WriteToV2(sigV2)
+	cnr.Signature.WriteToV2(sigV2)
-	}
 
 	var tokV2 *sessionV2.Token
 
-	if tok := cnr.SessionToken(); tok != nil {
+	if cnr.Session != nil {
 		tokV2 = new(sessionV2.Token)
 
-		tok.WriteToV2(tokV2)
+		cnr.Session.WriteToV2(tokV2)
 	}
 
 	res := new(container.GetResponseBody)
-	res.SetContainer(cnr.ToV2())
+	res.SetContainer(cnr.Value.ToV2())
 	res.SetSignature(sigV2)
 	res.SetSessionToken(tokV2)
 
@@ -208,25 +202,22 @@ func (s *morphExecutor) SetExtendedACL(ctx context.Context, tokV2 *sessionV2.Tok
 		return nil, errors.New("missing signature")
 	}
 
-	table := eaclSDK.NewTableFromV2(body.GetEACL())
+	eaclInfo := containercore.EACL{
+		Value: eaclSDK.NewTableFromV2(body.GetEACL()),
+	}
 
-	var sig neofscrypto.Signature
+	eaclInfo.Signature.ReadFromV2(*sigV2)
-	sig.ReadFromV2(*sigV2)
-
-	table.SetSignature(&sig)
 
 	if tokV2 != nil {
-		var tok session.Container
+		eaclInfo.Session = new(session.Container)
 
-		err := tok.ReadFromV2(*tokV2)
+		err := eaclInfo.Session.ReadFromV2(*tokV2)
 		if err != nil {
 			return nil, fmt.Errorf("invalid session token: %w", err)
 		}
-
-		table.SetSessionToken(&tok)
 	}
 
-	err := s.wrt.PutEACL(table)
+	err := s.wrt.PutEACL(eaclInfo)
 	if err != nil {
 		return nil, err
 	}
@@ -247,29 +238,25 @@ func (s *morphExecutor) GetExtendedACL(ctx context.Context, body *container.GetE
 		return nil, fmt.Errorf("invalid container ID: %w", err)
 	}
 
-	table, err := s.rdr.GetEACL(id)
+	eaclInfo, err := s.rdr.GetEACL(id)
 	if err != nil {
 		return nil, err
 	}
 
-	var sigV2 *refs.Signature
+	var sigV2 refs.Signature
-
+	eaclInfo.Signature.WriteToV2(&sigV2)
-	if sig := table.Signature(); sig != nil {
-		sigV2 = new(refs.Signature)
-		sig.WriteToV2(sigV2)
-	}
 
 	var tokV2 *sessionV2.Token
 
-	if tok := table.SessionToken(); tok != nil {
+	if eaclInfo.Session != nil {
 		tokV2 = new(sessionV2.Token)
 
-		tok.WriteToV2(tokV2)
+		eaclInfo.Session.WriteToV2(tokV2)
 	}
 
 	res := new(container.GetExtendedACLResponseBody)
-	res.SetEACL(table.ToV2())
+	res.SetEACL(eaclInfo.Value.ToV2())
-	res.SetSignature(sigV2)
+	res.SetSignature(&sigV2)
 	res.SetSessionToken(tokV2)
 
 	return res, nil

pkg/services/container/morph/executor_test.go

@@ -10,10 +10,8 @@ import (
 	containerCore "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	containerSvc "github.com/nspcc-dev/neofs-node/pkg/services/container"
 	containerSvcMorph "github.com/nspcc-dev/neofs-node/pkg/services/container/morph"
-	containerSDK "github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test"
-	"github.com/nspcc-dev/neofs-sdk-go/eacl"
 	sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test"
 	"github.com/stretchr/testify/require"
 )
@@ -22,7 +20,7 @@ type mock struct {
 	containerSvcMorph.Reader
 }
 
-func (m mock) Put(_ *containerSDK.Container) (*cid.ID, error) {
+func (m mock) Put(_ containerCore.Container) (*cid.ID, error) {
 	return new(cid.ID), nil
 }
 
@@ -30,7 +28,7 @@ func (m mock) Delete(_ containerCore.RemovalWitness) error {
 	return nil
 }
 
-func (m mock) PutEACL(_ *eacl.Table) error {
+func (m mock) PutEACL(_ containerCore.EACL) error {
 	return nil
 }
 

pkg/services/object/acl/acl.go

@@ -148,7 +148,7 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
 
 	bearerTok := reqInfo.Bearer()
 	if bearerTok == nil {
-		pTable, err := c.eaclSrc.GetEACL(cnr)
+		eaclInfo, err := c.eaclSrc.GetEACL(cnr)
 		if err != nil {
 			if errors.Is(err, container.ErrEACLNotFound) {
 				return nil
@@ -156,7 +156,7 @@ func (c *Checker) CheckEACL(msg interface{}, reqInfo v2.RequestInfo) error {
 			return err
 		}
 
-		table = *pTable
+		table = *eaclInfo.Value
 	} else {
 		table = bearerTok.EACLTable()
 	}

pkg/services/object/acl/acl_test.go

@@ -3,6 +3,7 @@ package acl
 import (
 	"testing"
 
+	"github.com/nspcc-dev/neofs-node/pkg/core/container"
 	"github.com/nspcc-dev/neofs-node/pkg/local_object_storage/engine"
 	v2 "github.com/nspcc-dev/neofs-node/pkg/services/object/acl/v2"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
@@ -14,7 +15,7 @@ import (
 
 type emptyEACLSource struct{}
 
-func (e emptyEACLSource) GetEACL(_ cid.ID) (*eaclSDK.Table, error) {
+func (e emptyEACLSource) GetEACL(_ cid.ID) (*container.EACL, error) {
 	return nil, nil
 }
 

pkg/services/object/acl/eacl/types.go

@@ -1,8 +1,8 @@
 package eacl
 
 import (
+	containercore "github.com/nspcc-dev/neofs-node/pkg/core/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
-	"github.com/nspcc-dev/neofs-sdk-go/eacl"
 )
 
 // Source is the interface that wraps
@@ -15,5 +15,5 @@ type Source interface {
 	//
 	// Must return pkg/core/container.ErrEACLNotFound if requested
 	// eACL table is not in source.
-	GetEACL(cid.ID) (*eacl.Table, error)
+	GetEACL(cid.ID) (*containercore.EACL, error)
 }

pkg/services/object/acl/v2/service.go

@@ -506,7 +506,7 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op eaclSDK.Ope
 	cnr, err := b.containers.Get(idCnr) // fetch actual container
 	if err != nil {
 		return info, err
-	} else if cnr.OwnerID() == nil {
+	} else if cnr.Value.OwnerID() == nil {
 		return info, errors.New("missing owner in container descriptor")
 	}
 
@@ -526,7 +526,7 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op eaclSDK.Ope
 	}
 
 	// find request role and key
-	res, err := b.c.classify(req, idCnr, cnr)
+	res, err := b.c.classify(req, idCnr, cnr.Value)
 	if err != nil {
 		return info, err
 	}
@@ -535,11 +535,11 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op eaclSDK.Ope
 		return info, ErrUnknownRole
 	}
 
-	info.basicACL = cnr.BasicACL()
+	info.basicACL = cnr.Value.BasicACL()
 	info.requestRole = res.role
 	info.isInnerRing = res.isIR
 	info.operation = op
-	info.cnrOwner = *cnr.OwnerID()
+	info.cnrOwner = *cnr.Value.OwnerID()
 	info.idCnr = idCnr
 
 	// it is assumed that at the moment the key will be valid,

pkg/services/object/put/streamer.go

@@ -156,7 +156,7 @@ func (p *Streamer) preparePrm(prm *PutInitPrm) error {
 	// add common options
 	prm.traverseOpts = append(prm.traverseOpts,
 		// set processing container
-		placement.ForContainer(cnr),
+		placement.ForContainer(cnr.Value),
 	)
 
 	if id, ok := prm.hdr.ID(); ok {

pkg/services/object/util/placement.go

@@ -147,7 +147,7 @@ func (g *TraverserGenerator) GenerateTraverser(idCnr cid.ID, idObj *oid.ID, epoc
 
 	traverseOpts = append(traverseOpts,
 		// set processing container
-		placement.ForContainer(cnr),
+		placement.ForContainer(cnr.Value),
 
 		// set placement builder
 		placement.UseBuilder(builder),

pkg/services/policer/check.go

@@ -44,7 +44,7 @@ func (p *Policer) processObject(ctx context.Context, addr oid.Address) {
 		return
 	}
 
-	policy := cnr.PlacementPolicy()
+	policy := cnr.Value.PlacementPolicy()
 	if policy == nil {
 		p.log.Error("missing placement policy in container",
 			zap.Stringer("cid", idCnr),