[#XX] Support updating and removing policies

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

Makefile

@@ -151,13 +151,16 @@ clean:
 
 # Generate code from .proto files
 protoc:
+	# Install specific version for protobuf lib
+	@GOBIN=$(abspath $(BINDIR)) go install -mod=mod -v git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/util/protogen
 	@for f in `find . -type f -name '*.proto' -not -path './vendor/*'`; do \
 		echo "⇒ Processing $$f "; \
 		protoc \
 			--go_out=paths=source_relative:. \
-            			--plugin=protoc-gen-go-frostfs=$(BIN)/protogen \
+            --plugin=protoc-gen-go-frostfs=$(BINDIR)/protogen \
-            			--go-grpc_opt=require_unimplemented_servers=false \
+            --go-frostfs_out=. --go-frostfs_opt=paths=source_relative \
-            			--go-grpc_out=. --go-grpc_opt=paths=source_relative $$f; \
+            --go-grpc_opt=require_unimplemented_servers=false \
+            --go-grpc_out=. --go-grpc_opt=paths=source_relative $$f; \
 	done
 	rm -rf vendor
 

api/middleware/auth.go

@@ -2,7 +2,6 @@ package middleware
 
 import (
 	"crypto/elliptic"
-	"encoding/hex"
 	stderrors "errors"
 	"fmt"
 	"net/http"
@@ -152,7 +151,12 @@ func PolicyCheck(storage engine.CachedChainStorage, log *zap.Logger) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			req := getPolicyRequest(r)
+			req, err := getPolicyRequest(r)
+			if err != nil {
+				reqLogOrDefault(ctx, log).Error(logs.PolicyValidationFailed, zap.Error(err))
+				WriteErrorResponse(w, GetReqInfo(ctx), err)
+				return
+			}
 
 			st, _ := storage.IsAllowed(engine.Ingress, "root", req)
 			if st != engine.Allow && st != engine.NoRuleFound {
@@ -168,25 +172,29 @@ func PolicyCheck(storage engine.CachedChainStorage, log *zap.Logger) Func {
 }
 
 // todo consider update bucket, object and api in request info
-func getPolicyRequest(r *http.Request) *policyRequest {
+func getPolicyRequest(r *http.Request) (*policyRequest, error) {
-	var requestOwnerKey []byte
+	var owner string
 	ctx := r.Context()
 	bd, err := GetBoxData(ctx)
 	if err == nil && bd.Gate.BearerToken != nil {
-		requestOwnerKey = bd.Gate.BearerToken.SigningKeyBytes()
+		pk, err := keys.NewPublicKeyFromBytes(bd.Gate.BearerToken.SigningKeyBytes(), elliptic.P256())
+		if err != nil {
+			return nil, fmt.Errorf("parse pubclic key from btoken: %w", err)
+		}
+		owner = pk.Address()
 	}
 
 	op, res := determineOperationAndResource(r)
 
 	return &policyRequest{
 		properties: map[string]string{
-			engineiam.RequestOwnerProperty: hex.EncodeToString(requestOwnerKey),
+			engineiam.RequestOwnerProperty: "AIDA" + owner,
 		},
 		operation: "s3:" + op,
 		resource: &policyResource{
 			name: "arn:aws:s3:::" + res,
 		},
-	}
+	}, nil
 }
 
 type ReqType int

creds/accessbox/accessbox.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.30.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.9
 // source: creds/accessbox/accessbox.proto
 

go.mod

@@ -7,7 +7,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231004065251-4194633db7bb
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230821090303-202412230a05
-	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231023124434-31a308ea61fb
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231102115548-63ecf63a089b
 	github.com/aws/aws-sdk-go v1.44.6
 	github.com/bluele/gcache v0.0.2
 	github.com/go-chi/chi/v5 v5.0.8

go.sum

@@ -397,8 +397,10 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230821090303-202412230a05
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20230821090303-202412230a05/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231023124434-31a308ea61fb h1:yMAz3bHUoy0lpzVd8qqJaVjb1ytjUjG8ePgaLOUUt3Q=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231102092444-c3bbe0263f37 h1:7K5RQTFoI8pBiCuOULgEOyQR0XU0bDHGv4UzCo3yBmQ=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231023124434-31a308ea61fb/go.mod h1:qf3B9hSz6gCMfcfvqkhTu5ak+Gx2R+wo4Hc87LnKxPg=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231102092444-c3bbe0263f37/go.mod h1:qf3B9hSz6gCMfcfvqkhTu5ak+Gx2R+wo4Hc87LnKxPg=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231102115548-63ecf63a089b h1:gN2o/LsolQr8mgT1GJfCKoiNlC6jimaCLyvrAkCR3hg=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231102115548-63ecf63a089b/go.mod h1:qf3B9hSz6gCMfcfvqkhTu5ak+Gx2R+wo4Hc87LnKxPg=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=

pkg/service/control/client/client.go

@@ -32,22 +32,19 @@ func New(ctx context.Context, addr string, key *keys.PrivateKey) (*Client, error
 
 	svc := control.NewControlServiceClient(conn)
 
-	// todo consider add invoking healthcheck
+	cli := &Client{
-	// c.Healthcheck(ctx)
-
-	return &Client{
 		svc: svc,
 		key: key,
-	}, nil
+	}
+
+	return cli, cli.Healthcheck(ctx)
 }
 
 func (c *Client) Healthcheck(ctx context.Context) error {
 	req := &control.HealthCheckRequest{}
-	sig, err := controlSvc.SignMessage(&c.key.PrivateKey, req.Body)
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
-	if err != nil {
 		return err
 	}
-	req.Signature = sig
 
 	res, err := c.svc.HealthCheck(ctx, req)
 	if err != nil {
@@ -61,7 +58,7 @@ func (c *Client) Healthcheck(ctx context.Context) error {
 	return nil
 }
 
-func (c *Client) AddPolicyIAM(ctx context.Context, policy string) error {
+func (c *Client) AddPolicyIAM(ctx context.Context, namespace string, chainID policyengine.ChainID, policy string) error {
 	var p engineiam.Policy
 	if err := json.Unmarshal([]byte(policy), &p); err != nil {
 		return err
@@ -71,21 +68,55 @@ func (c *Client) AddPolicyIAM(ctx context.Context, policy string) error {
 	if err != nil {
 		return err
 	}
+	chain.ID = chainID
 
-	return c.AddPolicy(ctx, chain)
+	return c.AddPolicy(ctx, namespace, chain)
 }
 
-func (c *Client) AddPolicy(ctx context.Context, chain *policyengine.Chain) error {
+func (c *Client) AddPolicy(ctx context.Context, namespace string, chain *policyengine.Chain) error {
 	req := &control.AddPolicyRequest{
-		Body: chain.Bytes(),
+		Body: &control.AddPolicyRequest_Body{
+			Namespace: namespace,
+			Chain:     chain.Bytes(),
+		},
 	}
 
-	sig, err := controlSvc.SignMessage(&c.key.PrivateKey, req.Body)
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
-	if err != nil {
 		return err
 	}
-	req.Signature = sig
 
-	_, err = c.svc.AddPolicy(ctx, req)
+	_, err := c.svc.AddPolicy(ctx, req)
+	return err
+}
+
+func (c *Client) PutPolicy(ctx context.Context, namespace string, chain *policyengine.Chain) error {
+	req := &control.PutPolicyRequest{
+		Body: &control.PutPolicyRequest_Body{
+			Namespace: namespace,
+			Chain:     chain.Bytes(),
+		},
+	}
+
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
+		return err
+	}
+
+	_, err := c.svc.PutPolicy(ctx, req)
+	return err
+}
+
+func (c *Client) RemovePolicy(ctx context.Context, namespace string, chainID policyengine.ChainID) error {
+	req := &control.RemovePolicyRequest{
+		Body: &control.RemovePolicyRequest_Body{
+			Namespace: namespace,
+			ChainID:   string(chainID),
+		},
+	}
+
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
+		return err
+	}
+
+	_, err := c.svc.RemovePolicy(ctx, req)
 	return err
 }

pkg/service/control/server/server.go

@@ -116,29 +116,74 @@ func (s *Server) HealthCheck(_ context.Context, req *control.HealthCheckRequest)
 //
 // If request is unsigned or signed by disallowed key, permission error returns.
 func (s *Server) AddPolicy(_ context.Context, req *control.AddPolicyRequest) (*control.AddPolicyResponse, error) {
-	s.log.Info("add policy", zap.String("key", hex.EncodeToString(req.Signature.Key)))
+	s.log.Info("add policy", zap.String("namespace", req.GetBody().GetNamespace()), zap.String("key", hex.EncodeToString(req.Signature.Key)))
 
 	// verify request
 	if err := s.isValidRequest(req); err != nil {
 		return nil, status.Error(codes.PermissionDenied, err.Error())
 	}
 
-	req.GetBody()
-
 	var chain engine.Chain
-	if err := chain.DecodeBytes(req.Body); err != nil {
+	if err := chain.DecodeBytes(req.GetBody().Chain); err != nil {
 		return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("failed to parse body: %s", err.Error()))
 	}
 
-	s.chainStorage.AddNameSpaceChain(engine.Ingress, "root", &chain)
+	if chain.ID == "" {
+		return nil, status.Error(codes.InvalidArgument, "missing chain id")
+	}
+
+	s.chainStorage.AddOverride(engine.Ingress, &chain)
 
 	return &control.AddPolicyResponse{}, nil
 }
 
+// PutPolicy adds new policy.
+//
+// If request is unsigned or signed by disallowed key, permission error returns.
+func (s *Server) PutPolicy(_ context.Context, req *control.PutPolicyRequest) (*control.PutPolicyResponse, error) {
+	s.log.Info("update policy", zap.String("namespace", req.GetBody().GetNamespace()), zap.String("key", hex.EncodeToString(req.Signature.Key)))
+
+	// verify request
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	var chain engine.Chain
+	if err := chain.DecodeBytes(req.GetBody().Chain); err != nil {
+		return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("failed to parse body: %s", err.Error()))
+	}
+
+	if chain.ID == "" {
+		return nil, status.Error(codes.InvalidArgument, "missing chain id")
+	}
+
+	s.chainStorage.RemoveOverride(engine.Ingress, chain.ID)
+	s.chainStorage.AddOverride(engine.Ingress, &chain)
+
+	return &control.PutPolicyResponse{}, nil
+}
+
+// RemovePolicy adds new policy.
+//
+// If request is unsigned or signed by disallowed key, permission error returns.
+func (s *Server) RemovePolicy(_ context.Context, req *control.RemovePolicyRequest) (*control.RemovePolicyResponse, error) {
+	s.log.Info("remove policy", zap.String("chainId", req.GetBody().GetChainID()), zap.String("key", hex.EncodeToString(req.Signature.Key)))
+
+	// verify request
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	removed := s.chainStorage.RemoveOverride(engine.Ingress, engine.ChainID(req.GetBody().GetChainID()))
+
+	return &control.RemovePolicyResponse{Body: &control.RemovePolicyResponse_Body{Removed: removed}}, nil
+}
+
 // SignedMessage is an interface of Control service message.
 type SignedMessage interface {
+	ReadSignedData([]byte) ([]byte, error)
 	GetSignature() *control.Signature
-	GetBody() []byte
+	SetSignature(*control.Signature)
 }
 
 var errDisallowedKey = errors.New("key is not in the allowed list")
@@ -168,6 +213,10 @@ func (s *Server) isValidRequest(req SignedMessage) error {
 	}
 
 	// verify signature
+	binBody, err := req.ReadSignedData(nil)
+	if err != nil {
+		return fmt.Errorf("marshal request body: %w", err)
+	}
 
 	// TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion
 	var sigV2 refs.Signature
@@ -180,7 +229,7 @@ func (s *Server) isValidRequest(req SignedMessage) error {
 		return fmt.Errorf("can't read signature: %w", err)
 	}
 
-	if !sig.Verify(req.GetBody()) {
+	if !sig.Verify(binBody) {
 		return errInvalidSignature
 	}
 
@@ -188,12 +237,17 @@ func (s *Server) isValidRequest(req SignedMessage) error {
 }
 
 // SignMessage signs Control service message with private key.
-func SignMessage(key *ecdsa.PrivateKey, body []byte) (*control.Signature, error) {
+func SignMessage(key *ecdsa.PrivateKey, msg SignedMessage) error {
+	binBody, err := msg.ReadSignedData(nil)
+	if err != nil {
+		return fmt.Errorf("marshal request body: %w", err)
+	}
+
 	var sig frostfscrypto.Signature
 
-	err := sig.Calculate(frostfsecdsa.Signer(*key), body)
+	err = sig.Calculate(frostfsecdsa.Signer(*key), binBody)
 	if err != nil {
-		return nil, fmt.Errorf("calculate signature: %w", err)
+		return fmt.Errorf("calculate signature: %w", err)
 	}
 
 	// TODO(@cthulhu-rider): #468 use Signature message from FrostFS API to avoid conversion
@@ -204,5 +258,7 @@ func SignMessage(key *ecdsa.PrivateKey, body []byte) (*control.Signature, error)
 	sigControl.Key = sigV2.GetKey()
 	sigControl.Sign = sigV2.GetSign()
 
-	return &sigControl, nil
+	msg.SetSignature(&sigControl)
+
+	return nil
 }

pkg/service/control/service.proto

@@ -10,6 +10,10 @@ service ControlService {
   rpc HealthCheck (HealthCheckRequest) returns (HealthCheckResponse);
 
   rpc AddPolicy (AddPolicyRequest) returns (AddPolicyResponse);
+
+  rpc PutPolicy (PutPolicyRequest) returns (PutPolicyResponse);
+
+  rpc RemovePolicy (RemovePolicyRequest) returns (RemovePolicyResponse);
 }
 
 // Signature of some message.
@@ -23,8 +27,11 @@ message Signature {
 
 // Health check request.
 message HealthCheckRequest {
+  message Body {
+  }
+
   // Body of health check request message.
-  bytes body = 1;
+  Body body = 1;
 
   // Body signature.
   Signature signature = 2;
@@ -35,11 +42,13 @@ message HealthCheckResponse {
   // Health check response body
   message Body {
     // Health status of storage node application.
-    HealthStatus health_status = 2;
+    HealthStatus health_status = 1;
   }
 
   // Body of health check response message.
   Body body = 1;
+
+  Signature signature = 2;
 }
 
 
@@ -60,8 +69,14 @@ enum HealthStatus {
 
 // Add policy request.
 message AddPolicyRequest {
-  // Body of health check request message.
+  message Body {
-  bytes body = 1;
+    // Namespace.
+    string namespace = 1;
+    // Chain rules.
+    bytes chain = 2;
+  }
+
+  Body body = 1;
 
   // Body signature.
   Signature signature = 2;
@@ -69,5 +84,61 @@ message AddPolicyRequest {
 
 // Add policy response.
 message AddPolicyResponse {
+  message Body {
+  }
 
+  Body body = 1;
+
+  Signature signature = 2;
+}
+
+// Put policy request.
+message PutPolicyRequest {
+  message Body {
+    // Namespace.
+    string namespace = 1;
+    // Chain rules.
+    bytes chain = 2;
+  }
+
+  Body body = 1;
+
+  // Body signature.
+  Signature signature = 2;
+}
+
+// Put policy response.
+message PutPolicyResponse {
+  message Body {
+  }
+
+  Body body = 1;
+
+  Signature signature = 2;
+}
+
+// Add policy request.
+message RemovePolicyRequest {
+  message Body {
+    // Namespace.
+    string namespace = 1;
+    // Chain id to remove.
+    string chainID = 2;
+  }
+
+  Body body = 1;
+
+  // Body signature.
+  Signature signature = 2;
+}
+
+// Add policy response.
+message RemovePolicyResponse {
+  message Body {
+    bool removed = 1;
+  }
+
+  Body body = 1;
+
+  Signature signature = 2;
 }

pkg/service/control/service_frostfs.pb.go

@@ -0,0 +1,705 @@
+// Code generated by protoc-gen-go-frostfs. DO NOT EDIT.
+
+package control
+
+import "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/util/proto"
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *Signature) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.BytesSize(1, x.Key)
+	size += proto.BytesSize(2, x.Sign)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *Signature) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.BytesMarshal(1, buf[offset:], x.Key)
+	offset += proto.BytesMarshal(2, buf[offset:], x.Sign)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckRequest_Body) StableMarshal(buf []byte) []byte {
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *HealthCheckRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *HealthCheckRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *HealthCheckRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.EnumSize(1, int32(x.HealthStatus))
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckResponse_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.EnumMarshal(1, buf[offset:], int32(x.HealthStatus))
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *HealthCheckResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *HealthCheckResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *HealthCheckResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *AddPolicyRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.StringSize(1, x.Namespace)
+	size += proto.BytesSize(2, x.Chain)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *AddPolicyRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
+	offset += proto.BytesMarshal(2, buf[offset:], x.Chain)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *AddPolicyRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *AddPolicyRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *AddPolicyRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *AddPolicyRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *AddPolicyRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *AddPolicyResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *AddPolicyResponse_Body) StableMarshal(buf []byte) []byte {
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *AddPolicyResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *AddPolicyResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *AddPolicyResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *AddPolicyResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *AddPolicyResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPolicyRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.StringSize(1, x.Namespace)
+	size += proto.BytesSize(2, x.Chain)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPolicyRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
+	offset += proto.BytesMarshal(2, buf[offset:], x.Chain)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPolicyRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPolicyRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *PutPolicyRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *PutPolicyRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *PutPolicyRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPolicyResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPolicyResponse_Body) StableMarshal(buf []byte) []byte {
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPolicyResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPolicyResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *PutPolicyResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *PutPolicyResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *PutPolicyResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePolicyRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.StringSize(1, x.Namespace)
+	size += proto.StringSize(2, x.ChainID)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePolicyRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
+	offset += proto.StringMarshal(2, buf[offset:], x.ChainID)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePolicyRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePolicyRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *RemovePolicyRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *RemovePolicyRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *RemovePolicyRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePolicyResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.BoolSize(1, x.Removed)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePolicyResponse_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.BoolMarshal(1, buf[offset:], x.Removed)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePolicyResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePolicyResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *RemovePolicyResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *RemovePolicyResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *RemovePolicyResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}

pkg/service/control/service_grpc.pb.go

@@ -25,6 +25,8 @@ type ControlServiceClient interface {
 	// Performs health check of the storage node.
 	HealthCheck(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (*HealthCheckResponse, error)
 	AddPolicy(ctx context.Context, in *AddPolicyRequest, opts ...grpc.CallOption) (*AddPolicyResponse, error)
+	PutPolicy(ctx context.Context, in *PutPolicyRequest, opts ...grpc.CallOption) (*PutPolicyResponse, error)
+	RemovePolicy(ctx context.Context, in *RemovePolicyRequest, opts ...grpc.CallOption) (*RemovePolicyResponse, error)
 }
 
 type controlServiceClient struct {
@@ -53,6 +55,24 @@ func (c *controlServiceClient) AddPolicy(ctx context.Context, in *AddPolicyReque
 	return out, nil
 }
 
+func (c *controlServiceClient) PutPolicy(ctx context.Context, in *PutPolicyRequest, opts ...grpc.CallOption) (*PutPolicyResponse, error) {
+	out := new(PutPolicyResponse)
+	err := c.cc.Invoke(ctx, "/control.ControlService/PutPolicy", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlServiceClient) RemovePolicy(ctx context.Context, in *RemovePolicyRequest, opts ...grpc.CallOption) (*RemovePolicyResponse, error) {
+	out := new(RemovePolicyResponse)
+	err := c.cc.Invoke(ctx, "/control.ControlService/RemovePolicy", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ControlServiceServer is the server API for ControlService service.
 // All implementations should embed UnimplementedControlServiceServer
 // for forward compatibility
@@ -60,6 +80,8 @@ type ControlServiceServer interface {
 	// Performs health check of the storage node.
 	HealthCheck(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error)
 	AddPolicy(context.Context, *AddPolicyRequest) (*AddPolicyResponse, error)
+	PutPolicy(context.Context, *PutPolicyRequest) (*PutPolicyResponse, error)
+	RemovePolicy(context.Context, *RemovePolicyRequest) (*RemovePolicyResponse, error)
 }
 
 // UnimplementedControlServiceServer should be embedded to have forward compatible implementations.
@@ -72,6 +94,12 @@ func (UnimplementedControlServiceServer) HealthCheck(context.Context, *HealthChe
 func (UnimplementedControlServiceServer) AddPolicy(context.Context, *AddPolicyRequest) (*AddPolicyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method AddPolicy not implemented")
 }
+func (UnimplementedControlServiceServer) PutPolicy(context.Context, *PutPolicyRequest) (*PutPolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PutPolicy not implemented")
+}
+func (UnimplementedControlServiceServer) RemovePolicy(context.Context, *RemovePolicyRequest) (*RemovePolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RemovePolicy not implemented")
+}
 
 // UnsafeControlServiceServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to ControlServiceServer will
@@ -120,6 +148,42 @@ func _ControlService_AddPolicy_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
+func _ControlService_PutPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(PutPolicyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).PutPolicy(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/control.ControlService/PutPolicy",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).PutPolicy(ctx, req.(*PutPolicyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ControlService_RemovePolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RemovePolicyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).RemovePolicy(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/control.ControlService/RemovePolicy",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).RemovePolicy(ctx, req.(*RemovePolicyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // ControlService_ServiceDesc is the grpc.ServiceDesc for ControlService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -135,6 +199,14 @@ var ControlService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "AddPolicy",
 			Handler:    _ControlService_AddPolicy_Handler,
 		},
+		{
+			MethodName: "PutPolicy",
+			Handler:    _ControlService_PutPolicy_Handler,
+		},
+		{
+			MethodName: "RemovePolicy",
+			Handler:    _ControlService_RemovePolicy_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "pkg/service/control/service.proto",