From b8c8bf4ba23233a621f0a7a1893da520d8e80d2c Mon Sep 17 00:00:00 2001
From: Alex Vanin
Date: Thu, 3 Jun 2021 18:20:03 +0300
Subject: [PATCH] [#587] cmd/neofs-cli: Add sign session-token command

Container commands in NeoFS CLI can use signed session token to create, delete container and change extended ACL table. This token should be signed the same way we sign bearer tokens.

Signed-off-by: Alex Vanin
---
 cmd/neofs-cli/modules/util.go | 54 +++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/cmd/neofs-cli/modules/util.go b/cmd/neofs-cli/modules/util.go
index 9d9de245..65457815 100644
--- a/cmd/neofs-cli/modules/util.go
+++ b/cmd/neofs-cli/modules/util.go
@@ -41,6 +41,12 @@ var (
 RunE: signBearerToken,
 }
 
+ signSessionCmd = &cobra.Command{
+ Use: "session-token",
+ Short: "sign session token to use it in requests",
+ RunE: signSessionToken,
+ }
+
 convertCmd = &cobra.Command{
 Use: "convert",
 Short: "convert representation of NeoFS structures",
@@ -193,6 +199,12 @@ func init() {
 signBearerCmd.Flags().String("to", "", "File to dump signed bearer token (default: binary encoded)")
 signBearerCmd.Flags().Bool("json", false, "Dump bearer token in JSON encoding")
 
+ signCmd.AddCommand(signSessionCmd)
+ signSessionCmd.Flags().String("from", "", "File with JSON encoded session token to sign")
+ _ = signSessionCmd.MarkFlagFilename("from")
+ _ = signSessionCmd.MarkFlagRequired("from")
+ signSessionCmd.Flags().String("to", "", "File to save signed session token (optional)")
+
 convertCmd.AddCommand(convertEACLCmd)
 convertEACLCmd.Flags().String("from", "", "File with JSON or binary encoded extended ACL table")
 _ = convertEACLCmd.MarkFlagFilename("from")
@@ -295,6 +307,48 @@ func signBearerToken(cmd *cobra.Command, _ []string) error {
 return nil
 }
 
+func signSessionToken(cmd *cobra.Command, _ []string) error {
+ path, err := cmd.Flags().GetString("from")
+ if err != nil {
+ return err
+ }
+
+ stok, err := getSessionToken(path)
+ if err != nil {
+ return fmt.Errorf("can't read session token from %s: %w", path, err)
+ }
+
+ key, err := getKey()
+ if err != nil {
+ return fmt.Errorf("can't get private key, make sure it is provided: %w", err)
+ }
+
+ err = stok.Sign(key)
+ if err != nil {
+ return fmt.Errorf("can't sign token: %w", err)
+ }
+
+ data, err := stok.MarshalJSON()
+ if err != nil {
+ return fmt.Errorf("can't encode session token: %w", err)
+ }
+
+ to := cmd.Flag("to").Value.String()
+ if len(to) == 0 {
+ prettyPrintJSON(cmd, data)
+ return nil
+ }
+
+ err = ioutil.WriteFile(to, data, 0644)
+ if err != nil {
+ return fmt.Errorf("can't write signed session token to %s: %w", to, err)
+ }
+
+ fmt.Printf("signed session token saved in %s\n", to)
+
+ return nil
+}
+
 func convertEACLTable(cmd *cobra.Command, _ []string) error {
 pathFrom := cmd.Flag("from").Value.String()
 to := cmd.Flag("to").Value.String()
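Review bot: The signed token is written world-readable by `ioutil.WriteFile(to, data, 0644)` in signSessionToken, although per the commit message it authorizes creating and deleting containers and changing the extended ACL table; `err = ioutil.WriteFile(to, data, 0600)` is the least-privilege choice for such an artifact. WriteFile also keeps the existing mode when the target already exists, so overwriting a previously world-readable file leaves it world-readable; a short comment above the call saying so would help the next reader. How far the token is usable on its own depends on how the session key is bound to it, which this hunk does not show, so treat the severity as unconfirmed. If signBearerToken writes its output with the same mode (its body is outside the hunk), the same change likely applies there.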