orikik/frostfs-api
1
0
Fork 0
forked from TrueCloudLab/frostfs-api
Code Pull requests 1 Activity Actions

[#37] Move Bearer and Session Tokens to -Meta headers

Browse source 
It may be more convenient to have tokens in request Meta headers. Mostly
to simplify handling of verification headers.

Signed-off-by: Stanislav Bogatyrev <stanislav@nspcc.ru>
This commit is contained in:
Stanislav Bogatyrev 2020-08-11 18:21:45 +03:00 committed by Stanislav Bogatyrev
parent 4b1eb63b59
commit f236f6bc59
2 changed files with 90 additions and 94 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

79
service/meta.proto
View file

@ -6,6 +6,7 @@ option go_package = "github.com/nspcc-dev/neofs-api-go/service";
option csharp_namespace = "NeoFS.API.Service"; option csharp_namespace = "NeoFS.API.Service";
import "acl/types.proto"; import "acl/types.proto";
import "refs/types.proto";
import "service/verify.proto"; import "service/verify.proto";
message XHeader { message XHeader {
@ -23,6 +24,76 @@ message Version {
uint32 minor = 2; uint32 minor = 2;
} }
// Lifetime parameters of the token. Filed names taken from rfc7519.
message TokenLifetime {
// Expiration Epoch
uint64 exp = 1;
// Not valid before Epoch
uint64 nbf = 2;
// Issued at Epoch
uint64 iat = 3;
}
// NeoFS session token.
message SessionToken {
message Body {
// ID is a token identifier. valid UUIDv4 represented in bytes
bytes id = 1;
// OwnerID carries identifier of the session initiator.
refs.OwnerID owner_id = 2;
// Verb is an enumeration of session request types
enum Verb {
// Refers to object.Put RPC call
OBJECT_PUT = 0;
// Refers to object.Get RPC call
OBJECT_GET = 1;
// Refers to object.Head RPC call
OBJECT_HEAD = 2;
// Refers to object.Search RPC call
OBJECT_SEARCH = 3;
// Refers to object.Delete RPC call
OBJECT_DELETE = 4;
// Refers to object.GetRange RPC call
OBJECT_RANGE = 5;
// Refers to object.GetRangeHash RPC call
OBJECT_RANGEHASH = 6;
}
// Verb is a type of request for which the token is issued
Verb verb = 3;
// Lifetime is a lifetime of the session
TokenLifetime lifetime = 4;
// SessionKey is a public key of session key
bytes session_key = 5;
// Carries context of the session.
oneof context {
// object_address represents the object session context.
refs.Address object_address = 6;
}
}
// Session Token body
Body token = 1;
// Signature is a signature of session token information
Signature signature = 2;
}
// BearerToken has information about request ACL rules with limited lifetime
message BearerToken {
message Body {
// EACLTable carries table of extended ACL rules
acl.EACLTable eacl_table = 1;
// OwnerID carries identifier of the token owner
refs.OwnerID owner_id = 2;
// Token expiration and valid time period parameters
TokenLifetime lifetime = 3;
}
// Bearer Token body
Body token = 1;
// Signature of BearerToken body
Signature signature = 2;
}
// Information about the request // Information about the request
message RequestMetaHeader { message RequestMetaHeader {
// Client API version. // Client API version.
@ -33,9 +104,13 @@ message RequestMetaHeader {
uint32 ttl = 3; uint32 ttl = 3;
// Request X-Headers. // Request X-Headers.
repeated XHeader x_headers = 4; repeated XHeader x_headers = 4;
// Token is a token of the session within which the request is sent
SessionToken token = 5;
// Bearer is a Bearer token of the request
BearerToken bearer = 6;
// RequestMetaHeader of the origin request. // RequestMetaHeader of the origin request.
RequestMetaHeader origin = 98; RequestMetaHeader origin = 7;
} }
// Information about the response // Information about the response
@ -50,5 +125,5 @@ message ResponseMetaHeader {
repeated XHeader x_headers = 4; repeated XHeader x_headers = 4;
// Carries response meta header of the origin response. // Carries response meta header of the origin response.
ResponseMetaHeader origin = 98; ResponseMetaHeader origin = 5;
} }

105
service/verify.proto
View file

@ -8,6 +8,7 @@ option csharp_namespace = "NeoFS.API.Service";
import "acl/types.proto"; import "acl/types.proto";
import "refs/types.proto"; import "refs/types.proto";
// Signature of something in NeoFS
message Signature { message Signature {
// Public key used for signing. // Public key used for signing.
bytes key = 1; bytes key = 1;
@ -17,106 +18,26 @@ message Signature {
// Verification info for request signed by all intermediate nodes // Verification info for request signed by all intermediate nodes
message RequestVerificationHeader { message RequestVerificationHeader {
// Request Body signature. Should be generated once by request initiator.
Signature body_signature = 1; Signature body_signature = 1;
// Request Meta signature is added and signed by any intermediate node
Signature meta_signature = 2; Signature meta_signature = 2;
// Sign previous hops
Signature origin_signature = 3;
// Token is a token of the session within which the request is sent // Chain of previous hops signatures
SessionToken token = 3; RequestVerificationHeader origin = 4;
// Bearer is a Bearer token of the request
BearerTokenMsg bearer = 4;
RequestVerificationHeader origin = 5;
}
// Represents the NeoFS session token.
message SessionToken {
message Info {
// ID is a token identifier. valid UUIDv4 represented in bytes
bytes id = 1;
// OwnerID carries identifier of the session initiator.
refs.OwnerID owner_id = 2;
// Verb is an enumeration of session request types
enum Verb {
// Refers to object.Put RPC call
OBJECT_PUT = 0;
// Refers to object.Get RPC call
OBJECT_GET = 1;
// Refers to object.Head RPC call
OBJECT_HEAD = 2;
// Refers to object.Search RPC call
OBJECT_SEARCH = 3;
// Refers to object.Delete RPC call
OBJECT_DELETE = 4;
// Refers to object.GetRange RPC call
OBJECT_RANGE = 5;
// Refers to object.GetRangeHash RPC call
OBJECT_RANGEHASH = 6;
}
// Verb is a type of request for which the token is issued
Verb verb = 3;
// Lifetime is a lifetime of the session
TokenLifetime lifetime = 4;
// SessionKey is a public key of session key
bytes session_key = 5;
// OwnerKey is a public key of the token owner
bytes owner_key = 6;
// Carries context of the session.
oneof context {
// object_address represents the object session context.
refs.Address object_address = 7;
}
}
// token_info is a grouped information about token
Info token_info = 1;
// Signature is a signature of session token information
bytes signature = 2;
}
// TokenLifetime carries a group of lifetime parameters of the token
message TokenLifetime {
// created carries an initial epoch of token lifetime
uint64 created = 1;
// valid_until carries a last epoch of token lifetime
uint64 valid_until = 2;
}
// BearerTokenMsg carries information about request ACL rules with limited lifetime
message BearerTokenMsg {
message Info {
// EACLTable carries table of extended ACL rules.
acl.EACLTable eacl_table = 1;
// OwnerID carries identifier of the token owner.
refs.OwnerID owner_id = 2;
// ValidUntil carries a last epoch of token lifetime
uint64 valid_until = 3;
}
// token_info is a grouped information about token
Info token_info = 1;
// owner_key is a public key of the token owner
bytes owner_key = 2;
// Signature is a signature of token information
bytes signature = 3;
} }
// Verification info for response signed by all intermediate nodes // Verification info for response signed by all intermediate nodes
message ResponseVerificationHeader { message ResponseVerificationHeader {
// Response Body signature. Should be generated once by answering node.
Signature body_signature = 1; Signature body_signature = 1;
// Response Meta signature is added and signed by any intermediate node
Signature meta_signature = 2; Signature meta_signature = 2;
// Sign previous hops
Signature origin_signature = 3;
ResponseVerificationHeader origin = 3; // Chain of previous hops signatures
ResponseVerificationHeader origin = 4;
} }