frostfs-mfa/mfa/mfa.go

package mfa

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"strings"

	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"github.com/pquerna/otp"
	"go.uber.org/zap"
)

type (
	// Manager provides interface to manage MFA devices in FrostFS container.
	// It should be provided with Storage interface to manage FrostFS objects
	// and KeyStore interface to encode and decode OTP keys inside FrostFS
	// objects.
	Manager struct {
		storage   Storage
		unlocker  KeyStore
		container cid.ID
		logger    *zap.Logger
	}

	// KeyStore is an interface for Manager to provide keys to encode and decode
	// OTP keys of MFA devices.
	KeyStore interface {
		// PrivateKey returns private key of this Manager.
		PrivateKey() *keys.PrivateKey
		// PublicKeys returns list of public keys for all managers, including
		// this Manager.
		PublicKeys() []*keys.PublicKey
	}

	// Config contains parameters for Manager constructor.
	Config struct {
		Storage   Storage
		Unlocker  KeyStore
		Container cid.ID
		Logger    *zap.Logger
	}
)

// NewManager creates new instance of Manager.
func NewManager(cfg Config) (*Manager, error) {
	if cfg.Storage == nil {
		return nil, errors.New("mfa storage is nil")
	}
	if cfg.Logger == nil {
		return nil, errors.New("mfa logger is nil")
	}
	if cfg.Unlocker == nil {
		return nil, errors.New("mfa key store is nil")
	}

	return &Manager{
		storage:   cfg.Storage,
		container: cfg.Container,
		unlocker:  cfg.Unlocker,
		logger:    cfg.Logger,
	}, nil
}

// CreateMFADevice creates new FrostFS object with encoded MFA device inside and stores it in MFA container.
func (m *Manager) CreateMFADevice(ctx context.Context, device SecretDevice) error {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.CreateMFADevice")
	defer span.End()

	filePath := getTreePath(device.Namespace, device.Name)
	if _, err := m.storage.GetTreeNode(ctx, m.container, filePath); err == nil {
		return ErrMFAEntityAlreadyExists // return well known error here
	} else if !errors.Is(err, ErrTreeNodeNotFound) {
		return fmt.Errorf("get mfa node '%s' to check: %w", filePath, err)
	}

	return m.putMFADevice(ctx, device)
}

// GetMFADevice returns decoded MFA device from MFA container.
func (m *Manager) GetMFADevice(ctx context.Context, ns, mfaName string) (*SecretDevice, error) {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.GetMFADevice")
	defer span.End()

	node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(ns, mfaName))
	if err != nil {
		return nil, fmt.Errorf("get mfa nodes: %w", err)
	}

	var objID oid.ID
	if err = objID.DecodeString(node.Current.Meta[OIDKey]); err != nil {
		return nil, fmt.Errorf("decode oid '%s': %w", node.Current.Meta[OIDKey], err)
	}

	var addr oid.Address
	addr.SetContainer(m.container)
	addr.SetObject(objID)

	boxData, err := m.storage.GetObject(ctx, addr)
	if err != nil {
		return nil, fmt.Errorf("get object '%s': %w", addr.EncodeToString(), err)
	}

	mfaBox := new(MFABox)
	if err = mfaBox.Unmarshal(boxData); err != nil {
		return nil, fmt.Errorf("unmarshal box data: %w", err)
	}

	secrets, err := UnpackMFABox(mfaBox, m.unlocker.PrivateKey())
	if err != nil {
		return nil, fmt.Errorf("unpack mfa box: %w", err)
	}

	key, err := otp.NewKeyFromURL(secrets.URL())
	if err != nil {
		return nil, err
	}

	dev, err := newDevice(&node.Current)
	if err != nil {
		return nil, err
	}

	return &SecretDevice{
		Device: *dev,
		Key:    key,
	}, nil
}

// GetTinyMFADevice returns MFA device metadata without OTP key from the tree of MFA container.
func (m *Manager) GetTinyMFADevice(ctx context.Context, ns, mfaName string) (*Device, error) {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.GetTinyMFADevice")
	defer span.End()

	node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(ns, mfaName))
	if err != nil {
		return nil, fmt.Errorf("get mfa nodes: %w", err)
	}

	dev, err := newDevice(&node.Current)
	if err != nil {
		return nil, err
	}

	return dev, nil
}

// ListMFADevices lists all available MFA device metadata with specified device namespace from the tree of MFA container.
func (m *Manager) ListMFADevices(ctx context.Context, ns string) ([]*Device, error) {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.ListMFADevices")
	defer span.End()

	list, err := m.storage.GetTreeNodes(ctx, m.container, ns)
	if err != nil {
		return nil, err
	}

	return m.formDevices(list)
}

// ListAllMFADevices lists all available MFA device metadata from the tree of MFA container.
func (m *Manager) ListAllMFADevices(ctx context.Context) ([]*Device, error) {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.ListAllMFADevices")
	defer span.End()

	list, err := m.storage.GetTreeNodes(ctx, m.container, "")
	if err != nil {
		return nil, err
	}

	return m.formDevices(list)
}

// UpdateMFADevice updates MFA device metadata in the tree of MFA container.
func (m *Manager) UpdateMFADevice(ctx context.Context, device *Device) error {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.UpdateMFADevice")
	defer span.End()

	node, err := m.storage.SetTreeNode(ctx, m.container, getTreePath(device.Namespace, device.Name), device.Meta)
	if err != nil {
		return fmt.Errorf("set mfa tree node : %w", err)
	}

	m.deleteObjects(ctx, node.Old)

	return nil
}

// DeleteMFADevice removes FrostFS object and metadata from the tree of MFA container related to device.
func (m *Manager) DeleteMFADevice(ctx context.Context, device *Device) error {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.DeleteMFADevice")
	defer span.End()

	meta := device.Meta
	var objID oid.ID
	if err := objID.DecodeString(meta[OIDKey]); err != nil {
		return fmt.Errorf("decode oid '%s': %w", meta[OIDKey], err)
	}

	address := oid.Address{}
	address.SetObject(objID)
	address.SetContainer(m.container)

	if err := m.storage.DeleteObject(ctx, address); err != nil {
		return fmt.Errorf("failed to delete from storage: %w", err)
	}

	old, err := m.storage.DeleteTreeNode(ctx, m.container, getTreePath(device.Namespace, device.Name))
	if err != nil {
		m.deleteObjects(ctx, old)
		return fmt.Errorf("failed to delete from tree: %w", err)
	}

	return nil
}

// RecipherDevice creates new FrostFS object with encoded OTP key for new set
// of public keys from KeyManager. If existing FrostFS object already contains
// all public keys from KeyManager, then does nothing.
func (m *Manager) RecipherDevice(ctx context.Context, dev *Device) error {
	ctx, span := tracing.StartSpanFromContext(ctx, "mfa.RecipherDevice")
	defer span.End()

	node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(dev.Namespace, dev.Name))
	if err != nil {
		return fmt.Errorf("get mfa nodes: %w", err)
	}

	if dev.OID.EncodeToString() != node.Current.Meta[OIDKey] {
		// This can happen in the following cases:
		// * device was reciphered by other Manager
		// * device was removed and newly created with the same name
		// in both cases it must be already encrypted for new list of keys
		return nil
	}

	var addr oid.Address
	addr.SetContainer(m.container)
	addr.SetObject(dev.OID)

	boxData, err := m.storage.GetObject(ctx, addr)
	if err != nil {
		return fmt.Errorf("get object '%s': %w", addr.EncodeToString(), err)
	}

	mfaBox := new(MFABox)
	if err = mfaBox.Unmarshal(boxData); err != nil {
		return fmt.Errorf("unmarshal box data: %w", err)
	}

	newKeys := m.unlocker.PublicKeys()
	oldKeys := mfaBox.GetUnlockers()
	if equalKeys(newKeys, oldKeys) {
		m.logger.Info("mfabox has already been reciphered",
			zap.String("device", dev.String()),
			zap.String("OID", dev.OID.EncodeToString()))
		return nil
	}

	secrets, err := UnpackMFABox(mfaBox, m.unlocker.PrivateKey())
	if err != nil {
		return fmt.Errorf("unpack mfa box: %w", err)
	}

	key, err := otp.NewKeyFromURL(secrets.URL())
	if err != nil {
		return err
	}

	return m.putMFADevice(ctx, SecretDevice{
		Device: *dev,
		Key:    key,
	})
}

func (m *Manager) putMFADevice(ctx context.Context, device SecretDevice) error {
	filePath := "/" + device.Namespace + "/" + device.Name

	box, err := PackMFABox(device.Key, m.unlocker.PublicKeys())
	if err != nil {
		return fmt.Errorf("pack mfa box: %w", err)
	}

	boxData, err := box.Marshal()
	if err != nil {
		return fmt.Errorf("marshal mfa box: %w", err)
	}

	var owner user.ID
	user.IDFromKey(&owner, m.unlocker.PrivateKey().PrivateKey.PublicKey)

	objID, err := m.storage.CreateObject(ctx, PrmObjectCreate{
		Container: m.container,
		Owner:     owner,
		FilePath:  filePath,
		Payload:   boxData,
	})
	if err != nil {
		return fmt.Errorf("put mfa box object: %w", err)
	}

	meta := map[string]string{
		FilePathKey: filePath,
		OIDKey:      objID.EncodeToString(),
	}

	for k, v := range device.Meta {
		if k != FilePathKey && k != OIDKey {
			meta[k] = v
		}
	}

	node, err := m.storage.SetTreeNode(ctx, m.container, filePath, meta)
	if err != nil {
		return fmt.Errorf("set mfa tree node : %w", err)
	}

	m.deleteObjects(ctx, node.Old)

	m.deleteObject(ctx, device.OID)

	return nil
}

func (m *Manager) formDevices(list []*TreeNode) ([]*Device, error) {
	res := make([]*Device, 0, len(list))
	for _, item := range list {
		dev, err := newDevice(item)
		if err != nil {
			m.logger.Warn("invalid mfa device tree node", zap.Error(err))
			continue
		}
		res = append(res, dev)
	}

	return res, nil
}

func (m *Manager) deleteObjects(ctx context.Context, nodes []*TreeNode) {
	var addr oid.Address
	addr.SetContainer(m.container)

	for _, node := range nodes {
		var objID oid.ID
		if err := objID.DecodeString(node.Meta[OIDKey]); err != nil {
			m.logger.Warn("failed to decode old multinode oid", zap.String("oid", node.Meta[OIDKey]), zap.Error(err))
		}

		addr.SetObject(objID)
		if err := m.storage.DeleteObject(ctx, addr); err != nil {
			m.logger.Warn("failed to delete old multinode object", zap.String("address", addr.EncodeToString()), zap.Error(err))
		}
	}
}

func (m *Manager) deleteObject(ctx context.Context, objID oid.ID) {
	if objID.Equals(oid.ID{}) {
		return
	}

	var addr oid.Address
	addr.SetContainer(m.container)
	addr.SetObject(objID)
	if err := m.storage.DeleteObject(ctx, addr); err != nil {
		m.logger.Warn("failed to delete object", zap.String("address", addr.EncodeToString()), zap.Error(err))
	}
}

func newDevice(node *TreeNode) (*Device, error) {
	meta := node.Meta
	filepathArr := strings.Split(meta[FilePathKey], "/")
	if len(filepathArr) != 2 {
		return nil, fmt.Errorf("invalid device filepath: '%s'", meta[FilePathKey])
	}

	var objID oid.ID
	if err := objID.DecodeString(meta[OIDKey]); err != nil {
		return nil, fmt.Errorf("decode oid '%s': %w", meta[OIDKey], err)
	}

	return &Device{
		Namespace: filepathArr[0],
		Name:      filepathArr[1],
		OID:       objID,
		Meta:      meta,
	}, nil
}

// equalKeys returns true if 'got' contains all public keys from 'expected' slice.
func equalKeys(expected []*keys.PublicKey, got []*Unlocker) bool {
loop:
	for _, newKey := range expected {
		for _, svcKey := range got {
			if bytes.Equal(newKey.Bytes(), svcKey.GetPublicKey()) {
				continue loop
			}
		}
		return false
	}
	return true
}

func getTreePath(ns, mfaName string) string {
	return ns + "/" + mfaName
}
[#1] Add initial implementation of MFA library Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2025-03-13 11:57:16 +03:00			`package mfa`

			`import (`
			`"bytes"`
			`"context"`
			`"errors"`
			`"fmt"`
			`"strings"`

			`"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"`
			`cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"`
			`oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"`
			`"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"`
			`"github.com/nspcc-dev/neo-go/pkg/crypto/keys"`
			`"github.com/pquerna/otp"`
			`"go.uber.org/zap"`
			`)`

			`type (`
			`// Manager provides interface to manage MFA devices in FrostFS container.`
			`// It should be provided with Storage interface to manage FrostFS objects`
			`// and KeyStore interface to encode and decode OTP keys inside FrostFS`
			`// objects.`
			`Manager struct {`
			`storage Storage`
			`unlocker KeyStore`
			`container cid.ID`
			`logger *zap.Logger`
			`}`

			`// KeyStore is an interface for Manager to provide keys to encode and decode`
			`// OTP keys of MFA devices.`
			`KeyStore interface {`
			`// PrivateKey returns private key of this Manager.`
			`PrivateKey() *keys.PrivateKey`
			`// PublicKeys returns list of public keys for all managers, including`
			`// this Manager.`
			`PublicKeys() []*keys.PublicKey`
			`}`

			`// Config contains parameters for Manager constructor.`
			`Config struct {`
			`Storage Storage`
			`Unlocker KeyStore`
			`Container cid.ID`
			`Logger *zap.Logger`
			`}`
			`)`

			`// NewManager creates new instance of Manager.`
			`func NewManager(cfg Config) (*Manager, error) {`
			`if cfg.Storage == nil {`
			`return nil, errors.New("mfa storage is nil")`
			`}`
			`if cfg.Logger == nil {`
			`return nil, errors.New("mfa logger is nil")`
			`}`
			`if cfg.Unlocker == nil {`
			`return nil, errors.New("mfa key store is nil")`
			`}`

			`return &Manager{`
			`storage: cfg.Storage,`
			`container: cfg.Container,`
			`unlocker: cfg.Unlocker,`
			`logger: cfg.Logger,`
			`}, nil`
			`}`

			`// CreateMFADevice creates new FrostFS object with encoded MFA device inside and stores it in MFA container.`
			`func (m *Manager) CreateMFADevice(ctx context.Context, device SecretDevice) error {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.CreateMFADevice")`
			`defer span.End()`

			`filePath := getTreePath(device.Namespace, device.Name)`
			`if _, err := m.storage.GetTreeNode(ctx, m.container, filePath); err == nil {`
			`return ErrMFAEntityAlreadyExists // return well known error here`
			`} else if !errors.Is(err, ErrTreeNodeNotFound) {`
			`return fmt.Errorf("get mfa node '%s' to check: %w", filePath, err)`
			`}`

			`return m.putMFADevice(ctx, device)`
			`}`

			`// GetMFADevice returns decoded MFA device from MFA container.`
			`func (m Manager) GetMFADevice(ctx context.Context, ns, mfaName string) (SecretDevice, error) {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.GetMFADevice")`
			`defer span.End()`

			`node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(ns, mfaName))`
			`if err != nil {`
			`return nil, fmt.Errorf("get mfa nodes: %w", err)`
			`}`

			`var objID oid.ID`
			`if err = objID.DecodeString(node.Current.Meta[OIDKey]); err != nil {`
			`return nil, fmt.Errorf("decode oid '%s': %w", node.Current.Meta[OIDKey], err)`
			`}`

			`var addr oid.Address`
			`addr.SetContainer(m.container)`
			`addr.SetObject(objID)`

			`boxData, err := m.storage.GetObject(ctx, addr)`
			`if err != nil {`
			`return nil, fmt.Errorf("get object '%s': %w", addr.EncodeToString(), err)`
			`}`

			`mfaBox := new(MFABox)`
			`if err = mfaBox.Unmarshal(boxData); err != nil {`
			`return nil, fmt.Errorf("unmarshal box data: %w", err)`
			`}`

			`secrets, err := UnpackMFABox(mfaBox, m.unlocker.PrivateKey())`
			`if err != nil {`
			`return nil, fmt.Errorf("unpack mfa box: %w", err)`
			`}`

			`key, err := otp.NewKeyFromURL(secrets.URL())`
			`if err != nil {`
			`return nil, err`
			`}`

			`dev, err := newDevice(&node.Current)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &SecretDevice{`
			`Device: *dev,`
			`Key: key,`
			`}, nil`
			`}`

			`// GetTinyMFADevice returns MFA device metadata without OTP key from the tree of MFA container.`
			`func (m Manager) GetTinyMFADevice(ctx context.Context, ns, mfaName string) (Device, error) {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.GetTinyMFADevice")`
			`defer span.End()`

			`node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(ns, mfaName))`
			`if err != nil {`
			`return nil, fmt.Errorf("get mfa nodes: %w", err)`
			`}`

			`dev, err := newDevice(&node.Current)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return dev, nil`
			`}`

			`// ListMFADevices lists all available MFA device metadata with specified device namespace from the tree of MFA container.`
			`func (m Manager) ListMFADevices(ctx context.Context, ns string) ([]Device, error) {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.ListMFADevices")`
			`defer span.End()`

			`list, err := m.storage.GetTreeNodes(ctx, m.container, ns)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return m.formDevices(list)`
			`}`

			`// ListAllMFADevices lists all available MFA device metadata from the tree of MFA container.`
			`func (m Manager) ListAllMFADevices(ctx context.Context) ([]Device, error) {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.ListAllMFADevices")`
			`defer span.End()`

			`list, err := m.storage.GetTreeNodes(ctx, m.container, "")`
			`if err != nil {`
			`return nil, err`
			`}`

			`return m.formDevices(list)`
			`}`

			`// UpdateMFADevice updates MFA device metadata in the tree of MFA container.`
			`func (m Manager) UpdateMFADevice(ctx context.Context, device Device) error {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.UpdateMFADevice")`
			`defer span.End()`

			`node, err := m.storage.SetTreeNode(ctx, m.container, getTreePath(device.Namespace, device.Name), device.Meta)`
			`if err != nil {`
			`return fmt.Errorf("set mfa tree node : %w", err)`
			`}`

			`m.deleteObjects(ctx, node.Old)`

			`return nil`
			`}`

			`// DeleteMFADevice removes FrostFS object and metadata from the tree of MFA container related to device.`
			`func (m Manager) DeleteMFADevice(ctx context.Context, device Device) error {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.DeleteMFADevice")`
			`defer span.End()`

			`meta := device.Meta`
			`var objID oid.ID`
			`if err := objID.DecodeString(meta[OIDKey]); err != nil {`
			`return fmt.Errorf("decode oid '%s': %w", meta[OIDKey], err)`
			`}`

			`address := oid.Address{}`
			`address.SetObject(objID)`
			`address.SetContainer(m.container)`

			`if err := m.storage.DeleteObject(ctx, address); err != nil {`
			`return fmt.Errorf("failed to delete from storage: %w", err)`
			`}`

			`old, err := m.storage.DeleteTreeNode(ctx, m.container, getTreePath(device.Namespace, device.Name))`
			`if err != nil {`
			`m.deleteObjects(ctx, old)`
			`return fmt.Errorf("failed to delete from tree: %w", err)`
			`}`

			`return nil`
			`}`

			`// RecipherDevice creates new FrostFS object with encoded OTP key for new set`
			`// of public keys from KeyManager. If existing FrostFS object already contains`
			`// all public keys from KeyManager, then does nothing.`
			`func (m Manager) RecipherDevice(ctx context.Context, dev Device) error {`
			`ctx, span := tracing.StartSpanFromContext(ctx, "mfa.RecipherDevice")`
			`defer span.End()`

			`node, err := m.storage.GetTreeNode(ctx, m.container, getTreePath(dev.Namespace, dev.Name))`
			`if err != nil {`
			`return fmt.Errorf("get mfa nodes: %w", err)`
			`}`

			`if dev.OID.EncodeToString() != node.Current.Meta[OIDKey] {`
			`// This can happen in the following cases:`
			`// * device was reciphered by other Manager`
			`// * device was removed and newly created with the same name`
			`// in both cases it must be already encrypted for new list of keys`
			`return nil`
			`}`

			`var addr oid.Address`
			`addr.SetContainer(m.container)`
			`addr.SetObject(dev.OID)`

			`boxData, err := m.storage.GetObject(ctx, addr)`
			`if err != nil {`
			`return fmt.Errorf("get object '%s': %w", addr.EncodeToString(), err)`
			`}`

			`mfaBox := new(MFABox)`
			`if err = mfaBox.Unmarshal(boxData); err != nil {`
			`return fmt.Errorf("unmarshal box data: %w", err)`
			`}`

			`newKeys := m.unlocker.PublicKeys()`
			`oldKeys := mfaBox.GetUnlockers()`
			`if equalKeys(newKeys, oldKeys) {`
			`m.logger.Info("mfabox has already been reciphered",`
			`zap.String("device", dev.String()),`
			`zap.String("OID", dev.OID.EncodeToString()))`
			`return nil`
			`}`

			`secrets, err := UnpackMFABox(mfaBox, m.unlocker.PrivateKey())`
			`if err != nil {`
			`return fmt.Errorf("unpack mfa box: %w", err)`
			`}`

			`key, err := otp.NewKeyFromURL(secrets.URL())`
			`if err != nil {`
			`return err`
			`}`

			`return m.putMFADevice(ctx, SecretDevice{`
			`Device: *dev,`
			`Key: key,`
			`})`
			`}`

			`func (m *Manager) putMFADevice(ctx context.Context, device SecretDevice) error {`
			`filePath := "/" + device.Namespace + "/" + device.Name`

			`box, err := PackMFABox(device.Key, m.unlocker.PublicKeys())`
			`if err != nil {`
			`return fmt.Errorf("pack mfa box: %w", err)`
			`}`

			`boxData, err := box.Marshal()`
			`if err != nil {`
			`return fmt.Errorf("marshal mfa box: %w", err)`
			`}`

			`var owner user.ID`
			`user.IDFromKey(&owner, m.unlocker.PrivateKey().PrivateKey.PublicKey)`

			`objID, err := m.storage.CreateObject(ctx, PrmObjectCreate{`
			`Container: m.container,`
			`Owner: owner,`
			`FilePath: filePath,`
			`Payload: boxData,`
			`})`
			`if err != nil {`
			`return fmt.Errorf("put mfa box object: %w", err)`
			`}`

			`meta := map[string]string{`
			`FilePathKey: filePath,`
			`OIDKey: objID.EncodeToString(),`
			`}`

			`for k, v := range device.Meta {`
			`if k != FilePathKey && k != OIDKey {`
			`meta[k] = v`
			`}`
			`}`

			`node, err := m.storage.SetTreeNode(ctx, m.container, filePath, meta)`
			`if err != nil {`
			`return fmt.Errorf("set mfa tree node : %w", err)`
			`}`

			`m.deleteObjects(ctx, node.Old)`

			`m.deleteObject(ctx, device.OID)`

			`return nil`
			`}`

			`func (m Manager) formDevices(list []TreeNode) ([]*Device, error) {`
			`res := make([]*Device, 0, len(list))`
			`for _, item := range list {`
			`dev, err := newDevice(item)`
			`if err != nil {`
			`m.logger.Warn("invalid mfa device tree node", zap.Error(err))`
			`continue`
			`}`
			`res = append(res, dev)`
			`}`

			`return res, nil`
			`}`

			`func (m Manager) deleteObjects(ctx context.Context, nodes []TreeNode) {`
			`var addr oid.Address`
			`addr.SetContainer(m.container)`

			`for _, node := range nodes {`
			`var objID oid.ID`
			`if err := objID.DecodeString(node.Meta[OIDKey]); err != nil {`
			`m.logger.Warn("failed to decode old multinode oid", zap.String("oid", node.Meta[OIDKey]), zap.Error(err))`
			`}`

			`addr.SetObject(objID)`
			`if err := m.storage.DeleteObject(ctx, addr); err != nil {`
			`m.logger.Warn("failed to delete old multinode object", zap.String("address", addr.EncodeToString()), zap.Error(err))`
			`}`
			`}`
			`}`

			`func (m *Manager) deleteObject(ctx context.Context, objID oid.ID) {`
			`if objID.Equals(oid.ID{}) {`
			`return`
			`}`

			`var addr oid.Address`
			`addr.SetContainer(m.container)`
			`addr.SetObject(objID)`
			`if err := m.storage.DeleteObject(ctx, addr); err != nil {`
			`m.logger.Warn("failed to delete object", zap.String("address", addr.EncodeToString()), zap.Error(err))`
			`}`
			`}`

			`func newDevice(node TreeNode) (Device, error) {`
			`meta := node.Meta`
			`filepathArr := strings.Split(meta[FilePathKey], "/")`
			`if len(filepathArr) != 2 {`
			`return nil, fmt.Errorf("invalid device filepath: '%s'", meta[FilePathKey])`
			`}`

			`var objID oid.ID`
			`if err := objID.DecodeString(meta[OIDKey]); err != nil {`
			`return nil, fmt.Errorf("decode oid '%s': %w", meta[OIDKey], err)`
			`}`

			`return &Device{`
			`Namespace: filepathArr[0],`
			`Name: filepathArr[1],`
			`OID: objID,`
			`Meta: meta,`
			`}, nil`
			`}`

			`// equalKeys returns true if 'got' contains all public keys from 'expected' slice.`
			`func equalKeys(expected []keys.PublicKey, got []Unlocker) bool {`
			`loop:`
			`for _, newKey := range expected {`
			`for _, svcKey := range got {`
			`if bytes.Equal(newKey.Bytes(), svcKey.GetPublicKey()) {`
			`continue loop`
			`}`
			`}`
			`return false`
			`}`
			`return true`
			`}`

			`func getTreePath(ns, mfaName string) string {`
			`return ns + "/" + mfaName`
			`}`