object: add new session token V2

Signed-off-by: Andrey Butusov <[email protected]>

Author: End-rey

pkg/services/container/server.go

@@ -79,14 +79,20 @@ type sessionTokenCommonCheckResult struct {
 	err   error
 }
 
+type sessionTokenV2CommonCheckResult struct {
+	token session.TokenV2
+	err   error
+}
+
 type server struct {
 	protocontainer.UnimplementedContainerServiceServer
 	signer   *ecdsa.PrivateKey
 	net      netmap.State
 	contract Contract
 	historicN3ScriptRunner
 
-	sessionTokenCommonCheckCache *lru.Cache[[sha256.Size]byte, sessionTokenCommonCheckResult]
+	sessionTokenCommonCheckCache   *lru.Cache[[sha256.Size]byte, sessionTokenCommonCheckResult]
+	sessionTokenV2CommonCheckCache *lru.Cache[[sha256.Size]byte, sessionTokenV2CommonCheckResult]
 }
 
 // New provides protocontainer.ContainerServiceServer based on specified
@@ -99,6 +105,10 @@ func New(s *ecdsa.PrivateKey, net netmap.State, fsChain FSChain, c Contract, nc
 	if err != nil {
 		panic(fmt.Errorf("unexpected error in lru.New: %w", err))
 	}
+	sessionTokenV2CheckCache, err := lru.New[[sha256.Size]byte, sessionTokenV2CommonCheckResult](1000)
+	if err != nil {
+		panic(fmt.Errorf("unexpected error in lru.New for v2: %w", err))
+	}
 	return &server{
 		signer:   s,
 		net:      net,
@@ -107,7 +117,8 @@ func New(s *ecdsa.PrivateKey, net netmap.State, fsChain FSChain, c Contract, nc
 			FSChain:        fsChain,
 			NetmapContract: nc,
 		},
-		sessionTokenCommonCheckCache: sessionTokenCheckCache,
+		sessionTokenCommonCheckCache:   sessionTokenCheckCache,
+		sessionTokenV2CommonCheckCache: sessionTokenV2CheckCache,
 	}
 }
 
@@ -215,6 +226,96 @@ func (s *server) checkSessionIssuer(id cid.ID, issuer user.ID) error {
 	return nil
 }
 
+func (s *server) getVerifiedSessionTokenV2(mh *protosession.RequestMetaHeader, reqVerb session.ContainerVerb, reqCnr cid.ID) (*session.TokenV2, error) {
+	for omh := mh.GetOrigin(); omh != nil; omh = mh.GetOrigin() {
+		mh = omh
+	}
+	m := mh.GetSessionTokenV2()
+	if m == nil {
+		return nil, nil
+	}
+
+	b := make([]byte, m.MarshaledSize())
+	m.MarshalStable(b)
+
+	cacheKey := sha256.Sum256(b)
+	res, ok := s.sessionTokenV2CommonCheckCache.Get(cacheKey)
+	if !ok {
+		res.token, res.err = s.decodeAndVerifySessionTokenV2Common(m)
+		s.sessionTokenV2CommonCheckCache.Add(cacheKey, res)
+	}
+	if res.err != nil {
+		return nil, res.err
+	}
+
+	if err := s.verifySessionTokenV2AgainstRequest(res.token, reqVerb, reqCnr); err != nil {
+		return nil, err
+	}
+
+	return &res.token, nil
+}
+
+func (s *server) decodeAndVerifySessionTokenV2Common(m *protosession.SessionTokenV2) (session.TokenV2, error) {
+	var token session.TokenV2
+	if err := token.FromProtoMessage(m); err != nil {
+		return token, fmt.Errorf("decode v2: %w", err)
+	}
+
+	if err := token.Validate(); err != nil {
+		return token, fmt.Errorf("invalid v2 token: %w", err)
+	}
+
+	if !token.VerifySignature() {
+		return token, errors.New("v2 session token signature verification failed")
+	}
+
+	cur := s.net.CurrentEpoch()
+	if !token.ValidAt(cur) {
+		return token, fmt.Errorf("v2 token is invalid at epoch %d", cur)
+	}
+
+	return token, nil
+}
+
+func (s *server) verifySessionTokenV2AgainstRequest(token session.TokenV2, reqVerb session.ContainerVerb, reqCnr cid.ID) error {
+	verbV2 := containerVerbToVerbV2(reqVerb)
+	if verbV2 == 0 {
+		return fmt.Errorf("unsupported container verb for V2: %v", reqVerb)
+	}
+
+	if !token.AssertContainer(verbV2, reqCnr) {
+		return errors.New("v2 session token does not authorize this container operation")
+	}
+
+	if reqCnr.IsZero() {
+		return nil
+	}
+
+	issuer := token.Issuer()
+	if !issuer.IsOwnerID() {
+		return errors.New("v2 session token issuer must be OwnerID for container operations")
+	}
+
+	if err := s.checkSessionIssuer(reqCnr, issuer.OwnerID()); err != nil {
+		return fmt.Errorf("verify v2 session issuer: %w", err)
+	}
+
+	return nil
+}
+
+func containerVerbToVerbV2(verb session.ContainerVerb) session.VerbV2 {
+	switch verb {
+	case session.VerbContainerPut:
+		return session.VerbV2ContainerPut
+	case session.VerbContainerDelete:
+		return session.VerbV2ContainerDelete
+	case session.VerbContainerSetEACL:
+		return session.VerbV2ContainerSetEACL
+	default:
+		return session.VerbV2Unspecified
+	}
+}
+
 func (s *server) makePutResponse(body *protocontainer.PutResponse_Body, st *protostatus.Status) (*protocontainer.PutResponse, error) {
 	resp := &protocontainer.PutResponse{
 		Body:       body,
@@ -306,9 +407,17 @@ func (s *server) Put(_ context.Context, req *protocontainer.PutRequest) (*protoc
 		return s.makeFailedPutResponse(fmt.Errorf("invalid container: %w", err))
 	}
 
-	st, err := s.getVerifiedSessionToken(req.GetMetaHeader(), session.VerbContainerPut, cid.ID{})
+	stV2, err := s.getVerifiedSessionTokenV2(req.GetMetaHeader(), session.VerbContainerPut, cid.ID{})
 	if err != nil {
-		return s.makeFailedPutResponse(fmt.Errorf("verify session token: %w", err))
+		return s.makeFailedPutResponse(fmt.Errorf("verify session token v2: %w", err))
+	}
+
+	var st *session.Container
+	if stV2 == nil {
+		st, err = s.getVerifiedSessionToken(req.GetMetaHeader(), session.VerbContainerPut, cid.ID{})
+		if err != nil {
+			return s.makeFailedPutResponse(fmt.Errorf("verify session token: %w", err))
+		}
 	}
 
 	id, err := s.contract.Put(cnr, mSig.Key, mSig.Sign, st)
@@ -352,9 +461,17 @@ func (s *server) Delete(_ context.Context, req *protocontainer.DeleteRequest) (*
 		return s.makeDeleteResponse(fmt.Errorf("invalid ID: %w", err))
 	}
 
-	st, err := s.getVerifiedSessionToken(req.GetMetaHeader(), session.VerbContainerDelete, id)
+	stV2, err := s.getVerifiedSessionTokenV2(req.GetMetaHeader(), session.VerbContainerDelete, id)
 	if err != nil {
-		return s.makeDeleteResponse(fmt.Errorf("verify session token: %w", err))
+		return s.makeDeleteResponse(fmt.Errorf("verify session token v2: %w", err))
+	}
+
+	var st *session.Container
+	if stV2 == nil {
+		st, err = s.getVerifiedSessionToken(req.GetMetaHeader(), session.VerbContainerDelete, id)
+		if err != nil {
+			return s.makeDeleteResponse(fmt.Errorf("verify session token: %w", err))
+		}
 	}
 
 	if err := s.contract.Delete(id, mSig.Key, mSig.Sign, st); err != nil {
@@ -490,9 +607,17 @@ func (s *server) SetExtendedACL(_ context.Context, req *protocontainer.SetExtend
 		return s.makeSetEACLResponse(errors.New("missing container ID in eACL table"))
 	}
 
-	st, err := s.getVerifiedSessionToken(req.GetMetaHeader(), session.VerbContainerSetEACL, cnrID)
+	stV2, err := s.getVerifiedSessionTokenV2(req.GetMetaHeader(), session.VerbContainerSetEACL, cnrID)
 	if err != nil {
-		return s.makeSetEACLResponse(fmt.Errorf("verify session token: %w", err))
+		return s.makeSetEACLResponse(fmt.Errorf("verify session token v2: %w", err))
+	}
+
+	var st *session.Container
+	if stV2 == nil {
+		st, err = s.getVerifiedSessionToken(req.GetMetaHeader(), session.VerbContainerSetEACL, cnrID)
+		if err != nil {
+			return s.makeSetEACLResponse(fmt.Errorf("verify session token: %w", err))
+		}
 	}
 
 	if err := s.contract.PutEACL(eACL, mSig.Key, mSig.Sign, st); err != nil {

pkg/services/object/acl/v2/service.go

@@ -31,6 +31,11 @@ type sessionTokenCommonCheckResult struct {
 	err   error
 }
 
+type sessionTokenV2CommonCheckResult struct {
+	token sessionSDK.TokenV2
+	err   error
+}
+
 type bearerTokenCommonCheckResult struct {
 	token bearer.Token
 	err   error
@@ -42,8 +47,9 @@ type Service struct {
 
 	c senderClassifier
 
-	sessionTokenCommonCheckCache *lru.Cache[[sha256.Size]byte, sessionTokenCommonCheckResult]
-	bearerTokenCommonCheckCache  *lru.Cache[[sha256.Size]byte, bearerTokenCommonCheckResult]
+	sessionTokenCommonCheckCache   *lru.Cache[[sha256.Size]byte, sessionTokenCommonCheckResult]
+	sessionTokenV2CommonCheckCache *lru.Cache[[sha256.Size]byte, sessionTokenV2CommonCheckResult]
+	bearerTokenCommonCheckCache    *lru.Cache[[sha256.Size]byte, bearerTokenCommonCheckResult]
 }
 
 // Option represents Service constructor option.
@@ -114,6 +120,10 @@ func New(fsChain FSChain, opts ...Option) Service {
 	if err != nil {
 		panic(fmt.Errorf("unexpected error in lru.New: %w", err))
 	}
+	sessionTokenV2CheckCache, err := lru.New[[sha256.Size]byte, sessionTokenV2CommonCheckResult](1000)
+	if err != nil {
+		panic(fmt.Errorf("unexpected error in lru.New: %w", err))
+	}
 
 	return Service{
 		cfg: cfg,
@@ -122,21 +132,31 @@ func New(fsChain FSChain, opts ...Option) Service {
 			innerRing: cfg.irFetcher,
 			fsChain:   fsChain,
 		},
-		sessionTokenCommonCheckCache: sessionTokenCheckCache,
-		bearerTokenCommonCheckCache:  bearerTokenCheckCache,
+		sessionTokenCommonCheckCache:   sessionTokenCheckCache,
+		bearerTokenCommonCheckCache:    bearerTokenCheckCache,
+		sessionTokenV2CommonCheckCache: sessionTokenV2CheckCache,
 	}
 }
 
 // ResetTokenCheckCache resets cache of session and bearer tokens' check results.
 func (b Service) ResetTokenCheckCache() {
 	b.sessionTokenCommonCheckCache.Purge()
 	b.bearerTokenCommonCheckCache.Purge()
+	b.sessionTokenV2CommonCheckCache.Purge()
 }
 
 func (b Service) getVerifiedSessionToken(mh *protosession.RequestMetaHeader, reqVerb sessionSDK.ObjectVerb, reqCnr cid.ID, reqObj oid.ID) (*sessionSDK.Object, error) {
 	for omh := mh.GetOrigin(); omh != nil; omh = mh.GetOrigin() {
 		mh = omh
 	}
+
+	mV2 := mh.GetSessionTokenV2()
+	if mV2 != nil {
+		b.log.Debug("Verifying V2 session token")
+		return b.getVerifiedSessionTokenV2(mV2, reqVerb, reqCnr, reqObj)
+	}
+
+	// Fall back to V1 token
 	m := mh.GetSessionToken()
 	if m == nil {
 		return nil, nil
@@ -202,6 +222,98 @@ func (b Service) verifySessionTokenAgainstRequest(token sessionSDK.Object, reqVe
 	return nil
 }
 
+// getVerifiedSessionTokenV2 validates and returns V2 session token, returns nil if V2 doesn't apply.
+func (b Service) getVerifiedSessionTokenV2(mV2 *protosession.SessionTokenV2, reqVerb sessionSDK.ObjectVerb, reqCnr cid.ID, reqObj oid.ID) (*sessionSDK.Object, error) {
+	mb := make([]byte, mV2.MarshaledSize())
+	mV2.MarshalStable(mb)
+
+	cacheKey := sha256.Sum256(mb)
+	res, ok := b.sessionTokenV2CommonCheckCache.Get(cacheKey)
+	if !ok {
+		res.token, res.err = b.decodeAndVerifySessionTokenV2Common(mV2)
+		b.sessionTokenV2CommonCheckCache.Add(cacheKey, res)
+	}
+	if res.err != nil {
+		return nil, res.err
+	}
+
+	if err := b.verifySessionTokenV2AgainstRequest(res.token, reqVerb, reqCnr, reqObj); err != nil {
+		return nil, err
+	}
+
+	// V2 tokens work differently - return nil as they don't convert to V1
+	// The caller needs to handle this properly
+	return nil, nil
+}
+
+func (b Service) decodeAndVerifySessionTokenV2Common(m *protosession.SessionTokenV2) (sessionSDK.TokenV2, error) {
+	b.log.Debug("Decoding V2 session token")
+	var token sessionSDK.TokenV2
+	if err := token.FromProtoMessage(m); err != nil {
+		return token, fmt.Errorf("invalid V2 session token: %w", err)
+	}
+
+	if err := token.Validate(); err != nil {
+		return token, fmt.Errorf("invalid V2 session token: %w", err)
+	}
+
+	if !token.VerifySignature() {
+		return token, errors.New("v2 session token signature verification failed")
+	}
+
+	currentEpoch, err := b.nm.Epoch()
+	if err != nil {
+		return token, errors.New("can't fetch current epoch")
+	}
+
+	if !token.ValidAt(currentEpoch) {
+		return token, fmt.Errorf("%s: V2 token is invalid at %d epoch", invalidRequestMessage, currentEpoch)
+	}
+
+	return token, nil
+}
+
+func (b Service) verifySessionTokenV2AgainstRequest(token sessionSDK.TokenV2, reqVerb sessionSDK.ObjectVerb, reqCnr cid.ID, reqObj oid.ID) error {
+	verbV2 := objectVerbToVerbV2(reqVerb)
+	if verbV2 == 0 {
+		return fmt.Errorf("unsupported object verb for V2: %v", reqVerb)
+	}
+
+	if !reqObj.IsZero() {
+		if !token.AssertObject(verbV2, reqCnr, reqObj) {
+			return errors.New("V2 session token does not authorize access to the object")
+		}
+	} else {
+		if !token.AssertVerb(verbV2, reqCnr) {
+			return errInvalidVerb
+		}
+	}
+
+	return nil
+}
+
+// objectVerbToVerbV2 converts V1 ObjectVerb to V2 VerbV2.
+func objectVerbToVerbV2(v1Verb sessionSDK.ObjectVerb) sessionSDK.VerbV2 {
+	switch v1Verb {
+	case sessionSDK.VerbObjectGet:
+		return sessionSDK.VerbV2ObjectGet
+	case sessionSDK.VerbObjectHead:
+		return sessionSDK.VerbV2ObjectHead
+	case sessionSDK.VerbObjectPut:
+		return sessionSDK.VerbV2ObjectPut
+	case sessionSDK.VerbObjectDelete:
+		return sessionSDK.VerbV2ObjectDelete
+	case sessionSDK.VerbObjectSearch:
+		return sessionSDK.VerbV2ObjectSearch
+	case sessionSDK.VerbObjectRange:
+		return sessionSDK.VerbV2ObjectRange
+	case sessionSDK.VerbObjectRangeHash:
+		return sessionSDK.VerbV2ObjectRangeHash
+	default:
+		return 0
+	}
+}
+
 func (b Service) getVerifiedBearerToken(mh *protosession.RequestMetaHeader, reqCnr cid.ID, ownerCnr user.ID, usrSender user.ID) (*bearer.Token, error) {
 	for omh := mh.GetOrigin(); omh != nil; omh = mh.GetOrigin() {
 		mh = omh

pkg/services/object/delete/delete.go

@@ -11,7 +11,7 @@ import (
 func (s *Service) Delete(ctx context.Context, prm Prm) error {
 	// If session token is not found we will fail during tombstone PUT.
 	// Here we fail immediately to ensure no unnecessary network communication is done.
-	if tok := prm.common.SessionToken(); tok != nil {
+	if tok := prm.common.SessionToken(); tok != nil && prm.common.SessionTokenV2() == nil {
 		_, err := s.keyStorage.GetKey(&util.SessionInfo{
 			ID:    tok.ID(),
 			Owner: tok.Issuer(),

pkg/services/object/delete/local.go

@@ -43,10 +43,20 @@ func (exec *execCtx) formTombstone() (ok bool) {
 	exec.tombstoneObj.AssociateDeleted(exec.address().Object())
 
 	tokenSession := exec.commonParameters().SessionToken()
-	if tokenSession != nil {
+	tokenSessionV2 := exec.commonParameters().SessionTokenV2()
+
+	if tokenSessionV2 != nil {
+		issuer := tokenSessionV2.Issuer()
+		if issuer.IsOwnerID() {
+			exec.tombstoneObj.SetOwner(issuer.OwnerID())
+		} else {
+			// Fallback to local node if issuer is not OwnerID
+			exec.tombstoneObj.SetOwner(exec.svc.netInfo.LocalNodeID())
+		}
+	} else if tokenSession != nil {
 		exec.tombstoneObj.SetOwner(tokenSession.Issuer())
 	} else {
-		// make local node a tombstone object owner
+		// No token: make local node a tombstone object owner
 		exec.tombstoneObj.SetOwner(exec.svc.netInfo.LocalNodeID())
 	}