session: add a new session token v2

Session Token v2 solves the delegation, power of attorney, and chain-of-trust
problems. It enables:
- Account-based authority (direct or NNS-based indirect)
- Multi-account subjects (multiple entities can use same token)
- Multi-verb operations (GET, PUT, DELETE in single token)
- Delegation chains (verifiable like X.509 certificates)
- Indirect accounts (NeoFS Name Service resolution)

Refs #241.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>

Author: End-rey

proto-docs/session.md

@@ -10,23 +10,34 @@
   - Messages
     - [CreateRequest](#neo.fs.v2.session.CreateRequest)
     - [CreateRequest.Body](#neo.fs.v2.session.CreateRequest.Body)
+    - [CreateRequestV2](#neo.fs.v2.session.CreateRequestV2)
+    - [CreateRequestV2.Body](#neo.fs.v2.session.CreateRequestV2.Body)
     - [CreateResponse](#neo.fs.v2.session.CreateResponse)
     - [CreateResponse.Body](#neo.fs.v2.session.CreateResponse.Body)
+    - [CreateResponseV2](#neo.fs.v2.session.CreateResponseV2)
+    - [CreateResponseV2.Body](#neo.fs.v2.session.CreateResponseV2.Body)
 
 
 - [session/types.proto](#session/types.proto)
 
   - Messages
+    - [Account](#neo.fs.v2.session.Account)
     - [ContainerSessionContext](#neo.fs.v2.session.ContainerSessionContext)
+    - [ContainerSessionContextV2](#neo.fs.v2.session.ContainerSessionContextV2)
+    - [DelegationInfo](#neo.fs.v2.session.DelegationInfo)
     - [ObjectSessionContext](#neo.fs.v2.session.ObjectSessionContext)
     - [ObjectSessionContext.Target](#neo.fs.v2.session.ObjectSessionContext.Target)
+    - [ObjectSessionContextV2](#neo.fs.v2.session.ObjectSessionContextV2)
+    - [ObjectSessionContextV2.Target](#neo.fs.v2.session.ObjectSessionContextV2.Target)
     - [RequestMetaHeader](#neo.fs.v2.session.RequestMetaHeader)
     - [RequestVerificationHeader](#neo.fs.v2.session.RequestVerificationHeader)
     - [ResponseMetaHeader](#neo.fs.v2.session.ResponseMetaHeader)
     - [ResponseVerificationHeader](#neo.fs.v2.session.ResponseVerificationHeader)
     - [SessionToken](#neo.fs.v2.session.SessionToken)
     - [SessionToken.Body](#neo.fs.v2.session.SessionToken.Body)
-    - [SessionToken.Body.TokenLifetime](#neo.fs.v2.session.SessionToken.Body.TokenLifetime)
+    - [SessionTokenV2](#neo.fs.v2.session.SessionTokenV2)
+    - [SessionTokenV2.Body](#neo.fs.v2.session.SessionTokenV2.Body)
+    - [TokenLifetime](#neo.fs.v2.session.TokenLifetime)
     - [XHeader](#neo.fs.v2.session.XHeader)
 
 
@@ -52,6 +63,7 @@ section of NeoFS Technical Specification for details.
 
 ```
 rpc Create(CreateRequest) returns (CreateResponse);
+rpc CreateV2(CreateRequestV2) returns (CreateResponseV2);
 
 ```
 
@@ -67,6 +79,18 @@ session has been successfully opened;
 | Name | Input | Output |
 | ---- | ----- | ------ |
 | Create | [CreateRequest](#neo.fs.v2.session.CreateRequest) | [CreateResponse](#neo.fs.v2.session.CreateResponse) |
+#### Method CreateV2
+
+Create a new session token v2 with delegation and chain-of-trust support.
+
+Statuses:
+- **OK** (0, SECTION_SUCCESS):
+session token v2 has been successfully created;
+- Common failures (SECTION_FAILURE_COMMON).
+
+| Name | Input | Output |
+| ---- | ----- | ------ |
+| CreateV2 | [CreateRequestV2](#neo.fs.v2.session.CreateRequestV2) | [CreateResponseV2](#neo.fs.v2.session.CreateResponseV2) |
  <!-- end services -->
 
 
@@ -95,6 +119,35 @@ Session creation request body
 | expiration | [uint64](#uint64) |  | Session expiration epoch, the last epoch when session is valid. |
 
 
+<a name="neo.fs.v2.session.CreateRequestV2"></a>
+
+### Message CreateRequestV2
+CreateRequestV2 is information necessary for creating a session token v2.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| body | [CreateRequestV2.Body](#neo.fs.v2.session.CreateRequestV2.Body) |  | Body of create session token v2 request message |
+| meta_header | [RequestMetaHeader](#neo.fs.v2.session.RequestMetaHeader) |  | Carries request meta information. Header data is used only to regulate message transport and does not affect request execution. |
+| verify_header | [RequestVerificationHeader](#neo.fs.v2.session.RequestVerificationHeader) |  | Carries request verification information. This header is used to authenticate the nodes of the message route and check the correctness of transmission. |
+
+
+<a name="neo.fs.v2.session.CreateRequestV2.Body"></a>
+
+### Message CreateRequestV2.Body
+Session creation request v2 body
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| issuer | [Account](#neo.fs.v2.session.Account) |  | Issuer of the session token |
+| subjects | [Account](#neo.fs.v2.session.Account) | repeated | Subjects authorized by this token |
+| expiration | [int64](#int64) |  | Session expiration time |
+| created_at | [int64](#int64) |  | Session creation time |
+| object | [ObjectSessionContextV2](#neo.fs.v2.session.ObjectSessionContextV2) |  |  |
+| container | [ContainerSessionContextV2](#neo.fs.v2.session.ContainerSessionContextV2) |  |  |
+
+
 <a name="neo.fs.v2.session.CreateResponse"></a>
 
 ### Message CreateResponse
@@ -119,6 +172,30 @@ Session creation response body
 | id | [bytes](#bytes) |  | Identifier of a newly created session |
 | session_key | [bytes](#bytes) |  | Public key used for session |
 
+
+<a name="neo.fs.v2.session.CreateResponseV2"></a>
+
+### Message CreateResponseV2
+CreateResponseV2 is information about a newly created session token v2.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| body | [CreateResponseV2.Body](#neo.fs.v2.session.CreateResponseV2.Body) |  | Body of create session token v2 response message |
+| meta_header | [ResponseMetaHeader](#neo.fs.v2.session.ResponseMetaHeader) |  | Carries response meta information. Header data is used only to regulate message transport and does not affect request execution. |
+| verify_header | [ResponseVerificationHeader](#neo.fs.v2.session.ResponseVerificationHeader) |  | Carries response verification information. This header is used to authenticate the nodes of the message route and check the correctness of transmission. |
+
+
+<a name="neo.fs.v2.session.CreateResponseV2.Body"></a>
+
+### Message CreateResponseV2.Body
+Session creation response v2 body
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| token | [SessionTokenV2](#neo.fs.v2.session.SessionTokenV2) |  | The session token v2 with delegation and chain-of-trust support |
+
  <!-- end messages -->
 
  <!-- end enums -->
@@ -134,6 +211,19 @@ Session creation response body
  <!-- end services -->
 
 
+<a name="neo.fs.v2.session.Account"></a>
+
+### Message Account
+Account represents an identity in NeoFS.
+It can be either direct (OwnerID) or indirect (NNS domain).
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | Direct account reference via OwnerID (hash of public key) |
+| nns_name | [string](#string) |  | Indirect account reference via NeoFS Name Service |
+
+
 <a name="neo.fs.v2.session.ContainerSessionContext"></a>
 
 ### Message ContainerSessionContext
@@ -147,6 +237,35 @@ Context information for Session Tokens related to ContainerService requests.
 | container_id | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Particular container to which the action applies. Ignored if wildcard flag is set. |
 
 
+<a name="neo.fs.v2.session.ContainerSessionContextV2"></a>
+
+### Message ContainerSessionContextV2
+ContainerSessionContextV2 carries context for ContainerService requests.
+Extended version supporting multiple verbs.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| verbs | [ContainerSessionContextV2.Verb](#neo.fs.v2.session.ContainerSessionContextV2.Verb) | repeated | Multiple verbs this context authorizes |
+| wildcard | [bool](#bool) |  | If true, applies to all containers owned by the subject |
+| container_id | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Particular container to which the action applies Ignored if wildcard is true |
+
+
+<a name="neo.fs.v2.session.DelegationInfo"></a>
+
+### Message DelegationInfo
+DelegationInfo represents a single delegation in a chain of trust.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| issuer | [Account](#neo.fs.v2.session.Account) |  | Account that performed this delegation |
+| subject | [Account](#neo.fs.v2.session.Account) |  | Account that received the delegation |
+| timestamp | [int64](#int64) |  | Unix timestamp when this delegation was created |
+| verbs | [string](#string) | repeated | List of verbs authorized by this delegation |
+| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) |  | Signature of the issuer confirming this delegation record. The signature is created over the deterministic serialization of this DelegationInfo message excluding this field. |
+
+
 <a name="neo.fs.v2.session.ObjectSessionContext"></a>
 
 ### Message ObjectSessionContext
@@ -171,6 +290,31 @@ Carries objects involved in the object session.
 | objects | [neo.fs.v2.refs.ObjectID](#neo.fs.v2.refs.ObjectID) | repeated | Indicates which objects the session is spread to. Objects are expected to be stored in the NeoFS container referenced by `container` field. Each element MUST have correct format. |
 
 
+<a name="neo.fs.v2.session.ObjectSessionContextV2"></a>
+
+### Message ObjectSessionContextV2
+ObjectSessionContextV2 carries context for ObjectService requests.
+Extended version supporting multiple verbs and targets.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| verbs | [ObjectSessionContextV2.Verb](#neo.fs.v2.session.ObjectSessionContextV2.Verb) | repeated | Multiple verbs this context authorizes |
+| targets | [ObjectSessionContextV2.Target](#neo.fs.v2.session.ObjectSessionContextV2.Target) | repeated | Target resource(s) this authorization applies to |
+
+
+<a name="neo.fs.v2.session.ObjectSessionContextV2.Target"></a>
+
+### Message ObjectSessionContextV2.Target
+Target resource specification
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| container | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Container where operation is allowed |
+| objects | [neo.fs.v2.refs.ObjectID](#neo.fs.v2.refs.ObjectID) | repeated | Specific objects where operation is allowed Empty list means all objects in the container |
+
+
 <a name="neo.fs.v2.session.RequestMetaHeader"></a>
 
 ### Message RequestMetaHeader
@@ -256,15 +400,45 @@ Session Token body
 | ----- | ---- | ----- | ----------- |
 | id | [bytes](#bytes) |  | Token identifier is a valid UUIDv4 in binary form |
 | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | Identifier of the session initiator |
-| lifetime | [SessionToken.Body.TokenLifetime](#neo.fs.v2.session.SessionToken.Body.TokenLifetime) |  | Lifetime of the session |
+| lifetime | [TokenLifetime](#neo.fs.v2.session.TokenLifetime) |  | Lifetime of the session |
 | session_key | [bytes](#bytes) |  | Public key used in session |
 | object | [ObjectSessionContext](#neo.fs.v2.session.ObjectSessionContext) |  | ObjectService session context |
 | container | [ContainerSessionContext](#neo.fs.v2.session.ContainerSessionContext) |  | ContainerService session context |
 
 
-<a name="neo.fs.v2.session.SessionToken.Body.TokenLifetime"></a>
+<a name="neo.fs.v2.session.SessionTokenV2"></a>
+
+### Message SessionTokenV2
+SessionTokenV2 represents NeoFS Session Token with delegation support.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| body | [SessionTokenV2.Body](#neo.fs.v2.session.SessionTokenV2.Body) |  | Session token body |
+| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) |  | Signature of the body by the issuer |
 
-### Message SessionToken.Body.TokenLifetime
+
+<a name="neo.fs.v2.session.SessionTokenV2.Body"></a>
+
+### Message SessionTokenV2.Body
+Session Token body
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| version | [uint32](#uint32) |  | Token version |
+| id | [bytes](#bytes) |  | Token identifier (UUIDv4 in binary form) |
+| issuer | [Account](#neo.fs.v2.session.Account) |  | Account that issued this token (who signed it) |
+| subjects | [Account](#neo.fs.v2.session.Account) | repeated | Accounts authorized by this token (who can use it) |
+| lifetime | [TokenLifetime](#neo.fs.v2.session.TokenLifetime) |  | Lifetime of this token |
+| object | [ObjectSessionContextV2](#neo.fs.v2.session.ObjectSessionContextV2) |  | ObjectService authorization context |
+| container | [ContainerSessionContextV2](#neo.fs.v2.session.ContainerSessionContextV2) |  | ContainerService authorization context |
+| delegation_chain | [DelegationInfo](#neo.fs.v2.session.DelegationInfo) | repeated | Full history of authority delegation (chain of trust) |
+
+
+<a name="neo.fs.v2.session.TokenLifetime"></a>
+
+### Message TokenLifetime
 Lifetime parameters of the token. Field names taken from rfc7519.
 
 
@@ -321,6 +495,20 @@ Container request verbs
 
 
 
+<a name="neo.fs.v2.session.ContainerSessionContextV2.Verb"></a>
+
+### ContainerSessionContextV2.Verb
+
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| VERB_UNSPECIFIED | 0 |  |
+| PUT | 1 |  |
+| DELETE | 2 |  |
+| SETEACL | 3 |  |
+
+
+
 <a name="neo.fs.v2.session.ObjectSessionContext.Verb"></a>
 
 ### ObjectSessionContext.Verb
@@ -338,6 +526,24 @@ Object request verbs
 | RANGEHASH | 7 | Refers to object.GetRangeHash RPC call |
 
 
+
+<a name="neo.fs.v2.session.ObjectSessionContextV2.Verb"></a>
+
+### ObjectSessionContextV2.Verb
+
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| VERB_UNSPECIFIED | 0 |  |
+| PUT | 1 |  |
+| GET | 2 |  |
+| HEAD | 3 |  |
+| SEARCH | 4 |  |
+| DELETE | 5 |  |
+| RANGE | 6 |  |
+| RANGEHASH | 7 |  |
+
+
  <!-- end enums -->
 
 

session/service.proto

@@ -20,6 +20,14 @@ service SessionService {
   // session has been successfully opened;
   // - Common failures (SECTION_FAILURE_COMMON).
   rpc Create(CreateRequest) returns (CreateResponse);
+
+  // Create a new session token v2 with delegation and chain-of-trust support.
+  //
+  // Statuses:
+  // - **OK** (0, SECTION_SUCCESS):
+  // session token v2 has been successfully created;
+  // - Common failures (SECTION_FAILURE_COMMON).
+  rpc CreateV2(CreateV2Request) returns (CreateV2Response);
 }
 
 // Information necessary for opening a session.
@@ -67,3 +75,54 @@ message CreateResponse {
   // transmission.
   neo.fs.v2.session.ResponseVerificationHeader verify_header = 3;
 }
+
+// CreateV2Request is information necessary for creating a session token v2.
+message CreateV2Request {
+  // Session creation request v2 body
+  message Body {
+    // Issuer of the session token
+    neo.fs.v2.session.Account issuer = 1 [json_name = "issuer"];
+
+    // Subjects authorized by this token
+    repeated neo.fs.v2.session.Account subjects = 2 [json_name = "subjects"];
+
+    // Session expiration time
+    int64 expiration = 3 [json_name = "expiration"];
+
+    // Session creation time
+    int64 created_at = 4 [json_name = "createdAt"];
+  }
+
+  // Body of create session token v2 request message
+  Body body = 1;
+
+  // Carries request meta information. Header data is used only to regulate
+  // message transport and does not affect request execution.
+  neo.fs.v2.session.RequestMetaHeader meta_header = 2;
+
+  // Carries request verification information. This header is used to
+  // authenticate the nodes of the message route and check the correctness of
+  // transmission.
+  neo.fs.v2.session.RequestVerificationHeader verify_header = 3;
+}
+
+// CreateV2Response is information about a newly created session token v2.
+message CreateV2Response {
+  // Session creation response v2 body
+  message Body {
+    // The session token v2 with delegation and chain-of-trust support
+    neo.fs.v2.session.SessionTokenV2 token = 1 [json_name = "token"];
+  }
+
+  // Body of create session token v2 response message
+  Body body = 1;
+
+  // Carries response meta information. Header data is used only to regulate
+  // message transport and does not affect request execution.
+  neo.fs.v2.session.ResponseMetaHeader meta_header = 2;
+
+  // Carries response verification information. This header is used to
+  // authenticate the nodes of the message route and check the correctness of
+  // transmission.
+  neo.fs.v2.session.ResponseVerificationHeader verify_header = 3;
+}