session: add a new session token v2

Session Token v2 solves the delegation, power of attorney, and chain-of-trust
problems. It enables:
- Account-based authority (direct or NNS-based indirect)
- Multi-account subjects (multiple entities can use same token)
- Multi-verb operations (GET, PUT, DELETE in single token)
- Delegation chains (verifiable like X.509 certificates)
- Indirect accounts (NeoFS Name Service resolution)

Refs #241.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>

Author: End-rey

proto-docs/session.md

@@ -18,15 +18,21 @@
 
   - Messages
     - [ContainerSessionContext](#neo.fs.v2.session.ContainerSessionContext)
+    - [DelegationInfo](#neo.fs.v2.session.DelegationInfo)
     - [ObjectSessionContext](#neo.fs.v2.session.ObjectSessionContext)
     - [ObjectSessionContext.Target](#neo.fs.v2.session.ObjectSessionContext.Target)
     - [RequestMetaHeader](#neo.fs.v2.session.RequestMetaHeader)
     - [RequestVerificationHeader](#neo.fs.v2.session.RequestVerificationHeader)
     - [ResponseMetaHeader](#neo.fs.v2.session.ResponseMetaHeader)
     - [ResponseVerificationHeader](#neo.fs.v2.session.ResponseVerificationHeader)
+    - [SessionContextV2](#neo.fs.v2.session.SessionContextV2)
+    - [SessionContextV2.Target](#neo.fs.v2.session.SessionContextV2.Target)
     - [SessionToken](#neo.fs.v2.session.SessionToken)
     - [SessionToken.Body](#neo.fs.v2.session.SessionToken.Body)
-    - [SessionToken.Body.TokenLifetime](#neo.fs.v2.session.SessionToken.Body.TokenLifetime)
+    - [SessionTokenV2](#neo.fs.v2.session.SessionTokenV2)
+    - [SessionTokenV2.Body](#neo.fs.v2.session.SessionTokenV2.Body)
+    - [Target](#neo.fs.v2.session.Target)
+    - [TokenLifetime](#neo.fs.v2.session.TokenLifetime)
     - [XHeader](#neo.fs.v2.session.XHeader)
 
 
@@ -147,6 +153,21 @@ Context information for Session Tokens related to ContainerService requests.
 | container_id | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Particular container to which the action applies. Ignored if wildcard flag is set. |
 
 
+<a name="neo.fs.v2.session.DelegationInfo"></a>
+
+### Message DelegationInfo
+DelegationInfo represents a single delegation in a chain of trust.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| issuer | [Target](#neo.fs.v2.session.Target) |  | Account that performed this delegation. |
+| subject | [Target](#neo.fs.v2.session.Target) |  | Account that received the delegation. |
+| timestamp | [int64](#int64) |  | Unix timestamp when this delegation was created. |
+| verbs | [string](#string) | repeated | List of verbs authorized by this delegation. |
+| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) |  | Signature of the issuer confirming this delegation record. The signature is created over the deterministic serialization of this DelegationInfo message excluding this field. |
+
+
 <a name="neo.fs.v2.session.ObjectSessionContext"></a>
 
 ### Message ObjectSessionContext
@@ -185,6 +206,7 @@ request meta headers are folded in matryoshka style.
 | ttl | [uint32](#uint32) |  | Maximum number of intermediate nodes in the request route |
 | x_headers | [XHeader](#neo.fs.v2.session.XHeader) | repeated | Request X-Headers |
 | session_token | [SessionToken](#neo.fs.v2.session.SessionToken) |  | Session token within which the request is sent |
+| session_token_v2 | [SessionTokenV2](#neo.fs.v2.session.SessionTokenV2) |  | Session token v2 with delegation chain support. If both session_token and session_token_v2 are set, session_token_v2 takes precedence. |
 | bearer_token | [neo.fs.v2.acl.BearerToken](#neo.fs.v2.acl.BearerToken) |  | `BearerToken` with eACL overrides for the request |
 | origin | [RequestMetaHeader](#neo.fs.v2.session.RequestMetaHeader) |  | `RequestMetaHeader` of the origin request |
 | magic_number | [uint64](#uint64) |  | NeoFS network magic. Must match the value for the network that the server belongs to. |
@@ -234,6 +256,30 @@ Verification info for the response signed by all intermediate nodes
 | origin | [ResponseVerificationHeader](#neo.fs.v2.session.ResponseVerificationHeader) |  | Chain of previous hops signatures |
 
 
+<a name="neo.fs.v2.session.SessionContextV2"></a>
+
+### Message SessionContextV2
+SessionContextV2 carries unified context for both ObjectService and ContainerService requests.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| verbs | [SessionContextV2.Verb](#neo.fs.v2.session.SessionContextV2.Verb) | repeated | Multiple verbs this context authorizes. |
+| targets | [SessionContextV2.Target](#neo.fs.v2.session.SessionContextV2.Target) | repeated | Target resource(s) this authorization applies to. |
+
+
+<a name="neo.fs.v2.session.SessionContextV2.Target"></a>
+
+### Message SessionContextV2.Target
+Target resource specification.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| container | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Container where operation is allowed. For container operations, this is the container being operated on. For object operations, this is the container holding the objects. |
+| objects | [neo.fs.v2.refs.ObjectID](#neo.fs.v2.refs.ObjectID) | repeated | Specific objects where operation is allowed. Only relevant for object operations. Empty list means all objects in the container. |
+
+
 <a name="neo.fs.v2.session.SessionToken"></a>
 
 ### Message SessionToken
@@ -256,23 +302,65 @@ Session Token body
 | ----- | ---- | ----- | ----------- |
 | id | [bytes](#bytes) |  | Token identifier is a valid UUIDv4 in binary form |
 | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | Identifier of the session initiator |
-| lifetime | [SessionToken.Body.TokenLifetime](#neo.fs.v2.session.SessionToken.Body.TokenLifetime) |  | Lifetime of the session |
+| lifetime | [TokenLifetime](#neo.fs.v2.session.TokenLifetime) |  | Lifetime of the session |
 | session_key | [bytes](#bytes) |  | Public key used in session |
 | object | [ObjectSessionContext](#neo.fs.v2.session.ObjectSessionContext) |  | ObjectService session context |
 | container | [ContainerSessionContext](#neo.fs.v2.session.ContainerSessionContext) |  | ContainerService session context |
 
 
-<a name="neo.fs.v2.session.SessionToken.Body.TokenLifetime"></a>
+<a name="neo.fs.v2.session.SessionTokenV2"></a>
+
+### Message SessionTokenV2
+SessionTokenV2 represents NeoFS Session Token with delegation support.
 
-### Message SessionToken.Body.TokenLifetime
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| body | [SessionTokenV2.Body](#neo.fs.v2.session.SessionTokenV2.Body) |  | Session token body. |
+| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) |  | Signature of the body by the issuer. |
+
+
+<a name="neo.fs.v2.session.SessionTokenV2.Body"></a>
+
+### Message SessionTokenV2.Body
+Session Token body.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| version | [uint32](#uint32) |  | Token version. |
+| id | [bytes](#bytes) |  | Token identifier (UUIDv4 in binary form). |
+| issuer | [Target](#neo.fs.v2.session.Target) |  | Account that issued this token (who signed it). |
+| subjects | [Target](#neo.fs.v2.session.Target) | repeated | Accounts authorized by this token (who can use it). |
+| lifetime | [TokenLifetime](#neo.fs.v2.session.TokenLifetime) |  | Lifetime of this token. |
+| context | [SessionContextV2](#neo.fs.v2.session.SessionContextV2) |  | Unified session context for both object and container operations. |
+| delegation_chain | [DelegationInfo](#neo.fs.v2.session.DelegationInfo) | repeated | Full history of authority delegation (chain of trust). |
+
+
+<a name="neo.fs.v2.session.Target"></a>
+
+### Message Target
+Target account for SessionTokenV2.
+It can be either direct (OwnerID) or indirect (NNS domain).
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | Direct account reference via OwnerID (hash of verification script). |
+| nns_name | [string](#string) |  | Indirect account reference via NeoFS Name Service. NNS name is a domain name that resolves to an OwnerID through the NeoFS Name Service. The name must be a valid DNS-like domain name (e.g., "example.neofs") that is registered in the NNS contract on the Neo blockchain. The NNS record should contain a string record with the corresponding OwnerID value. |
+
+
+<a name="neo.fs.v2.session.TokenLifetime"></a>
+
+### Message TokenLifetime
 Lifetime parameters of the token. Field names taken from rfc7519.
 
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
 | exp | [uint64](#uint64) |  | Expiration epoch, the last epoch when token is valid. |
 | nbf | [uint64](#uint64) |  | Not valid before epoch, the first epoch when token is valid. |
-| iat | [uint64](#uint64) |  | Issued at Epoch |
+| iat | [uint64](#uint64) |  | Issued at epoch. |
 
 
 <a name="neo.fs.v2.session.XHeader"></a>
@@ -338,6 +426,27 @@ Object request verbs
 | RANGEHASH | 7 | Refers to object.GetRangeHash RPC call |
 
 
+
+<a name="neo.fs.v2.session.SessionContextV2.Verb"></a>
+
+### SessionContextV2.Verb
+Unified verbs for both object and container operations.
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| VERB_UNSPECIFIED | 0 | Unknown verb. |
+| OBJECT_PUT | 1 | Refers to object.Put RPC call. |
+| OBJECT_GET | 2 | Refers to object.Get RPC call. |
+| OBJECT_HEAD | 3 | Refers to object.Head RPC call. |
+| OBJECT_SEARCH | 4 | Refers to object.Search RPC call. |
+| OBJECT_DELETE | 5 | Refers to object.Delete RPC call. |
+| OBJECT_RANGE | 6 | Refers to object.GetRange RPC call. |
+| OBJECT_RANGEHASH | 7 | Refers to object.GetRangeHash RPC call. |
+| CONTAINER_PUT | 8 | Refers to container.Put RPC call. |
+| CONTAINER_DELETE | 9 | Refers to container.Delete RPC call. |
+| CONTAINER_SETEACL | 10 | Refers to container.SetExtendedACL RPC call. |
+
+
  <!-- end enums -->
 
 

session/types.proto

@@ -85,6 +85,18 @@ message ContainerSessionContext {
   refs.ContainerID container_id = 3 [json_name = "containerID"];
 }
 
+// Lifetime parameters of the token. Field names taken from rfc7519.
+message TokenLifetime {
+  // Expiration epoch, the last epoch when token is valid.
+  uint64 exp = 1 [json_name = "exp"];
+
+  // Not valid before epoch, the first epoch when token is valid.
+  uint64 nbf = 2 [json_name = "nbf"];
+
+  // Issued at epoch.
+  uint64 iat = 3 [json_name = "iat"];
+}
+
 // NeoFS Session Token.
 message SessionToken {
   // Session Token body
@@ -95,17 +107,6 @@ message SessionToken {
     // Identifier of the session initiator
     neo.fs.v2.refs.OwnerID owner_id = 2 [json_name = "ownerID"];
 
-    // Lifetime parameters of the token. Field names taken from rfc7519.
-    message TokenLifetime {
-      // Expiration epoch, the last epoch when token is valid.
-      uint64 exp = 1 [json_name = "exp"];
-
-      // Not valid before epoch, the first epoch when token is valid.
-      uint64 nbf = 2 [json_name = "nbf"];
-
-      // Issued at Epoch
-      uint64 iat = 3 [json_name = "iat"];
-    }
     // Lifetime of the session
     TokenLifetime lifetime = 3 [json_name = "lifetime"];
 
@@ -175,6 +176,10 @@ message RequestMetaHeader {
   // Session token within which the request is sent
   SessionToken session_token = 5 [json_name = "sessionToken"];
 
+  // Session token v2 with delegation chain support.
+  // If both session_token and session_token_v2 are set, session_token_v2 takes precedence.
+  SessionTokenV2 session_token_v2 = 9 [json_name = "sessionTokenV2"];
+
   // `BearerToken` with eACL overrides for the request
   neo.fs.v2.acl.BearerToken bearer_token = 6 [json_name = "bearerToken"];
 
@@ -232,3 +237,130 @@ message ResponseVerificationHeader {
   // Chain of previous hops signatures
   ResponseVerificationHeader origin = 4 [json_name = "origin"];
 }
+
+// Session Token v2
+
+// Target account for SessionTokenV2.
+// It can be either direct (OwnerID) or indirect (NNS domain).
+message Target {
+  // Account identifier.
+  oneof identifier {
+    // Direct account reference via OwnerID (hash of verification script).
+    neo.fs.v2.refs.OwnerID owner_id = 1 [json_name = "ownerID"];
+
+    // Indirect account reference via NeoFS Name Service.
+    // NNS name is a domain name that resolves to an OwnerID through the
+    // NeoFS Name Service. The name must be a valid DNS-like domain name
+    // (e.g., "example.neofs") that is registered in the NNS contract on
+    // the Neo blockchain. The NNS record should contain a string record with
+    // the corresponding OwnerID value.
+    string nns_name = 2 [json_name = "nnsName"];
+  }
+}
+
+// DelegationInfo represents a single delegation in a chain of trust.
+message DelegationInfo {
+  // Account that performed this delegation.
+  Target issuer = 1 [json_name = "issuer"];
+
+  // Account that received the delegation.
+  Target subject = 2 [json_name = "subject"];
+
+  // Unix timestamp when this delegation was created.
+  int64 timestamp = 3 [json_name = "timestamp"];
+
+  // List of verbs authorized by this delegation.
+  repeated string verbs = 4 [json_name = "verbs"];
+
+  // Signature of the issuer confirming this delegation record.
+  // The signature is created over the deterministic serialization
+  // of this DelegationInfo message excluding this field.
+  neo.fs.v2.refs.Signature signature = 5 [json_name = "signature"];
+}
+
+// SessionContextV2 carries unified context for both ObjectService and ContainerService requests.
+message SessionContextV2 {
+  // Unified verbs for both object and container operations.
+  enum Verb {
+    // Unknown verb.
+    VERB_UNSPECIFIED = 0;
+
+    // Object operations
+
+    // Refers to object.Put RPC call.
+    OBJECT_PUT = 1;
+    // Refers to object.Get RPC call.
+    OBJECT_GET = 2;
+    // Refers to object.Head RPC call.
+    OBJECT_HEAD = 3;
+    // Refers to object.Search RPC call.
+    OBJECT_SEARCH = 4;
+    // Refers to object.Delete RPC call.
+    OBJECT_DELETE = 5;
+    // Refers to object.GetRange RPC call.
+    OBJECT_RANGE = 6;
+    // Refers to object.GetRangeHash RPC call.
+    OBJECT_RANGEHASH = 7;
+
+    // Container operations
+
+    // Refers to container.Put RPC call.
+    CONTAINER_PUT = 8;
+    // Refers to container.Delete RPC call.
+    CONTAINER_DELETE = 9;
+    // Refers to container.SetExtendedACL RPC call.
+    CONTAINER_SETEACL = 10;
+  }
+
+  // Multiple verbs this context authorizes.
+  repeated Verb verbs = 1 [json_name = "verbs"];
+
+  // Target resource specification.
+  message Target {
+    // Container where operation is allowed.
+    // For container operations, this is the container being operated on.
+    // For object operations, this is the container holding the objects.
+    neo.fs.v2.refs.ContainerID container = 1 [json_name = "container"];
+
+    // Specific objects where operation is allowed.
+    // Only relevant for object operations.
+    // Empty list means all objects in the container.
+    repeated neo.fs.v2.refs.ObjectID objects = 2 [json_name = "objects"];
+  }
+
+  // Target resource(s) this authorization applies to.
+  repeated Target targets = 2 [json_name = "targets"];
+}
+
+// SessionTokenV2 represents NeoFS Session Token with delegation support.
+message SessionTokenV2 {
+  // Session Token body.
+  message Body {
+    // Token version.
+    uint32 version = 1 [json_name = "version"];
+
+    // Token identifier (UUIDv4 in binary form).
+    bytes id = 2 [json_name = "id"];
+
+    // Account that issued this token (who signed it).
+    Target issuer = 3 [json_name = "issuer"];
+
+    // Accounts authorized by this token (who can use it).
+    repeated Target subjects = 4 [json_name = "subjects"];
+
+    // Lifetime of this token.
+    TokenLifetime lifetime = 5 [json_name = "lifetime"];
+
+    // Unified session context for both object and container operations.
+    SessionContextV2 context = 6 [json_name = "context"];
+
+    // Full history of authority delegation (chain of trust).
+    repeated DelegationInfo delegation_chain = 7 [json_name = "delegationChain"];
+  }
+
+  // Session token body.
+  Body body = 1 [json_name = "body"];
+
+  // Signature of the body by the issuer.
+  neo.fs.v2.refs.Signature signature = 2 [json_name = "signature"];
+}