session: add a new session token v2

Session Token v2 solves the delegation, power of attorney, and chain-of-trust
problems. It enables:
- Account-based authority (direct or NNS-based indirect)
- Multi-account subjects (multiple entities can use same token)
- Multi-verb operations (GET, PUT, DELETE in single token)
- Delegation chains (verifiable like X.509 certificates)
- Indirect accounts (NeoFS Name Service resolution)

Refs #241.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>

Author: End-rey

proto-docs/refs.md

@@ -6,6 +6,7 @@
 - [refs/types.proto](#refs/types.proto)
 
   - Messages
+    - [Account](#neo.fs.v2.refs.Account)
     - [Address](#neo.fs.v2.refs.Address)
     - [Checksum](#neo.fs.v2.refs.Checksum)
     - [ContainerID](#neo.fs.v2.refs.ContainerID)
@@ -30,6 +31,19 @@
  <!-- end services -->
 
 
+<a name="neo.fs.v2.refs.Account"></a>
+
+### Message Account
+Account represents an identity in NeoFS.
+It can be either direct (OwnerID) or indirect (NNS domain).
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| owner_id | [OwnerID](#neo.fs.v2.refs.OwnerID) |  | Direct account reference via OwnerID (hash of public key). |
+| nns_name | [string](#string) |  | Indirect account reference via NeoFS Name Service. |
+
+
 <a name="neo.fs.v2.refs.Address"></a>
 
 ### Message Address

proto-docs/session.md

@@ -12,21 +12,31 @@
     - [CreateRequest.Body](#neo.fs.v2.session.CreateRequest.Body)
     - [CreateResponse](#neo.fs.v2.session.CreateResponse)
     - [CreateResponse.Body](#neo.fs.v2.session.CreateResponse.Body)
+    - [CreateV2Request](#neo.fs.v2.session.CreateV2Request)
+    - [CreateV2Request.Body](#neo.fs.v2.session.CreateV2Request.Body)
+    - [CreateV2Response](#neo.fs.v2.session.CreateV2Response)
+    - [CreateV2Response.Body](#neo.fs.v2.session.CreateV2Response.Body)
 
 
 - [session/types.proto](#session/types.proto)
 
   - Messages
     - [ContainerSessionContext](#neo.fs.v2.session.ContainerSessionContext)
+    - [ContainerSessionContextV2](#neo.fs.v2.session.ContainerSessionContextV2)
+    - [DelegationInfo](#neo.fs.v2.session.DelegationInfo)
     - [ObjectSessionContext](#neo.fs.v2.session.ObjectSessionContext)
     - [ObjectSessionContext.Target](#neo.fs.v2.session.ObjectSessionContext.Target)
+    - [ObjectSessionContextV2](#neo.fs.v2.session.ObjectSessionContextV2)
+    - [ObjectSessionContextV2.Target](#neo.fs.v2.session.ObjectSessionContextV2.Target)
     - [RequestMetaHeader](#neo.fs.v2.session.RequestMetaHeader)
     - [RequestVerificationHeader](#neo.fs.v2.session.RequestVerificationHeader)
     - [ResponseMetaHeader](#neo.fs.v2.session.ResponseMetaHeader)
     - [ResponseVerificationHeader](#neo.fs.v2.session.ResponseVerificationHeader)
     - [SessionToken](#neo.fs.v2.session.SessionToken)
     - [SessionToken.Body](#neo.fs.v2.session.SessionToken.Body)
-    - [SessionToken.Body.TokenLifetime](#neo.fs.v2.session.SessionToken.Body.TokenLifetime)
+    - [SessionTokenV2](#neo.fs.v2.session.SessionTokenV2)
+    - [SessionTokenV2.Body](#neo.fs.v2.session.SessionTokenV2.Body)
+    - [TokenLifetime](#neo.fs.v2.session.TokenLifetime)
     - [XHeader](#neo.fs.v2.session.XHeader)
 
 
@@ -52,6 +62,7 @@ section of NeoFS Technical Specification for details.
 
 ```
 rpc Create(CreateRequest) returns (CreateResponse);
+rpc CreateV2(CreateV2Request) returns (CreateV2Response);
 
 ```
 
@@ -67,6 +78,18 @@ session has been successfully opened;
 | Name | Input | Output |
 | ---- | ----- | ------ |
 | Create | [CreateRequest](#neo.fs.v2.session.CreateRequest) | [CreateResponse](#neo.fs.v2.session.CreateResponse) |
+#### Method CreateV2
+
+Create a new session token v2 with delegation and chain-of-trust support.
+
+Statuses:
+- **OK** (0, SECTION_SUCCESS):
+session token v2 has been successfully created;
+- Common failures (SECTION_FAILURE_COMMON).
+
+| Name | Input | Output |
+| ---- | ----- | ------ |
+| CreateV2 | [CreateV2Request](#neo.fs.v2.session.CreateV2Request) | [CreateV2Response](#neo.fs.v2.session.CreateV2Response) |
  <!-- end services -->
 
 
@@ -119,6 +142,57 @@ Session creation response body
 | id | [bytes](#bytes) |  | Identifier of a newly created session |
 | session_key | [bytes](#bytes) |  | Public key used for session |
 
+
+<a name="neo.fs.v2.session.CreateV2Request"></a>
+
+### Message CreateV2Request
+CreateV2Request is information necessary for creating a session token v2.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| body | [CreateV2Request.Body](#neo.fs.v2.session.CreateV2Request.Body) |  | Body of create session token v2 request message. |
+| meta_header | [RequestMetaHeader](#neo.fs.v2.session.RequestMetaHeader) |  | Carries request meta information. Header data is used only to regulate message transport and does not affect request execution. |
+| verify_header | [RequestVerificationHeader](#neo.fs.v2.session.RequestVerificationHeader) |  | Carries request verification information. This header is used to authenticate the nodes of the message route and check the correctness of transmission. |
+
+
+<a name="neo.fs.v2.session.CreateV2Request.Body"></a>
+
+### Message CreateV2Request.Body
+Session creation request v2 body.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| issuer | [neo.fs.v2.refs.Account](#neo.fs.v2.refs.Account) |  | Issuer of the session token. |
+| subjects | [neo.fs.v2.refs.Account](#neo.fs.v2.refs.Account) | repeated | Subjects authorized by this token. |
+| expiration | [int64](#int64) |  | Session expiration time. |
+| created_at | [int64](#int64) |  | Session creation time. |
+
+
+<a name="neo.fs.v2.session.CreateV2Response"></a>
+
+### Message CreateV2Response
+CreateV2Response is information about a newly created session token v2.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| body | [CreateV2Response.Body](#neo.fs.v2.session.CreateV2Response.Body) |  | Body of create session token v2 response message. |
+| meta_header | [ResponseMetaHeader](#neo.fs.v2.session.ResponseMetaHeader) |  | Carries response meta information. Header data is used only to regulate message transport and does not affect request execution. |
+| verify_header | [ResponseVerificationHeader](#neo.fs.v2.session.ResponseVerificationHeader) |  | Carries response verification information. This header is used to authenticate the nodes of the message route and check the correctness of transmission. |
+
+
+<a name="neo.fs.v2.session.CreateV2Response.Body"></a>
+
+### Message CreateV2Response.Body
+Session creation response v2 body.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| token | [SessionTokenV2](#neo.fs.v2.session.SessionTokenV2) |  | The session token v2 with delegation and chain-of-trust support. |
+
  <!-- end messages -->
 
  <!-- end enums -->
@@ -147,6 +221,35 @@ Context information for Session Tokens related to ContainerService requests.
 | container_id | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Particular container to which the action applies. Ignored if wildcard flag is set. |
 
 
+<a name="neo.fs.v2.session.ContainerSessionContextV2"></a>
+
+### Message ContainerSessionContextV2
+ContainerSessionContextV2 carries context for ContainerService requests.
+Extended version supporting multiple verbs.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| verbs | [ContainerSessionContextV2.Verb](#neo.fs.v2.session.ContainerSessionContextV2.Verb) | repeated | Multiple verbs this context authorizes. |
+| wildcard | [bool](#bool) |  | If true, applies to all containers owned by the subject. |
+| container_id | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Particular container to which the action applies. Ignored if wildcard is true. |
+
+
+<a name="neo.fs.v2.session.DelegationInfo"></a>
+
+### Message DelegationInfo
+DelegationInfo represents a single delegation in a chain of trust.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| issuer | [neo.fs.v2.refs.Account](#neo.fs.v2.refs.Account) |  | Account that performed this delegation. |
+| subject | [neo.fs.v2.refs.Account](#neo.fs.v2.refs.Account) |  | Account that received the delegation. |
+| timestamp | [int64](#int64) |  | Unix timestamp when this delegation was created. |
+| verbs | [string](#string) | repeated | List of verbs authorized by this delegation. |
+| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) |  | Signature of the issuer confirming this delegation record. The signature is created over the deterministic serialization of this DelegationInfo message excluding this field. |
+
+
 <a name="neo.fs.v2.session.ObjectSessionContext"></a>
 
 ### Message ObjectSessionContext
@@ -171,6 +274,31 @@ Carries objects involved in the object session.
 | objects | [neo.fs.v2.refs.ObjectID](#neo.fs.v2.refs.ObjectID) | repeated | Indicates which objects the session is spread to. Objects are expected to be stored in the NeoFS container referenced by `container` field. Each element MUST have correct format. |
 
 
+<a name="neo.fs.v2.session.ObjectSessionContextV2"></a>
+
+### Message ObjectSessionContextV2
+ObjectSessionContextV2 carries context for ObjectService requests.
+Extended version supporting multiple verbs and targets.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| verbs | [ObjectSessionContextV2.Verb](#neo.fs.v2.session.ObjectSessionContextV2.Verb) | repeated | Multiple verbs this context authorizes. |
+| targets | [ObjectSessionContextV2.Target](#neo.fs.v2.session.ObjectSessionContextV2.Target) | repeated | Target resource(s) this authorization applies to. |
+
+
+<a name="neo.fs.v2.session.ObjectSessionContextV2.Target"></a>
+
+### Message ObjectSessionContextV2.Target
+Target resource specification.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| container | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) |  | Container where operation is allowed. |
+| objects | [neo.fs.v2.refs.ObjectID](#neo.fs.v2.refs.ObjectID) | repeated | Specific objects where operation is allowed. Empty list means all objects in the container. |
+
+
 <a name="neo.fs.v2.session.RequestMetaHeader"></a>
 
 ### Message RequestMetaHeader
@@ -256,23 +384,53 @@ Session Token body
 | ----- | ---- | ----- | ----------- |
 | id | [bytes](#bytes) |  | Token identifier is a valid UUIDv4 in binary form |
 | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | Identifier of the session initiator |
-| lifetime | [SessionToken.Body.TokenLifetime](#neo.fs.v2.session.SessionToken.Body.TokenLifetime) |  | Lifetime of the session |
+| lifetime | [TokenLifetime](#neo.fs.v2.session.TokenLifetime) |  | Lifetime of the session |
 | session_key | [bytes](#bytes) |  | Public key used in session |
 | object | [ObjectSessionContext](#neo.fs.v2.session.ObjectSessionContext) |  | ObjectService session context |
 | container | [ContainerSessionContext](#neo.fs.v2.session.ContainerSessionContext) |  | ContainerService session context |
 
 
-<a name="neo.fs.v2.session.SessionToken.Body.TokenLifetime"></a>
+<a name="neo.fs.v2.session.SessionTokenV2"></a>
+
+### Message SessionTokenV2
+SessionTokenV2 represents NeoFS Session Token with delegation support.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| body | [SessionTokenV2.Body](#neo.fs.v2.session.SessionTokenV2.Body) |  | Session token body. |
+| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) |  | Signature of the body by the issuer. |
+
+
+<a name="neo.fs.v2.session.SessionTokenV2.Body"></a>
+
+### Message SessionTokenV2.Body
+Session Token body.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| version | [uint32](#uint32) |  | Token version. |
+| id | [bytes](#bytes) |  | Token identifier (UUIDv4 in binary form). |
+| issuer | [neo.fs.v2.refs.Account](#neo.fs.v2.refs.Account) |  | Account that issued this token (who signed it). |
+| subjects | [neo.fs.v2.refs.Account](#neo.fs.v2.refs.Account) | repeated | Accounts authorized by this token (who can use it). |
+| lifetime | [TokenLifetime](#neo.fs.v2.session.TokenLifetime) |  | Lifetime of this token. |
+| object | [ObjectSessionContextV2](#neo.fs.v2.session.ObjectSessionContextV2) |  | ObjectService authorization context. |
+| container | [ContainerSessionContextV2](#neo.fs.v2.session.ContainerSessionContextV2) |  | ContainerService authorization context. |
+| delegation_chain | [DelegationInfo](#neo.fs.v2.session.DelegationInfo) | repeated | Full history of authority delegation (chain of trust). |
+
 
-### Message SessionToken.Body.TokenLifetime
+<a name="neo.fs.v2.session.TokenLifetime"></a>
+
+### Message TokenLifetime
 Lifetime parameters of the token. Field names taken from rfc7519.
 
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
 | exp | [uint64](#uint64) |  | Expiration epoch, the last epoch when token is valid. |
 | nbf | [uint64](#uint64) |  | Not valid before epoch, the first epoch when token is valid. |
-| iat | [uint64](#uint64) |  | Issued at Epoch |
+| iat | [uint64](#uint64) |  | Issued at epoch. |
 
 
 <a name="neo.fs.v2.session.XHeader"></a>
@@ -321,6 +479,20 @@ Container request verbs
 
 
 
+<a name="neo.fs.v2.session.ContainerSessionContextV2.Verb"></a>
+
+### ContainerSessionContextV2.Verb
+Container request verbs.
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| VERB_UNSPECIFIED | 0 | Unknown verb. |
+| PUT | 1 | Refers to container.Put RPC call. |
+| DELETE | 2 | Refers to container.Delete RPC call. |
+| SETEACL | 3 | Refers to container.SetExtendedACL RPC call. |
+
+
+
 <a name="neo.fs.v2.session.ObjectSessionContext.Verb"></a>
 
 ### ObjectSessionContext.Verb
@@ -338,6 +510,24 @@ Object request verbs
 | RANGEHASH | 7 | Refers to object.GetRangeHash RPC call |
 
 
+
+<a name="neo.fs.v2.session.ObjectSessionContextV2.Verb"></a>
+
+### ObjectSessionContextV2.Verb
+Object request verbs.
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| VERB_UNSPECIFIED | 0 | Unknown verb. |
+| PUT | 1 | Refers to object.Put RPC call. |
+| GET | 2 | Refers to object.Get RPC call. |
+| HEAD | 3 | Refers to object.Head RPC call. |
+| SEARCH | 4 | Refers to object.Search RPC call. |
+| DELETE | 5 | Refers to object.Delete RPC call. |
+| RANGE | 6 | Refers to object.GetRange RPC call. |
+| RANGEHASH | 7 | Refers to object.GetRangeHash RPC call. |
+
+
  <!-- end enums -->
 
 

refs/types.proto

@@ -79,6 +79,19 @@ message OwnerID {
   bytes value = 1 [json_name = "value"];
 }
 
+// Account represents an identity in NeoFS.
+// It can be either direct (OwnerID) or indirect (NNS domain).
+message Account {
+  // Account identifier.
+  oneof identifier {
+    // Direct account reference via OwnerID (hash of public key).
+    OwnerID owner_id = 1 [json_name = "ownerID"];
+
+    // Indirect account reference via NeoFS Name Service.
+    string nns_name = 2 [json_name = "nnsName"];
+  }
+}
+
 // NeoFS subnetwork identifier.
 //
 // String representation of a value is base-10 integer.