session: access session keys by account only

There is no need to store session information in two formats in session key
storage. An ID is not required, as it can be retrieved using the public key
account of the open session.

Closes #3793.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>

Author: End-rey

CHANGELOG.md

@@ -12,6 +12,7 @@ Changelog for NeoFS Node
 
 ### Changed
 - SN returns unsigned responses to requests with API >= `v2.22` (#3785)
+- Session key storage access session keys by account only (#3817)
 
 ### Removed
 

cmd/neofs-node/config.go

@@ -407,6 +407,9 @@ func initCfg(appCfg *config.Config) *cfg {
 		fatalOnErr(err)
 	}
 
+	err = persistate.MigrateSessionTokensToAccounts()
+	fatalOnErr(err)
+
 	basicSharedConfig := initBasics(c, key, persistate)
 	streamTimeout := appCfg.APIClient.StreamTimeout
 	minConnTimeout := appCfg.APIClient.MinConnectionTime

cmd/neofs-node/object.go

@@ -11,7 +11,6 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/google/uuid"
 	lru "github.com/hashicorp/golang-lru/v2"
 	iec "github.com/nspcc-dev/neofs-node/internal/ec"
 	coreclient "github.com/nspcc-dev/neofs-node/pkg/core/client"
@@ -627,16 +626,16 @@ func (x storageForObjectService) VerifyAndStoreObjectLocally(obj object.Object)
 	return x.putSvc.ValidateAndStoreObjectLocally(obj)
 }
 
-func (x storageForObjectService) GetSessionPrivateKey(usr user.ID, uid uuid.UUID) (ecdsa.PrivateKey, error) {
-	k, err := x.keys.GetKey(&util.SessionInfo{ID: uid, Owner: usr})
+func (x storageForObjectService) GetSessionPrivateKey(account user.ID) (ecdsa.PrivateKey, error) {
+	k, err := x.keys.GetKey(&account)
 	if err != nil {
 		return ecdsa.PrivateKey{}, err
 	}
 	return *k, nil
 }
 
-func (x storageForObjectService) GetSessionV2PrivateKey(issuer user.ID, subjects []sessionv2.Target) (ecdsa.PrivateKey, error) {
-	k, err := x.keys.GetKeyBySubjects(issuer, subjects)
+func (x storageForObjectService) GetSessionV2PrivateKey(subjects []sessionv2.Target) (ecdsa.PrivateKey, error) {
+	k, err := x.keys.GetKeyBySubjects(subjects)
 	if err != nil {
 		return ecdsa.PrivateKey{}, err
 	}

cmd/neofs-node/session.go

@@ -12,8 +12,8 @@ import (
 
 type sessionStorage interface {
 	sessionSvc.KeyStorage
-	GetToken(ownerID user.ID, tokenID []byte) *session.PrivateToken
-	FindTokenBySubjects(owner user.ID, subjects []sessionv2.Target) *session.PrivateToken
+	GetToken(account user.ID) *session.PrivateToken
+	FindTokenBySubjects(subjects []sessionv2.Target) *session.PrivateToken
 	RemoveOldTokens(epoch uint64)
 
 	Close() error

pkg/services/object/delete/delete.go

@@ -2,8 +2,8 @@ package deletesvc
 
 import (
 	"context"
+	"fmt"
 
-	"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"go.uber.org/zap"
 )
@@ -13,7 +13,7 @@ func (s *Service) Delete(ctx context.Context, prm Prm) error {
 	// If session token is not found we will fail during tombstone PUT.
 	// Here we fail immediately to ensure no unnecessary network communication is done.
 	if tokV2 := prm.common.SessionTokenV2(); tokV2 != nil {
-		if _, err := s.keyStorage.GetKeyBySubjects(tokV2.Issuer(), tokV2.Subjects()); err != nil {
+		if _, err := s.keyStorage.GetKeyBySubjects(tokV2.Subjects()); err != nil {
 			if s.nnsResolver == nil {
 				return err
 			}
@@ -31,10 +31,11 @@ func (s *Service) Delete(ctx context.Context, prm Prm) error {
 			}
 		}
 	} else if tok := prm.common.SessionToken(); tok != nil {
-		_, err := s.keyStorage.GetKey(&util.SessionInfo{
-			ID:    tok.ID(),
-			Owner: tok.Issuer(),
-		})
+		authUser, err := tok.AuthUser()
+		if err != nil {
+			return fmt.Errorf("can't get auth user from token: %w", err)
+		}
+		_, err = s.keyStorage.GetKey(&authUser)
 		if err != nil {
 			return err
 		}

pkg/services/object/get/exec.go

@@ -8,7 +8,6 @@ import (
 	"io"
 
 	clientcore "github.com/nspcc-dev/neofs-node/pkg/core/client"
-	"github.com/nspcc-dev/neofs-node/pkg/services/object/util"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	"github.com/nspcc-dev/neofs-sdk-go/netmap"
 	"github.com/nspcc-dev/neofs-sdk-go/object"
@@ -172,7 +171,7 @@ func (exec execCtx) key() (*ecdsa.PrivateKey, error) {
 	}
 	if tokV2 := exec.prm.common.SessionTokenV2(); tokV2 != nil {
 		// For V2 tokens, the key is stored as the subjects
-		if keyForSession, err := exec.svc.keyStore.GetKeyBySubjects(tokV2.Issuer(), tokV2.Subjects()); err == nil {
+		if keyForSession, err := exec.svc.keyStore.GetKeyBySubjects(tokV2.Subjects()); err == nil {
 			key = keyForSession
 		} else if exec.svc.nnsResolver != nil {
 			nodeUser := user.NewFromECDSAPublicKey(key.PublicKey)
@@ -188,10 +187,11 @@ func (exec execCtx) key() (*ecdsa.PrivateKey, error) {
 			return nil, fmt.Errorf("get key for session v2 token: %w", err)
 		}
 	} else if tok := exec.prm.common.SessionToken(); tok != nil {
-		key, err = exec.svc.keyStore.GetKey(&util.SessionInfo{
-			ID:    tok.ID(),
-			Owner: tok.Issuer(),
-		})
+		authUser, err := tok.AuthUser()
+		if err != nil {
+			return nil, fmt.Errorf("could not get session auth user: %w", err)
+		}
+		key, err = exec.svc.keyStore.GetKey(&authUser)
 		if err != nil {
 			return nil, err
 		}

pkg/services/object/get/service.go

@@ -105,8 +105,8 @@ type cfg struct {
 	}
 
 	keyStore interface {
-		GetKey(*util.SessionInfo) (*ecdsa.PrivateKey, error)
-		GetKeyBySubjects(user.ID, []sessionv2.Target) (*ecdsa.PrivateKey, error)
+		GetKey(*user.ID) (*ecdsa.PrivateKey, error)
+		GetKeyBySubjects([]sessionv2.Target) (*ecdsa.PrivateKey, error)
 	}
 
 	nnsResolver sessionv2.NNSResolver

pkg/services/object/get/service_test.go

@@ -144,11 +144,11 @@ type mockKeyStorage struct {
 	privKey ecdsa.PrivateKey
 }
 
-func (x *mockKeyStorage) GetKey(*util.SessionInfo) (*ecdsa.PrivateKey, error) {
+func (x *mockKeyStorage) GetKey(*user.ID) (*ecdsa.PrivateKey, error) {
 	return &x.privKey, nil
 }
 
-func (x *mockKeyStorage) GetKeyBySubjects(user.ID, []sessionv2.Target) (*ecdsa.PrivateKey, error) {
+func (x *mockKeyStorage) GetKeyBySubjects([]sessionv2.Target) (*ecdsa.PrivateKey, error) {
 	return &x.privKey, nil
 }
 

pkg/services/object/put/remote.go

@@ -43,16 +43,16 @@ func putObjectToNode(ctx context.Context, nodeInfo clientcore.NodeInfo, obj *obj
 
 	if tokV2 := commonPrm.SessionTokenV2(); tokV2 != nil {
 		// For V2 tokens, the key is stored as the subjects
-		if keyForSession, err := keyStorage.GetKeyBySubjects(tokV2.Issuer(), tokV2.Subjects()); err == nil {
+		if keyForSession, err := keyStorage.GetKeyBySubjects(tokV2.Subjects()); err == nil {
 			key = keyForSession
 		}
 		opts.WithinSessionV2(*tokV2)
 	} else if tok := commonPrm.SessionToken(); tok != nil {
-		sessionInfo := &util.SessionInfo{
-			ID:    tok.ID(),
-			Owner: tok.Issuer(),
+		authUser, err := tok.AuthUser()
+		if err != nil {
+			return fmt.Errorf("could not get session auth user: %w", err)
 		}
-		key, err = keyStorage.GetKey(sessionInfo)
+		key, err = keyStorage.GetKey(&authUser)
 		if err != nil {
 			return fmt.Errorf("could not receive private key: %w", err)
 		}

pkg/services/object/put/service_test.go

@@ -893,11 +893,11 @@ type mockNodeSession struct {
 	expiresAt uint64
 }
 
-func (x mockNodeSession) FindTokenBySubjects(user.ID, []sessionv2.Target) *storage.PrivateToken {
+func (x mockNodeSession) FindTokenBySubjects([]sessionv2.Target) *storage.PrivateToken {
 	return storage.NewPrivateToken(&x.signer.ECDSAPrivateKey, x.expiresAt)
 }
 
-func (x mockNodeSession) GetToken(user.ID, []byte) *storage.PrivateToken {
+func (x mockNodeSession) GetToken(user.ID) *storage.PrivateToken {
 	return storage.NewPrivateToken(&x.signer.ECDSAPrivateKey, x.expiresAt)
 }