From 1951b5c447c12ee8e4e830323064682cca473280 Mon Sep 17 00:00:00 2001
From: Leonard Lyubich <leonard@morphbits.io>
Date: Mon, 26 Feb 2024 10:08:45 +0400
Subject: [PATCH] acl: Extend `BearerToken` message with `issuer` field

Previously, `BearerToken` message had no explicit field for the token
issuer. This could become a limitation on subject identification because
only public key derivation was supported. To prevent this, `issuer`
field is added.

Closes #266.

Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
---
 CHANGELOG.md      | 1 +
 acl/types.proto   | 4 ++++
 proto-docs/acl.md | 1 +
 3 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f45bd16..d1684f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Link object payload message (#263)
 - Children sizes index to the link objects (#264)
 - `LINK` split chain object type (#283)
+- `BearerToken.issuer` field (#266)
 
 ### Changed
 - Split ID is deprecated, the first child part is used instead and is known to the other parts (#283)
diff --git a/acl/types.proto b/acl/types.proto
index e359c94..5b91028 100644
--- a/acl/types.proto
+++ b/acl/types.proto
@@ -236,6 +236,10 @@ message BearerToken {
     }
     // Token expiration and valid time period parameters
     TokenLifetime lifetime = 3 [json_name="lifetime"];
+
+    // Token issuer's user ID in NeoFS. It must equal to the related
+    // container's [owner](#neo.fs.v2.container.Container.owner).
+    neo.fs.v2.refs.OwnerID issuer = 4 [json_name="issuer"];
   }
   // Bearer Token body
   Body body = 1 [json_name="body"];
diff --git a/proto-docs/acl.md b/proto-docs/acl.md
index 42326ea..b2a244b 100644
--- a/proto-docs/acl.md
+++ b/proto-docs/acl.md
@@ -60,6 +60,7 @@ owner with additional information preventing token abuse.
 | eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) |  | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed. |
 | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID`. If empty, any token bearer will be accepted. |
 | lifetime | [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) |  | Token expiration and valid time period parameters |
+| issuer | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | User ID of the token issuer in NeoFS. It must equal to the related container's [owner](#neo.fs.v2.container.Container.owner). |
 
 
 <a name="neo.fs.v2.acl.BearerToken.Body.TokenLifetime"></a>