cli: Set up account alongside pub key in eacl rules

Closes #2914.

Signed-off-by: Evgenii Baidakov <[email protected]>

CHANGELOG.md

@@ -9,6 +9,7 @@ Changelog for NeoFS Node
 - Support for 0.20.0+ neofs-contract archive format (#2872)
 - `neofs-cli control object status` command (#2886)
 - Check the account alongside the public key in ACL (#2883)
+- Set up the account alongside the public key in CLI eacl rules (#2914)
 
 ### Fixed
 - Control service's Drop call does not clean metabase (#2822)

cmd/neofs-cli/modules/acl/extended/create.go

@@ -41,7 +41,8 @@ Target is
   'user' for container owner, 
   'system' for Storage nodes in container and Inner Ring nodes,
   'others' for all other request senders, 
-  'pubkey:<key1>,<key2>,...' for exact request sender, where <key> is a hex-encoded 33-byte public key.
+  'pubkey:<key1>,<key2>,...' for exact request sender, where <key> is a hex-encoded 33-byte public key,
+  'account:<acc1>,<acc2>,...' for exact request sender, where <acc> is a base58 25-byte account.
 
 When both '--rule' and '--file' arguments are used, '--rule' records will be placed higher in resulting extended ACL table.
 `,

cmd/neofs-cli/modules/acl/extended/create_test.go

@@ -29,6 +29,11 @@ func TestParseTable(t *testing.T) {
 			rule:       "deny getrange pubkey:036410abb260bbbda89f61c0cad65a4fa15ac5cb83b3c3abf8aee403856fcf65ed",
 			jsonRecord: `{"operation":"GETRANGE","action":"DENY","filters":[],"targets":[{"role":"ROLE_UNSPECIFIED","keys":["A2QQq7Jgu72on2HAytZaT6FaxcuDs8Or+K7kA4Vvz2Xt"]}]}`,
 		},
+		{
+			name:       "valid rule with account",
+			rule:       "deny getrange account:NWcSSzMkw5Vuq3gFmcih5yfCNxfXjWdKz8",
+			jsonRecord: `{"operation":"GETRANGE","action":"DENY","filters":[],"targets":[{"role":"ROLE_UNSPECIFIED","keys":["NXVYp24sheVFxW8PazdLtZEvUM/gLAhtqQ=="]}]}`,
+		},
 		{
 			name: "missing action",
 			rule: "get obj:a=b others",
@@ -57,6 +62,10 @@ func TestParseTable(t *testing.T) {
 			name: "invalid public key",
 			rule: "deny get obj:a=b pubkey:0123",
 		},
+		{
+			name: "invalid account",
+			rule: "deny get obj:a=b account:1234",
+		},
 	}
 
 	eaclTable := eacl.NewTable()

cmd/neofs-cli/modules/util/acl.go

@@ -14,6 +14,7 @@ import (
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neofs-sdk-go/container/acl"
 	"github.com/nspcc-dev/neofs-sdk-go/eacl"
+	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"github.com/olekukonko/tablewriter"
 	"github.com/spf13/cobra"
 )
@@ -276,7 +277,23 @@ func parseEACLRecord(args []string) (*eacl.Record, error) {
 			}
 
 			eacl.AddFormedTarget(r, role, pubs...)
+		case "account": // targets
+			var (
+				err      error
+				accounts []user.ID
+			)
 
+			if len(ss) == 2 {
+				accounts, err = parseAccountList(ss[1])
+				if err != nil {
+					return nil, err
+				}
+			}
+
+			t := eacl.NewTarget()
+			t.SetAccounts(accounts)
+
+			eacl.AddRecordTarget(r, t)
 		default:
 			return nil, fmt.Errorf("invalid prefix: %s", ss[0])
 		}
@@ -363,6 +380,23 @@ func parseKeyList(s string) ([]ecdsa.PublicKey, error) {
 	return pubs, nil
 }
 
+func parseAccountList(s string) ([]user.ID, error) {
+	parts := strings.Split(s, ",")
+	accounts := make([]user.ID, len(parts))
+
+	for i := range parts {
+		st := strings.TrimSpace(parts[i])
+		acc, err := user.DecodeString(st)
+		if err != nil {
+			return nil, fmt.Errorf("invalid account %q: %w", parts[i], err)
+		}
+
+		accounts[i] = acc
+	}
+
+	return accounts, nil
+}
+
 // eaclOperationsFromString parses list of eacl.Operation separated by comma.
 func eaclOperationsFromString(s string) ([]eacl.Operation, error) {
 	ss := strings.Split(s, ",")