acl: Check the account alongside the public key

Signed-off-by: Evgenii Baidakov <[email protected]>
nspcc-dev · Jul 4, 2024 · 72f5541 · 72f5541
1 parent 5ef73c8
commit 72f5541
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 14 deletions.
diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/nspcc-dev/neo-go v0.106.2
 	github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4
 	github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2
-	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12
+	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6
 	github.com/nspcc-dev/tzhash v1.8.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/panjf2000/ants/v2 v2.9.0

diff --git a/go.sum b/go.sum
@@ -136,8 +136,8 @@ github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4 h1:ar
 github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4/go.mod h1:7Tm1NKEoUVVIUlkVwFrPh7GG5+Lmta2m7EGr4oVpBd8=
 github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2 h1:VT9/vs92xth7c2PIxiGt1NIK77VK2kjSFqLMWmMY/pc=
 github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2/go.mod h1:5nBFjgF2/SNpEty5oZzfTLck3YCSHLgnL4Tlv2xo54c=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12 h1:mdxtlSU2I4oVZ/7AXTLKyz8uUPbDWikZw4DM8gvrddA=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6 h1:6Z61E1NqyxjnUKzaSQqZWmP67TZ2GB5WLgozBtTS7j8=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240704083855-724f847f0ce6/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
 github.com/nspcc-dev/rfc6979 v0.2.1 h1:8wWxkamHWFmO790GsewSoKUSJjVnL1fmdRpokU/RgRM=
 github.com/nspcc-dev/rfc6979 v0.2.1/go.mod h1:Tk7h5kyUWkhjyO3zUgFFhy1v2vQv3BvQEntakdtqrWc=
 github.com/nspcc-dev/tzhash v1.8.0 h1:pJvzME2mZzP/h5rcy/Wb6amT9FJBFeKbJ3HEnWEeUpY=

diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
@@ -199,6 +199,7 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 		WithOperation(eaclSDK.Operation(reqInfo.Operation())).
 		WithContainerID(&cnr).
 		WithSenderKey(reqInfo.SenderKey()).
+		WithAccount(reqInfo.SenderAccount()).
 		WithHeaderSource(hdrSrc).
 		WithEACLTable(&table),
 	)

diff --git a/pkg/services/object/acl/v2/classifier.go b/pkg/services/object/acl/v2/classifier.go
@@ -18,8 +18,9 @@ type senderClassifier struct {
 }
 
 type classifyResult struct {
-	role acl.Role
-	key  []byte
+	role    acl.Role
+	key     []byte
+	account []byte
 }
 
 func (c senderClassifier) classify(
@@ -36,8 +37,9 @@ func (c senderClassifier) classify(
 	// if request owner is the same as container owner, return RoleUser
 	if ownerID.Equals(cnr.Owner()) {
 		return &classifyResult{
-			role: acl.RoleOwner,
-			key:  ownerKey,
+			role:    acl.RoleOwner,
+			key:     ownerKey,
+			account: ownerID.WalletBytes(),
 		}, nil
 	}
 
@@ -48,8 +50,9 @@ func (c senderClassifier) classify(
 			zap.String("error", err.Error()))
 	} else if isInnerRingNode {
 		return &classifyResult{
-			role: acl.RoleInnerRing,
-			key:  ownerKey,
+			role:    acl.RoleInnerRing,
+			key:     ownerKey,
+			account: ownerID.WalletBytes(),
 		}, nil
 	}
 
@@ -62,15 +65,17 @@ func (c senderClassifier) classify(
 			zap.String("error", err.Error()))
 	} else if isContainerNode {
 		return &classifyResult{
-			role: acl.RoleContainer,
-			key:  ownerKey,
+			role:    acl.RoleContainer,
+			key:     ownerKey,
+			account: ownerID.WalletBytes(),
 		}, nil
 	}
 
 	// if none of above, return RoleOthers
 	return &classifyResult{
-		role: acl.RoleOthers,
-		key:  ownerKey,
+		role:    acl.RoleOthers,
+		key:     ownerKey,
+		account: ownerID.WalletBytes(),
 	}, nil
 }
 

diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go
@@ -29,7 +29,8 @@ type RequestInfo struct {
 	// e.g. Put, Search
 	obj *oid.ID
 
-	senderKey []byte
+	senderKey     []byte
+	senderAccount []byte
 
 	bearer *bearer.Token // bearer token of request
 
@@ -88,6 +89,11 @@ func (r RequestInfo) SenderKey() []byte {
 	return r.senderKey
 }
 
+// SenderAccount returns account of the request's sender.
+func (r RequestInfo) SenderAccount() []byte {
+	return r.senderAccount
+}
+
 // Operation returns request's operation.
 func (r RequestInfo) Operation() acl.Op {
 	return r.operation

diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
@@ -628,6 +628,7 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
 	// it is assumed that at the moment the key will be valid,
 	// otherwise the request would not pass validation
 	info.senderKey = res.key
+	info.senderAccount = res.account
 
 	// add bearer token if it is present in request
 	info.bearer = req.bearer