object/put: Process session token of the original request in ACL checks

Previously, when checking write access to an object, the storage node
used only the session token from the last request sent. In case of a
chain of more than one request, the original session token was ignored.
As a result, it did not allow to correctly interpret on whose behalf
the action was performed. In particular, in private containers,
gateways were deprived of the right to write data on behalf of the
user.

From now storage node always processes the session token from the
original request.

Signed-off-by: Leonard Lyubich <[email protected]>

CHANGELOG.md

@@ -11,6 +11,7 @@ Changelog for NeoFS Node
 ### Fixed
 - `neo-go` RPC connection loss handling (#1337)
 - Concurrent morph cache misses (#1248)
+- Session inactivity on object PUT request relay (#2460)
 
 ### Removed
 - Deprecated `morph.rpc_endpoint` SN and `morph.endpoint.client` IR config sections (#2400)

pkg/services/object/acl/v2/service.go

@@ -480,16 +480,10 @@ func (p putStreamBasicChecker) Send(request *objectV2.PutRequest) error {
 			}
 		}
 
-		var sTok *sessionSDK.Object
-
-		if tokV2 := request.GetMetaHeader().GetSessionToken(); tokV2 != nil {
-			sTok = new(sessionSDK.Object)
-
-			err = sTok.ReadFromV2(*tokV2)
-			if err != nil {
-				return fmt.Errorf("invalid session token: %w", err)
-			}
-
+		sTok, err := originalSessionToken(request.GetMetaHeader())
+		if err != nil {
+			return err
+		} else if sTok != nil {
 			if sTok.AssertVerb(sessionSDK.VerbObjectDelete) {
 				// if session relates to object's removal, we don't check
 				// relation of the tombstone to the session here since user