acl: Check the account alongside the public key

Signed-off-by: Evgenii Baidakov <evgenii@nspcc.io>
nspcc-dev · Jul 5, 2024 · 68a2ab1 · 68a2ab1
1 parent 5ef73c8
commit 68a2ab1
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ Changelog for NeoFS Node
 
 ### Added
 - Indexes inspection command to neofs-lens (#2882)
+- Check the account alongside the public key in ACL (#2883)
 
 ### Fixed
 - Control service's Drop call does not clean metabase (#2822)

diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/nspcc-dev/neo-go v0.106.2
 	github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4
 	github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2
-	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12
+	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240705070503-e3543cb5d21b
 	github.com/nspcc-dev/tzhash v1.8.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/panjf2000/ants/v2 v2.9.0

diff --git a/go.sum b/go.sum
@@ -136,8 +136,8 @@ github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4 h1:ar
 github.com/nspcc-dev/neofs-api-go/v2 v2.14.1-0.20240305074711-35bc78d84dc4/go.mod h1:7Tm1NKEoUVVIUlkVwFrPh7GG5+Lmta2m7EGr4oVpBd8=
 github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2 h1:VT9/vs92xth7c2PIxiGt1NIK77VK2kjSFqLMWmMY/pc=
 github.com/nspcc-dev/neofs-contract v0.19.2-0.20240506202632-e78d64ecdfc2/go.mod h1:5nBFjgF2/SNpEty5oZzfTLck3YCSHLgnL4Tlv2xo54c=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12 h1:mdxtlSU2I4oVZ/7AXTLKyz8uUPbDWikZw4DM8gvrddA=
-github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240705070503-e3543cb5d21b h1:PRP0B3W7l3VhvZPYwm5FUUfkSsPkfs9LK0j+VWAX69o=
+github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.12.0.20240705070503-e3543cb5d21b/go.mod h1:JdsEM1qgNukrWqgOBDChcYp8oY4XUzidcKaxY4hNJvQ=
 github.com/nspcc-dev/rfc6979 v0.2.1 h1:8wWxkamHWFmO790GsewSoKUSJjVnL1fmdRpokU/RgRM=
 github.com/nspcc-dev/rfc6979 v0.2.1/go.mod h1:Tk7h5kyUWkhjyO3zUgFFhy1v2vQv3BvQEntakdtqrWc=
 github.com/nspcc-dev/tzhash v1.8.0 h1:pJvzME2mZzP/h5rcy/Wb6amT9FJBFeKbJ3HEnWEeUpY=

diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
@@ -199,6 +199,7 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 		WithOperation(eaclSDK.Operation(reqInfo.Operation())).
 		WithContainerID(&cnr).
 		WithSenderKey(reqInfo.SenderKey()).
+		WithAccount(reqInfo.SenderAccount()).
 		WithHeaderSource(hdrSrc).
 		WithEACLTable(&table),
 	)

diff --git a/pkg/services/object/acl/v2/classifier.go b/pkg/services/object/acl/v2/classifier.go
@@ -2,6 +2,7 @@ package v2
 
 import (
 	"bytes"
+	"fmt"
 
 	core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
 	"github.com/nspcc-dev/neofs-sdk-go/container"
@@ -18,8 +19,9 @@ type senderClassifier struct {
 }
 
 type classifyResult struct {
-	role acl.Role
-	key  []byte
+	role    acl.Role
+	key     []byte
+	account []byte
 }
 
 func (c senderClassifier) classify(
@@ -31,13 +33,19 @@ func (c senderClassifier) classify(
 		return nil, err
 	}
 
+	sc, err := ownerID.GetScriptHash()
+	if err != nil {
+		return nil, fmt.Errorf("owner get scripthash: %w", err)
+	}
+
 	// TODO: #767 get owner from neofs.id if present
 
 	// if request owner is the same as container owner, return RoleUser
 	if ownerID.Equals(cnr.Owner()) {
 		return &classifyResult{
-			role: acl.RoleOwner,
-			key:  ownerKey,
+			role:    acl.RoleOwner,
+			key:     ownerKey,
+			account: sc.BytesBE(),
 		}, nil
 	}
 
@@ -48,8 +56,9 @@ func (c senderClassifier) classify(
 			zap.String("error", err.Error()))
 	} else if isInnerRingNode {
 		return &classifyResult{
-			role: acl.RoleInnerRing,
-			key:  ownerKey,
+			role:    acl.RoleInnerRing,
+			key:     ownerKey,
+			account: sc.BytesBE(),
 		}, nil
 	}
 
@@ -62,15 +71,17 @@ func (c senderClassifier) classify(
 			zap.String("error", err.Error()))
 	} else if isContainerNode {
 		return &classifyResult{
-			role: acl.RoleContainer,
-			key:  ownerKey,
+			role:    acl.RoleContainer,
+			key:     ownerKey,
+			account: sc.BytesBE(),
 		}, nil
 	}
 
 	// if none of above, return RoleOthers
 	return &classifyResult{
-		role: acl.RoleOthers,
-		key:  ownerKey,
+		role:    acl.RoleOthers,
+		key:     ownerKey,
+		account: sc.BytesBE(),
 	}, nil
 }
 

diff --git a/pkg/services/object/acl/v2/request.go b/pkg/services/object/acl/v2/request.go
@@ -29,7 +29,8 @@ type RequestInfo struct {
 	// e.g. Put, Search
 	obj *oid.ID
 
-	senderKey []byte
+	senderKey     []byte
+	senderAccount []byte
 
 	bearer *bearer.Token // bearer token of request
 
@@ -88,6 +89,11 @@ func (r RequestInfo) SenderKey() []byte {
 	return r.senderKey
 }
 
+// SenderAccount returns account of the request's sender.
+func (r RequestInfo) SenderAccount() []byte {
+	return r.senderAccount
+}
+
 // Operation returns request's operation.
 func (r RequestInfo) Operation() acl.Op {
 	return r.operation

diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
@@ -628,6 +628,7 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
 	// it is assumed that at the moment the key will be valid,
 	// otherwise the request would not pass validation
 	info.senderKey = res.key
+	info.senderAccount = res.account
 
 	// add bearer token if it is present in request
 	info.bearer = req.bearer