diff --git a/cmd/neofs-cli/modules/container.go b/cmd/neofs-cli/modules/container.go index 6ae5480d28..95cddf75df 100644 --- a/cmd/neofs-cli/modules/container.go +++ b/cmd/neofs-cli/modules/container.go @@ -425,10 +425,10 @@ Container ID in EACL table will be substituted with ID from the CLI.`, for i := 0; i < awaitTimeout; i++ { time.Sleep(1 * time.Second) - eaclSig, err := cli.GetEACLWithSignature(ctx, id, globalCallOptions()...) + table, err := cli.GetEACL(ctx, id, globalCallOptions()...) if err == nil { // compare binary values because EACL could have been set already - got, err := eaclSig.EACL().Marshal() + got, err := table.Marshal() if err != nil { continue } diff --git a/pkg/morph/client/container/eacl.go b/pkg/morph/client/container/eacl.go index d718bcd58e..4629d832eb 100644 --- a/pkg/morph/client/container/eacl.go +++ b/pkg/morph/client/container/eacl.go @@ -16,7 +16,9 @@ type EACLArgs struct { type EACLValues struct { eacl []byte // extended ACL table - signature []byte // signature of extended ACL table + signature []byte // RFC-6979 signature of extended ACL table + + publicKey []byte // public key of the extended ACL table signer } // SetCID sets the container identifier @@ -31,10 +33,16 @@ func (g *EACLValues) EACL() []byte { return g.eacl } +// Signature returns RFC-6979 signature of extended ACL table. func (g *EACLValues) Signature() []byte { return g.signature } +// PublicKey of the signature. +func (g *EACLValues) PublicKey() []byte { + return g.publicKey +} + // EACL performs the test invoke of get eACL // method of NeoFS Container contract. func (c *Client) EACL(args EACLArgs) (*EACLValues, error) { @@ -53,7 +61,7 @@ func (c *Client) EACL(args EACLArgs) (*EACLValues, error) { return nil, errors.Wrapf(err, "could not get item array of eACL (%s)", c.eaclMethod) } - if len(arr) != 2 { + if len(arr) != 3 { return nil, errors.Errorf("unexpected eacl stack item count (%s): %d", c.eaclMethod, len(arr)) } 
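Review bot: The doc comment on the new accessor in pkg/morph/client/container/eacl.go, `// PublicKey of the signature.`, does not follow the form of the line added just above it (`// Signature returns RFC-6979 signature of extended ACL table.`) and does not say whose key this is or how far it can be trusted. I would write `// PublicKey returns the public key of the extended ACL table signer as read from the contract; it is not validated here.` The accessor returns the internal slice without copying, as EACL() and Signature() do, so callers should treat it as read-only.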
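Review bot: The item-count check in Client.EACL is now strictly `len(arr) != 3`, so a Container contract that still answers with the two-item form (table and signature) makes every eACL read fail, and the error does not say what count was expected. If node and contract can be upgraded at different times this turns into failed access-control lookups, so the rollout order is worth confirming. At minimum name the expected count in the message, e.g. `"unexpected eacl stack item count (%s): %d, expected 3"`. The function body starts above this hunk and continues in the next one.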
@@ -67,8 +75,14 @@ func (c *Client) EACL(args EACLArgs) (*EACLValues, error) { return nil, errors.Wrapf(err, "could not get byte array of eACL signature (%s)", c.eaclMethod) } + pub, err := client.BytesFromStackItem(arr[2]) + if err != nil { + return nil, errors.Wrapf(err, "could not get byte array of eACL public key (%s)", c.eaclMethod) + } + return &EACLValues{ eacl: eacl, signature: sig, + publicKey: pub, }, nil } diff --git a/pkg/morph/client/container/wrapper/eacl.go b/pkg/morph/client/container/wrapper/eacl.go index 2b966cbbdf..df4e2ccd30 100644 --- a/pkg/morph/client/container/wrapper/eacl.go +++ b/pkg/morph/client/container/wrapper/eacl.go @@ -1,6 +1,7 @@ package wrapper import ( + "github.com/nspcc-dev/neofs-api-go/pkg" "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl" containerSDK "github.com/nspcc-dev/neofs-api-go/pkg/container" "github.com/nspcc-dev/neofs-node/pkg/core/container" @@ -10,7 +11,7 @@ import ( // GetEACL reads the extended ACL table from NeoFS system // through Container contract call. -func (w *Wrapper) GetEACL(cid *containerSDK.ID) (*eacl.Table, []byte, error) { +func (w *Wrapper) GetEACL(cid *containerSDK.ID) (*eacl.Table, *pkg.Signature, error) { if cid == nil { return nil, nil, errNilArgument } @@ -37,13 +38,17 @@ func (w *Wrapper) GetEACL(cid *containerSDK.ID) (*eacl.Table, []byte, error) { return nil, nil, container.ErrEACLNotFound } + tableSignature := pkg.NewSignature() + tableSignature.SetKey(rpcAnswer.PublicKey()) + tableSignature.SetSign(sig) + table := eacl.NewTable() if err = table.Unmarshal(rpcAnswer.EACL()); err != nil { // use other major version if there any return nil, nil, err } - return table, sig, nil + return table, tableSignature, nil } // PutEACL saves the extended ACL table in NeoFS system diff --git a/pkg/services/container/morph/executor.go b/pkg/services/container/morph/executor.go index 675dda8542..5cbe5dfbd8 100644 --- a/pkg/services/container/morph/executor.go +++ b/pkg/services/container/morph/executor.go 
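Review bot: In Wrapper.GetEACL, `tableSignature.SetKey(rpcAnswer.PublicKey())` takes the key bytes from the contract answer without checking that they are present, and nothing in this hunk verifies the signature over `rpcAnswer.EACL()` with that key. An empty key (for instance from a record stored before the contract returned one, which is an assumption to confirm) would yield a `*pkg.Signature` that looks complete but cannot be verified downstream. Either return a package-level error for an empty key, in the style of `errNilArgument`, or state the contract in the doc comment: `// The returned signature carries the signer's public key as stored in the contract; GetEACL does not verify it.` The function starts above this hunk, where its return type was changed, and the existing doc comment does not mention the second return value at all.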
@@ -111,14 +111,7 @@ func (s *morphExecutor) GetExtendedACL(ctx context.Context, body *container.GetE res := new(container.GetExtendedACLResponseBody) res.SetEACL(table.ToV2()) - - // Public key should be obtained by request sender, so we set up only - // the signature. Technically, node can make invocation to find container - // owner public key, but request sender cannot trust this info. - sig := new(refs.Signature) - sig.SetSign(signature) - - res.SetSignature(sig) + res.SetSignature(signature.ToV2()) return res, nil }
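Review bot: The deleted comment recorded a trust decision (the node withheld the public key because the requester cannot trust a key supplied by the node), and `res.SetSignature(signature.ToV2())` now reverses it without leaving any rationale. A key delivered next to the signature only shows that the table was signed by that key; the recipient still has to bind the key to the container owner by independent means, otherwise table, key and signature could all originate from the responding node. I would replace the deleted lines with a comment such as `// The signature carries the signer's public key as stored in the Container contract; clients must still check that the key belongs to the container owner.` GetExtendedACL starts outside this hunk, so how `signature` is obtained and error-checked is not visible here.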