From 880ffe7108724d55aff29338a67f1ec03e7d7ca9 Mon Sep 17 00:00:00 2001
From: Leonard Lyubich <leonard@nspcc.ru>
Date: Fri, 10 Jun 2022 04:59:17 +0300
Subject: [PATCH] [#492] layer: Don't parameterize basic ACL of created
 containers

`CreateBucket` handler always creates containers with extended public
ACL, so there is no need to configure it in `NeoFS.CreateContainer`.

Make the internal `NeoFS` implementation create containers with the
`eacl-public-read-write` basic ACL if the corresponding parameter is unset.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
---
 api/data/info.go        | 1 -
 api/handler/put.go      | 6 +++---
 api/layer/container.go  | 4 ----
 api/layer/layer.go      | 1 -
 api/layer/neofs.go      | 2 ++
 internal/neofs/neofs.go | 7 +++++++
 6 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/api/data/info.go b/api/data/info.go
index b8e48fca..9ca034ce 100644
--- a/api/data/info.go
+++ b/api/data/info.go
@@ -22,7 +22,6 @@ type (
 		CID                cid.ID
 		Owner              user.ID
 		Created            time.Time
-		BasicACL           uint32
 		LocationConstraint string
 		ObjectLockEnabled  bool
 	}
diff --git a/api/handler/put.go b/api/handler/put.go
index a8efebe0..cb585a5e 100644
--- a/api/handler/put.go
+++ b/api/handler/put.go
@@ -163,8 +163,6 @@ const (
 	basicACLReadOnly  = "public-read"
 	basicACLPublic    = "public-read-write"
 	cannedACLAuthRead = "authenticated-read"
-
-	publicBasicRule = 0x0FFFFFFF
 )
 
 type createBucketParams struct {
@@ -572,7 +570,9 @@ func parseMetadata(r *http.Request) map[string]string {
 func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
 	var (
 		reqInfo = api.GetReqInfo(r.Context())
-		p       = layer.CreateBucketParams{Name: reqInfo.BucketName, ACL: publicBasicRule}
+		p       = layer.CreateBucketParams{
+			Name: reqInfo.BucketName,
+		}
 	)
 
 	if err := checkBucketName(reqInfo.BucketName); err != nil {
diff --git a/api/layer/container.go b/api/layer/container.go
index 003ffef4..33d4d74e 100644
--- a/api/layer/container.go
+++ b/api/layer/container.go
@@ -8,7 +8,6 @@ import (
 	"github.com/nspcc-dev/neofs-s3-gw/api"
 	"github.com/nspcc-dev/neofs-s3-gw/api/data"
 	"github.com/nspcc-dev/neofs-s3-gw/api/errors"
-	"github.com/nspcc-dev/neofs-sdk-go/acl"
 	"github.com/nspcc-dev/neofs-sdk-go/client"
 	"github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
@@ -53,7 +52,6 @@ func (n *layer) containerInfo(ctx context.Context, idCnr cid.ID) (*data.BucketIn
 	}
 
 	info.Owner = *res.OwnerID()
-	info.BasicACL = res.BasicACL()
 
 	for _, attr := range res.Attributes() {
 		switch key, val := attr.Key(), attr.Value(); key {
@@ -129,7 +127,6 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
 		Name:               p.Name,
 		Owner:              ownerID,
 		Created:            time.Now(), // this can be a little incorrect since the real time is set later
-		BasicACL:           p.ACL,
 		LocationConstraint: p.LocationConstraint,
 		ObjectLockEnabled:  p.ObjectLockEnabled,
 	}
@@ -151,7 +148,6 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
 		Policy:               *p.Policy,
 		Name:                 p.Name,
 		SessionToken:         p.SessionToken,
-		BasicACL:             acl.BasicACL(p.ACL),
 		AdditionalAttributes: attributes,
 	})
 	if err != nil {
diff --git a/api/layer/layer.go b/api/layer/layer.go
index d49b230a..bed9bda8 100644
--- a/api/layer/layer.go
+++ b/api/layer/layer.go
@@ -136,7 +136,6 @@ type (
 	// CreateBucketParams stores bucket create request parameters.
 	CreateBucketParams struct {
 		Name               string
-		ACL                uint32
 		Policy             *netmap.PlacementPolicy
 		EACL               *eacl.Table
 		SessionToken       *session.Container
diff --git a/api/layer/neofs.go b/api/layer/neofs.go
index de73f3d3..9ffbe783 100644
--- a/api/layer/neofs.go
+++ b/api/layer/neofs.go
@@ -144,6 +144,8 @@ type NeoFS interface {
 	// It sets 'Timestamp' attribute to the current time.
 	// It returns the ID of the saved container.
 	//
+	// Created container is public with enabled ACL extension.
+	//
 	// It returns exactly one non-nil value. It returns any error encountered which
 	// prevented the container from being created.
 	CreateContainer(context.Context, PrmContainerCreate) (*cid.ID, error)
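Review bot: The added comment promises that the created container is always public with the ACL extension enabled, but `PrmContainerCreate` still carries a `BasicACL` field (the implementation in internal/neofs/neofs.go reads `prm.BasicACL` and only defaults it when zero), so any caller that sets it gets a container that contradicts this contract. Either drop the field from `PrmContainerCreate` the way this commit drops `CreateBucketParams.ACL`, or word the doc the way the implementation behaves: `// Created container is public with enabled ACL extension unless prm.BasicACL is set.` The interface declaration continues outside the hunk.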
diff --git a/internal/neofs/neofs.go b/internal/neofs/neofs.go
index b3b5e731..d12828c8 100644
--- a/internal/neofs/neofs.go
+++ b/internal/neofs/neofs.go
@@ -16,6 +16,7 @@ import (
 	"github.com/nspcc-dev/neofs-s3-gw/api/layer"
 	"github.com/nspcc-dev/neofs-s3-gw/authmate"
 	"github.com/nspcc-dev/neofs-s3-gw/creds/tokens"
+	"github.com/nspcc-dev/neofs-sdk-go/acl"
 	apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
 	"github.com/nspcc-dev/neofs-sdk-go/container"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
@@ -119,7 +120,13 @@ func (x *NeoFS) Container(ctx context.Context, idCnr cid.ID) (*container.Contain
 }
 
 // CreateContainer implements neofs.NeoFS interface method.
+//
+// If prm.BasicACL is zero, 'eacl-public-read-write' is used.
 func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreate) (*cid.ID, error) {
+	if prm.BasicACL == 0 {
+		prm.BasicACL = acl.EACLPublicBasicRule
+	}
+
 	// fill container structure
 	cnrOptions := []container.Option{
 		container.WithPolicy(&prm.Policy),
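Review bot: The default set at `prm.BasicACL = acl.EACLPublicBasicRule` replaces the handler's removed `publicBasicRule = 0x0FFFFFFF`, and nothing on the page shows the two values are equal (as far as I recall the SDK constant is 0x0FBFBFFF); if they differ, this commit silently changes which operations new buckets permit, which is an authorization change worth a sentence in the commit message and a test pinning the basic ACL of a created container. Treating zero as "unset" also makes an explicit deny-all basic ACL unrequestable through this method; if that is intended, state it next to the new doc line, e.g. `// A zero BasicACL means unset, not deny-all.` CreateContainer's body continues outside the hunk.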