From 740cfe4ac1fb32586ad68524a041224db58d0c83 Mon Sep 17 00:00:00 2001
From: aarifullin
Date: Tue, 19 Mar 2024 14:32:58 +0300
Subject: [PATCH] [#1051] object: Ignore APE check for PutSingle with tombstone object
* When a client requests DeleteObject, delete service may send PutSingle with tombstone object type to several nodes. If APE allows deletes, but denies puts, then PutSingle cannot be performed although it is being performed in the delete context. So, check for putting tombstone is ignored.
Signed-off-by: Airat Arifullin
---
 pkg/services/object/ape/checker.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/services/object/ape/checker.go b/pkg/services/object/ape/checker.go
index 1d42d21d4..d858af2fe 100644
--- a/pkg/services/object/ape/checker.go
+++ b/pkg/services/object/ape/checker.go
@@ -77,6 +77,11 @@ func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
 return fmt.Errorf("failed to create ape request: %w", err)
 }
+ if prm.Method == nativeschema.MethodPutObject &&
+ r.Resource().Property(nativeschema.PropertyKeyObjectType) == objectV2.TypeTombstone.String() {
+ return nil
+ }
+
 status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, policyengine.NewRequestTarget(prm.Namespace, prm.Container.EncodeToString()), r)
 if err != nil {
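Review bot: The early `return nil` added before `c.chainRouter.IsAllowed` skips policy evaluation for every `MethodPutObject` request whose object type is tombstone, not only for puts that the delete service issues on behalf of an authorised delete. The condition looks only at `prm.Method` and the resource's object-type property, so unless a layer outside this hunk restricts who may store tombstones, a caller whom APE denies both put and delete would still pass this check. Consider narrowing the exemption, for example by evaluating such a request against `nativeschema.MethodDeleteObject` instead of returning early, or by limiting it to requests that originate from container nodes. A comment such as `// tombstone put is part of delete handling: authorised by the delete rule, not the put rule` and a log entry when the exemption fires would make the bypass reviewable and detectable. CheckAPE's body starts and ends outside the hunk.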