From 7a13053fab01596985909143c899ca22d1d23f42 Mon Sep 17 00:00:00 2001
From: Leonard Lyubich <leonard@nspcc.ru>
Date: Fri, 10 Sep 2021 14:35:29 +0300
Subject: [PATCH] [#818] object/acl: Fit sticky bit specification

In previous implementation sticky bit could disrupt access of container
nodes to replication. According to NeoFS specification sticky bit should not
affect the requests sent by nodes from SYSTEM group.

Add role check to `stickyBitCheck`.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
---
 pkg/services/object/acl/acl.go      |  6 ++++++
 pkg/services/object/acl/acl_test.go | 17 +++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index da2da5a4d..a7f5fe5e0 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -585,6 +585,12 @@ func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
 		return false
 	}
 
+	// According to NeoFS specification sticky bit has no effect on system nodes
+	// for correct intra-container work with objects (in particular, replication).
+	if info.requestRole == acl.RoleSystem {
+		return true
+	}
+
 	if !info.basicACL.Sticky() {
 		return true
 	}
diff --git a/pkg/services/object/acl/acl_test.go b/pkg/services/object/acl/acl_test.go
index 468fbccdb..22173d836 100644
--- a/pkg/services/object/acl/acl_test.go
+++ b/pkg/services/object/acl/acl_test.go
@@ -3,6 +3,8 @@ package acl
 import (
 	"testing"
 
+	"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
+	ownertest "github.com/nspcc-dev/neofs-api-go/pkg/owner/test"
 	"github.com/nspcc-dev/neofs-api-go/v2/acl"
 	acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
 	"github.com/nspcc-dev/neofs-api-go/v2/session"
@@ -34,3 +36,18 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Session
 
 	return metaHeader
 }
+
+func TestStickyCheck(t *testing.T) {
+	t.Run("system role", func(t *testing.T) {
+		var info requestInfo
+
+		info.senderKey = make([]byte, 33) // any non-empty key
+		info.requestRole = eacl.RoleSystem
+
+		info.basicACL.SetSticky()
+		require.True(t, stickyBitCheck(info, ownertest.Generate()))
+
+		info.basicACL.ResetSticky()
+		require.True(t, stickyBitCheck(info, ownertest.Generate()))
+	})
+}