From 9902965ff49094c83b755e2f81bd386f2a74c347 Mon Sep 17 00:00:00 2001
From: Dmitrii Stepanov
Date: Mon, 28 Oct 2024 15:44:47 +0300
Subject: [PATCH] [#1451] writer: Sign EC parts with node's private key

As EC put request may be processed only by container node, so sign requests with current node private to not to perform APE checks.

Signed-off-by: Dmitrii Stepanov
---
 pkg/services/object/common/writer/ec.go | 34 ++++++++++++++------
 pkg/services/object/common/writer/ec_test.go | 4 +++
 pkg/services/object/util/prm.go | 9 +++++-
 3 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/pkg/services/object/common/writer/ec.go b/pkg/services/object/common/writer/ec.go
index ee0681349..3f7d4d49c 100644
--- a/pkg/services/object/common/writer/ec.go
+++ b/pkg/services/object/common/writer/ec.go
@@ -37,10 +37,12 @@ type ECWriter struct {
 ObjectMeta object.ContentMeta
 ObjectMetaValid bool
+
+ remoteRequestSignKey *ecdsa.PrivateKey
 }
 func (e *ECWriter) WriteObject(ctx context.Context, obj *objectSDK.Object) error {
- relayed, err := e.relayIfNotContainerNode(ctx, obj)
+ relayed, isContainerNode, err := e.relayIfNotContainerNode(ctx, obj)
 if err != nil {
 return err
 }
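Review bot: The new `remoteRequestSignKey` field has no comment, and because it is assigned on every WriteObject call (node key on a container node, `e.Key` otherwise) a reader of the struct cannot tell its lifetime or who owns it. Suggest `// remoteRequestSignKey signs outgoing part requests to other container nodes; WriteObject sets it per call: the node's own key when this node is a container node, e.Key otherwise.` The ECWriter struct begins before this hunk.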
@@ -60,23 +62,35 @@ func (e *ECWriter) WriteObject(ctx context.Context, obj *objectSDK.Object) error
 e.ObjectMetaValid = true
 }
+ if isContainerNode {
+ restoreTokens := e.CommonPrm.ForgetTokens()
+ defer restoreTokens()
+ // As request executed on container node, so sign request with container key.
+ e.remoteRequestSignKey, err = e.Config.KeyStorage.GetKey(nil)
+ if err != nil {
+ return err
+ }
+ } else {
+ e.remoteRequestSignKey = e.Key
+ }
+
 if obj.ECHeader() != nil {
 return e.writeECPart(ctx, obj)
 }
 return e.writeRawObject(ctx, obj)
 }
-func (e *ECWriter) relayIfNotContainerNode(ctx context.Context, obj *objectSDK.Object) (bool, error) {
- if e.Relay == nil {
- return false, nil
- }
+func (e *ECWriter) relayIfNotContainerNode(ctx context.Context, obj *objectSDK.Object) (bool, bool, error) {
 currentNodeIsContainerNode, err := e.currentNodeIsContainerNode()
 if err != nil {
- return false, err
+ return false, false, err
 }
 if currentNodeIsContainerNode {
 // object can be splitted or saved local
- return false, nil
+ return false, true, nil
+ }
+ if e.Relay == nil {
+ return false, currentNodeIsContainerNode, nil
 }
 objID := object.AddressOf(obj).Object()
 var index uint32
@@ -85,9 +99,9 @@ func (e *ECWriter) relayIfNotContainerNode(ctx context.Context, obj *objectSDK.O
 index = obj.ECHeader().Index()
 }
 if err := e.relayToContainerNode(ctx, objID, index); err != nil {
- return false, err
+ return false, false, err
 }
- return true, nil
+ return true, currentNodeIsContainerNode, nil
 }
 func (e *ECWriter) currentNodeIsContainerNode() (bool, error) {
@@ -338,7 +352,7 @@ func (e *ECWriter) writePartRemote(ctx context.Context, obj *objectSDK.Object, n
 client.NodeInfoFromNetmapElement(&clientNodeInfo, node)
 remoteTaget := remoteWriter{
- privateKey: e.Key,
+ privateKey: e.remoteRequestSignKey,
 clientConstructor: e.Config.ClientConstructor,
 commonPrm: e.CommonPrm,
 nodeInfo: clientNodeInfo,
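Review bot: `e.remoteRequestSignKey` is per-call state written into the shared ECWriter at the top of WriteObject, and `ForgetTokens` swaps the tokens out of the shared `e.CommonPrm` in place for the whole call; if one ECWriter instance ever serves concurrent WriteObject calls (not visible here) the two branches race on that field and on the token restore, so one request's parts could be signed with the key or token state chosen for another. Passing the key down as an argument of writeECPart/writeRawObject/writePartRemote, or keeping it in a per-call value, would remove the hidden coupling. The comment `// As request executed on container node, so sign request with container key.` says "container key" while the code fetches the node key via `e.Config.KeyStorage.GetKey(nil)`; suggest `// Executed on a container node: drop the request's session/bearer tokens for this call and sign outgoing part requests with the node's own key.` `e.Config.KeyStorage` is also dereferenced without a nil check, and the test in this commit had to add a KeyStorage to its config, so callers that leave it unset would panic here rather than fail cleanly. WriteObject starts before this hunk.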
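Review bot: Both returns in the `@@ -85,9 +99,9 @@` hunk pass `currentNodeIsContainerNode` as the second result even though it is provably false at that point (the true case returned earlier in the function), so `return true, false, nil` and `return false, false, err` would say what actually happens, and naming the results `(relayed, isContainerNode bool, err error)` would make the new three-value signature readable at the call site in WriteObject. In the previous hunk the `e.Relay == nil` guard now sits after `e.currentNodeIsContainerNode()`, so that lookup runs, and its error propagates, even when no relay is configured, which the old code skipped; if intended, a one-line comment on the guard would stop the next reader from moving it back. relayIfNotContainerNode spans the two hunks.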
diff --git a/pkg/services/object/common/writer/ec_test.go b/pkg/services/object/common/writer/ec_test.go
index 32863d678..c828c79ba 100644
--- a/pkg/services/object/common/writer/ec_test.go
+++ b/pkg/services/object/common/writer/ec_test.go
@@ -14,6 +14,7 @@ import (
 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/client"
 netmapcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/network"
+ "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/util"
 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object_manager/placement"
 "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
@@ -127,6 +128,8 @@ func TestECWriter(t *testing.T) {
 ownerKey, err := keys.NewPrivateKey()
 require.NoError(t, err)
+ nodeKey, err := keys.NewPrivateKey()
+ require.NoError(t, err)
 pool, err := ants.NewPool(4, ants.WithNonblocking(true))
 require.NoError(t, err)
@@ -141,6 +144,7 @@ func TestECWriter(t *testing.T) {
 RemotePool: pool,
 Logger: log,
 ClientConstructor: clientConstructor{vectors: ns},
+ KeyStorage: util.NewKeyStorage(&nodeKey.PrivateKey, nil, nil),
 },
 PlacementOpts: append(
 []placement.Option{placement.UseBuilder(builder), placement.ForContainer(cnr)},
diff --git a/pkg/services/object/util/prm.go b/pkg/services/object/util/prm.go
index 022b9fe5b..80c0db39e 100644
--- a/pkg/services/object/util/prm.go
+++ b/pkg/services/object/util/prm.go
@@ -100,11 +100,18 @@ func (p *CommonPrm) SetNetmapLookupDepth(v uint64) {
 // ForgetTokens forgets all the tokens read from the request's
 // meta information before.
-func (p *CommonPrm) ForgetTokens() {
+func (p *CommonPrm) ForgetTokens() func() {
 if p != nil {
+ tk := p.token
+ br := p.bearer
 p.token = nil
 p.bearer = nil
+ return func() {
+ p.token = tk
+ p.bearer = br
+ }
 }
+ return func() {}
 }
 func CommonPrmFromV2(req interface {
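Review bot: In the `@@ -141,6 +144,7 @@` hunk the test wires `nodeKey` into `KeyStorage`, but nothing in these hunks asserts that the remote part requests end up signed with nodeKey rather than ownerKey, which is the behavior this commit introduces; the rest of TestECWriter is outside the hunks, so it may already cover this. If it does not, recording the signing key inside the test's clientConstructor and comparing the signer's public key with nodeKey's would pin the change and would also catch a regression to `e.Key`. TestECWriter starts before and continues after these hunks.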
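Review bot: In the prm.go hunk ForgetTokens now returns a restore closure but its doc comment still describes only the forgetting; suggest `// ForgetTokens forgets all the tokens read from the request's meta information before and returns a function that restores them. On a nil receiver nothing is forgotten and the returned function is a no-op.` The comment should also say that the tokens are cleared on the CommonPrm in place rather than on a copy, since a caller such as WriteObject in this commit defers the restore for the whole call and any other reader of the same CommonPrm sees no tokens in the meantime. ForgetTokens is fully contained in the hunk.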