From f41d743203b4daee2531fb02ebda4cbb2f32127f Mon Sep 17 00:00:00 2001
From: Alex Vanin
Date: Thu, 14 Mar 2024 21:10:31 +0300
Subject: [PATCH] ape: Add container source to object policy checker
Signed-off-by: Alex Vanin
---
 cmd/frostfs-node/object.go | 1 +
 pkg/services/object/ape/checker.go | 11 ++++++++++-
 pkg/services/object/ape/request.go | 10 +++++++++-
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/cmd/frostfs-node/object.go b/cmd/frostfs-node/object.go
index 7f1d094fd..0c9610e51 100644
--- a/cmd/frostfs-node/object.go
+++ b/cmd/frostfs-node/object.go
@@ -444,6 +444,7 @@ func createAPEService(c *cfg, splitSvc *objectService.TransportSplitter) *object
 objectAPE.NewChecker(
 c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.chainRouter,
 objectAPE.NewStorageEngineHeaderProvider(c.cfgObject.cfgLocalStorage.localStorage),
+ c.cfgObject.cnrSource,
 ),
 splitSvc,
 )
diff --git a/pkg/services/object/ape/checker.go b/pkg/services/object/ape/checker.go
index 13b2729e9..9fbf4bab8 100644
--- a/pkg/services/object/ape/checker.go
+++ b/pkg/services/object/ape/checker.go
@@ -5,23 +5,32 @@ import (
 "fmt"
 objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
+ containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 )
+type containers interface {
+ Get(cid.ID) (*containercore.Container, error)
+}
+
 type checkerImpl struct {
 chainRouter policyengine.ChainRouter
 headerProvider HeaderProvider
+
+ reader containers
 }
-func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider) Checker {
+func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider, reader containers) Checker {
 return &checkerImpl{
 chainRouter: chainRouter,
 headerProvider: headerProvider,
+
+ reader: reader,
 }
 }
diff --git a/pkg/services/object/ape/request.go b/pkg/services/object/ape/request.go
index caf52645c..faecfae35 100644
--- a/pkg/services/object/ape/request.go
+++ b/pkg/services/object/ape/request.go
@@ -145,11 +145,19 @@ func (c *checkerImpl) newAPERequest(ctx context.Context, prm Prm) (*request, err
 }
 }
+ cont, err := c.reader.Get(prm.Container)
+ if err != nil {
+ return nil, fmt.Errorf("get container: %s", err)
+ }
+
+ props := objectProperties(prm.Container, prm.Object, header)
+ props[nativeschema.PropertyKeyContainerOwnerID] = cont.Value.Owner().EncodeToString()
+
 return &request{
 operation: prm.Method,
 resource: &resource{
 name: resourceName(prm.Container, prm.Object, prm.Namespace),
- properties: objectProperties(prm.Container, prm.Object, header),
+ properties: props,
 },
 properties: map[string]string{
 nativeschema.PropertyKeyActorPublicKey: prm.SenderKey,
--
2.45.2
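Review bot: In checker.go the new `containers` interface and the `reader` field carry no comment, and the name `reader` does not say what is read, even though this dependency now supplies an access-control input (request.go uses it to fill the container owner property). A short doc comment would help, e.g. `// containers looks up a container by ID; the checker reads the owner from it when building APE resource properties.` Naming the field `cnrSource` would match the value passed in cmd/frostfs-node/object.go. `NewChecker` also stores the argument unchecked, so a nil `reader` would only surface as a panic at the first `c.reader.Get` call in `newAPERequest`; the constructor's doc comment should state that the argument must be non-nil.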
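Review bot: In request.go the container lookup failure is formatted with `%s`, which flattens the underlying error, so callers of `newAPERequest` cannot use `errors.Is`/`errors.As` to tell a missing container from a transient source failure; prefer `return nil, fmt.Errorf("get container: %w", err)`. Returning an error here presumably makes the policy check fail closed, which is the right default for a property that rules may match on, and a one-line comment saying so would guard against a later change turning it into a best-effort lookup. `cont.Value.Owner()` is dereferenced without checking `cont`, which is safe only if `Get` never returns a nil container together with a nil error; the hunk does not show that contract. The body of `newAPERequest` starts and ends outside the hunk.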