cmd/frostfs-node/tree.go

@@ -53,6 +53,7 @@ func initTreeService(c *cfg) {
 			src: c.cfgObject.cnrSource,
 			cli: c.shared.cnrClient,
 		}),
+		tree.WithFrostfsidSubjectProvider(c.shared.frostfsidClient),
 		tree.WithEACLSource(c.cfgObject.eaclSource),
 		tree.WithNetmapSource(c.netMapSource),
 		tree.WithPrivateKey(&c.key.PrivateKey),

pkg/services/tree/ape.go

@@ -14,10 +14,15 @@ import (
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )
 
+var (
+	subjectNotFoundErrorMessage = "subject not found"
+)
+
 func (s *Service) checkAPE(container *core.Container, cid cid.ID, operation acl.Op, role acl.Role, publicKey *keys.PublicKey) error {
 	namespace := ""
 	cntNamespace, hasNamespace := strings.CutSuffix(cnrSDK.ReadDomain(container.Value).Zone(), ".ns")
@@ -37,6 +42,10 @@ func (s *Service) checkAPE(container *core.Container, cid cid.ID, operation acl.
 		nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(publicKey.Bytes()),
 		nativeschema.PropertyKeyActorRole:      schemaRole,
 	}
+	reqProps, err = s.fillWithUserClaimTags(reqProps, publicKey)
+	if err != nil {
+		return apeErr(err)
+	}
 
 	var resourceName string
 	if namespace == "root" || namespace == "" {
@@ -68,3 +77,22 @@ func apeErr(err error) error {
 	errAccessDenied.WriteReason(err.Error())
 	return errAccessDenied
 }
+
+// fillWithUserClaimTags fills ape request properties with user claim tags getting them from frostfsid contract by actor public key.
+func (s *Service) fillWithUserClaimTags(reqProps map[string]string, publicKey *keys.PublicKey) (map[string]string, error) {
+	if reqProps == nil {
+		reqProps = make(map[string]string)
+	}
+	subj, err := s.frostfsidSubjectProvider.GetSubject(publicKey.GetScriptHash())
+	if err != nil {
+		if !strings.Contains(err.Error(), subjectNotFoundErrorMessage) {
+			return nil, fmt.Errorf("get subject error: %w", err)
+		}
+		return reqProps, nil
+	}
+	for k, v := range subj.KV {
+		properyKey := fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, k)
+		reqProps[properyKey] = v
+	}
+	return reqProps, nil
+}

pkg/services/tree/options.go

@@ -4,6 +4,7 @@ import (
 	"crypto/ecdsa"
 	"time"
 
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/local_object_storage/pilorama"
@@ -11,8 +12,13 @@ import (
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 )
 
+type FrostfsidSubjectProvider interface {
+	GetSubject(util.Uint160) (*client.Subject, error)
+}
+
 type ContainerSource interface {
 	container.Source
 
@@ -30,6 +36,7 @@ type cfg struct {
 	rawPub                   []byte
 	nmSource                 netmap.Source
 	cnrSource                ContainerSource
+	frostfsidSubjectProvider FrostfsidSubjectProvider
 	eaclSource               container.EACLSource
 	forest                   pilorama.Forest
 	// replication-related parameters
@@ -55,6 +62,12 @@ func WithContainerSource(src ContainerSource) Option {
 	}
 }
 
+func WithFrostfsidSubjectProvider(provider FrostfsidSubjectProvider) Option {
+	return func(c *cfg) {
+		c.frostfsidSubjectProvider = provider
+	}
+}
+
 // WithEACLSource sets a eACL table source for a tree service.
 // This option is required.
 func WithEACLSource(src container.EACLSource) Option {