From 11a38a0a8426de556ac17d4518cded38fa98e902 Mon Sep 17 00:00:00 2001 From: Airat Arifullin Date: Thu, 20 Jun 2024 15:49:22 +0300 Subject: [PATCH] [#1190] tree: GroupIDs must also be target of APE checks Signed-off-by: Airat Arifullin --- pkg/services/tree/ape.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go index 475567c5f..116adf5db 100644 --- a/pkg/services/tree/ape.go +++ b/pkg/services/tree/ape.go @@ -161,7 +161,17 @@ func (s *Service) checkAPE(ctx context.Context, bt *bearer.Token, } } - rt := engine.NewRequestTargetExtended(namespace, cid.EncodeToString(), fmt.Sprintf("%s:%s", namespace, publicKey.Address()), nil) + groups, err := aperequest.Groups(s.frostfsidSubjectProvider, publicKey) + if err != nil { + return fmt.Errorf("failed to get group ids: %w", err) + } + + // Policy contract keeps group related chains as namespace-group pair. + for i := range groups { + groups[i] = fmt.Sprintf("%s:%s", namespace, groups[i]) + } + + rt := engine.NewRequestTargetExtended(namespace, cid.EncodeToString(), fmt.Sprintf("%s:%s", namespace, publicKey.Address()), groups) status, found, err := s.router.IsAllowed(apechain.Ingress, rt, request) if err != nil { return apeErr(err)