[#1485] ir/container: Accept eACL only if extension is allowed

In order to extend container ACL `F` bit must be set in basic ACL.

Make `Container` contract processor to deny eACL tables bound to
non-extendable containers.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

CHANGELOG.md

@@ -3,6 +3,9 @@ Changelog for NeoFS Node
 
 ## [Unreleased]
 
+### Fixed
+- Confirmation of eACL tables by alphabet nodes when ACL extensibility is disabled (#1485)
+
 ### Changed
 - Replace pointers with raw structures in results for local storage (#1460)
 

pkg/innerring/processors/container/process_eacl.go

@@ -51,6 +51,16 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
 		return fmt.Errorf("could not receive the container: %w", err)
 	}
 
+	// ACL extensions can be disabled by basic ACL, check it
+	basicACL := cnr.BasicACL()
+	const finalBitMask = 1 << 28
+
+	// Temp solution: NeoFS SDK is going to provide convenient interface to do this soon.
+	// This place won't be missed since BasicACL() signature will be changed.
+	if basicACL&finalBitMask == finalBitMask {
+		return errors.New("ACL extension disabled by container basic ACL")
+	}
+
 	ownerContainer := cnr.OwnerID()
 	if ownerContainer == nil {
 		return errors.New("missing container owner")