From 0937513c1466bbb22a99d376a2c50458322f43ae Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Mon, 6 Jun 2022 19:23:15 +0300 Subject: [PATCH] [#1485] ir/container: Accept eACL only if extension is allowed In order to extend container ACL `F` bit must be set in basic ACL. Make `Container` contract processor to deny eACL tables bound to non-extendable containers. Signed-off-by: Leonard Lyubich --- CHANGELOG.md | 3 +++ pkg/innerring/processors/container/process_eacl.go | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e15915c..dc4a8319 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ Changelog for NeoFS Node ## [Unreleased] +### Fixed +- Confirmation of eACL tables by alphabet nodes when ACL extensibility is disabled (#1485) + ### Changed - Replace pointers with raw structures in results for local storage (#1460) diff --git a/pkg/innerring/processors/container/process_eacl.go b/pkg/innerring/processors/container/process_eacl.go index 7c347f9a..caf36ad6 100644 --- a/pkg/innerring/processors/container/process_eacl.go +++ b/pkg/innerring/processors/container/process_eacl.go @@ -51,6 +51,16 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error { return fmt.Errorf("could not receive the container: %w", err) } + // ACL extensions can be disabled by basic ACL, check it + basicACL := cnr.BasicACL() + const finalBitMask = 1 << 28 + + // Temp solution: NeoFS SDK is going to provide convenient interface to do this soon. + // This place won't be missed since BasicACL() signature will be changed. + if basicACL&finalBitMask == finalBitMask { + return errors.New("ACL extension disabled by container basic ACL") + } + ownerContainer := cnr.OwnerID() if ownerContainer == nil { return errors.New("missing container owner")