[#1485] ir/container: Accept eACL only if extension is allowed

In order to extend container ACL `F` bit must be set in basic ACL.

Make the `Container` contract processor deny eACL tables bound to
non-extendable containers.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Leonard Lyubich 2022-06-06 19:23:15 +03:00 committed by fyrchik
parent af7d15cc1a
commit 0937513c14
2 changed files with 13 additions and 0 deletions


@ -3,6 +3,9 @@ Changelog for NeoFS Node
## [Unreleased] ## [Unreleased]
### Fixed
- Confirmation of eACL tables by alphabet nodes when ACL extensibility is disabled (#1485)
### Changed ### Changed
- Replace pointers with raw structures in results for local storage (#1460) - Replace pointers with raw structures in results for local storage (#1460)


@ -51,6 +51,16 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
return fmt.Errorf("could not receive the container: %w", err) return fmt.Errorf("could not receive the container: %w", err)
} }
// ACL extensions can be disabled by basic ACL, check it
basicACL := cnr.BasicACL()
const finalBitMask = 1 << 28
// Temp solution: NeoFS SDK is going to provide convenient interface to do this soon.
// This place won't be missed since BasicACL() signature will be changed.
if basicACL&finalBitMask == finalBitMask {
return errors.New("ACL extension disabled by container basic ACL")
}
ownerContainer := cnr.OwnerID() ownerContainer := cnr.OwnerID()
if ownerContainer == nil { if ownerContainer == nil {
return errors.New("missing container owner") return errors.New("missing container owner")
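Review bot: The polarity of the new check `if basicACL&finalBitMask == finalBitMask` is not stated in the code and appears to disagree with the commit description. The description says the `F` bit must be set in order to extend the ACL, while this branch rejects the eACL table when bit 28 is set. Since this is an access-control decision made by the alphabet nodes, an inverted reading would either refuse every extendable container or confirm eACL on final ones. I would pin the meaning next to the constant, e.g. `// F ("final") bit: when set, the basic ACL is final and eACL must be rejected`, and reconcile the description with it. The diffstat lists only the changelog and this file, so no test seems to cover the check; a case with the bit set and one with it clear would guard the polarity when `BasicACL()` changes as the comment announces. The body of checkSetEACL starts and continues outside this hunk.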