[#818] object/acl: Fit sticky bit specification

In previous implementation sticky bit could disrupt access of container nodes to replication. According to NeoFS specification sticky bit should not affect the requests sent by nodes from SYSTEM group. Add role check to `stickyBitCheck`. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
2021-09-10 14:35:29 +03:00 · 2021-09-10 14:35:29 +03:00 · 7a13053fab
commit 7a13053fab
parent ba77bb44e4
2 changed files with 23 additions and 0 deletions
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@ -585,6 +585,12 @@ func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
 		return false
 	}

+	// According to NeoFS specification sticky bit has no effect on system nodes
+	// for correct intra-container work with objects (in particular, replication).
+	if info.requestRole == acl.RoleSystem {
+		return true
+	}
+
 	if !info.basicACL.Sticky() {
 		return true
 	}
--- a/pkg/services/object/acl/acl_test.go
+++ b/pkg/services/object/acl/acl_test.go
@ -3,6 +3,8 @@ package acl
 import (
 	"testing"

+	"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
+	ownertest "github.com/nspcc-dev/neofs-api-go/pkg/owner/test"
 	"github.com/nspcc-dev/neofs-api-go/v2/acl"
 	acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
 	"github.com/nspcc-dev/neofs-api-go/v2/session"
@ -34,3 +36,18 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Session

 	return metaHeader
 }
+
+func TestStickyCheck(t *testing.T) {
+	t.Run("system role", func(t *testing.T) {
+		var info requestInfo
+
+		info.senderKey = make([]byte, 33) // any non-empty key
+		info.requestRole = eacl.RoleSystem
+
+		info.basicACL.SetSticky()
+		require.True(t, stickyBitCheck(info, ownertest.Generate()))
+
+		info.basicACL.ResetSticky()
+		require.True(t, stickyBitCheck(info, ownertest.Generate()))
+	})
+}