From 1cee1b8f93f9d9fa737e2624ee7dda40da4d0af2 Mon Sep 17 00:00:00 2001
From: Pavel Karpy
Date: Wed, 1 Dec 2021 15:45:35 +0300
Subject: [PATCH] [#1002] ir: Add subnet check to the container Put process

Signed-off-by: Pavel Karpy
---
 pkg/innerring/innerring.go | 1 +
 .../processors/container/process_container.go | 41 +++++++++++++++++++
 .../processors/container/processor.go | 6 +++
 3 files changed, 48 insertions(+)

diff --git a/pkg/innerring/innerring.go b/pkg/innerring/innerring.go
index c1431ac30..2a1241f1c 100644
--- a/pkg/innerring/innerring.go
+++ b/pkg/innerring/innerring.go
@@ -714,6 +714,7 @@ func New(ctx context.Context, log *zap.Logger, cfg *viper.Viper) (*Server, error
 NeoFSIDClient: neofsIDClient,
 NetworkState: server.netmapClient,
 NotaryDisabled: server.sideNotaryConfig.disabled,
+ SubnetClient: subnetClient,
 })
 if err != nil {
 return nil, err
diff --git a/pkg/innerring/processors/container/process_container.go b/pkg/innerring/processors/container/process_container.go
index 92b182359..42b4a9335 100644
--- a/pkg/innerring/processors/container/process_container.go
+++ b/pkg/innerring/processors/container/process_container.go
@@ -12,11 +12,13 @@ import (
 "github.com/nspcc-dev/neofs-node/pkg/core/container"
 "github.com/nspcc-dev/neofs-node/pkg/morph/client/container/wrapper"
 neofsid "github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid/wrapper"
+ morphsubnet "github.com/nspcc-dev/neofs-node/pkg/morph/client/subnet"
 "github.com/nspcc-dev/neofs-node/pkg/morph/event"
 containerEvent "github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
 containerSDK "github.com/nspcc-dev/neofs-sdk-go/container"
 cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
 "github.com/nspcc-dev/neofs-sdk-go/session"
+ subnetid "github.com/nspcc-dev/neofs-sdk-go/subnet/id"
 "go.uber.org/zap"
 )
 
@@ -84,6 +86,12 @@ func (cp *Processor) checkPutContainer(ctx *putContainerContext) error {
 return fmt.Errorf("invalid binary container: %w", err)
 }
 
+ // check owner allowance in the subnetwork
+ err = checkSubnet(cp.subnetClient, cnr)
+ if err != nil {
+ return fmt.Errorf("incorrect subnetwork: %w", err)
+ }
+
 // check native name and zone
 err = checkNNS(ctx, cnr)
 if err != nil {
@@ -275,3 +283,36 @@ func checkNNS(ctx *putContainerContext, cnr *containerSDK.Container) error {
 
 return nil
 }
+
+func checkSubnet(subCli *morphsubnet.Client, cnr *containerSDK.Container) error {
+ prm := morphsubnet.UserAllowedPrm{}
+
+ subID := cnr.PlacementPolicy().SubnetID()
+ if subID == nil || subnetid.IsZero(*subID) {
+ return nil
+ }
+
+ rawSubID, err := subID.Marshal()
+ if err != nil {
+ return fmt.Errorf("could not marshal container subnetwork: %w", err)
+ }
+
+ ownerID, err := cnr.OwnerID().Marshal()
+ if err != nil {
+ return fmt.Errorf("could not marshal container ownerID: %w", err)
+ }
+
+ prm.SetID(rawSubID)
+ prm.SetClient(ownerID)
+
+ res, err := subCli.UserAllowed(prm)
+ if err != nil {
+ return fmt.Errorf("could not check user in contract: %w", err)
+ }
+
+ if !res.Allowed() {
+ return fmt.Errorf("user is not allowed to create containers in %s subnetwork", subID)
+ }
+
+ return nil
+}
diff --git a/pkg/innerring/processors/container/processor.go b/pkg/innerring/processors/container/processor.go
index dd3e4ed84..3edaf6bde 100644
--- a/pkg/innerring/processors/container/processor.go
+++ b/pkg/innerring/processors/container/processor.go
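Review bot: The subnet allowance added in checkPutContainer is evaluated for `cnr.OwnerID()`, a value read from the container body itself, so it only means something if the signature over that body has already been tied to the owner earlier in the function; that part of checkPutContainer is outside this hunk and should be confirmed. A short comment at the call would record the dependency, for example `// owner must already be authenticated above: checkSubnet trusts cnr.OwnerID()`. Also note that every failure from checkSubnet is wrapped as `incorrect subnetwork`, so a failed contract call and a real denial read much the same in the log; the Put is rejected in both cases, which is the safe direction.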
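Review bot: checkSubnet is the authorization gate for subnet-scoped containers but has no doc comment, and its one deliberate bypass (a nil or zero subnet ID returns nil before any contract lookup) can only be found by reading the body. I would add above the function `// checkSubnet asks the subnet contract whether the container owner may create containers in the placement policy's subnetwork; an unset or zero subnet ID is accepted without a lookup.` Separately, `prm := morphsubnet.UserAllowedPrm{}` is built before the early return and could move down next to `prm.SetID(rawSubID)`. Whether `cnr.PlacementPolicy()` or `cnr.OwnerID()` can be nil for a container that passed unmarshalling is not visible here; if they can, a guard before the method calls would be worth adding.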
@@ -7,6 +7,7 @@ import (
 "github.com/nspcc-dev/neo-go/pkg/core/mempoolevent"
 "github.com/nspcc-dev/neofs-node/pkg/morph/client/container/wrapper"
 neofsid "github.com/nspcc-dev/neofs-node/pkg/morph/client/neofsid/wrapper"
+ morphsubnet "github.com/nspcc-dev/neofs-node/pkg/morph/client/subnet"
 "github.com/nspcc-dev/neofs-node/pkg/morph/event"
 containerEvent "github.com/nspcc-dev/neofs-node/pkg/morph/event/container"
 "github.com/panjf2000/ants/v2"
@@ -26,6 +27,7 @@ type (
 alphabetState AlphabetState
 cnrClient *wrapper.Wrapper // notary must be enabled
 idClient *neofsid.ClientWrapper
+ subnetClient *morphsubnet.Client
 netState NetworkState
 notaryDisabled bool
 }
@@ -37,6 +39,7 @@ type (
 AlphabetState AlphabetState
 ContainerClient *wrapper.Wrapper
 NeoFSIDClient *neofsid.ClientWrapper
+ SubnetClient *morphsubnet.Client
 NetworkState NetworkState
 NotaryDisabled bool
 }
@@ -72,6 +75,8 @@ func New(p *Params) (*Processor, error) {
 return nil, errors.New("ir/container: NeoFS ID client is not set")
 case p.NetworkState == nil:
 return nil, errors.New("ir/container: network state is not set")
+ case p.SubnetClient == nil:
+ return nil, errors.New("ir/container: subnet client is not set")
 }
 
 p.Log.Debug("container worker pool", zap.Int("size", p.PoolSize))
@@ -89,6 +94,7 @@ func New(p *Params) (*Processor, error) {
 idClient: p.NeoFSIDClient,
 netState: p.NetworkState,
 notaryDisabled: p.NotaryDisabled,
+ subnetClient: p.SubnetClient,
 }, nil
 }