[#2106] cli: Verify container owner in container delete command

In NeoFS containers can be removed on behalf of its owner only. To improve user experience, there is a need to add ownership check to the removal command of the NeoFS CLI. Check container ownership in `container delete` command `Run` function. The check can be skipped by `--force` option. Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>
2022-12-08 10:28:57 +03:00 · 2022-12-08 10:28:57 +03:00 · a68ff67ed8
commit a68ff67ed8
parent 73ef5b18c7
2 changed files with 37 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -19,6 +19,8 @@ Changelog for NeoFS Node
 - `LOCK` object are stored on every container node (#1502)
 - `neofs-cli container get-eacl` print ACL table in json format only with arg `--json' (#2012)
 - Side chain notary deposits use max uint32 as till parameter (#1486)
+- Allow object removal without linking object (#2100)
+- `neofs-cli container delete` command pre-checks container ownership (#2106) 

 ### Fixed
 - Open FSTree in sync mode by default (#1992)
@ -68,6 +70,9 @@ The default value is taken from `object.put.pool_size_remote` as in earlier vers

 Added `neofs_node_object_*_req_count_success` metrics for tracking successfully executed requests.

+`neofs-cli container delete` command now requires given account or session issuer
+to match the container owner. Use `--force` (`-f`) flag to bypass this requirement.
+
 ## [0.34.0] - 2022-10-31 - Marado (마라도, 馬羅島)

 ### Added
--- a/cmd/frostfs-cli/modules/container/delete.go
+++ b/cmd/frostfs-cli/modules/container/delete.go
@ -9,6 +9,7 @@ import (
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	objectSDK "github.com/TrueCloudLab/frostfs-sdk-go/object"
+	"github.com/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/spf13/cobra"
 )

@ -26,6 +27,36 @@ Only owner of the container has a permission to remove container.`,
 		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)

 		if force, _ := cmd.Flags().GetBool(commonflags.ForceFlag); !force {
+			common.PrintVerbose("Reading the container to check ownership...")
+
+			var getPrm internalclient.GetContainerPrm
+			getPrm.SetClient(cli)
+			getPrm.SetContainer(id)
+
+			resGet, err := internalclient.GetContainer(getPrm)
+			common.ExitOnErr(cmd, "can't get the container: %w", err)
+
+			owner := resGet.Container().Owner()
+
+			if tok != nil {
+				common.PrintVerbose("Checking session issuer...")
+
+				if !tok.Issuer().Equals(owner) {
+					common.ExitOnErr(cmd, "", fmt.Errorf("session issuer differs with the container owner: expected %s, has %s", owner, tok.Issuer()))
+				}
+			} else {
+				common.PrintVerbose("Checking provided account...")
+
+				var acc user.ID
+				user.IDFromKey(&acc, pk.PublicKey)
+
+				if !acc.Equals(owner) {
+					common.ExitOnErr(cmd, "", fmt.Errorf("provided account differs with the container owner: expected %s, has %s", owner, acc))
+				}
+			}
+
+			common.PrintVerbose("Account matches the container owner.")
+
 			fs := objectSDK.NewSearchFilters()
 			fs.AddTypeFilter(objectSDK.MatchStringEqual, objectSDK.TypeLock)

@ -91,5 +122,5 @@ func initContainerDeleteCmd() {

 	flags.StringVar(&containerID, commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
 	flags.BoolVar(&containerAwait, "await", false, "Block execution until container is removed")
-	flags.BoolP(commonflags.ForceFlag, commonflags.ForceFlagShorthand, false, "Do not check whether container contains locks and remove immediately")
+	flags.BoolP(commonflags.ForceFlag, commonflags.ForceFlagShorthand, false, "Skip validation checks (ownership, presence of LOCK objects)")
 }