From 7a13053fab01596985909143c899ca22d1d23f42 Mon Sep 17 00:00:00 2001
From: Leonard Lyubich
Date: Fri, 10 Sep 2021 14:35:29 +0300
Subject: [PATCH] [#818] object/acl: Fit sticky bit specification
In previous implementation sticky bit could disrupt access of container nodes to replication. According to NeoFS specification sticky bit should not affect the requests sent by nodes from SYSTEM group. Add role check to `stickyBitCheck`.
Signed-off-by: Leonard Lyubich
---
 pkg/services/object/acl/acl.go | 6 ++++++
 pkg/services/object/acl/acl_test.go | 17 +++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index da2da5a4d9..a7f5fe5e04 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -585,6 +585,12 @@ func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
 return false
 }
+ // According to NeoFS specification sticky bit has no effect on system nodes
+ // for correct intra-container work with objects (in particular, replication).
+ if info.requestRole == acl.RoleSystem {
+ return true
+ }
+
 if !info.basicACL.Sticky() {
 return true
 }
diff --git a/pkg/services/object/acl/acl_test.go b/pkg/services/object/acl/acl_test.go
index 468fbccdb9..22173d8362 100644
--- a/pkg/services/object/acl/acl_test.go
+++ b/pkg/services/object/acl/acl_test.go
@@ -3,6 +3,8 @@ package acl
 import (
 "testing"
+ "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
+ ownertest "github.com/nspcc-dev/neofs-api-go/pkg/owner/test"
 "github.com/nspcc-dev/neofs-api-go/v2/acl"
 acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
 "github.com/nspcc-dev/neofs-api-go/v2/session"
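Review bot: The new early return on `info.requestRole == acl.RoleSystem` in stickyBitCheck skips the sticky owner-to-key comparison entirely, so the exemption is only as trustworthy as the code that assigns `requestRole`, which is not visible in this hunk. Presumably that role is derived from the verified sender key and the node's container or Inner Ring membership; if so, state it in the comment so a later refactor does not feed it from request-supplied data, e.g. `// requestRole must come from the verified sender key's node membership, never from request fields.` Keeping the check after the existing `return false` guard is the right order, since that guard then still applies to system requests. stickyBitCheck begins and ends outside the hunk.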
@@ -34,3 +36,18 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Session
 return metaHeader
 }
+
+func TestStickyCheck(t *testing.T) {
+ t.Run("system role", func(t *testing.T) {
+ var info requestInfo
+
+ info.senderKey = make([]byte, 33) // any non-empty key
+ info.requestRole = eacl.RoleSystem
+
+ info.basicACL.SetSticky()
+ require.True(t, stickyBitCheck(info, ownertest.Generate()))
+
+ info.basicACL.ResetSticky()
+ require.True(t, stickyBitCheck(info, ownertest.Generate()))
+ })
+}
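Review bot: TestStickyCheck only pins the allow path for the system role, so a regression that widens the exemption to other roles would still pass. Add a subtest for a non-system role with the sticky bit set and an owner that does not match the key, e.g. `info.requestRole = eacl.RoleOthers` followed by `require.False(t, stickyBitCheck(info, ownertest.Generate()))`. The expected `false` relies on the key comparison in the part of stickyBitCheck outside this diff, so confirm it against the full function. A case with the system role and an empty `senderKey` would likewise pin that the earlier guard still rejects, assuming that guard checks the key as the `// any non-empty key` comment suggests.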