[#553] authmate: Don't use basic acl

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

.dockerignore

@@ -1,3 +1,3 @@
 .git
 .cache
-.github
+.forgejo

.github/CODEOWNERS

@@ -1 +0,0 @@
-*       @alexvanin @dkirillov

CODEOWNERS

@@ -0,0 +1 @@
+.*       @alexvanin @dkirillov

README.md

@@ -1,5 +1,5 @@
 <p align="center">
-<img src="./.github/logo.svg" width="500px" alt="FrostFS logo">
+<img src="./.forgejo/logo.svg" width="500px" alt="FrostFS logo">
 </p>
 <p align="center">
   <a href="https://frostfs.info">FrostFS</a> is a decentralized distributed object storage integrated with the <a href="https://neo.org">NEO Blockchain</a>.

api/data/lifecycle.go

@@ -20,6 +20,7 @@ type (
 		Filter                         *LifecycleRuleFilter            `xml:"Filter,omitempty"`
 		ID                             string                          `xml:"ID,omitempty"`
 		NonCurrentVersionExpiration    *NonCurrentVersionExpiration    `xml:"NoncurrentVersionExpiration,omitempty"`
+		Prefix                         string                          `xml:"Prefix,omitempty"`
 	}
 
 	AbortIncompleteMultipartUpload struct {

api/handler/acl_test.go

@@ -191,6 +191,7 @@ func TestDeleteBucketWithPolicy(t *testing.T) {
 	require.Len(t, hc.h.ape.(*apeMock).policyMap, 1)
 	require.Len(t, hc.h.ape.(*apeMock).chainMap[engine.ContainerTarget(bi.CID.EncodeToString())], 4)
 
+	hc.owner = bi.Owner
 	deleteBucket(t, hc, bktName, http.StatusNoContent)
 
 	require.Empty(t, hc.h.ape.(*apeMock).policyMap)

api/handler/delete.go

@@ -245,6 +245,11 @@ func (h *handler) DeleteBucketHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if err = checkOwner(bktInfo, reqInfo.User); err != nil {
+		h.logAndSendError(ctx, w, "request owner id does not match bucket owner id", reqInfo, err)
+		return
+	}
+
 	var sessionToken *session.Container
 
 	boxData, err := middleware.GetBoxData(ctx)

api/handler/delete_test.go

@@ -37,6 +37,7 @@ func TestDeleteBucketOnAlreadyRemovedError(t *testing.T) {
 
 	deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}})
 
+	hc.owner = bktInfo.Owner
 	deleteBucket(t, hc, bktName, http.StatusNoContent)
 }
 
@@ -53,11 +54,12 @@ func TestDeleteBucket(t *testing.T) {
 	tc := prepareHandlerContext(t)
 
 	bktName, objName := "bucket-for-removal", "object-to-delete"
-	_, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName)
+	bktInfo, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName)
 
 	deleteMarkerVersion, isDeleteMarker := deleteObject(t, tc, bktName, objName, emptyVersion)
 	require.True(t, isDeleteMarker)
 
+	tc.owner = bktInfo.Owner
 	deleteBucket(t, tc, bktName, http.StatusConflict)
 	deleteObject(t, tc, bktName, objName, objInfo.VersionID())
 	deleteBucket(t, tc, bktName, http.StatusConflict)
@@ -82,6 +84,7 @@ func TestDeleteBucketOnNotFoundError(t *testing.T) {
 
 	deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}})
 
+	hc.owner = bktInfo.Owner
 	deleteBucket(t, hc, bktName, http.StatusNoContent)
 }
 
@@ -99,6 +102,7 @@ func TestForceDeleteBucket(t *testing.T) {
 	addr.SetContainer(bktInfo.CID)
 	addr.SetObject(nodeVersion.OID)
 
+	hc.owner = bktInfo.Owner
 	deleteBucketForce(t, hc, bktName, http.StatusConflict, "false")
 	deleteBucketForce(t, hc, bktName, http.StatusNoContent, "true")
 }
@@ -457,6 +461,17 @@ func TestDeleteObjectCheckMarkerReturn(t *testing.T) {
 	require.Equal(t, deleteMarkerVersion, deleteMarkerVersion2)
 }
 
+func TestDeleteBucketByNotOwner(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket-name"
+	bktInfo := createTestBucket(hc, bktName)
+	deleteBucket(t, hc, bktName, http.StatusForbidden)
+
+	hc.owner = bktInfo.Owner
+	deleteBucket(t, hc, bktName, http.StatusNoContent)
+}
+
 func createBucketAndObject(tc *handlerContext, bktName, objName string) (*data.BucketInfo, *data.ObjectInfo) {
 	bktInfo := createTestBucket(tc, bktName)
 
@@ -563,6 +578,18 @@ func checkFound(t *testing.T, hc *handlerContext, bktName, objName, version stri
 	assertStatus(t, w, http.StatusOK)
 }
 
+func headObjectWithHeaders(hc *handlerContext, bktName, objName, version string, headers map[string]string) *httptest.ResponseRecorder {
+	query := make(url.Values)
+	query.Add(api.QueryVersionID, version)
+
+	w, r := prepareTestFullRequest(hc, bktName, objName, query, nil)
+	for k, v := range headers {
+		r.Header.Set(k, v)
+	}
+	hc.Handler().HeadObjectHandler(w, r)
+	return w
+}
+
 func headObjectBase(hc *handlerContext, bktName, objName, version string) *httptest.ResponseRecorder {
 	query := make(url.Values)
 	query.Add(api.QueryVersionID, version)

api/handler/encryption_test.go

@@ -48,6 +48,25 @@ func TestSimpleGetEncrypted(t *testing.T) {
 	require.Equal(t, content, string(response))
 }
 
+func TestMD5HeaderBadOrEmpty(t *testing.T) {
+	tc := prepareHandlerContext(t)
+
+	bktName, objName := "bucket-for-sse-c", "object-to-encrypt"
+	createTestBucket(tc, bktName)
+	content := "content"
+
+	headers := map[string]string{
+		api.ContentMD5: "",
+	}
+	putEncryptedObjectWithHeadersErr(t, tc, bktName, objName, content, headers, errors.ErrInvalidDigest)
+
+	headers = map[string]string{
+		api.ContentMD5: "YWJjMTIzIT8kKiYoKSctPUB+",
+	}
+
+	putEncryptedObjectWithHeadersErr(t, tc, bktName, objName, content, headers, errors.ErrBadDigest)
+}
+
 func TestGetEncryptedRange(t *testing.T) {
 	tc := prepareHandlerContext(t)
 
@@ -360,6 +379,15 @@ func putEncryptedObject(t *testing.T, tc *handlerContext, bktName, objName, cont
 	assertStatus(t, w, http.StatusOK)
 }
 
+func putEncryptedObjectWithHeadersErr(t *testing.T, tc *handlerContext, bktName, objName, content string, headers map[string]string, code errors.ErrorCode) {
+	body := bytes.NewReader([]byte(content))
+	w, r := prepareTestPayloadRequest(tc, bktName, objName, body)
+	setHeaders(r, headers)
+
+	tc.Handler().PutObjectHandler(w, r)
+	assertS3Error(t, w, errors.GetAPIError(code))
+}
+
 func getEncryptedObject(hc *handlerContext, bktName, objName string) ([]byte, http.Header) {
 	w, r := prepareTestRequest(hc, bktName, objName, nil)
 	setEncryptHeaders(r)
@@ -371,6 +399,15 @@ func getObject(hc *handlerContext, bktName, objName string) ([]byte, http.Header
 	return getObjectBase(hc, w, r)
 }
 
+func getObjectWithHeaders(hc *handlerContext, bktName, objName string, headers map[string]string) *httptest.ResponseRecorder {
+	w, r := prepareTestRequest(hc, bktName, objName, nil)
+	for k, v := range headers {
+		r.Header.Set(k, v)
+	}
+	hc.Handler().GetObjectHandler(w, r)
+	return w
+}
+
 func getObjectBase(hc *handlerContext, w *httptest.ResponseRecorder, r *http.Request) ([]byte, http.Header) {
 	hc.Handler().GetObjectHandler(w, r)
 	assertStatus(hc.t, w, http.StatusOK)

api/handler/get.go

@@ -78,6 +78,27 @@ func addSSECHeaders(responseHeader http.Header, requestHeader http.Header) {
 	responseHeader.Set(api.AmzServerSideEncryptionCustomerKeyMD5, requestHeader.Get(api.AmzServerSideEncryptionCustomerKeyMD5))
 }
 
+func writeNotModifiedHeaders(h http.Header, extendedInfo *data.ExtendedObjectInfo, tagSetLength int, isBucketUnversioned, md5Enabled bool) {
+	h.Set(api.ETag, data.Quote(extendedInfo.ObjectInfo.ETag(md5Enabled)))
+	h.Set(api.LastModified, extendedInfo.ObjectInfo.Created.UTC().Format(http.TimeFormat))
+	h.Set(api.AmzTaggingCount, strconv.Itoa(tagSetLength))
+
+	if !isBucketUnversioned {
+		h.Set(api.AmzVersionID, extendedInfo.Version())
+	}
+
+	if cacheControl := extendedInfo.ObjectInfo.Headers[api.CacheControl]; cacheControl != "" {
+		h.Set(api.CacheControl, cacheControl)
+	}
+
+	for key, val := range extendedInfo.ObjectInfo.Headers {
+		if layer.IsSystemHeader(key) {
+			continue
+		}
+		h[api.MetadataPrefix+key] = []string{val}
+	}
+}
+
 func writeHeaders(h http.Header, requestHeader http.Header, extendedInfo *data.ExtendedObjectInfo, tagSetLength int,
 	isBucketUnversioned, md5Enabled bool) {
 	info := extendedInfo.ObjectInfo
@@ -158,7 +179,28 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	info := extendedInfo.ObjectInfo
 
+	bktSettings, err := h.obj.GetBucketSettings(ctx, bktInfo)
+	if err != nil {
+		h.logAndSendError(ctx, w, "could not get bucket settings", reqInfo, err)
+		return
+	}
+
+	t := &data.ObjectVersion{
+		BktInfo:    bktInfo,
+		ObjectName: info.Name,
+		VersionID:  info.VersionID(),
+	}
+
+	tagSet, lockInfo, err := h.obj.GetObjectTaggingAndLock(ctx, t, extendedInfo.NodeVersion)
+	if err != nil && !errors.IsS3Error(err, errors.ErrNoSuchKey) {
+		h.logAndSendError(ctx, w, "could not get object meta data", reqInfo, err)
+		return
+	}
+
 	if err = checkPreconditions(info, conditional, h.cfg.MD5Enabled()); err != nil {
+		if errors.IsS3Error(err, errors.ErrNotModified) {
+			writeNotModifiedHeaders(w.Header(), extendedInfo, len(tagSet), bktSettings.Unversioned(), h.cfg.MD5Enabled())
+		}
 		h.logAndSendError(ctx, w, "precondition failed", reqInfo, err)
 		return
 	}
@@ -185,18 +227,6 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	t := &data.ObjectVersion{
-		BktInfo:    bktInfo,
-		ObjectName: info.Name,
-		VersionID:  info.VersionID(),
-	}
-
-	tagSet, lockInfo, err := h.obj.GetObjectTaggingAndLock(ctx, t, extendedInfo.NodeVersion)
-	if err != nil && !errors.IsS3Error(err, errors.ErrNoSuchKey) {
-		h.logAndSendError(ctx, w, "could not get object meta data", reqInfo, err)
-		return
-	}
-
 	if layer.IsAuthenticatedRequest(ctx) {
 		overrideResponseHeaders(w.Header(), reqInfo.URL.Query())
 	}
@@ -206,12 +236,6 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	bktSettings, err := h.obj.GetBucketSettings(ctx, bktInfo)
-	if err != nil {
-		h.logAndSendError(ctx, w, "could not get bucket settings", reqInfo, err)
-		return
-	}
-
 	getPayloadParams := &layer.GetObjectParams{
 		ObjectInfo: info,
 		Versioned:  p.Versioned(),

api/handler/get_test.go

@@ -210,6 +210,27 @@ func TestGetObjectEnabledMD5(t *testing.T) {
 	require.Equal(t, data.Quote(objInfo.MD5Sum), headers.Get(api.ETag))
 }
 
+func TestGetObjectNotModifiedHeaders(t *testing.T) {
+	hc := prepareHandlerContextWithMinCache(t)
+	bktName, objName, metadataHeader := "bucket", "obj", api.MetadataPrefix+"header"
+	createVersionedBucket(hc, bktName)
+	header := putObjectWithHeaders(hc, bktName, objName, map[string]string{api.CacheControl: "value", metadataHeader: "value"})
+	etag, versionID := header.Get(api.ETag), header.Get(api.AmzVersionID)
+	require.NotEmpty(t, etag)
+	require.NotEmpty(t, versionID)
+
+	putObjectTagging(t, hc, bktName, objName, map[string]string{"key": "value"})
+
+	w := getObjectWithHeaders(hc, bktName, objName, map[string]string{api.IfNoneMatch: etag})
+	require.Equal(t, http.StatusNotModified, w.Code)
+	require.Equal(t, "1", w.Header().Get(api.AmzTaggingCount))
+	require.Equal(t, etag, w.Header().Get(api.ETag))
+	require.NotEmpty(t, w.Header().Get(api.LastModified))
+	require.Equal(t, versionID, w.Header().Get(api.AmzVersionID))
+	require.Equal(t, "value", w.Header().Get(api.CacheControl))
+	require.Equal(t, []string{"value"}, w.Header()[metadataHeader])
+}
+
 func putObjectContent(hc *handlerContext, bktName, objName, content string) http.Header {
 	body := bytes.NewReader([]byte(content))
 	w, r := prepareTestPayloadRequest(hc, bktName, objName, body)

api/handler/handlers_test.go

@@ -462,6 +462,7 @@ func prepareTestRequestWithQuery(hc *handlerContext, bktName, objName string, qu
 	r.URL.RawQuery = query.Encode()
 
 	reqInfo := middleware.NewReqInfo(w, r, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "")
+	reqInfo.User = hc.owner.String()
 	r = r.WithContext(middleware.SetReqInfo(hc.Context(), reqInfo))
 
 	return w, r

api/handler/head.go

@@ -66,8 +66,9 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err = checkPreconditions(info, conditional, h.cfg.MD5Enabled()); err != nil {
-		h.logAndSendError(ctx, w, "precondition failed", reqInfo, err)
+	bktSettings, err := h.obj.GetBucketSettings(ctx, bktInfo)
+	if err != nil {
+		h.logAndSendError(ctx, w, "could not get bucket settings", reqInfo, err)
 		return
 	}
 
@@ -83,6 +84,14 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if err = checkPreconditions(info, conditional, h.cfg.MD5Enabled()); err != nil {
+		if errors.IsS3Error(err, errors.ErrNotModified) {
+			writeNotModifiedHeaders(w.Header(), extendedInfo, len(tagSet), bktSettings.Unversioned(), h.cfg.MD5Enabled())
+		}
+		h.logAndSendError(ctx, w, "precondition failed", reqInfo, err)
+		return
+	}
+
 	if len(info.ContentType) == 0 {
 		if info.ContentType = layer.MimeByFilePath(info.Name); len(info.ContentType) == 0 {
 			getParams := &layer.GetObjectParams{
@@ -113,12 +122,6 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	bktSettings, err := h.obj.GetBucketSettings(ctx, bktInfo)
-	if err != nil {
-		h.logAndSendError(ctx, w, "could not get bucket settings", reqInfo, err)
-		return
-	}
-
 	writeHeaders(w.Header(), r.Header, extendedInfo, len(tagSet), bktSettings.Unversioned(), h.cfg.MD5Enabled())
 	w.WriteHeader(http.StatusOK)
 }

api/handler/head_test.go

@@ -99,6 +99,27 @@ func TestHeadObject(t *testing.T) {
 	headObjectAssertS3Error(hc, bktName, objName, emptyVersion, apierr.ErrNoSuchKey)
 }
 
+func TestHeadObjectNotModifiedHeaders(t *testing.T) {
+	hc := prepareHandlerContextWithMinCache(t)
+	bktName, objName, metadataHeader := "bucket", "obj", api.MetadataPrefix+"header"
+	createVersionedBucket(hc, bktName)
+	header := putObjectWithHeaders(hc, bktName, objName, map[string]string{api.CacheControl: "value", metadataHeader: "value"})
+	etag, versionID := header.Get(api.ETag), header.Get(api.AmzVersionID)
+	require.NotEmpty(t, etag)
+	require.NotEmpty(t, versionID)
+
+	putObjectTagging(t, hc, bktName, objName, map[string]string{"key": "value"})
+
+	w := headObjectWithHeaders(hc, bktName, objName, emptyVersion, map[string]string{api.IfNoneMatch: etag})
+	require.Equal(t, http.StatusNotModified, w.Code)
+	require.Equal(t, "1", w.Header().Get(api.AmzTaggingCount))
+	require.Equal(t, etag, w.Header().Get(api.ETag))
+	require.NotEmpty(t, w.Header().Get(api.LastModified))
+	require.Equal(t, versionID, w.Header().Get(api.AmzVersionID))
+	require.Equal(t, "value", w.Header().Get(api.CacheControl))
+	require.Equal(t, []string{"value"}, w.Header()[metadataHeader])
+}
+
 func TestIsAvailableToResolve(t *testing.T) {
 	list := []string{"container", "s3"}
 

api/handler/lifecycle.go

@@ -17,6 +17,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/util"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
+	"github.com/google/uuid"
 )
 
 const (
@@ -97,7 +98,7 @@ func (h *handler) PutBucketLifecycleHandler(w http.ResponseWriter, r *http.Reque
 	}
 
 	if err = checkLifecycleConfiguration(ctx, cfg, &networkInfo); err != nil {
-		h.logAndSendError(ctx, w, "invalid lifecycle configuration", reqInfo, fmt.Errorf("%w: %s", apierr.GetAPIError(apierr.ErrMalformedXML), err.Error()))
+		h.logAndSendError(ctx, w, "invalid lifecycle configuration", reqInfo, err)
 		return
 	}
 
@@ -140,58 +141,67 @@ func checkLifecycleConfiguration(ctx context.Context, cfg *data.LifecycleConfigu
 	now := layer.TimeNow(ctx)
 
 	if len(cfg.Rules) > maxRules {
-		return fmt.Errorf("number of rules cannot be greater than %d", maxRules)
+		return fmt.Errorf("%w: number of rules cannot be greater than %d", apierr.GetAPIError(apierr.ErrInvalidRequest), maxRules)
 	}
 
 	ids := make(map[string]struct{}, len(cfg.Rules))
 	for i, rule := range cfg.Rules {
-		if _, ok := ids[rule.ID]; ok && rule.ID != "" {
-			return fmt.Errorf("duplicate 'ID': %s", rule.ID)
+		if rule.ID == "" {
+			id, err := uuid.NewRandom()
+			if err != nil {
+				return fmt.Errorf("generate uuid: %w", err)
+			}
+			cfg.Rules[i].ID = id.String()
+			rule.ID = id.String()
+		}
+
+		if _, ok := ids[rule.ID]; ok {
+			return fmt.Errorf("%w: duplicate 'ID': %s", apierr.GetAPIError(apierr.ErrInvalidArgument), rule.ID)
 		}
 		ids[rule.ID] = struct{}{}
 
 		if len(rule.ID) > maxRuleIDLen {
-			return fmt.Errorf("'ID' value cannot be longer than %d characters", maxRuleIDLen)
+			return fmt.Errorf("%w: 'ID' value cannot be longer than %d characters", apierr.GetAPIError(apierr.ErrInvalidArgument), maxRuleIDLen)
 		}
 
 		if rule.Status != data.LifecycleStatusEnabled && rule.Status != data.LifecycleStatusDisabled {
-			return fmt.Errorf("invalid lifecycle status: %s", rule.Status)
+			return fmt.Errorf("%w: invalid lifecycle status: %s", apierr.GetAPIError(apierr.ErrMalformedXML), rule.Status)
 		}
 
 		if rule.AbortIncompleteMultipartUpload == nil && rule.Expiration == nil && rule.NonCurrentVersionExpiration == nil {
-			return fmt.Errorf("at least one action needs to be specified in a rule")
+			return fmt.Errorf("%w: at least one action needs to be specified in a rule", apierr.GetAPIError(apierr.ErrInvalidRequest))
 		}
 
 		if rule.AbortIncompleteMultipartUpload != nil {
 			if rule.AbortIncompleteMultipartUpload.DaysAfterInitiation != nil &&
 				*rule.AbortIncompleteMultipartUpload.DaysAfterInitiation <= 0 {
-				return fmt.Errorf("days after initiation must be a positive integer: %d", *rule.AbortIncompleteMultipartUpload.DaysAfterInitiation)
+				return fmt.Errorf("%w: days after initiation must be a positive integer", apierr.GetAPIError(apierr.ErrInvalidArgument))
 			}
 
 			if rule.Filter != nil && (rule.Filter.Tag != nil || (rule.Filter.And != nil && len(rule.Filter.And.Tags) > 0)) {
-				return fmt.Errorf("abort incomplete multipart upload cannot be specified with tags")
+				return fmt.Errorf("%w: abort incomplete multipart upload cannot be specified with tags", apierr.GetAPIError(apierr.ErrInvalidRequest))
 			}
 		}
 
 		if rule.Expiration != nil {
 			if rule.Expiration.ExpiredObjectDeleteMarker != nil {
 				if rule.Expiration.Days != nil || rule.Expiration.Date != "" {
-					return fmt.Errorf("expired object delete marker cannot be specified with days or date")
+					return fmt.Errorf("%w: expired object delete marker cannot be specified with days or date", apierr.GetAPIError(apierr.ErrMalformedXML))
 				}
 
 				if rule.Filter != nil && (rule.Filter.Tag != nil || (rule.Filter.And != nil && len(rule.Filter.And.Tags) > 0)) {
-					return fmt.Errorf("expired object delete marker cannot be specified with tags")
+					return fmt.Errorf("%w: expired object delete marker cannot be specified with tags", apierr.GetAPIError(apierr.ErrInvalidRequest))
 				}
 			}
 
 			if rule.Expiration.Days != nil && *rule.Expiration.Days <= 0 {
-				return fmt.Errorf("expiration days must be a positive integer: %d", *rule.Expiration.Days)
+				return fmt.Errorf("%w: expiration days must be a positive integer", apierr.GetAPIError(apierr.ErrInvalidArgument))
 			}
 
 			if rule.Expiration.Date != "" {
 				parsedTime, err := time.Parse("2006-01-02T15:04:05Z", rule.Expiration.Date)
 				if err != nil {
-					return fmt.Errorf("invalid value of expiration date: %s", rule.Expiration.Date)
+					return fmt.Errorf("%w: invalid value of expiration date: %s", apierr.GetAPIError(apierr.ErrInvalidArgument), rule.Expiration.Date)
 				}
 
 				epoch, err := util.TimeToEpoch(ni, now, parsedTime)
@@ -204,20 +214,29 @@ func checkLifecycleConfiguration(ctx context.Context, cfg *data.LifecycleConfigu
 		}
 
 		if rule.NonCurrentVersionExpiration != nil {
+			if rule.NonCurrentVersionExpiration.NewerNonCurrentVersions != nil && rule.NonCurrentVersionExpiration.NonCurrentDays == nil {
+				return fmt.Errorf("%w: newer noncurrent versions cannot be specified without noncurrent days", apierr.GetAPIError(apierr.ErrMalformedXML))
+			}
+
 			if rule.NonCurrentVersionExpiration.NewerNonCurrentVersions != nil &&
 				(*rule.NonCurrentVersionExpiration.NewerNonCurrentVersions > maxNewerNoncurrentVersions ||
 					*rule.NonCurrentVersionExpiration.NewerNonCurrentVersions <= 0) {
-				return fmt.Errorf("invalid value of newer noncurrent versions: %d", *rule.NonCurrentVersionExpiration.NewerNonCurrentVersions)
+				return fmt.Errorf("%w: newer noncurrent versions must be a positive integer up to %d", apierr.GetAPIError(apierr.ErrInvalidArgument),
+					maxNewerNoncurrentVersions)
 			}
 
 			if rule.NonCurrentVersionExpiration.NonCurrentDays != nil && *rule.NonCurrentVersionExpiration.NonCurrentDays <= 0 {
-				return fmt.Errorf("invalid value of noncurrent days: %d", *rule.NonCurrentVersionExpiration.NonCurrentDays)
+				return fmt.Errorf("%w: noncurrent days must be a positive integer", apierr.GetAPIError(apierr.ErrInvalidArgument))
 			}
 		}
 
 		if err := checkLifecycleRuleFilter(rule.Filter); err != nil {
 			return err
 		}
+
+		if rule.Filter != nil && rule.Filter.Prefix != "" && rule.Prefix != "" {
+			return fmt.Errorf("%w: rule cannot have two prefixes", apierr.GetAPIError(apierr.ErrMalformedXML))
+		}
 	}
 
 	return nil
@@ -239,9 +258,14 @@ func checkLifecycleRuleFilter(filter *data.LifecycleRuleFilter) error {
 			}
 		}
 
-		if filter.And.ObjectSizeGreaterThan != nil && filter.And.ObjectSizeLessThan != nil &&
-			*filter.And.ObjectSizeLessThan <= *filter.And.ObjectSizeGreaterThan {
-			return fmt.Errorf("the maximum object size must be larger than the minimum object size")
+		if filter.And.ObjectSizeLessThan != nil {
+			if *filter.And.ObjectSizeLessThan == 0 {
+				return fmt.Errorf("%w: the maximum object size must be more than 0", apierr.GetAPIError(apierr.ErrInvalidRequest))
+			}
+
+			if filter.And.ObjectSizeGreaterThan != nil && *filter.And.ObjectSizeLessThan <= *filter.And.ObjectSizeGreaterThan {
+				return fmt.Errorf("%w: the maximum object size must be larger than the minimum object size", apierr.GetAPIError(apierr.ErrInvalidRequest))
+			}
 		}
 	}
 
@@ -250,6 +274,9 @@ func checkLifecycleRuleFilter(filter *data.LifecycleRuleFilter) error {
 	}
 
 	if filter.ObjectSizeLessThan != nil {
+		if *filter.ObjectSizeLessThan == 0 {
+			return fmt.Errorf("%w: the maximum object size must be more than 0", apierr.GetAPIError(apierr.ErrInvalidRequest))
+		}
 		fields++
 	}
 
@@ -266,7 +293,7 @@ func checkLifecycleRuleFilter(filter *data.LifecycleRuleFilter) error {
 	}
 
 	if fields > 1 {
-		return fmt.Errorf("filter cannot have more than one field")
+		return fmt.Errorf("%w: filter cannot have more than one field", apierr.GetAPIError(apierr.ErrMalformedXML))
 	}
 
 	return nil

api/handler/lifecycle_test.go

@@ -27,19 +27,16 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 	createBucket(hc, bktName)
 
 	for _, tc := range []struct {
-		name  string
-		body  *data.LifecycleConfiguration
-		error bool
+		name      string
+		body      *data.LifecycleConfiguration
+		errorCode apierr.ErrorCode
 	}{
 		{
 			name: "correct configuration",
 			body: &data.LifecycleConfiguration{
-				XMLName: xml.Name{
-					Space: `http://s3.amazonaws.com/doc/2006-03-01/`,
-					Local: "LifecycleConfiguration",
-				},
 				Rules: []data.LifecycleRule{
 					{
+						ID:     "rule-1",
 						Status: data.LifecycleStatusEnabled,
 						Expiration: &data.LifecycleExpiration{
 							Days: ptr(21),
@@ -54,6 +51,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 						},
 					},
 					{
+						ID:     "rule-2",
 						Status: data.LifecycleStatusEnabled,
 						AbortIncompleteMultipartUpload: &data.AbortIncompleteMultipartUpload{
 							DaysAfterInitiation: ptr(14),
@@ -83,7 +81,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 				}
 				return lifecycle
 			}(),
-			error: true,
+			errorCode: apierr.ErrInvalidRequest,
 		},
 		{
 			name: "duplicate rule ID",
@@ -105,7 +103,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "too long rule ID",
@@ -121,7 +119,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				}
 			}(),
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "invalid status",
@@ -132,7 +130,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrMalformedXML,
 		},
 		{
 			name: "no actions",
@@ -146,7 +144,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidRequest,
 		},
 		{
 			name: "invalid days after initiation",
@@ -160,7 +158,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "invalid expired object delete marker declaration",
@@ -175,7 +173,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrMalformedXML,
 		},
 		{
 			name: "invalid expiration days",
@@ -189,7 +187,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "invalid expiration date",
@@ -203,7 +201,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "newer noncurrent versions is too small",
@@ -212,12 +210,13 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					{
 						Status: data.LifecycleStatusEnabled,
 						NonCurrentVersionExpiration: &data.NonCurrentVersionExpiration{
+							NonCurrentDays:          ptr(1),
 							NewerNonCurrentVersions: ptr(0),
 						},
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "newer noncurrent versions is too large",
@@ -226,12 +225,13 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					{
 						Status: data.LifecycleStatusEnabled,
 						NonCurrentVersionExpiration: &data.NonCurrentVersionExpiration{
+							NonCurrentDays:          ptr(1),
 							NewerNonCurrentVersions: ptr(101),
 						},
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "invalid noncurrent days",
@@ -245,7 +245,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidArgument,
 		},
 		{
 			name: "more than one filter field",
@@ -263,7 +263,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrMalformedXML,
 		},
 		{
 			name: "invalid tag in filter",
@@ -280,7 +280,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidTagKey,
 		},
 		{
 			name: "abort incomplete multipart upload with tag",
@@ -297,7 +297,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidRequest,
 		},
 		{
 			name: "expired object delete marker with tag",
@@ -316,7 +316,7 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidRequest,
 		},
 		{
 			name: "invalid size range",
@@ -336,19 +336,88 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 					},
 				},
 			},
-			error: true,
+			errorCode: apierr.ErrInvalidRequest,
+		},
+		{
+			name: "two prefixes",
+			body: &data.LifecycleConfiguration{
+				Rules: []data.LifecycleRule{
+					{
+						Status: data.LifecycleStatusEnabled,
+						Expiration: &data.LifecycleExpiration{
+							Days: ptr(21),
+						},
+						Filter: &data.LifecycleRuleFilter{
+							Prefix: "prefix-1/",
+						},
+						Prefix: "prefix-2/",
+					},
+				},
+			},
+			errorCode: apierr.ErrMalformedXML,
+		},
+		{
+			name: "newer noncurrent versions without noncurrent days",
+			body: &data.LifecycleConfiguration{
+				Rules: []data.LifecycleRule{
+					{
+						Status: data.LifecycleStatusEnabled,
+						NonCurrentVersionExpiration: &data.NonCurrentVersionExpiration{
+							NewerNonCurrentVersions: ptr(10),
+						},
+					},
+				},
+			},
+			errorCode: apierr.ErrMalformedXML,
+		},
+		{
+			name: "invalid maximum object size in filter",
+			body: &data.LifecycleConfiguration{
+				Rules: []data.LifecycleRule{
+					{
+						Status: data.LifecycleStatusEnabled,
+						Expiration: &data.LifecycleExpiration{
+							Days: ptr(21),
+						},
+						Filter: &data.LifecycleRuleFilter{
+							ObjectSizeLessThan: ptr(uint64(0)),
+						},
+					},
+				},
+			},
+			errorCode: apierr.ErrInvalidRequest,
+		},
+		{
+			name: "invalid maximum object size in filter and",
+			body: &data.LifecycleConfiguration{
+				Rules: []data.LifecycleRule{
+					{
+						Status: data.LifecycleStatusEnabled,
+						Expiration: &data.LifecycleExpiration{
+							Days: ptr(21),
+						},
+						Filter: &data.LifecycleRuleFilter{
+							And: &data.LifecycleRuleAndOperator{
+								Prefix:             "prefix/",
+								ObjectSizeLessThan: ptr(uint64(0)),
+							},
+						},
+					},
+				},
+			},
+			errorCode: apierr.ErrInvalidRequest,
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.error {
-				putBucketLifecycleConfigurationErr(hc, bktName, tc.body, apierr.GetAPIError(apierr.ErrMalformedXML))
+			if tc.errorCode > 0 {
+				putBucketLifecycleConfigurationErr(hc, bktName, tc.body, apierr.GetAPIError(tc.errorCode))
 				return
 			}
 
 			putBucketLifecycleConfiguration(hc, bktName, tc.body)
 
 			cfg := getBucketLifecycleConfiguration(hc, bktName)
-			require.Equal(t, *tc.body, *cfg)
+			require.Equal(t, tc.body.Rules, cfg.Rules)
 
 			deleteBucketLifecycleConfiguration(hc, bktName)
 			getBucketLifecycleConfigurationErr(hc, bktName, apierr.GetAPIError(apierr.ErrNoSuchLifecycleConfiguration))
@@ -356,6 +425,36 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 	}
 }
 
+func TestPutBucketLifecycleIDGeneration(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket-lifecycle-id"
+	createBucket(hc, bktName)
+
+	lifecycle := &data.LifecycleConfiguration{
+		Rules: []data.LifecycleRule{
+			{
+				Status: data.LifecycleStatusEnabled,
+				Expiration: &data.LifecycleExpiration{
+					Days: ptr(21),
+				},
+			},
+			{
+				Status: data.LifecycleStatusEnabled,
+				AbortIncompleteMultipartUpload: &data.AbortIncompleteMultipartUpload{
+					DaysAfterInitiation: ptr(14),
+				},
+			},
+		},
+	}
+
+	putBucketLifecycleConfiguration(hc, bktName, lifecycle)
+	cfg := getBucketLifecycleConfiguration(hc, bktName)
+	require.Len(t, cfg.Rules, 2)
+	require.NotEmpty(t, cfg.Rules[0].ID)
+	require.NotEmpty(t, cfg.Rules[1].ID)
+}
+
 func TestPutBucketLifecycleInvalidMD5(t *testing.T) {
 	hc := prepareHandlerContext(t)
 

api/handler/object_list_test.go

@@ -681,6 +681,80 @@ func TestS3BucketListDelimiterNotSkipSpecial(t *testing.T) {
 	}
 }
 
+func TestS3BucketListMarkerUnreadable(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket-for-listing"
+	bktInfo := createTestBucket(hc, bktName)
+
+	objects := []string{"bar", "baz", "foo", "quxx"}
+	for _, objName := range objects {
+		createTestObject(hc, bktInfo, objName, encryption.Params{})
+	}
+
+	list := listObjectsV1(hc, bktName, "", "", "\x0a", -1)
+
+	require.Equal(t, "\x0a", list.Marker)
+	require.False(t, list.IsTruncated)
+
+	require.Len(t, list.Contents, len(objects))
+	for i := 0; i < len(list.Contents); i++ {
+		require.Equal(t, objects[i], list.Contents[i].Key)
+	}
+}
+
+func TestS3BucketListMarkerNotInList(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket-for-listing"
+	bktInfo := createTestBucket(hc, bktName)
+
+	objects := []string{"bar", "baz", "foo", "quxx"}
+	for _, objName := range objects {
+		createTestObject(hc, bktInfo, objName, encryption.Params{})
+	}
+
+	list := listObjectsV1(hc, bktName, "", "", "blah", -1)
+
+	require.Equal(t, "blah", list.Marker)
+
+	expected := []string{"foo", "quxx"}
+	require.Len(t, list.Contents, len(expected))
+	for i := 0; i < len(list.Contents); i++ {
+		require.Equal(t, expected[i], list.Contents[i].Key)
+	}
+}
+
+func TestListTruncatedCacheHit(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket-for-listing"
+	bktInfo := createTestBucket(hc, bktName)
+
+	objects := []string{"bar", "baz", "foo", "quxx"}
+	for _, objName := range objects {
+		createTestObject(hc, bktInfo, objName, encryption.Params{})
+	}
+
+	list := listObjectsV1(hc, bktName, "", "", "", 2)
+	require.True(t, list.IsTruncated)
+
+	require.Len(t, list.Contents, 2)
+	for i := 0; i < len(list.Contents); i++ {
+		require.Equal(t, objects[i], list.Contents[i].Key)
+	}
+
+	cacheKey := cache.CreateListSessionCacheKey(bktInfo.CID, "", list.NextMarker)
+	list = listObjectsV1(hc, bktName, "", "", list.NextMarker, 2)
+	require.Nil(t, hc.cache.GetListSession(hc.owner, cacheKey))
+	require.False(t, list.IsTruncated)
+
+	require.Len(t, list.Contents, 2)
+	for i := 0; i < len(list.Contents); i++ {
+		require.Equal(t, objects[i+2], list.Contents[i].Key)
+	}
+}
+
 func TestMintVersioningListObjectVersionsVersionIDContinuation(t *testing.T) {
 	hc := prepareHandlerContext(t)
 

api/handler/put.go

@@ -251,7 +251,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 		Reader:            body,
 		Header:            metadata,
 		Encryption:        encryptionParams,
-		ContentMD5:        r.Header.Get(api.ContentMD5),
+		ContentMD5:        getMD5Header(r),
 		ContentSHA256Hash: r.Header.Get(api.AmzContentSha256),
 	}
 
@@ -1038,3 +1038,13 @@ func (h *handler) parseLocationConstraint(r *http.Request) (*createBucketParams,
 	}
 	return params, nil
 }
+
+func getMD5Header(r *http.Request) *string {
+	var md5Hdr *string
+	if len(r.Header.Values(api.ContentMD5)) != 0 {
+		hdr := r.Header.Get(api.ContentMD5)
+		md5Hdr = &hdr
+	}
+
+	return md5Hdr
+}

api/handler/put_test.go

@@ -284,6 +284,12 @@ func TestPutObjectWithInvalidContentMD5(t *testing.T) {
 	w, r := prepareTestPayloadRequest(tc, bktName, objName, bytes.NewReader(content))
 	r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString([]byte("invalid")))
 	tc.Handler().PutObjectHandler(w, r)
+	assertS3Error(t, w, apierr.GetAPIError(apierr.ErrBadDigest))
+
+	content = []byte("content")
+	w, r = prepareTestPayloadRequest(tc, bktName, objName, bytes.NewReader(content))
+	r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString([]byte("")))
+	tc.Handler().PutObjectHandler(w, r)
 	assertS3Error(t, w, apierr.GetAPIError(apierr.ErrInvalidDigest))
 
 	checkNotFound(t, tc, bktName, objName, emptyVersion)
@@ -498,9 +504,6 @@ func getEmptyChunkedRequest(ctx context.Context, t *testing.T, bktName, objName
 	AWSAccessKeyID := "48c1K4PLVb7SvmV3PjDKEuXaMh8yZMXZ8Wx9msrkKcYw06dZeaxeiPe8vyFm2WsoeVaNt7UWEjNsVkagDs8oX4XXh"
 	AWSSecretAccessKey := "09260955b4eb0279dc017ba20a1ddac909cbd226c86cbb2d868e55534c8e64b0"
 
-	//awsCreds := credentials.NewStaticCredentials(AWSAccessKeyID, AWSSecretAccessKey, "")
-	//signer := v4.NewSigner(awsCreds)
-
 	reqBody := bytes.NewBufferString("0;chunk-signature=311a7142c8f3a07972c3aca65c36484b513a8fee48ab7178c7225388f2ae9894\r\n\r\n")
 
 	req, err := http.NewRequest("PUT", "http://localhost:8084/"+bktName+"/"+objName, reqBody)

api/layer/container.go

@@ -141,7 +141,6 @@ func (n *Layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
 		SessionToken:         p.SessionContainerCreation,
 		CreationTime:         bktInfo.Created,
 		AdditionalAttributes: attributes,
-		BasicACL:             0, // means APE
 	})
 	if err != nil {
 		return nil, fmt.Errorf("create container: %w", err)

api/layer/frostfs/frostfs.go

@@ -9,13 +9,13 @@ import (
 
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 )
 
 // PrmContainerCreate groups parameters of FrostFS.CreateContainer operation.
@@ -38,13 +38,15 @@ type PrmContainerCreate struct {
 	// Token of the container's creation session. Nil means session absence.
 	SessionToken *session.Container
 
-	// Basic ACL of the container.
-	BasicACL acl.Basic
-
 	// Attributes for optional parameters.
 	AdditionalAttributes [][2]string
 }
 
+type PrmAddContainerPolicyChain struct {
+	ContainerID cid.ID
+	Chain       chain.Chain
+}
+
 // PrmContainer groups parameters of FrostFS.Container operation.
 type PrmContainer struct {
 	// Container identifier.
@@ -239,6 +241,10 @@ type FrostFS interface {
 	// prevented the container from being created.
 	CreateContainer(context.Context, PrmContainerCreate) (*ContainerCreateResult, error)
 
+	// AddContainerPolicyChain create new policy chain for container.
+	// Can be invoked only by container owner.
+	AddContainerPolicyChain(context.Context, PrmAddContainerPolicyChain) error
+
 	// Container reads a container from FrostFS by ID.
 	//
 	// It returns exactly one non-nil value. It returns any error encountered which

api/layer/frostfs_mock.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
+	"errors"
 	"fmt"
 	"io"
 	"strings"
@@ -25,6 +26,7 @@ import (
 	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )
 
@@ -61,13 +63,14 @@ func (k *FeatureSettingsMock) FormContainerZone(ns string) string {
 	return ns + ".ns"
 }
 
-type TestFrostFS struct {
-	frostfs.FrostFS
+var _ frostfs.FrostFS = (*TestFrostFS)(nil)
 
+type TestFrostFS struct {
 	objects         map[string]*object.Object
 	objectErrors    map[string]error
 	objectPutErrors map[string]error
 	containers      map[string]*container.Container
+	chains          map[string][]chain.Chain
 	currentEpoch    uint64
 	key             *keys.PrivateKey
 }
@@ -78,6 +81,7 @@ func NewTestFrostFS(key *keys.PrivateKey) *TestFrostFS {
 		objectErrors:    make(map[string]error),
 		objectPutErrors: make(map[string]error),
 		containers:      make(map[string]*container.Container),
+		chains:          make(map[string][]chain.Chain),
 		key:             key,
 	}
 }
@@ -145,7 +149,6 @@ func (t *TestFrostFS) CreateContainer(_ context.Context, prm frostfs.PrmContaine
 	cnr.Init()
 	cnr.SetOwner(prm.Creator)
 	cnr.SetPlacementPolicy(prm.Policy)
-	cnr.SetBasicACL(prm.BasicACL)
 
 	creationTime := prm.CreationTime
 	if creationTime.IsZero() {
@@ -174,6 +177,7 @@ func (t *TestFrostFS) CreateContainer(_ context.Context, prm frostfs.PrmContaine
 	var id cid.ID
 	id.SetSHA256(sha256.Sum256(b))
 	t.containers[id.EncodeToString()] = &cnr
+	t.chains[id.EncodeToString()] = []chain.Chain{}
 
 	return &frostfs.ContainerCreateResult{ContainerID: id}, nil
 }
@@ -455,6 +459,17 @@ func (t *TestFrostFS) PatchObject(ctx context.Context, prm frostfs.PrmObjectPatc
 	return newID, nil
 }
 
+func (t *TestFrostFS) AddContainerPolicyChain(_ context.Context, prm frostfs.PrmAddContainerPolicyChain) error {
+	list, ok := t.chains[prm.ContainerID.EncodeToString()]
+	if !ok {
+		return errors.New("container not found")
+	}
+
+	t.chains[prm.ContainerID.EncodeToString()] = append(list, prm.Chain)
+
+	return nil
+}
+
 func (t *TestFrostFS) checkAccess(cnrID cid.ID, owner user.ID) bool {
 	cnr, ok := t.containers[cnrID.EncodeToString()]
 	if !ok {

api/layer/layer.go

@@ -111,7 +111,7 @@ type (
 		Encryption        encryption.Params
 		CopiesNumbers     []uint32
 		CompleteMD5Hash   string
-		ContentMD5        string
+		ContentMD5        *string
 		ContentSHA256Hash string
 	}
 

api/layer/listing.go

@@ -585,7 +585,7 @@ func shouldSkip(node *data.ExtendedNodeVersion, p commonVersionsListingParams, e
 		return true
 	}
 
-	if p.Bookmark != "" {
+	if p.Bookmark != "" && p.Bookmark != p.Marker {
 		if _, ok := existed[continuationToken]; !ok {
 			if p.Bookmark != node.NodeVersion.OID.EncodeToString() {
 				return true

api/layer/object.go

@@ -286,8 +286,11 @@ func (n *Layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Extend
 		return nil, err
 	}
 
-	if !p.Encryption.Enabled() && len(p.ContentMD5) > 0 {
-		headerMd5Hash, err := base64.StdEncoding.DecodeString(p.ContentMD5)
+	if !p.Encryption.Enabled() && p.ContentMD5 != nil {
+		if len(*p.ContentMD5) == 0 {
+			return nil, apierr.GetAPIError(apierr.ErrInvalidDigest)
+		}
+		headerMd5Hash, err := base64.StdEncoding.DecodeString(*p.ContentMD5)
 		if err != nil {
 			return nil, apierr.GetAPIError(apierr.ErrInvalidDigest)
 		}
@@ -296,7 +299,7 @@ func (n *Layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Extend
 			if err != nil {
 				n.reqLogger(ctx).Debug(logs.FailedToDeleteObject, zap.Stringer("cid", p.BktInfo.CID), zap.Stringer("oid", createdObj.ID))
 			}
-			return nil, apierr.GetAPIError(apierr.ErrInvalidDigest)
+			return nil, apierr.GetAPIError(apierr.ErrBadDigest)
 		}
 	}
 

authmate/authmate.go

@@ -33,7 +33,7 @@ import (
 // PrmContainerCreate groups parameters of containers created by authmate.
 type PrmContainerCreate struct {
 	// FrostFS identifier of the container creator.
-	Owner user.ID
+	Owner *keys.PublicKey
 
 	// Container placement policy.
 	Policy netmap.PlacementPolicy

cmd/s3-authmate/modules/issue-secret.go

@@ -14,7 +14,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/wallet"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -227,10 +226,9 @@ func createAccessBox(ctx context.Context, frostFS *frostfs.AuthmateFrostFS, key
 
 	prm := authmate.PrmContainerCreate{
 		FriendlyName: friendlyName,
+		Owner:        key.PublicKey(),
 	}
 
-	user.IDFromKey(&prm.Owner, key.PrivateKey.PublicKey)
-
 	if err := prm.Policy.DecodeString(placementPolicy); err != nil {
 		return cid.ID{}, fmt.Errorf("failed to build placement policy: %w", err)
 	}

internal/frostfs/authmate.go

@@ -3,6 +3,7 @@ package frostfs
 import (
 	"bytes"
 	"context"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"strconv"
@@ -16,10 +17,12 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/crdt"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"go.uber.org/zap"
 )
 
@@ -55,21 +58,61 @@ func (x *AuthmateFrostFS) TimeToEpoch(ctx context.Context, futureTime time.Time)
 
 // CreateContainer implements authmate.FrostFS interface method.
 func (x *AuthmateFrostFS) CreateContainer(ctx context.Context, prm authmate.PrmContainerCreate) (cid.ID, error) {
-	basicACL := acl.Private
-	// allow reading objects to OTHERS in order to provide read access to S3 gateways
-	basicACL.AllowOp(acl.OpObjectGet, acl.RoleOthers)
-	basicACL.AllowOp(acl.OpObjectHead, acl.RoleOthers)
-	basicACL.AllowOp(acl.OpObjectSearch, acl.RoleOthers)
+	var owner user.ID
+	owner.SetScriptHash(prm.Owner.GetScriptHash())
 
 	res, err := x.frostFS.CreateContainer(ctx, frostfs.PrmContainerCreate{
-		Creator:  prm.Owner,
-		Policy:   prm.Policy,
-		Name:     prm.FriendlyName,
-		BasicACL: basicACL,
+		Creator: owner,
+		Policy:  prm.Policy,
+		Name:    prm.FriendlyName,
 	})
 	if err != nil {
 		return cid.ID{}, err
 	}
+
+	ch := chain.Chain{
+		ID: chain.ID("authmate/" + owner.String()),
+		Rules: []chain.Rule{
+			{
+				Status:  chain.Allow,
+				Actions: chain.Actions{Names: []string{"*"}},
+				Resources: chain.Resources{Names: []string{
+					fmt.Sprintf(native.ResourceFormatRootContainer, res.ContainerID),
+					fmt.Sprintf(native.ResourceFormatRootContainerObjects, res.ContainerID),
+				}},
+				Condition: []chain.Condition{{
+					Op:    chain.CondStringEquals,
+					Kind:  chain.KindRequest,
+					Key:   native.PropertyKeyActorPublicKey,
+					Value: hex.EncodeToString(prm.Owner.Bytes()),
+				}},
+			},
+			{
+				Status: chain.Allow,
+				Actions: chain.Actions{Names: []string{
+					native.MethodGetContainer,
+					native.MethodGetObject,
+					native.MethodHeadObject,
+					native.MethodSearchObject,
+					native.MethodRangeObject,
+					native.MethodHashObject,
+				}},
+				Resources: chain.Resources{Names: []string{
+					fmt.Sprintf(native.ResourceFormatRootContainer, res.ContainerID),
+					fmt.Sprintf(native.ResourceFormatRootContainerObjects, res.ContainerID),
+				}},
+			},
+		},
+	}
+
+	err = x.frostFS.AddContainerPolicyChain(ctx, frostfs.PrmAddContainerPolicyChain{
+		ContainerID: res.ContainerID,
+		Chain:       ch,
+	})
+	if err != nil {
+		return cid.ID{}, err
+	}
+
 	return res.ContainerID, nil
 }
 

internal/frostfs/authmate_test.go

@@ -47,7 +47,7 @@ func TestCredsObject(t *testing.T) {
 
 	cnrID, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
 		FriendlyName: bktName,
-		Owner:        userID,
+		Owner:        key.PublicKey(),
 	})
 	require.NoError(t, err)
 

internal/frostfs/frostfs.go

@@ -12,6 +12,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
 	frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/util"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
@@ -93,7 +94,6 @@ func (x *FrostFS) CreateContainer(ctx context.Context, prm frostfs.PrmContainerC
 	cnr.Init()
 	cnr.SetPlacementPolicy(prm.Policy)
 	cnr.SetOwner(prm.Creator)
-	cnr.SetBasicACL(prm.BasicACL)
 
 	creationTime := prm.CreationTime
 	if creationTime.IsZero() {
@@ -135,6 +135,25 @@ func (x *FrostFS) CreateContainer(ctx context.Context, prm frostfs.PrmContainerC
 	}, handleObjectError("save container via connection pool", err)
 }
 
+// AddContainerPolicyChain implements frostfs.FrostFS interface method.
+func (x *FrostFS) AddContainerPolicyChain(ctx context.Context, prm frostfs.PrmAddContainerPolicyChain) error {
+	var prmAddAPEChain pool.PrmAddAPEChain
+	prmAddAPEChain.Target = ape.ChainTarget{
+		TargetType: ape.TargetTypeContainer,
+		Name:       prm.ContainerID.EncodeToString(),
+	}
+
+	data, err := prm.Chain.MarshalBinary()
+	if err != nil {
+		return err
+	}
+
+	prmAddAPEChain.Chain = ape.Chain{Raw: data}
+
+	err = x.pool.AddAPEChain(ctx, prmAddAPEChain)
+	return handleObjectError("add ape chain to container", err)
+}
+
 // UserContainers implements layer.FrostFS interface method.
 func (x *FrostFS) UserContainers(ctx context.Context, layerPrm frostfs.PrmUserContainers) ([]cid.ID, error) {
 	prm := pool.PrmContainerList{