From 0e42126ddcc7d42db01935cd7ba7a4ff4df712c9 Mon Sep 17 00:00:00 2001
From: Dmitrii Stepanov <d.stepanov@yadro.com>
Date: Thu, 16 May 2024 10:02:41 +0300
Subject: [PATCH] [#1129] object: Fix check owner for EC part

Do not validate EC part owner if request from container node.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
---
 pkg/core/object/fmt.go | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/pkg/core/object/fmt.go b/pkg/core/object/fmt.go
index e266800b2..fa1e40dd0 100644
--- a/pkg/core/object/fmt.go
+++ b/pkg/core/object/fmt.go
@@ -167,17 +167,29 @@ func (v *FormatValidator) validateSignatureKey(obj *objectSDK.Object) error {
 	token := obj.SessionToken()
 	ownerID := obj.OwnerID()
 
+	if token == nil && obj.ECHeader() != nil {
+		role, err := v.isIROrContainerNode(obj, binKey)
+		if err != nil {
+			return err
+		}
+		if role == acl.RoleContainer {
+			// EC part could be restored or created by container node, so ownerID could not match object signature
+			return nil
+		}
+		return v.checkOwnerKey(ownerID, key)
+	}
+
 	if token == nil || !token.AssertAuthKey(&key) {
 		return v.checkOwnerKey(ownerID, key)
 	}
 
 	if v.verifyTokenIssuer {
-		signerIsIROrContainerNode, err := v.isIROrContainerNode(obj, binKey)
+		role, err := v.isIROrContainerNode(obj, binKey)
 		if err != nil {
 			return err
 		}
 
-		if signerIsIROrContainerNode {
+		if role == acl.RoleContainer || role == acl.RoleInnerRing {
 			return nil
 		}
 
@@ -190,10 +202,10 @@ func (v *FormatValidator) validateSignatureKey(obj *objectSDK.Object) error {
 	return nil
 }
 
-func (v *FormatValidator) isIROrContainerNode(obj *objectSDK.Object, signerKey []byte) (bool, error) {
+func (v *FormatValidator) isIROrContainerNode(obj *objectSDK.Object, signerKey []byte) (acl.Role, error) {
 	cnrID, containerIDSet := obj.ContainerID()
 	if !containerIDSet {
-		return false, errNilCID
+		return acl.RoleOthers, errNilCID
 	}
 
 	cnrIDBin := make([]byte, sha256.Size)
@@ -201,14 +213,14 @@ func (v *FormatValidator) isIROrContainerNode(obj *objectSDK.Object, signerKey [
 
 	cnr, err := v.containers.Get(cnrID)
 	if err != nil {
-		return false, fmt.Errorf("failed to get container (id=%s): %w", cnrID.EncodeToString(), err)
+		return acl.RoleOthers, fmt.Errorf("failed to get container (id=%s): %w", cnrID.EncodeToString(), err)
 	}
 
 	res, err := v.senderClassifier.IsInnerRingOrContainerNode(signerKey, cnrID, cnr.Value)
 	if err != nil {
-		return false, err
+		return acl.RoleOthers, err
 	}
-	return res.Role == acl.RoleContainer || res.Role == acl.RoleInnerRing, nil
+	return res.Role, nil
 }
 
 func (v *FormatValidator) checkOwnerKey(id user.ID, key frostfsecdsa.PublicKey) error {