[#1628] tree: Log unacceptable bearer attachment

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-09-12 14:28:37 +03:00 · 2022-09-12 14:28:37 +03:00 · 5adf089c1d
parent 2ffcd02ac3
commit 5adf089c1d
1 changed files with 14 additions and 1 deletions
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@ -18,6 +18,7 @@ import (
 	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	"github.com/nspcc-dev/neofs-sdk-go/eacl"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
+	"go.uber.org/zap"
 )

 type message interface {
@ -68,8 +69,20 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op

 	eaclOp := eACLOp(op)

+	var tableFromBearer bool
+	if len(rawBearer) != 0 {
+		if !basicACL.AllowedBearerRules(op) {
+			s.log.Debug("bearer presented but not allowed by ACL",
+				zap.String("cid", cid.EncodeToString()),
+				zap.String("op", op.String()),
+			)
+		} else {
+			tableFromBearer = true
+		}
+	}
+
 	var tb eacl.Table
-	if len(rawBearer) != 0 && basicACL.AllowedBearerRules(op) {
+	if tableFromBearer {
 		var bt bearer.Token
 		if err = bt.Unmarshal(rawBearer); err != nil {
 			return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))