From 5adf089c1dcff73e7b2dae0bd42a42d37342e6d8 Mon Sep 17 00:00:00 2001
From: Pavel Karpy <carpawell@nspcc.ru>
Date: Mon, 12 Sep 2022 14:28:37 +0300
Subject: [PATCH] [#1628] tree: Log unacceptable bearer attachment

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
---
 pkg/services/tree/signature.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go
index 2bbf75fe1..4239a9c29 100644
--- a/pkg/services/tree/signature.go
+++ b/pkg/services/tree/signature.go
@@ -18,6 +18,7 @@ import (
 	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	"github.com/nspcc-dev/neofs-sdk-go/eacl"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
+	"go.uber.org/zap"
 )
 
 type message interface {
@@ -68,8 +69,20 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op
 
 	eaclOp := eACLOp(op)
 
+	var tableFromBearer bool
+	if len(rawBearer) != 0 {
+		if !basicACL.AllowedBearerRules(op) {
+			s.log.Debug("bearer presented but not allowed by ACL",
+				zap.String("cid", cid.EncodeToString()),
+				zap.String("op", op.String()),
+			)
+		} else {
+			tableFromBearer = true
+		}
+	}
+
 	var tb eacl.Table
-	if len(rawBearer) != 0 && basicACL.AllowedBearerRules(op) {
+	if tableFromBearer {
 		var bt bearer.Token
 		if err = bt.Unmarshal(rawBearer); err != nil {
 			return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))
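Review bot: The new branch at `if !basicACL.AllowedBearerRules(op)` records a presented-but-ignored bearer only with `s.log.Debug`, so a deployment that runs with debug logging off still gets no trace of it, and the request goes on past the `if tableFromBearer` branch without the bearer's table. If Debug is deliberate because any client can trigger this path and could flood the log, state that next to the call, for example `// Debug on purpose: client-triggerable; the bearer is ignored here, not rejected`. Otherwise consider a level that is enabled by default. The entry carries `cid` and `op` but nothing that identifies the requester, which limits its value when investigating repeated attempts; whether a signer key is in scope at this point is not visible in the hunk. verifyClient's body starts and ends outside the hunk.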