From 7e04083c273c7c50eebd76cde5d46d91fcc494a2 Mon Sep 17 00:00:00 2001
From: Dmitrii Stepanov <d.stepanov@yadro.com>
Date: Mon, 29 Jul 2024 13:03:55 +0300
Subject: [PATCH] [#1278] containerSvc: Validate FrostFSID subject exitence on
 Put

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
---
 pkg/services/container/ape.go      | 21 ++++++++++++++++++++-
 pkg/services/container/ape_test.go | 15 ++++++++++-----
 2 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/pkg/services/container/ape.go b/pkg/services/container/ape.go
index 8fe4dd2d9..6f8a8e0e6 100644
--- a/pkg/services/container/ape.go
+++ b/pkg/services/container/ape.go
@@ -211,7 +211,7 @@ func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*cont
 		}
 	}
 
-	namespace, err := ac.namespaceByOwner(req.GetBody().GetContainer().GetOwnerID())
+	namespace, err := ac.namespaceByKnownOwner(req.GetBody().GetContainer().GetOwnerID())
 	if err != nil {
 		return nil, fmt.Errorf("get namespace error: %w", err)
 	}
@@ -608,6 +608,25 @@ func (ac *apeChecker) namespaceByOwner(owner *refs.OwnerID) (string, error) {
 	return namespace, nil
 }
 
+func (ac *apeChecker) namespaceByKnownOwner(owner *refs.OwnerID) (string, error) {
+	var ownerSDK user.ID
+	if owner == nil {
+		return "", errOwnerIDIsNotSet
+	}
+	if err := ownerSDK.ReadFromV2(*owner); err != nil {
+		return "", err
+	}
+	addr, err := ownerSDK.ScriptHash()
+	if err != nil {
+		return "", err
+	}
+	subject, err := ac.frostFSIDClient.GetSubject(addr)
+	if err != nil {
+		return "", fmt.Errorf("get subject error: %w", err)
+	}
+	return subject.Namespace, nil
+}
+
 // validateNamespace validates a namespace set in a container.
 // If frostfs-id contract stores a namespace N1 for an owner ID and a container within a request
 // is set with namespace N2 (via Zone() property), then N2 is invalid and the request is denied.
diff --git a/pkg/services/container/ape_test.go b/pkg/services/container/ape_test.go
index 9eed469ca..68c1158a6 100644
--- a/pkg/services/container/ape_test.go
+++ b/pkg/services/container/ape_test.go
@@ -765,17 +765,22 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
 		keys: [][]byte{},
 	}
 	nm := &netmapStub{}
-	frostfsIDSubjectReader := &frostfsidStub{
-		subjects: map[util.Uint160]*client.Subject{},
-	}
-	apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
 
 	testContainer := containertest.Container()
+	owner := testContainer.Owner()
+	ownerAddr, err := owner.ScriptHash()
+	require.NoError(t, err)
+	frostfsIDSubjectReader := &frostfsidStub{
+		subjects: map[util.Uint160]*client.Subject{
+			ownerAddr: {},
+		},
+	}
+	apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
 
 	nm.currentEpoch = 100
 	nm.netmaps = map[uint64]*netmap.NetMap{}
 
-	_, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
+	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 		Rules: []chain.Rule{
 			{
 				Status: chain.AccessDenied,