From d5a14041e00d52a8511dc8c9c2bc1134a0d16c3c Mon Sep 17 00:00:00 2001
From: Pavel Karpy <carpawell@nspcc.ru>
Date: Fri, 11 Nov 2022 20:57:56 +0300
Subject: [PATCH] [#2040] node: Do not attach tokens in the assembly process

A container node is expected to have full "get" access to assemble the
object.
A non-container node is expected to forward any request to a container node.
Any token is expected to be issued for an original request sender not for a
node so any new request is invalid by design with that token.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
---
 CHANGELOG.md                        |  1 +
 pkg/services/object/get/assemble.go | 13 +++++++++++++
 pkg/services/object/util/prm.go     |  9 +++++++++
 3 files changed, 23 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2d5109a9e..7259f6d01 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@ Changelog for NeoFS Node
 - Malformed request errors' reasons in the responses (#2028)
 - Session token's IAT and NBF checks in ACL service (#2028)
 - Losing meta information on request forwarding (#2040)
+- Assembly process triggered by a request with a bearer token (#2040)
 
 ### Removed
 ### Updated
diff --git a/pkg/services/object/get/assemble.go b/pkg/services/object/get/assemble.go
index 58cb95130..8a9f959fb 100644
--- a/pkg/services/object/get/assemble.go
+++ b/pkg/services/object/get/assemble.go
@@ -13,6 +13,19 @@ func (exec *execCtx) assemble() {
 		return
 	}
 
+	// Any access tokens are not expected to be used in the assembly process:
+	//  - there is no requirement to specify child objects in session/bearer
+	//    token for `GET`/`GETRANGE`/`RANGEHASH` requests in the API protocol,
+	//    and, therefore, their missing in the original request should not be
+	//    considered as error; on the other hand, without session for every child
+	//    object, it is impossible to attach bearer token in the new generated
+	//    requests correctly because the token has not been issued for that node's
+	//    key;
+	//  - the assembly process is expected to be handled on a container node
+	//    only since the requests forwarding mechanism presentation; such the
+	//    node should have enough rights for getting any child object by design.
+	exec.prm.common.ForgetTokens()
+
 	// Do not use forwarding during assembly stage.
 	// Request forwarding closure inherited in produced
 	// `execCtx` so it should be disabled there.
diff --git a/pkg/services/object/util/prm.go b/pkg/services/object/util/prm.go
index 952f12824..d608ad68e 100644
--- a/pkg/services/object/util/prm.go
+++ b/pkg/services/object/util/prm.go
@@ -98,6 +98,15 @@ func (p *CommonPrm) SetNetmapLookupDepth(v uint64) {
 	}
 }
 
+// ForgetTokens forgets all the tokens read from the request's
+// meta information before.
+func (p *CommonPrm) ForgetTokens() {
+	if p != nil {
+		p.token = nil
+		p.bearer = nil
+	}
+}
+
 func CommonPrmFromV2(req interface {
 	GetMetaHeader() *session.RequestMetaHeader
 }) (*CommonPrm, error) {