[#1190] tree: GroupIDs must also be target of APE checks

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-06-20 15:49:22 +03:00 · 2024-06-20 15:49:22 +03:00 · 11a38a0a84
commit 11a38a0a84
parent 0b87388c18
1 changed files with 11 additions and 1 deletions
--- a/pkg/services/tree/ape.go
+++ b/pkg/services/tree/ape.go
@ -161,7 +161,17 @@ func (s *Service) checkAPE(ctx context.Context, bt *bearer.Token,
 		}
 	}

-	rt := engine.NewRequestTargetExtended(namespace, cid.EncodeToString(), fmt.Sprintf("%s:%s", namespace, publicKey.Address()), nil)
+	groups, err := aperequest.Groups(s.frostfsidSubjectProvider, publicKey)
+	if err != nil {
+		return fmt.Errorf("failed to get group ids: %w", err)
+	}
+
+	// Policy contract keeps group related chains as namespace-group pair.
+	for i := range groups {
+		groups[i] = fmt.Sprintf("%s:%s", namespace, groups[i])
+	}
+
+	rt := engine.NewRequestTargetExtended(namespace, cid.EncodeToString(), fmt.Sprintf("%s:%s", namespace, publicKey.Address()), groups)
 	status, found, err := s.router.IsAllowed(apechain.Ingress, rt, request)
 	if err != nil {
 		return apeErr(err)