`fmt.Errorf can be replaced with errors.New` and `fmt.Sprintf can be replaced with string addition`
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Found by vulncheck:
Vulnerability #1: GO-2024-2611
Infinite loop in JSON unmarshaling in google.golang.org/protobuf
More info: https://pkg.go.dev/vuln/GO-2024-2611
Module: google.golang.org/protobuf
Found in: google.golang.org/protobuf@v1.32.0
Fixed in: google.golang.org/protobuf@v1.33.0
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
* Introduce workaround to create actor for contract storage interface
without passing a real alphabet wallet. This is made by creating
a dummy account.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* Remove removed flag in service.proto for RemoveChainLocalOverrideResponse.
* Regenerate control API.
* Return error only if RemoveOverride returns non-NotFound code.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* If APE check returns NoRuleFound, then it is taken for request deny.
* Add more unit tests for ape container middleware.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* Soft APE check means that APE should allow request even if
it gets status NoRuleFound for a request. Otherwise,
it is interpreted as Deny.
* Soft APE check is performed if basic ACL mask is not set.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
There may be a race condition between putting an object and
flushing the writecache:
1. Put object to the writecache
2. Writecache flushes object to the blobstore and sets blobstore's
storageID
3. Put object to the metabase, set writecache's storageID
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Nothing is broken now, but it will easily become broken if we change nnsMaxTokens,
thus this change.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
Initial prefetch size can be arbitrary and restricted only by VM/RPC
limits. For TraverseIterator() there is an explicit check on the
server-side, though.
Introduced in df055fead5.
Refs #931.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
Proxy contract can now be used as an owner of NNS domains, thus we need
it not only to pay for the transaction but also to check domain
ownership. CalledByEntry is not enough, because we may register NNS
domains owned by proxy indirectly from the container contract.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
Most of the time it exists, e.g. when it is per-container and used on each
object PUT. Bbolt implementation first tries to create bucket and then
returns it if it exists. Create operation uses cursor and thus is not
very lightweight, we can avoid it.
```
goos: linux
goarch: amd64
pkg: git.frostfs.info/TrueCloudLab/frostfs-node/pkg/local_object_storage/metabase
cpu: 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz
│ old │ new │
│ sec/op │ sec/op vs base │
Put/parallel-8 174.4µ ± 3% 163.3µ ± 3% -6.39% (p=0.000 n=10)
Put/sequential-8 263.3µ ± 2% 259.0µ ± 1% -1.64% (p=0.000 n=10)
geomean 214.3µ 205.6µ -4.05%
│ old │ new │
│ B/op │ B/op vs base │
Put/parallel-8 275.3Ki ± 3% 281.1Ki ± 4% ~ (p=0.063 n=10)
Put/sequential-8 413.0Ki ± 2% 426.6Ki ± 2% +3.29% (p=0.003 n=10)
geomean 337.2Ki 346.3Ki +2.70%
│ old │ new │
│ allocs/op │ allocs/op vs base │
Put/parallel-8 678.0 ± 1% 524.5 ± 2% -22.64% (p=0.000 n=10)
Put/sequential-8 1.329k ± 0% 1.183k ± 0% -10.91% (p=0.000 n=10)
geomean 949.1 787.9 -16.98%
```
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
* Introduce path flag to make add-rule command read and parse
chain from file. File is binary/JSON-encoded chain.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>