diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go index 2bbf75fe14..4239a9c29f 100644 --- a/pkg/services/tree/signature.go +++ b/pkg/services/tree/signature.go @@ -18,6 +18,7 @@ import ( neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa" "github.com/nspcc-dev/neofs-sdk-go/eacl" "github.com/nspcc-dev/neofs-sdk-go/user" + "go.uber.org/zap" ) type message interface { @@ -68,8 +69,20 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op eaclOp := eACLOp(op) + var tableFromBearer bool + if len(rawBearer) != 0 { + if !basicACL.AllowedBearerRules(op) { + s.log.Debug("bearer presented but not allowed by ACL", + zap.String("cid", cid.EncodeToString()), + zap.String("op", op.String()), + ) + } else { + tableFromBearer = true + } + } + var tb eacl.Table - if len(rawBearer) != 0 && basicACL.AllowedBearerRules(op) { + if tableFromBearer { var bt bearer.Token if err = bt.Unmarshal(rawBearer); err != nil { return eACLErr(eaclOp, fmt.Errorf("invalid bearer token: %w", err))