[#180] Make separate basic ACL check for inner ring requests

Signed-off-by: Alex Vanin <alexey@nspcc.ru>

pkg/services/object/acl/acl.go

@@ -53,6 +53,7 @@ type (
 	requestInfo struct {
 		basicACL    basicACLHelper
 		requestRole acl.Role
+		isInnerRing bool
 		operation   acl.Operation // put, get, head, etc.
 		owner       *owner.ID     // container owner
 
@@ -491,6 +492,9 @@ func basicACLCheck(info requestInfo) bool {
 		checkFn = info.basicACL.UserAllowed
 	case acl.RoleSystem:
 		checkFn = info.basicACL.SystemAllowed
+		if info.isInnerRing {
+			checkFn = info.basicACL.InnerRingAllowed
+		}
 	case acl.RoleOthers:
 		checkFn = info.basicACL.OthersAllowed
 	default:

pkg/services/object/acl/basic_helper.go

@@ -121,6 +121,21 @@ func (a basicACLHelper) SystemAllowed(op eacl.Operation) bool {
 	return false
 }
 
+// InnerRingAllowed returns true if the operation is allowed by ACL for
+// InnerRing nodes, as part of System group.
+func (a basicACLHelper) InnerRingAllowed(op eacl.Operation) bool {
+	switch op {
+	case eacl.OperationSearch, eacl.OperationRangeHash, eacl.OperationHead:
+		return true
+	default:
+		if n, ok := order[op]; ok {
+			return isLeftBitSet(a, opOffset+n*bitsPerOp+bitSystem)
+		}
+
+		return false
+	}
+}
+
 // AllowSystem allows System group the n-th operation in ACL.
 func (a *basicACLHelper) AllowSystem(op eacl.Operation) {
 	if n, ok := order[op]; ok {