From 69a03c5bbe25376e62898bf01809834e2fdc7a57 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <denis@nspcc.ru>
Date: Tue, 26 Apr 2022 17:35:12 +0300
Subject: [PATCH] [#406] authmate: update default bearer rules

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
---
 authmate/authmate.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/authmate/authmate.go b/authmate/authmate.go
index 127b9323..b146c409 100644
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@@ -320,16 +320,28 @@ func buildEACLTable(eaclTable []byte) (*eacl.Table, error) {
 	record := eacl.NewRecord()
 	record.SetOperation(eacl.OperationGet)
 	record.SetAction(eacl.ActionAllow)
-	// TODO: Change this later.
-	// from := eacl.HeaderFromObject
-	// matcher := eacl.MatchStringEqual
-	// record.AddFilter(from eacl.FilterHeaderType, matcher eacl.Match, name string, value string)
 	eacl.AddFormedTarget(record, eacl.RoleOthers)
 	table.AddRecord(record)
 
+	for _, rec := range restrictedRecords() {
+		table.AddRecord(rec)
+	}
+
 	return table, nil
 }
 
+func restrictedRecords() (records []*eacl.Record) {
+	for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ {
+		record := eacl.NewRecord()
+		record.SetOperation(op)
+		record.SetAction(eacl.ActionDeny)
+		eacl.AddFormedTarget(record, eacl.RoleOthers)
+		records = append(records, record)
+	}
+
+	return
+}
+
 func buildContext(rules []byte) ([]*session.ContainerContext, error) {
 	var sessionCtxs []*session.ContainerContext