From 632bd8e38dd34e2438dd39c53111605dd94ef8b1 Mon Sep 17 00:00:00 2001
From: Dmitrii Stepanov <d.stepanov@yadro.com>
Date: Tue, 25 Mar 2025 12:15:46 +0300
Subject: [PATCH] [#1696] qos: Fix internal tag adjust

If request has no tag, but request's public key is netmap node's key or
one of allowed internal tag keys from config, then request must use
internal IO tag.

Change-Id: Iff93b626941a81b088d8999b3f2947f9501dcdf8
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
---
 cmd/frostfs-node/qos.go           |  39 ++++--
 cmd/frostfs-node/qos_test.go      | 226 ++++++++++++++++++++++++++++++
 internal/logs/logs.go             |   2 +-
 pkg/core/object/fmt_test.go       |  42 ++----
 pkg/util/testing/netmap_source.go |  36 +++++
 5 files changed, 298 insertions(+), 47 deletions(-)
 create mode 100644 cmd/frostfs-node/qos_test.go
 create mode 100644 pkg/util/testing/netmap_source.go

diff --git a/cmd/frostfs-node/qos.go b/cmd/frostfs-node/qos.go
index 9663fc6ae..6394b668b 100644
--- a/cmd/frostfs-node/qos.go
+++ b/cmd/frostfs-node/qos.go
@@ -43,6 +43,9 @@ func initQoSService(c *cfg) {
 func (s *cfgQoSService) AdjustIncomingTag(ctx context.Context, requestSignPublicKey []byte) context.Context {
 	rawTag, defined := qosTagging.IOTagFromContext(ctx)
 	if !defined {
+		if s.isInternalIOTagPublicKey(ctx, requestSignPublicKey) {
+			return qosTagging.ContextWithIOTag(ctx, qos.IOTagInternal.String())
+		}
 		return qosTagging.ContextWithIOTag(ctx, qos.IOTagClient.String())
 	}
 	ioTag, err := qos.FromRawString(rawTag)
@@ -73,20 +76,8 @@ func (s *cfgQoSService) AdjustIncomingTag(ctx context.Context, requestSignPublic
 		s.logger.Debug(ctx, logs.FailedToValidateIncomingIOTag)
 		return qosTagging.ContextWithIOTag(ctx, qos.IOTagClient.String())
 	case qos.IOTagInternal:
-		for _, pk := range s.allowedInternalPubs {
-			if bytes.Equal(pk, requestSignPublicKey) {
-				return ctx
-			}
-		}
-		nm, err := s.netmapSource.GetNetMap(ctx, 0)
-		if err != nil {
-			s.logger.Debug(ctx, logs.FailedToGetNetmapToAdjustIOTag, zap.Error(err))
-			return qosTagging.ContextWithIOTag(ctx, qos.IOTagClient.String())
-		}
-		for _, node := range nm.Nodes() {
-			if bytes.Equal(node.PublicKey(), requestSignPublicKey) {
-				return ctx
-			}
+		if s.isInternalIOTagPublicKey(ctx, requestSignPublicKey) {
+			return ctx
 		}
 		s.logger.Debug(ctx, logs.FailedToValidateIncomingIOTag)
 		return qosTagging.ContextWithIOTag(ctx, qos.IOTagClient.String())
@@ -95,3 +86,23 @@ func (s *cfgQoSService) AdjustIncomingTag(ctx context.Context, requestSignPublic
 		return qosTagging.ContextWithIOTag(ctx, qos.IOTagClient.String())
 	}
 }
+
+func (s *cfgQoSService) isInternalIOTagPublicKey(ctx context.Context, publicKey []byte) bool {
+	for _, pk := range s.allowedInternalPubs {
+		if bytes.Equal(pk, publicKey) {
+			return true
+		}
+	}
+	nm, err := s.netmapSource.GetNetMap(ctx, 0)
+	if err != nil {
+		s.logger.Debug(ctx, logs.FailedToGetNetmapToAdjustIOTag, zap.Error(err))
+		return false
+	}
+	for _, node := range nm.Nodes() {
+		if bytes.Equal(node.PublicKey(), publicKey) {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/cmd/frostfs-node/qos_test.go b/cmd/frostfs-node/qos_test.go
new file mode 100644
index 000000000..971f9eebf
--- /dev/null
+++ b/cmd/frostfs-node/qos_test.go
@@ -0,0 +1,226 @@
+package main
+
+import (
+	"context"
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/qos"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger/test"
+	utilTesting "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/testing"
+	"git.frostfs.info/TrueCloudLab/frostfs-qos/tagging"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/stretchr/testify/require"
+)
+
+func TestQoSService_Client(t *testing.T) {
+	t.Parallel()
+	s, pk := testQoSServicePrepare(t)
+	t.Run("IO tag client defined", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagClient.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.Request)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("no IO tag defined, signed with unknown key", func(t *testing.T) {
+		ctx := s.AdjustIncomingTag(context.Background(), pk.Request)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("no IO tag defined, signed with allowed critical key", func(t *testing.T) {
+		ctx := s.AdjustIncomingTag(context.Background(), pk.Critical)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("unknown IO tag, signed with unknown key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), "some IO tag we don't know")
+		ctx = s.AdjustIncomingTag(ctx, pk.Request)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("unknown IO tag, signed with netmap key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), "some IO tag we don't know")
+		ctx = s.AdjustIncomingTag(ctx, pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("unknown IO tag, signed with allowed internal key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), "some IO tag we don't know")
+		ctx = s.AdjustIncomingTag(ctx, pk.Internal)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("unknown IO tag, signed with allowed critical key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), "some IO tag we don't know")
+		ctx = s.AdjustIncomingTag(ctx, pk.Critical)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("IO tag internal defined, signed with unknown key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagInternal.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.Request)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("IO tag internal defined, signed with allowed critical key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagInternal.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.Critical)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("IO tag critical defined, signed with unknown key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagCritical.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.Request)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("IO tag critical defined, signed with allowed internal key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagCritical.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.Internal)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+}
+
+func TestQoSService_Internal(t *testing.T) {
+	t.Parallel()
+	s, pk := testQoSServicePrepare(t)
+	t.Run("IO tag internal defined, signed with netmap key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagInternal.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagInternal.String(), tag)
+	})
+	t.Run("IO tag internal defined, signed with allowed internal key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagInternal.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.Internal)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagInternal.String(), tag)
+	})
+	t.Run("no IO tag defined, signed with netmap key", func(t *testing.T) {
+		ctx := s.AdjustIncomingTag(context.Background(), pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagInternal.String(), tag)
+	})
+	t.Run("no IO tag defined, signed with allowed internal key", func(t *testing.T) {
+		ctx := s.AdjustIncomingTag(context.Background(), pk.Internal)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagInternal.String(), tag)
+	})
+}
+
+func TestQoSService_Critical(t *testing.T) {
+	t.Parallel()
+	s, pk := testQoSServicePrepare(t)
+	t.Run("IO tag critical defined, signed with netmap key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagCritical.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagCritical.String(), tag)
+	})
+	t.Run("IO tag critical defined, signed with allowed critical key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagCritical.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.Critical)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagCritical.String(), tag)
+	})
+}
+
+func TestQoSService_NetmapGetError(t *testing.T) {
+	t.Parallel()
+	s, pk := testQoSServicePrepare(t)
+	s.netmapSource = &utilTesting.TestNetmapSource{}
+	t.Run("IO tag internal defined, signed with netmap key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagInternal.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("IO tag critical defined, signed with netmap key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), qos.IOTagCritical.String())
+		ctx = s.AdjustIncomingTag(ctx, pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("no IO tag defined, signed with netmap key", func(t *testing.T) {
+		ctx := s.AdjustIncomingTag(context.Background(), pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+	t.Run("unknown IO tag, signed with netmap key", func(t *testing.T) {
+		ctx := tagging.ContextWithIOTag(context.Background(), "some IO tag we don't know")
+		ctx = s.AdjustIncomingTag(ctx, pk.NetmapNode)
+		tag, ok := tagging.IOTagFromContext(ctx)
+		require.True(t, ok)
+		require.Equal(t, qos.IOTagClient.String(), tag)
+	})
+}
+
+func testQoSServicePrepare(t *testing.T) (*cfgQoSService, *testQoSServicePublicKeys) {
+	nmSigner, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+
+	reqSigner, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+
+	allowedCritSigner, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+
+	allowedIntSigner, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+
+	var node netmap.NodeInfo
+	node.SetPublicKey(nmSigner.PublicKey().Bytes())
+	nm := &netmap.NetMap{}
+	nm.SetEpoch(100)
+	nm.SetNodes([]netmap.NodeInfo{node})
+
+	return &cfgQoSService{
+			logger: test.NewLogger(t),
+			netmapSource: &utilTesting.TestNetmapSource{
+				Netmaps: map[uint64]*netmap.NetMap{
+					100: nm,
+				},
+				CurrentEpoch: 100,
+			},
+			allowedCriticalPubs: [][]byte{
+				allowedCritSigner.PublicKey().Bytes(),
+			},
+			allowedInternalPubs: [][]byte{
+				allowedIntSigner.PublicKey().Bytes(),
+			},
+		},
+		&testQoSServicePublicKeys{
+			NetmapNode: nmSigner.PublicKey().Bytes(),
+			Request:    reqSigner.PublicKey().Bytes(),
+			Internal:   allowedIntSigner.PublicKey().Bytes(),
+			Critical:   allowedCritSigner.PublicKey().Bytes(),
+		}
+}
+
+type testQoSServicePublicKeys struct {
+	NetmapNode []byte
+	Request    []byte
+	Internal   []byte
+	Critical   []byte
+}
diff --git a/internal/logs/logs.go b/internal/logs/logs.go
index 3503c922e..5b42b25ba 100644
--- a/internal/logs/logs.go
+++ b/internal/logs/logs.go
@@ -512,7 +512,7 @@ const (
 	FailedToUpdateMultinetConfiguration                                  = "failed to update multinet configuration"
 	FailedToParseIncomingIOTag                                           = "failed to parse incoming IO tag"
 	NotSupportedIncomingIOTagReplacedWithClient                          = "incoming IO tag is not supported, replaced with `client`"
-	FailedToGetNetmapToAdjustIOTag                                       = "failed to get netmap to adjust IO tag, replaced with `client`"
+	FailedToGetNetmapToAdjustIOTag                                       = "failed to get netmap to adjust IO tag"
 	FailedToValidateIncomingIOTag                                        = "failed to validate incoming IO tag, replaced with `client`"
 	WriteCacheFailedToAcquireRPSQuota                                    = "writecache failed to acquire RPS quota to flush object"
 )
diff --git a/pkg/core/object/fmt_test.go b/pkg/core/object/fmt_test.go
index 239a9f389..dc336eb34 100644
--- a/pkg/core/object/fmt_test.go
+++ b/pkg/core/object/fmt_test.go
@@ -9,6 +9,7 @@ import (
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
+	utilTesting "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/testing"
 	objectV2 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/object"
 	containerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
@@ -410,11 +411,11 @@ func TestFormatValidator_ValidateTokenIssuer(t *testing.T) {
 				},
 			),
 			WithNetmapSource(
-				&testNetmapSource{
-					netmaps: map[uint64]*netmap.NetMap{
+				&utilTesting.TestNetmapSource{
+					Netmaps: map[uint64]*netmap.NetMap{
 						curEpoch: currentEpochNM,
 					},
-					currentEpoch: curEpoch,
+					CurrentEpoch: curEpoch,
 				},
 			),
 			WithLogger(logger.NewLoggerWrapper(zaptest.NewLogger(t))),
@@ -483,12 +484,12 @@ func TestFormatValidator_ValidateTokenIssuer(t *testing.T) {
 				},
 			),
 			WithNetmapSource(
-				&testNetmapSource{
-					netmaps: map[uint64]*netmap.NetMap{
+				&utilTesting.TestNetmapSource{
+					Netmaps: map[uint64]*netmap.NetMap{
 						curEpoch:     currentEpochNM,
 						curEpoch - 1: previousEpochNM,
 					},
-					currentEpoch: curEpoch,
+					CurrentEpoch: curEpoch,
 				},
 			),
 			WithLogger(logger.NewLoggerWrapper(zaptest.NewLogger(t))),
@@ -559,12 +560,12 @@ func TestFormatValidator_ValidateTokenIssuer(t *testing.T) {
 				},
 			),
 			WithNetmapSource(
-				&testNetmapSource{
-					netmaps: map[uint64]*netmap.NetMap{
+				&utilTesting.TestNetmapSource{
+					Netmaps: map[uint64]*netmap.NetMap{
 						curEpoch:     currentEpochNM,
 						curEpoch - 1: previousEpochNM,
 					},
-					currentEpoch: curEpoch,
+					CurrentEpoch: curEpoch,
 				},
 			),
 			WithLogger(logger.NewLoggerWrapper(zaptest.NewLogger(t))),
@@ -596,26 +597,3 @@ func (s *testContainerSource) Get(ctx context.Context, cnrID cid.ID) (*container
 func (s *testContainerSource) DeletionInfo(context.Context, cid.ID) (*container.DelInfo, error) {
 	return nil, nil
 }
-
-type testNetmapSource struct {
-	netmaps      map[uint64]*netmap.NetMap
-	currentEpoch uint64
-}
-
-func (s *testNetmapSource) GetNetMap(ctx context.Context, diff uint64) (*netmap.NetMap, error) {
-	if diff >= s.currentEpoch {
-		return nil, fmt.Errorf("invalid diff")
-	}
-	return s.GetNetMapByEpoch(ctx, s.currentEpoch-diff)
-}
-
-func (s *testNetmapSource) GetNetMapByEpoch(ctx context.Context, epoch uint64) (*netmap.NetMap, error) {
-	if nm, found := s.netmaps[epoch]; found {
-		return nm, nil
-	}
-	return nil, fmt.Errorf("netmap not found")
-}
-
-func (s *testNetmapSource) Epoch(ctx context.Context) (uint64, error) {
-	return s.currentEpoch, nil
-}
diff --git a/pkg/util/testing/netmap_source.go b/pkg/util/testing/netmap_source.go
new file mode 100644
index 000000000..7373e538f
--- /dev/null
+++ b/pkg/util/testing/netmap_source.go
@@ -0,0 +1,36 @@
+package testing
+
+import (
+	"context"
+	"errors"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
+)
+
+var (
+	errInvalidDiff    = errors.New("invalid diff")
+	errNetmapNotFound = errors.New("netmap not found")
+)
+
+type TestNetmapSource struct {
+	Netmaps      map[uint64]*netmap.NetMap
+	CurrentEpoch uint64
+}
+
+func (s *TestNetmapSource) GetNetMap(ctx context.Context, diff uint64) (*netmap.NetMap, error) {
+	if diff >= s.CurrentEpoch {
+		return nil, errInvalidDiff
+	}
+	return s.GetNetMapByEpoch(ctx, s.CurrentEpoch-diff)
+}
+
+func (s *TestNetmapSource) GetNetMapByEpoch(_ context.Context, epoch uint64) (*netmap.NetMap, error) {
+	if nm, found := s.Netmaps[epoch]; found {
+		return nm, nil
+	}
+	return nil, errNetmapNotFound
+}
+
+func (s *TestNetmapSource) Epoch(context.Context) (uint64, error) {
+	return s.CurrentEpoch, nil
+}