[#755] innerring: Check container owner namespace

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>

pkg/innerring/processors/container/process_container.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"fmt"
+	"strings"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/event"
@@ -10,6 +11,7 @@ import (
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"github.com/nspcc-dev/neo-go/pkg/network/payload"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"go.uber.org/zap"
 )
 
@@ -88,7 +90,7 @@ func (cp *Processor) checkPutContainer(ctx *putContainerContext) error {
 	}
 
 	// check native name and zone
-	err = checkNNS(ctx, cnr)
+	err = cp.checkNNS(ctx, cnr)
 	if err != nil {
 		return fmt.Errorf("NNS: %w", err)
 	}
@@ -157,7 +159,7 @@ func (cp *Processor) checkDeleteContainer(e containerEvent.Delete) error {
 	return nil
 }
 
-func checkNNS(ctx *putContainerContext, cnr containerSDK.Container) error {
+func (cp *Processor) checkNNS(ctx *putContainerContext, cnr containerSDK.Container) error {
 	// fetch domain info
 	ctx.d = containerSDK.ReadDomain(cnr)
 
@@ -175,6 +177,25 @@ func checkNNS(ctx *putContainerContext, cnr containerSDK.Container) error {
 		}
 	}
 
+	namespace, hasNamespace := strings.CutSuffix(ctx.d.Zone(), ".ns")
+	if !hasNamespace {
+		return nil
+	}
+
+	addr, err := util.Uint160DecodeBytesBE(cnr.Owner().WalletBytes()[1 : 1+util.Uint160Size])
+	if err != nil {
+		return fmt.Errorf("could not get container owner address: %w", err)
+	}
+
+	subject, err := cp.frostFSIDClient.GetSubject(addr)
+	if err != nil {
+		return fmt.Errorf("could not get subject from FrostfsID contract: %w", err)
+	}
+
+	if subject.Namespace != namespace {
+		return fmt.Errorf("container and owner namespaces do not match")
+	}
+
 	return nil
 }