nspcc-dev / neofs-node

NeoFS is a decentralized distributed object storage integrated with the Neo blockchain
https://fs.neo.org
GNU General Public License v3.0

Invalid behavior with numeric eacl rules #2785

Closed evgeniiz321 closed 3 months ago

evgeniiz321 commented 3 months ago
  1. Get object before setting eacl, note numeric_value=1:
    [MainThread] 2024-03-27 14:09:01 [INFO] Command: neofs-cli --config /home/ezayats/neofs-testcases/wallet_config.yml object get --rpc-endpoint 'localhost:46681' --wallet '/home/ezayats/neofs-testcases/TemporaryDir/beefc0c3-5083-48fe-a29a-08b643d0a8c4.json' --cid 'FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE' --oid 'DnpbFksXtStw4xvvFwNu5vxnreZxz8Yxixktr3QtC9qs' --file 'TemporaryDir/TestObjectsDir/6a831f99-4104-4a37-a228-52932118158c' --no-progress
    Success:
    return code: 0
    Output: [TemporaryDir/TestObjectsDir/6a831f99-4104-4a37-a228-52932118158c] Object successfully saved
    ID: DnpbFksXtStw4xvvFwNu5vxnreZxz8Yxixktr3QtC9qs
    CID: FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE
    Owner: NaanBGnLueT9XKbAe2nqbbyFVYoGbPBEmY
    CreatedAt: 2
    Size: 1000
    HomoHash: 0f0e7802dcf9531f6360758fb5939e9f6c9c6923fb9f9e6474f9ea02772d6c1328a73f517e29b3574a3afa4497ac322c697ec331113eebcd6a343dcdb08b9c51
    Checksum: cfb1afaa258ee2645c4e17715b77973779d39bcf33972a18adf047762c589000
    Type: REGULAR
    Attributes:
      numeric_value=1
      FileName=eb979069-f103-4c90-ab29-15714751ded1
      Timestamp=1711548539 (2024-03-27 14:08:59 +0000 UTC)
    ID signature:
      public key: 02fcc6c7bbf9df0bb3ab13f58965cdeafa9d1e2dfde9410f34d4edf23a84ada121
      signature: 04d3c9f75fef144234a04e9376e67c347fa1a6ac91a764976c3d084b882a65714ccb957b63d17ddcb9629bfbe8a06c4e5cdf460e04fdfa21a81b660bf554efa654
  2. Set eacl with rule --rule 'deny get obj:numeric_value<0 user':
    [MainThread] 2024-03-27 14:09:33 [INFO] Command: neofs-cli --config /home/ezayats/neofs-testcases/wallet_config.yml container get-eacl --rpc-endpoint 'localhost:46681' --wallet '/home/ezayats/neofs-testcases/TemporaryDir/beefc0c3-5083-48fe-a29a-08b643d0a8c4.json' --cid 'FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE'
    Success:
    return code: 0
    Output: eACL:
    {
      "version": {
        "major": 2,
        "minor": 13
      },
      "containerID": {
        "value": "0qP36XzpUj2eqdOsotUY+yMmxFWKmFO7FjkOPbkIXLc="
      },
      "records": [
        {
          "operation": "GET",
          "action": "DENY",
          "filters": [
            {
              "headerType": "OBJECT",
              "matchType": "NUM_LT",
              "key": "numeric_value",
              "value": "0"
            }
          ],
          "targets": [
            {
              "role": "USER",
              "keys": []
            }
          ]
        }
      ]
    }
  3. Try to get object with numeric_value=1
    [MainThread] 2024-03-27 14:09:33 [INFO] Command: neofs-cli --config /home/ezayats/neofs-testcases/wallet_config.yml object get --rpc-endpoint 'localhost:46681' --wallet '/home/ezayats/neofs-testcases/TemporaryDir/beefc0c3-5083-48fe-a29a-08b643d0a8c4.json' --cid 'FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE' --oid 'DnpbFksXtStw4xvvFwNu5vxnreZxz8Yxixktr3QtC9qs' --file 'TemporaryDir/TestObjectsDir/937f9170-ea3a-4ca4-9480-0d620e6e5ad9' --no-progress
    Error:
    return code: 2
    Output: rpc error: init object reading on client: header: status: code = 2048 message = access to object operation denied: access to operation OBJECT_GET is denied by extended ACL check: denied by rule

Expected Behavior

Get object with numeric_value=1 should be allowed with --rule 'deny get obj:numeric_value<0 user'

Current Behavior

Get object with numeric_value=1 is not allowed with --rule 'deny get obj:numeric_value<0 user'
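
The comparison the report expects, written out as an added example (not part of the original issue and not neofs-node code): the object's attribute is the left operand and the filter value the right one, compared as integers. The `Filter` type and the `numMatch` and `Denied` helpers are hypothetical names, and treating a missing or non-numeric attribute as "no match" is an assumption.

```go
package main

import (
	"fmt"
	"math/big"
)

// Filter mirrors one "filters" entry of the eACL JSON in the issue (hypothetical type).
type Filter struct{ MatchType, Key, Value string }

// numMatch evaluates "attribute <op> filter value" on base-10 integers.
// Assumption: a non-numeric operand or unknown matcher never matches.
func numMatch(matchType, attrVal, filterVal string) bool {
	a, okA := new(big.Int).SetString(attrVal, 10)
	f, okF := new(big.Int).SetString(filterVal, 10)
	if !okA || !okF {
		return false
	}
	c := a.Cmp(f) // -1: attr < filter, 0: equal, +1: attr > filter
	switch matchType {
	case "NUM_LT":
		return c < 0
	case "NUM_LE":
		return c <= 0
	case "NUM_GT":
		return c > 0
	case "NUM_GE":
		return c >= 0
	}
	return false
}

// Denied reports whether a DENY record with these filters applies to an object:
// every filter must match; a missing attribute counts as no match (assumption).
func Denied(filters []Filter, attrs map[string]string) bool {
	for _, f := range filters {
		v, ok := attrs[f.Key]
		if !ok || !numMatch(f.MatchType, v, f.Value) {
			return false
		}
	}
	return true
}

func main() {
	rule := []Filter{{"NUM_LT", "numeric_value", "0"}} // record from the issue
	fmt.Println(Denied(rule, map[string]string{"numeric_value": "1"}))  // false: GET allowed
	fmt.Println(Denied(rule, map[string]string{"numeric_value": "-1"})) // true: GET denied
}
```

A regression test for this rule should cover both sides of the boundary (`-1`, `0`, `1`) and a multi-digit value, so that swapped operands and string-wise comparison both fail it.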