ir: allow only predefined known system attributes (#3107)

CHANGELOG.md

@@ -9,6 +9,7 @@ Changelog for NeoFS Node
 - `neofs-cli control notary` with `list`, `request` and `sign` commands (#3059)
 - IR `fschain.consensus.keep_only_latest_state` and `fschain.consensus.remove_untraceable_blocks` config options (#3093)
 - `logger.timestamp` config option (#3105)
+- Container system attributes verification on IR side (#3107)
 
 ### Fixed
 - `neofs-cli object delete` command output (#3056)

cmd/neofs-ir/internal/validate/config.go

@@ -269,4 +269,8 @@ type validConfig struct {
 		BasicIncomeRate int64 `mapstructure:"basic_income_rate"`
 		AuditFee        int64 `mapstructure:"audit_fee"`
 	} `mapstructure:"settlement"`
+
+	Experimental struct {
+		ChainMetaData bool `mapstructure:"chain_meta_data"`
+	} `mapstructure:"experimental"`
 }

config/example/ir.env

@@ -91,3 +91,5 @@ NEOFS_IR_PROMETHEUS_SHUTDOWN_TIMEOUT=30s
 
 NEOFS_IR_SETTLEMENT_BASIC_INCOME_RATE=100
 NEOFS_IR_SETTLEMENT_AUDIT_FEE=100
+
+NEOFS_IR_EXPERIMENTAL_CHAIN_META_DATA=false

config/example/ir.yaml

@@ -209,3 +209,6 @@ prometheus:
 settlement:
   basic_income_rate: 100 # Optional: override basic income rate value from network config; applied only in debug mode
   audit_fee: 100         # Optional: override audit fee value from network config; applied only in debug mode
+
+experimental:
+  chain_meta_data: false # Optional: allows creating containers with meta data handled via FS chain

pkg/innerring/innerring.go

@@ -936,6 +936,7 @@ func New(ctx context.Context, log *zap.Logger, cfg *viper.Viper, errChan chan<-
 		ContainerClient: cnrClient,
 		NeoFSIDClient:   neofsIDClient,
 		NetworkState:    server.netmapClient,
+		MetaEnabled:     cfg.GetBool("experimental.chain_meta_data"),
 	})
 	if err != nil {
 		return nil, err

pkg/innerring/processors/container/process_container.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/nspcc-dev/neo-go/pkg/network/payload"
 	cntClient "github.com/nspcc-dev/neofs-node/pkg/morph/client/container"
@@ -56,6 +57,18 @@ func (cp *Processor) processContainerPut(put putEvent) {
 	cp.approvePutContainer(ctx)
 }
 
+const (
+	sysAttrPrefix    = "__NEOFS__"
+	sysAttrChainMeta = sysAttrPrefix + "METAINFO_CONSISTENCY"
+)
+
+var allowedSystemAttributes = map[string]struct{}{
+	sysAttrPrefix + "NAME":                        {},
+	sysAttrPrefix + "ZONE":                        {},
+	sysAttrPrefix + "DISABLE_HOMOMORPHIC_HASHING": {},
+	sysAttrChainMeta:                              {},
+}
+
 func (cp *Processor) checkPutContainer(ctx *putContainerContext) error {
 	binCnr := ctx.e.Container()
 	ctx.cID = cid.NewFromMarshalledContainer(binCnr)
@@ -65,6 +78,22 @@ func (cp *Processor) checkPutContainer(ctx *putContainerContext) error {
 		return fmt.Errorf("invalid binary container: %w", err)
 	}
 
+	var denyErr error
+	ctx.cnr.IterateAttributes(func(k, v string) {
+		if denyErr == nil && strings.HasPrefix(k, sysAttrPrefix) {
+			if _, ok := allowedSystemAttributes[k]; !ok {
+				denyErr = fmt.Errorf("system attribute %s is not allowed", k)
+			}
+
+			if k == sysAttrChainMeta && !cp.metaEnabled {
+				denyErr = fmt.Errorf("chain meta data attribute is not allowed")
+			}
+		}
+	})
+	if denyErr != nil {
+		return denyErr
+	}
+
 	err = cp.verifySignature(signatureVerificationData{
 		ownerContainer:  ctx.cnr.Owner(),
 		verb:            session.VerbContainerPut,

pkg/innerring/processors/container/processor.go

@@ -27,6 +27,7 @@ type (
 		cnrClient     *container.Client // notary must be enabled
 		idClient      *neofsid.Client
 		netState      NetworkState
+		metaEnabled   bool
 	}
 
 	// Params of the processor constructor.
@@ -37,6 +38,7 @@ type (
 		ContainerClient *container.Client
 		NeoFSIDClient   *neofsid.Client
 		NetworkState    NetworkState
+		MetaEnabled     bool
 	}
 )
 
@@ -90,6 +92,7 @@ func New(p *Params) (*Processor, error) {
 		cnrClient:     p.ContainerClient,
 		idClient:      p.NeoFSIDClient,
 		netState:      p.NetworkState,
+		metaEnabled:   p.MetaEnabled,
 	}, nil
 }