sn/object: Forward original GET/HEAD/RANGE request to container members

cthulhu-rider · cthulhu-rider · commit fcc91874b525 · 2025-06-23T15:01:13.000+03:00
Previously, when proxy SN forwarded read object requests to the
container, it updated the request as follows:
 1. meta header was wrapped into the new one with decremented TTL;
 2. verification header was wrapped into to the new one with added
   signatures for original parts.

This resulted in the following costs:
 - additional calculation of two signatures on proxy SN;
 - more expensive request serialization, more data over the network;
 - more expensive request deserialization on container SN;
 - additional verification of two signatures on container SN.

At the same time, apart from the mentioned actions, container SN did not
use additional data for processing. So if a node doesn't update TTL and
add signatures, then it's just reduces the resources spent without
changing the behavior.

This makes proxy SN to not resign object GET/HEAD/RANGE requests on
forwarding.

Signed-off-by: Leonard Lyubich &lt;leonard@morphbits.io&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ Changelog for NeoFS Node
 - SN caches up to 1000 bearer token verification results until the next epoch (#3369)
 - SN caches up to 1000 session token verification results until the next epoch (#3369)
 - SN no longer wastes memory for logger in ACL and GET/HEAD/RANGE handlers (#3408, #3412)
+- SN no longer modifies original GET/HEAD/RANGE request when proxying it to the container (#3413)
 
 ### Removed
 
diff --git a/pkg/services/object/server.go b/pkg/services/object/server.go
@@ -602,7 +602,7 @@ func (s *Server) Head(ctx context.Context, req *protoobject.HeadRequest) (*proto
 	}
 
 	var resp protoobject.HeadResponse
-	p, err := convertHeadPrm(s.signer, req, &resp)
+	p, err := convertHeadPrm(req, &resp)
 	if err != nil {
 		return s.makeStatusHeadResponse(err), nil
 	}
@@ -657,7 +657,7 @@ func (x *headResponse) WriteHeader(hdr *object.Object) error {
 
 // converts original request into parameters accepted by the internal handler.
 // Note that the response is untouched within this call.
-func convertHeadPrm(signer ecdsa.PrivateKey, req *protoobject.HeadRequest, resp *protoobject.HeadResponse) (getsvc.HeadPrm, error) {
+func convertHeadPrm(req *protoobject.HeadRequest, resp *protoobject.HeadResponse) (getsvc.HeadPrm, error) {
 	body := req.GetBody()
 	ma := body.GetAddress()
 	if ma == nil { // includes nil body
@@ -686,25 +686,11 @@ func convertHeadPrm(signer ecdsa.PrivateKey, req *protoobject.HeadRequest, resp
 		return p, nil
 	}
 
-	var onceResign sync.Once
 	meta := req.GetMetaHeader()
 	if meta == nil {
 		return getsvc.HeadPrm{}, errors.New("missing meta header")
 	}
 	p.SetRequestForwarder(func(ctx context.Context, node client.NodeInfo, c client.MultiAddressClient) (*object.Object, error) {
-		var err error
-		onceResign.Do(func() {
-			req.MetaHeader = &protosession.RequestMetaHeader{
-				// TODO: #1165 think how to set the other fields
-				Ttl:    meta.GetTtl() - 1,
-				Origin: meta,
-			}
-			req.VerifyHeader, err = neofscrypto.SignRequestWithBuffer(neofsecdsa.Signer(signer), req, nil)
-		})
-		if err != nil {
-			return nil, err
-		}
-
 		nodePub := node.PublicKey()
 		var hdr *object.Object
 		return hdr, c.ForEachGRPCConn(ctx, func(ctx context.Context, conn *grpc.ClientConn) error {
@@ -1051,7 +1037,7 @@ func (s *Server) Get(req *protoobject.GetRequest, gStream protoobject.ObjectServ
 		return s.sendStatusGetResponse(gStream, err)
 	}
 
-	p, err := convertGetPrm(s.signer, req, &getStream{
+	p, err := convertGetPrm(req, &getStream{
 		base:    gStream,
 		srv:     s,
 		reqInfo: reqInfo,
@@ -1069,7 +1055,7 @@ func (s *Server) Get(req *protoobject.GetRequest, gStream protoobject.ObjectServ
 // converts original request into parameters accepted by the internal handler.
 // Note that the stream is untouched within this call, errors are not reported
 // into it.
-func convertGetPrm(signer ecdsa.PrivateKey, req *protoobject.GetRequest, stream *getStream) (getsvc.Prm, error) {
+func convertGetPrm(req *protoobject.GetRequest, stream *getStream) (getsvc.Prm, error) {
 	body := req.GetBody()
 	ma := body.GetAddress()
 	if ma == nil { // includes nil body
@@ -1095,27 +1081,13 @@ func convertGetPrm(signer ecdsa.PrivateKey, req *protoobject.GetRequest, stream
 		return p, nil
 	}
 
-	var onceResign sync.Once
 	var onceHdr sync.Once
 	var respondedPayload int
 	meta := req.GetMetaHeader()
 	if meta == nil {
 		return getsvc.Prm{}, errors.New("missing meta header")
 	}
 	p.SetRequestForwarder(func(ctx context.Context, node client.NodeInfo, c client.MultiAddressClient) (*object.Object, error) {
-		var err error
-		onceResign.Do(func() {
-			req.MetaHeader = &protosession.RequestMetaHeader{
-				// TODO: #1165 think how to set the other fields
-				Ttl:    meta.GetTtl() - 1,
-				Origin: meta,
-			}
-			req.VerifyHeader, err = neofscrypto.SignRequestWithBuffer(neofsecdsa.Signer(signer), req, nil)
-		})
-		if err != nil {
-			return nil, err
-		}
-
 		nodePub := node.PublicKey()
 		return nil, c.ForEachGRPCConn(ctx, func(ctx context.Context, conn *grpc.ClientConn) error {
 			err := continueGetFromRemoteNode(ctx, conn, nodePub, req, stream, &onceHdr, &respondedPayload)
@@ -1291,7 +1263,7 @@ func (s *Server) GetRange(req *protoobject.GetRangeRequest, gStream protoobject.
 		return s.sendStatusRangeResponse(gStream, err)
 	}
 
-	p, err := convertRangePrm(s.signer, req, &rangeStream{
+	p, err := convertRangePrm(req, &rangeStream{
 		base:    gStream,
 		srv:     s,
 		reqInfo: reqInfo,
@@ -1309,7 +1281,7 @@ func (s *Server) GetRange(req *protoobject.GetRangeRequest, gStream protoobject.
 // converts original request into parameters accepted by the internal handler.
 // Note that the stream is untouched within this call, errors are not reported
 // into it.
-func convertRangePrm(signer ecdsa.PrivateKey, req *protoobject.GetRangeRequest, stream *rangeStream) (getsvc.RangePrm, error) {
+func convertRangePrm(req *protoobject.GetRangeRequest, stream *rangeStream) (getsvc.RangePrm, error) {
 	body := req.GetBody()
 	ma := body.GetAddress()
 	if ma == nil { // includes nil body
@@ -1348,26 +1320,12 @@ func convertRangePrm(signer ecdsa.PrivateKey, req *protoobject.GetRangeRequest,
 		return p, nil
 	}
 
-	var onceResign sync.Once
 	var respondedPayload int
 	meta := req.GetMetaHeader()
 	if meta == nil {
 		return getsvc.RangePrm{}, errors.New("missing meta header")
 	}
 	p.SetRequestForwarder(func(ctx context.Context, node client.NodeInfo, c client.MultiAddressClient) (*object.Object, error) {
-		var err error
-		onceResign.Do(func() {
-			req.MetaHeader = &protosession.RequestMetaHeader{
-				// TODO: #1165 think how to set the other fields
-				Ttl:    meta.GetTtl() - 1,
-				Origin: meta,
-			}
-			req.VerifyHeader, err = neofscrypto.SignRequestWithBuffer(neofsecdsa.Signer(signer), req, nil)
-		})
-		if err != nil {
-			return nil, err
-		}
-
 		nodePub := node.PublicKey()
 		return nil, c.ForEachGRPCConn(ctx, func(ctx context.Context, conn *grpc.ClientConn) error {
 			err := continueRangeFromRemoteNode(ctx, conn, nodePub, req, stream, &respondedPayload)
