[#1124] cli: Improve APE rule parsing

* Make APE rule parser to read condition's kind in unambiguous using lexemes `ResourceCondition`, `RequestCondition` instead confusing `Object.Request`, `Object.Resource`. * Fix unit-tests. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-05-14 12:23:26 +03:00 · 2024-05-14 12:23:26 +03:00 · 952d13cd2b
commit 952d13cd2b
parent 20baf6e112
8 changed files with 151 additions and 147 deletions
--- a/cmd/frostfs-cli/modules/util/ape_test.go
+++ b/cmd/frostfs-cli/modules/util/ape_test.go
@ -109,46 +109,46 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name: "Valid allow rule with conditions",
-			rule: "allow Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
+			rule: "allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
 			expectRule: policyengine.Rule{
 				Status:    policyengine.Allow,
 				Actions:   policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
 				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
 				Condition: []policyengine.Condition{
 					{
-						Op:     policyengine.CondStringEquals,
-						Object: policyengine.ObjectResource,
-						Key:    "Department",
-						Value:  "HR",
+						Op:    policyengine.CondStringEquals,
+						Kind:  policyengine.KindResource,
+						Key:   "Department",
+						Value: "HR",
 					},
 					{
-						Op:     policyengine.CondStringNotEquals,
-						Object: policyengine.ObjectRequest,
-						Key:    "Actor",
-						Value:  "ownerA",
+						Op:    policyengine.CondStringNotEquals,
+						Kind:  policyengine.KindRequest,
+						Key:   "Actor",
+						Value: "ownerA",
 					},
 				},
 			},
 		},
 		{
 			name: "Valid rule for object with conditions with action detail",
-			rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
+			rule: "deny:QuotaLimitReached Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
 			expectRule: policyengine.Rule{
 				Status:    policyengine.QuotaLimitReached,
 				Actions:   policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
 				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
 				Condition: []policyengine.Condition{
 					{
-						Op:     policyengine.CondStringEquals,
-						Object: policyengine.ObjectResource,
-						Key:    "Department",
-						Value:  "HR",
+						Op:    policyengine.CondStringEquals,
+						Kind:  policyengine.KindResource,
+						Key:   "Department",
+						Value: "HR",
 					},
 					{
-						Op:     policyengine.CondStringNotEquals,
-						Object: policyengine.ObjectRequest,
-						Key:    "Actor",
-						Value:  "ownerA",
+						Op:    policyengine.CondStringNotEquals,
+						Kind:  policyengine.KindRequest,
+						Key:   "Actor",
+						Value: "ownerA",
 					},
 				},
 			},
@ -170,12 +170,12 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name:      "Invalid rule with unknown condition binary operator",
-			rule:      "deny Object.Put Object.Resource:Department<HR *",
+			rule:      "deny Object.Put ResourceCondition:Department<HR *",
 			expectErr: errUnknownBinaryOperator,
 		},
 		{
 			name:      "Invalid rule with unknown condition object type",
-			rule:      "deny Object.Put Object.ResourZe:Department=HR *",
+			rule:      "deny Object.Put ResourSeCondiDion:Department=HR *",
 			expectErr: errUnknownCondObjectType,
 		},
 		{
@ -185,7 +185,7 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name:      "Invalid rule with no actions",
-			rule:      "allow Container.Resource:A=B  *",
+			rule:      "allow ResourceCondition:A=B  *",
 			expectErr: errNoActionsInRule,
 		},
 		{
@ -271,7 +271,7 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name: "Valid rule for container with conditions with action detail",
-			rule: "allow Container.Get Container.Resource:A=B Container.Put Container.Request:C!=D " +
+			rule: "allow Container.Get ResourceCondition:A=B Container.Put RequestCondition:C!=D " +
 				"* /cnt_id",
 			expectRule: policyengine.Rule{
 				Status:  policyengine.Allow,
@ -282,16 +282,16 @@ func TestParseAPERule(t *testing.T) {
 				}},
 				Condition: []policyengine.Condition{
 					{
-						Op:     policyengine.CondStringEquals,
-						Object: policyengine.ContainerResource,
-						Key:    "A",
-						Value:  "B",
+						Op:    policyengine.CondStringEquals,
+						Kind:  policyengine.KindResource,
+						Key:   "A",
+						Value: "B",
 					},
 					{
-						Op:     policyengine.CondStringNotEquals,
-						Object: policyengine.ContainerRequest,
-						Key:    "C",
-						Value:  "D",
+						Op:    policyengine.CondStringNotEquals,
+						Kind:  policyengine.KindRequest,
+						Key:   "C",
+						Value: "D",
 					},
 				},
 			},