[#1503] container: Fix APE-request target

* Request target shouldn't contain container target as container
  operations can't be checked with container-targeted rules.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

pkg/services/container/ape.go

@@ -327,9 +327,15 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
 		reqProps,
 	)
 
-	s, found, err := ac.router.IsAllowed(apechain.Ingress,
+	rt := policyengine.NewRequestTargetWithNamespace(namespace)
-		policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups),
+	userTarget := policyengine.UserTarget(fmt.Sprintf("%s:%s", namespace, pk.Address()))
-		request)
+	rt.User = &userTarget
+	rt.Groups = make([]policyengine.Target, len(groups))
+	for i := range groups {
+		rt.Groups[i] = policyengine.GroupTarget(groups[i])
+	}
+
+	s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request)
 	if err != nil {
 		return err
 	}

pkg/services/container/ape_test.go

@@ -117,7 +117,7 @@ func testAllowThenDenyGetContainerRuleDefined(t *testing.T) {
 	_, err = apeSrv.Get(context.Background(), req)
 	require.NoError(t, err)
 
-	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 		Rules: []chain.Rule{
 			{
 				Status: chain.AccessDenied,
@@ -324,7 +324,7 @@ func testDenyGetContainerForOthers(t *testing.T) {
 	nm.netmaps[nm.currentEpoch] = &testNetmap
 	nm.netmaps[nm.currentEpoch-1] = &testNetmap
 
-	_, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+	_, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 		Rules: []chain.Rule{
 			{
 				Status: chain.AccessDenied,
@@ -424,7 +424,7 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
 	nm.netmaps[nm.currentEpoch] = &testNetmap
 	nm.netmaps[nm.currentEpoch-1] = &testNetmap
 
-	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 		Rules: []chain.Rule{
 			{
 				Status: chain.AccessDenied,
@@ -522,7 +522,7 @@ func testDenyGetContainerByIP(t *testing.T) {
 	nm.netmaps[nm.currentEpoch] = &testNetmap
 	nm.netmaps[nm.currentEpoch-1] = &testNetmap
 
-	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 		Rules: []chain.Rule{
 			{
 				Status: chain.AccessDenied,
@@ -621,7 +621,7 @@ func testDenyGetContainerByGroupID(t *testing.T) {
 	nm.netmaps[nm.currentEpoch] = &testNetmap
 	nm.netmaps[nm.currentEpoch-1] = &testNetmap
 
-	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+	_, _, err = router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 		Rules: []chain.Rule{
 			{
 				Status: chain.AccessDenied,
@@ -1213,7 +1213,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 		components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
 		initTestNetmap(components.netmap)
 
-		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 			Rules: []chain.Rule{
 				{
 					Status: chain.AccessDenied,
@@ -1255,7 +1255,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 		components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
 		initTestNetmap(components.netmap)
 
-		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 			Rules: []chain.Rule{
 				{
 					Status: chain.AccessDenied,
@@ -1341,7 +1341,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 		components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
 		initTestNetmap(components.netmap)
 
-		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 			Rules: []chain.Rule{
 				{
 					Status: chain.AccessDenied,
@@ -1384,7 +1384,7 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 		components.containerReader.c[contID] = &containercore.Container{Value: testContainer}
 		initTestNetmap(components.netmap)
 
-		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+		_, _, err := components.engine.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 			Rules: []chain.Rule{
 				{
 					Status: chain.AccessDenied,
@@ -1566,7 +1566,7 @@ func initListRequest(t *testing.T, actorPK *keys.PrivateKey, ownerPK *keys.Priva
 }
 
 func addDefaultAllowGetPolicy(t *testing.T, e engine.Engine, contID cid.ID) {
-	_, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
+	_, _, err := e.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.NamespaceTarget(""), &chain.Chain{
 		Rules: []chain.Rule{
 			{
 				Status: chain.Allow,