cmd/frostfs-adm/internal/modules/morph/ape/ape_util.go

@@ -98,6 +98,16 @@ func parseChainName(cmd *cobra.Command) apechain.Name {
 	return apeChainName
 }
 
+// invokerAdapter adapats invoker.Invoker to ContractStorageInvoker interface.
+type invokerAdapter struct {
+	*invoker.Invoker
+	rpcActor invoker.RPCInvoke
+}
+
+func (n *invokerAdapter) GetRPCInvoker() invoker.RPCInvoke {
+	return n.rpcActor
+}
+
 func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorageReader, *invoker.Invoker) {
 	c, err := helper.GetN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
@@ -111,7 +121,12 @@ func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorag
 	ch, err = helper.NNSResolveHash(inv, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))
 	commonCmd.ExitOnErr(cmd, "unable to resolve policy contract hash: %w", err)
 
-	return morph.NewContractStorageReader(inv, ch), inv
+	invokerAdapter := &invokerAdapter{
+		Invoker:  inv,
+		rpcActor: c,
+	}
+
+	return morph.NewContractStorageReader(invokerAdapter, ch), inv
 }
 
 func newPolicyContractInterface(cmd *cobra.Command) (*morph.ContractStorage, *helper.LocalActor) {

cmd/frostfs-adm/internal/modules/morph/helper/actor.go

@@ -23,9 +23,10 @@ import (
 
 // LocalActor is a kludge, do not use it outside of the morph commands.
 type LocalActor struct {
-	neoActor *actor.Actor
+	neoActor   *actor.Actor
-	accounts []*wallet.Account
+	accounts   []*wallet.Account
-	Invoker  *invoker.Invoker
+	Invoker    *invoker.Invoker
+	rpcInvoker invoker.RPCInvoke
 }
 
 // NewLocalActor create LocalActor with accounts form provided wallets.
@@ -68,9 +69,10 @@ func NewLocalActor(cmd *cobra.Command, c actor.RPCActor) (*LocalActor, error) {
 		}
 	}
 	return &LocalActor{
-		neoActor: act,
+		neoActor:   act,
-		accounts: accounts,
+		accounts:   accounts,
-		Invoker:  &act.Invoker,
+		Invoker:    &act.Invoker,
+		rpcInvoker: c,
 	}, nil
 }
 
@@ -167,3 +169,7 @@ func (a *LocalActor) MakeUnsignedRun(_ []byte, _ []transaction.Attribute) (*tran
 func (a *LocalActor) MakeCall(_ util.Uint160, _ string, _ ...any) (*transaction.Transaction, error) {
 	panic("unimplemented")
 }
+
+func (a *LocalActor) GetRPCInvoker() invoker.RPCInvoke {
+	return a.rpcInvoker
+}

cmd/frostfs-cli/modules/control/add_rule.go

@@ -24,7 +24,7 @@ var addRuleCmd = &cobra.Command{
 	Long:  "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
 	Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *"
 --rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*"
---rule "deny:QuotaLimitReached Object.Put Object.Resource:Department=HR *"
+--rule "deny:QuotaLimitReached Object.Put ResourceCondition:Department=HR *"
 
 control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json
 `,

cmd/frostfs-cli/modules/util/ape.go

@@ -21,7 +21,7 @@ var (
 	errUnknownAction             = errors.New("action is not recognized")
 	errUnknownBinaryOperator     = errors.New("binary operator is not recognized")
 	errUnknownCondObjectType     = errors.New("condition object type is not recognized")
-	errMixedTypesInRule          = errors.New("found mixed type of actions and conditions in rule")
+	errMixedTypesInRule          = errors.New("found mixed type of actions in rule")
 	errNoActionsInRule           = errors.New("there are no actions in rule")
 	errUnsupportedResourceFormat = errors.New("unsupported resource format")
 	errFailedToParseAllAny       = errors.New("any/all is not parsed")
@@ -38,10 +38,10 @@ func PrintHumanReadableAPEChain(cmd *cobra.Command, chain *apechain.Chain) {
 		cmd.Println("\tConditions:")
 		for _, c := range rule.Condition {
 			var ot string
-			switch c.Object {
+			switch c.Kind {
-			case apechain.ObjectResource:
+			case apechain.KindResource:
 				ot = "Resource"
-			case apechain.ObjectRequest:
+			case apechain.KindRequest:
 				ot = "Request"
 			default:
 				panic("unknown object type")
@@ -100,9 +100,9 @@ func ParseAPEChain(chain *apechain.Chain, rules []string) error {
 // deny  Object.Put *
 // deny:QuotaLimitReached Object.Put *
 // allow Object.Put *
-// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
+// allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
-// allow Object.Get any Object.Resource:Department=HR Object.Request:Actor=ownerA *
+// allow Object.Get any ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
-// allow Object.Get all Object.Resource:Department=HR Object.Request:Actor=ownerA *
+// allow Object.Get all ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
 // allow Object.* *
 // allow Container.* *
 //
@@ -138,7 +138,9 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
 		return err
 	}
 
-	var isObject *bool
+	var objectTargeted bool
+	var containerTargeted bool
+
 	for i, lexeme := range lexemes[1:] {
 		anyExpr, anyErr := parseAnyAll(lexeme)
 		if anyErr == nil {
@@ -156,23 +158,30 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
 				lexemes = lexemes[i+1:]
 				break
 			}
-			actionType = condition.Object == apechain.ObjectResource || condition.Object == apechain.ObjectRequest
 			r.Condition = append(r.Condition, *condition)
 		} else {
+			if actionType {
+				objectTargeted = true
+			} else {
+				containerTargeted = true
+			}
+			if objectTargeted && containerTargeted {
+				// Actually, APE chain allows to define rules for several resources, for example, if
+				// chain target is namespace, but the parser primitevly compiles verbs,
+				// conditions and resources in one rule. So, for the parser, one rule relates only to
+				// one resource type - object or container.
+				return errMixedTypesInRule
+			}
+
 			r.Actions.Names = append(r.Actions.Names, names...)
 		}
-		if isObject == nil {
-			isObject = &actionType
-		} else if actionType != *isObject {
-			return errMixedTypesInRule
-		}
 	}
 	r.Actions.Names = unique(r.Actions.Names)
 	if len(r.Actions.Names) == 0 {
 		return fmt.Errorf("%w:%w", err, errNoActionsInRule)
 	}
 	for _, lexeme := range lexemes {
-		resource, errRes := parseResource(lexeme, *isObject)
+		resource, errRes := parseResource(lexeme, objectTargeted)
 		if errRes != nil {
 			return fmt.Errorf("%w:%w", err, errRes)
 		}
@@ -308,32 +317,27 @@ func parseResource(lexeme string, isObj bool) (string, error) {
 }
 
 const (
-	ObjectResource = "object.resource"
+	ResourceCondition = "resourcecondition"
-	ObjectRequest  = "object.request"
+	RequestCondition  = "requestcondition"
-
-	ContainerResource = "container.resource"
-	ContainerRequest  = "container.request"
 )
 
-var typeToCondObject = map[string]apechain.ObjectType{
+var typeToCondKindType = map[string]apechain.ConditionKindType{
-	ObjectResource:    apechain.ObjectResource,
+	ResourceCondition: apechain.KindResource,
-	ObjectRequest:     apechain.ObjectRequest,
+	RequestCondition:  apechain.KindRequest,
-	ContainerResource: apechain.ContainerResource,
-	ContainerRequest:  apechain.ContainerRequest,
 }
 
 func parseCondition(lexeme string) (*apechain.Condition, error) {
 	typ, expression, found := strings.Cut(lexeme, ":")
 	typ = strings.ToLower(typ)
 
-	objType, ok := typeToCondObject[typ]
+	condKindType, ok := typeToCondKindType[typ]
 	if ok {
 		if !found {
 			return nil, fmt.Errorf("%w: %s", errInvalidConditionFormat, lexeme)
 		}
 
 		var cond apechain.Condition
-		cond.Object = objType
+		cond.Kind = condKindType
 
 		lhs, rhs, binExpFound := strings.Cut(expression, "!=")
 		if !binExpFound {

cmd/frostfs-cli/modules/util/ape_test.go

@@ -109,46 +109,46 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name: "Valid allow rule with conditions",
-			rule: "allow Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
+			rule: "allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
 			expectRule: policyengine.Rule{
 				Status:    policyengine.Allow,
 				Actions:   policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
 				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
 				Condition: []policyengine.Condition{
 					{
-						Op:     policyengine.CondStringEquals,
+						Op:    policyengine.CondStringEquals,
-						Object: policyengine.ObjectResource,
+						Kind:  policyengine.KindResource,
-						Key:    "Department",
+						Key:   "Department",
-						Value:  "HR",
+						Value: "HR",
 					},
 					{
-						Op:     policyengine.CondStringNotEquals,
+						Op:    policyengine.CondStringNotEquals,
-						Object: policyengine.ObjectRequest,
+						Kind:  policyengine.KindRequest,
-						Key:    "Actor",
+						Key:   "Actor",
-						Value:  "ownerA",
+						Value: "ownerA",
 					},
 				},
 			},
 		},
 		{
 			name: "Valid rule for object with conditions with action detail",
-			rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
+			rule: "deny:QuotaLimitReached Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
 			expectRule: policyengine.Rule{
 				Status:    policyengine.QuotaLimitReached,
 				Actions:   policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
 				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
 				Condition: []policyengine.Condition{
 					{
-						Op:     policyengine.CondStringEquals,
+						Op:    policyengine.CondStringEquals,
-						Object: policyengine.ObjectResource,
+						Kind:  policyengine.KindResource,
-						Key:    "Department",
+						Key:   "Department",
-						Value:  "HR",
+						Value: "HR",
 					},
 					{
-						Op:     policyengine.CondStringNotEquals,
+						Op:    policyengine.CondStringNotEquals,
-						Object: policyengine.ObjectRequest,
+						Kind:  policyengine.KindRequest,
-						Key:    "Actor",
+						Key:   "Actor",
-						Value:  "ownerA",
+						Value: "ownerA",
 					},
 				},
 			},
@@ -170,12 +170,12 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name:      "Invalid rule with unknown condition binary operator",
-			rule:      "deny Object.Put Object.Resource:Department<HR *",
+			rule:      "deny Object.Put ResourceCondition:Department<HR *",
 			expectErr: errUnknownBinaryOperator,
 		},
 		{
 			name:      "Invalid rule with unknown condition object type",
-			rule:      "deny Object.Put Object.ResourZe:Department=HR *",
+			rule:      "deny Object.Put ResourSeCondiDion:Department=HR *",
 			expectErr: errUnknownCondObjectType,
 		},
 		{
@@ -185,7 +185,7 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name:      "Invalid rule with no actions",
-			rule:      "allow Container.Resource:A=B  *",
+			rule:      "allow ResourceCondition:A=B  *",
 			expectErr: errNoActionsInRule,
 		},
 		{
@@ -271,7 +271,7 @@ func TestParseAPERule(t *testing.T) {
 		},
 		{
 			name: "Valid rule for container with conditions with action detail",
-			rule: "allow Container.Get Container.Resource:A=B Container.Put Container.Request:C!=D " +
+			rule: "allow Container.Get ResourceCondition:A=B Container.Put RequestCondition:C!=D " +
 				"* /cnt_id",
 			expectRule: policyengine.Rule{
 				Status:  policyengine.Allow,
@@ -282,16 +282,16 @@ func TestParseAPERule(t *testing.T) {
 				}},
 				Condition: []policyengine.Condition{
 					{
-						Op:     policyengine.CondStringEquals,
+						Op:    policyengine.CondStringEquals,
-						Object: policyengine.ContainerResource,
+						Kind:  policyengine.KindResource,
-						Key:    "A",
+						Key:   "A",
-						Value:  "B",
+						Value: "B",
 					},
 					{
-						Op:     policyengine.CondStringNotEquals,
+						Op:    policyengine.CondStringNotEquals,
-						Object: policyengine.ContainerRequest,
+						Kind:  policyengine.KindRequest,
-						Key:    "C",
+						Key:   "C",
-						Value:  "D",
+						Value: "D",
 					},
 				},
 			},

go.mod

@@ -5,11 +5,11 @@ go 1.21
 require (
 	code.gitea.io/sdk/gitea v0.17.1
 	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240427200446-67c6f305b21f
-	git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.0
+	git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240409111539-e7a05a49ff45
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1
-	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
 	github.com/cheggaaa/pb v1.0.29

go.sum

@@ -2,8 +2,8 @@ code.gitea.io/sdk/gitea v0.17.1 h1:3jCPOG2ojbl8AcfaUCRYLT5MUcBMFwS0OSK2mA5Zok8=
 code.gitea.io/sdk/gitea v0.17.1/go.mod h1:aCnBqhHpoEWA180gMbaCtdX9Pl6BWBAuuP2miadoTNM=
 git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240427200446-67c6f305b21f h1:YyjsQNtrngQzIKOUtApXoi5r5pewatM+cXfpY19vZWo=
 git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240427200446-67c6f305b21f/go.mod h1:OBDSr+DqV1z4VDouoX3YMleNc4DPBVBWTG3WDT2PK1o=
-git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.0 h1:FzurjElUwC7InY9v5rzXReKbfBL5yRJKSWJPq6BKhH0=
+git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240409111539-e7a05a49ff45 h1:Tp4I+XOLp3VCJORfxSamQtj3RZNISbaLM4WD5iIzXxg=
-git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.0/go.mod h1:F/fe1OoIDKr5Bz99q4sriuHDuf3aZefZy9ZsCqEtgxc=
+git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240409111539-e7a05a49ff45/go.mod h1:F/fe1OoIDKr5Bz99q4sriuHDuf3aZefZy9ZsCqEtgxc=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
 git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 h1:PaZ8GpnUoXxUoNsc1qp36bT2u7FU+neU4Jn9cl8AWqI=
@@ -12,8 +12,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12/go.mod h1:e7H9nNFpx1Tj3R20Zoxy0Vo6Srlb6zV5L7ZQXqg9rn4=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a h1:wbndKvHbwDQiSMQWL75RxiTZCeUyCi7NUj1lsfdAGkc=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d h1:hHk8FWbWgEnwm2I045CaBIrZBjy/o81CehIVOySA/pQ=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a/go.mod h1:H/AW85RtYxVTbcgwHW76DqXeKlsiCIOeNXHPqyDBrfQ=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d/go.mod h1:SgioiGhQNWqiV5qpFAXRDJF81SEFRBhtwGEiU0FViyA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=

internal/ape/converter.go

@@ -80,7 +80,7 @@ func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.
 	}
 	for _, target := range targets {
 		var roleCondition apechain.Condition
-		roleCondition.Object = apechain.ObjectRequest
+		roleCondition.Kind = apechain.KindRequest
 		roleCondition.Key = nativeschema.PropertyKeyActorRole
 		roleCondition.Value = target.Role().String()
 		roleCondition.Op = apechain.CondStringEquals
@@ -88,7 +88,7 @@ func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.
 
 		for _, binKey := range target.BinaryKeys() {
 			var pubKeyCondition apechain.Condition
-			pubKeyCondition.Object = apechain.ObjectRequest
+			pubKeyCondition.Kind = apechain.KindRequest
 			pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
 			pubKeyCondition.Value = hex.EncodeToString(binKey)
 			pubKeyCondition.Op = apechain.CondStringEquals
@@ -112,7 +112,7 @@ func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act ape
 			Resources: res,
 		}
 		var roleCondition apechain.Condition
-		roleCondition.Object = apechain.ObjectRequest
+		roleCondition.Kind = apechain.KindRequest
 		roleCondition.Key = nativeschema.PropertyKeyActorRole
 		roleCondition.Value = target.Role().String()
 		roleCondition.Op = apechain.CondStringEquals
@@ -132,7 +132,7 @@ func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act ape
 				Resources: res,
 			}
 			var pubKeyCondition apechain.Condition
-			pubKeyCondition.Object = apechain.ObjectRequest
+			pubKeyCondition.Kind = apechain.KindRequest
 			pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
 			pubKeyCondition.Value = hex.EncodeToString(binKey)
 			pubKeyCondition.Op = apechain.CondStringEquals
@@ -155,10 +155,10 @@ func appendFilters(source []apechain.Condition, filters []eacl.Filter) ([]apecha
 		var cond apechain.Condition
 		var isObject bool
 		if filter.From() == eacl.HeaderFromObject {
-			cond.Object = apechain.ObjectResource
+			cond.Kind = apechain.KindResource
 			isObject = true
 		} else if filter.From() == eacl.HeaderFromRequest {
-			cond.Object = apechain.ObjectRequest
+			cond.Kind = apechain.KindRequest
 		} else {
 			return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())}
 		}

pkg/morph/client/actor.go

@@ -6,12 +6,14 @@ import (
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 )
 
 type actorProvider interface {
 	GetActor() *actor.Actor
+	GetRPCActor() actor.RPCActor
 }
 
 // Client switches an established connection with neo-go if it is broken.
@@ -132,3 +134,11 @@ func (a *SwitchRPCGuardedActor) TerminateSession(sessionID uuid.UUID) error {
 func (a *SwitchRPCGuardedActor) TraverseIterator(sessionID uuid.UUID, iterator *result.Iterator, num int) ([]stackitem.Item, error) {
 	return a.actorProvider.GetActor().TraverseIterator(sessionID, iterator, num)
 }
+
+func (a *SwitchRPCGuardedActor) GetRPCActor() actor.RPCActor {
+	return a.actorProvider.GetRPCActor()
+}
+
+func (a *SwitchRPCGuardedActor) GetRPCInvoker() invoker.RPCInvoke {
+	return a.actorProvider.GetRPCActor()
+}

pkg/morph/client/client.go

@@ -579,3 +579,10 @@ func (c *Client) GetActor() *actor.Actor {
 
 	return c.rpcActor
 }
+
+func (c *Client) GetRPCActor() actor.RPCActor {
+	c.switchLock.RLock()
+	defer c.switchLock.RUnlock()
+
+	return c.client
+}

pkg/services/container/ape_test.go

@@ -228,10 +228,10 @@ func testDenyGetContainerForOthers(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorRole,
+						Key:   nativeschema.PropertyKeyActorRole,
-						Value:  nativeschema.PropertyValueContainerRoleOthers,
+						Value: nativeschema.PropertyValueContainerRoleOthers,
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -328,10 +328,10 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr1"),
+						Key:   fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr1"),
-						Value:  "value100",
+						Value: "value100",
-						Op:     chain.CondStringNotEquals,
+						Op:    chain.CondStringNotEquals,
 					},
 				},
 			},
@@ -426,10 +426,10 @@ func testDenyGetContainerByGroupID(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    commonschema.PropertyKeyFrostFSIDGroupID,
+						Key:   commonschema.PropertyKeyFrostFSIDGroupID,
-						Value:  "19888",
+						Value: "19888",
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -500,10 +500,10 @@ func testDenySetContainerEACLForIR(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorRole,
+						Key:   nativeschema.PropertyKeyActorRole,
-						Value:  nativeschema.PropertyValueContainerRoleIR,
+						Value: nativeschema.PropertyValueContainerRoleIR,
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -578,10 +578,10 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorRole,
+						Key:   nativeschema.PropertyKeyActorRole,
-						Value:  nativeschema.PropertyValueContainerRoleIR,
+						Value: nativeschema.PropertyValueContainerRoleIR,
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -657,10 +657,10 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorRole,
+						Key:   nativeschema.PropertyKeyActorRole,
-						Value:  nativeschema.PropertyValueContainerRoleOthers,
+						Value: nativeschema.PropertyValueContainerRoleOthers,
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -712,10 +712,10 @@ func testDenyPutContainerReadNamespaceFromFrostfsID(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorRole,
+						Key:   nativeschema.PropertyKeyActorRole,
-						Value:  nativeschema.PropertyValueContainerRoleOthers,
+						Value: nativeschema.PropertyValueContainerRoleOthers,
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -796,10 +796,10 @@ func testDenyPutContainerInvalidNamespace(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorRole,
+						Key:   nativeschema.PropertyKeyActorRole,
-						Value:  nativeschema.PropertyValueContainerRoleOthers,
+						Value: nativeschema.PropertyValueContainerRoleOthers,
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -879,10 +879,10 @@ func testDenyListContainersForPK(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorPublicKey,
+						Key:   nativeschema.PropertyKeyActorPublicKey,
-						Value:  hex.EncodeToString(pk.PublicKey().Bytes()),
+						Value: hex.EncodeToString(pk.PublicKey().Bytes()),
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -993,10 +993,10 @@ func testDenyListContainersValidationNamespaceError(t *testing.T) {
 				},
 				Condition: []chain.Condition{
 					{
-						Object: chain.ObjectRequest,
+						Kind:  chain.KindRequest,
-						Key:    nativeschema.PropertyKeyActorPublicKey,
+						Key:   nativeschema.PropertyKeyActorPublicKey,
-						Value:  actorPK.PublicKey().String(),
+						Value: actorPK.PublicKey().String(),
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
 					},
 				},
 			},
@@ -1195,10 +1195,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 					},
 					Condition: []chain.Condition{
 						{
-							Object: chain.ObjectRequest,
+							Kind:  chain.KindRequest,
-							Key:    nativeschema.PropertyKeyActorRole,
+							Key:   nativeschema.PropertyKeyActorRole,
-							Value:  nativeschema.PropertyValueContainerRoleOthers,
+							Value: nativeschema.PropertyValueContainerRoleOthers,
-							Op:     chain.CondStringEquals,
+							Op:    chain.CondStringEquals,
 						},
 					},
 				},
@@ -1237,10 +1237,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 					},
 					Condition: []chain.Condition{
 						{
-							Object: chain.ObjectRequest,
+							Kind:  chain.KindRequest,
-							Key:    nativeschema.PropertyKeyActorRole,
+							Key:   nativeschema.PropertyKeyActorRole,
-							Value:  nativeschema.PropertyValueContainerRoleOthers,
+							Value: nativeschema.PropertyValueContainerRoleOthers,
-							Op:     chain.CondStringEquals,
+							Op:    chain.CondStringEquals,
 						},
 					},
 				},
@@ -1280,10 +1280,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 					},
 					Condition: []chain.Condition{
 						{
-							Object: chain.ObjectRequest,
+							Kind:  chain.KindRequest,
-							Key:    nativeschema.PropertyKeyActorRole,
+							Key:   nativeschema.PropertyKeyActorRole,
-							Value:  nativeschema.PropertyValueContainerRoleOthers,
+							Value: nativeschema.PropertyValueContainerRoleOthers,
-							Op:     chain.CondStringEquals,
+							Op:    chain.CondStringEquals,
 						},
 					},
 				},
@@ -1323,10 +1323,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 					},
 					Condition: []chain.Condition{
 						{
-							Object: chain.ObjectRequest,
+							Kind:  chain.KindRequest,
-							Key:    nativeschema.PropertyKeyActorRole,
+							Key:   nativeschema.PropertyKeyActorRole,
-							Value:  nativeschema.PropertyValueContainerRoleOthers,
+							Value: nativeschema.PropertyValueContainerRoleOthers,
-							Op:     chain.CondStringEquals,
+							Op:    chain.CondStringEquals,
 						},
 					},
 				},
@@ -1366,10 +1366,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 					},
 					Condition: []chain.Condition{
 						{
-							Object: chain.ObjectRequest,
+							Kind:  chain.KindRequest,
-							Key:    nativeschema.PropertyKeyActorRole,
+							Key:   nativeschema.PropertyKeyActorRole,
-							Value:  nativeschema.PropertyValueContainerRoleOthers,
+							Value: nativeschema.PropertyValueContainerRoleOthers,
-							Op:     chain.CondStringEquals,
+							Op:    chain.CondStringEquals,
 						},
 					},
 				},
@@ -1410,10 +1410,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
 					},
 					Condition: []chain.Condition{
 						{
-							Object: chain.ObjectRequest,
+							Kind:  chain.KindRequest,
-							Key:    nativeschema.PropertyKeyActorRole,
+							Key:   nativeschema.PropertyKeyActorRole,
-							Value:  nativeschema.PropertyValueContainerRoleOthers,
+							Value: nativeschema.PropertyValueContainerRoleOthers,
-							Op:     chain.CondStringEquals,
+							Op:    chain.CondStringEquals,
 						},
 					},
 				},

pkg/services/object/ape/checker_test.go

@@ -312,10 +312,10 @@ func TestAPECheck(t *testing.T) {
 					Any: true,
 					Condition: []chain.Condition{
 						{
-							Op:     chain.CondStringLike,
+							Op:    chain.CondStringLike,
-							Object: chain.ObjectResource,
+							Kind:  chain.KindResource,
-							Key:    "attr1",
+							Key:   "attr1",
-							Value:  "attribute*",
+							Value: "attribute*",
 						},
 					},
 				},
@@ -351,10 +351,10 @@ func TestAPECheck(t *testing.T) {
 					Any: true,
 					Condition: []chain.Condition{
 						{
-							Op:     chain.CondStringLike,
+							Op:    chain.CondStringLike,
-							Object: chain.ObjectRequest,
+							Kind:  chain.KindRequest,
-							Key:    nativeschema.PropertyKeyActorPublicKey,
+							Key:   nativeschema.PropertyKeyActorPublicKey,
-							Value:  senderKey,
+							Value: senderKey,
 						},
 					},
 				},
@@ -381,10 +381,10 @@ func TestAPECheck(t *testing.T) {
 					Any: true,
 					Condition: []chain.Condition{
 						{
-							Op:     chain.CondStringEquals,
+							Op:    chain.CondStringEquals,
-							Object: chain.ObjectResource,
+							Kind:  chain.KindResource,
-							Key:    nativeschema.PropertyKeyObjectPayloadLength,
+							Key:   nativeschema.PropertyKeyObjectPayloadLength,
-							Value:  "1000",
+							Value: "1000",
 						},
 					},
 				},
@@ -503,10 +503,10 @@ func TestPutECChunk(t *testing.T) {
 				Any: true,
 				Condition: []chain.Condition{
 					{
-						Op:     chain.CondStringEquals,
+						Op:    chain.CondStringEquals,
-						Object: chain.ObjectResource,
+						Kind:  chain.KindResource,
-						Key:    "attr1",
+						Key:   "attr1",
-						Value:  "value",
+						Value: "value",
 					},
 				},
 			},