pkg/services/common/ape/checker.go

@@ -103,7 +103,7 @@ func (c *checkerCoreImpl) CheckAPE(prm CheckPrm) error {
 	if found && status == apechain.Allow {
 		return nil
 	}
-	return fmt.Errorf("access to operation %s is denied by access policy engine: %s", prm.Request.Operation(), status.String())
+	return newChainRouterError(prm.Request.Operation(), status)
 }
 
 // isValidBearer checks whether bearer token was correctly signed by authorized

pkg/services/common/ape/error.go

@@ -0,0 +1,33 @@
+package ape
+
+import (
+	"fmt"
+
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+)
+
+// ChainRouterError is returned when chain router validation prevents
+// the APE request from being processed (no rule found, access denied, etc.).
+type ChainRouterError struct {
+	operation string
+	status    apechain.Status
+}
+
+func (e *ChainRouterError) Error() string {
+	return fmt.Sprintf("access to operation %s is denied by access policy engine: %s", e.Operation(), e.Status())
+}
+
+func (e *ChainRouterError) Operation() string {
+	return e.operation
+}
+
+func (e *ChainRouterError) Status() apechain.Status {
+	return e.status
+}
+
+func newChainRouterError(operation string, status apechain.Status) *ChainRouterError {
+	return &ChainRouterError{
+		operation: operation,
+		status:    status,
+	}
+}

pkg/services/object/ape/errors.go

@@ -1,10 +1,19 @@
 package ape
 
 import (
+	"errors"
+
+	checkercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
 )
 
 func toStatusErr(err error) error {
+	var chRouterErr *checkercore.ChainRouterError
+	if !errors.As(err, &chRouterErr) {
+		errServerInternal := &apistatus.ServerInternal{}
+		apistatus.WriteInternalServerErr(errServerInternal, err)
+		return errServerInternal
+	}
 	errAccessDenied := &apistatus.ObjectAccessDenied{}
 	errAccessDenied.WriteReason("ape denied request: " + err.Error())
 	return errAccessDenied

pkg/services/tree/signature.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	core "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+	checkercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
@@ -70,6 +71,12 @@ func (s *Service) verifyClient(ctx context.Context, req message, cid cidSDK.ID,
 }
 
 func apeErr(err error) error {
+	var chRouterErr *checkercore.ChainRouterError
+	if !errors.As(err, &chRouterErr) {
+		errServerInternal := &apistatus.ServerInternal{}
+		apistatus.WriteInternalServerErr(errServerInternal, err)
+		return errServerInternal
+	}
 	errAccessDenied := &apistatus.ObjectAccessDenied{}
 	errAccessDenied.WriteReason(err.Error())
 	return errAccessDenied