package ape

// Flag names and the matching help descriptions for commands that work with
// Access Policy Engine (APE) rule chains. Each *Flag constant is the flag's
// name; the *FlagDesc constant next to it is the help text for that flag.
const (
	// RuleFlag names the flag that carries an APE rule. Its help text is
	// the multi-line RuleFlagDesc constant declared separately in this file.
	RuleFlag = "rule"

	// PathFlag points at an already encoded chain (JSON or binary).
	PathFlag     = "path"
	PathFlagDesc = "Path to encoded chain in JSON or binary format"

	// TargetNameFlag and TargetTypeFlag together identify the resource the
	// chain applies to: a name in APE resource name format plus its type.
	// The type decides whether a rule is scoped to one container or to a
	// whole namespace, so both values should be checked before a chain is
	// applied.
	TargetNameFlag     = "target-name"
	TargetNameFlagDesc = "Resource name in APE resource name format"
	TargetTypeFlag     = "target-type"
	TargetTypeFlagDesc = "Resource type(container/namespace)"

	// ChainIDFlag carries the chain identifier; ChainIDHexFlag is described
	// as the switch that makes the identifier be parsed as hex.
	ChainIDFlag        = "chain-id"
	ChainIDFlagDesc    = "Chain id"
	ChainIDHexFlag     = "chain-id-hex"
	ChainIDHexFlagDesc = "Flag to parse chain ID as hex"

	// ChainNameFlag selects the chain by name; the description lists
	// "ingress" and "s3" as the accepted values.
	ChainNameFlag     = "chain-name"
	ChainNameFlagDesc = "Chain name(ingress|s3)"

	// AllFlag has no description constant in this block; what "all" selects
	// is defined by the command that registers the flag.
	AllFlag = "all"
)

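// RuleFlagDesc is the help text for the rule flag. It describes the textual
// rule grammar: a status, then actions, conditions and resources.
//
// The text is shown to operators who write access rules, so its layout is
// part of the contract: RequestCondition is a condition kind and is listed
// under "Conditions:" at the same depth as ResourceCondition, and the
// example that combines both kinds sits at the "Conditions:" level.
//
// Points worth keeping in mind when reviewing rules written from this help:
//   - The wildcard forms ("Object.*", "Container.*", resource "*") cover
//     every operation or every resource of that kind, so an allow rule
//     using them is as broad as the grammar permits.
//   - Reserved property names start with '$'. The text asks for a '\' before
//     the '$'; presumably this is to stop the invoking shell from expanding
//     it (TODO confirm). An expanded name would make the condition test a
//     different key than the one the author intended.
//   - Conditions default to Any=false; per the notes below this is the same
//     setting the 'all' keyword selects explicitly.
const RuleFlagDesc = `Defines an Access Policy Engine (APE) rule in the format:
    <status>[:status_detail] <action>... <condition>... <resource>...

Status:
  - allow                   Permits specified actions
  - deny                    Prohibits specified actions
  - deny:QuotaLimitReached  Denies access due to quota limits

Actions:
    Object operations:
    - Object.Put, Object.Get, etc.
    - Object.*     (all object operations)
    Container operations:
    - Container.Put, Container.Get, etc.
    - Container.*  (all container operations)

Conditions:
    ResourceCondition:
      Format: ResourceCondition:"key"=value, "key"!=value
      Reserved properties (use '\' before '$'):
        - $Object:version
        - $Object:objectID
        - $Object:containerID
        - $Object:ownerID
        - $Object:creationEpoch
        - $Object:payloadLength
        - $Object:payloadHash
        - $Object:objectType
        - $Object:homomorphicHash

    RequestCondition:
      Format: RequestCondition:"key"=value, "key"!=value
      Reserved properties (use '\' before '$'):
        - $Actor:publicKey
        - $Actor:role

    Example:
      ResourceCondition:"check_key"!="check_value" RequestCondition:"$Actor:role"=others

Resources:
    For objects:
      - namespace/cid/oid    (specific object)
      - namespace/cid/*      (all objects in container)
      - namespace/*          (all objects in namespace)
      - *                    (all objects)
      - /*                   (all objects in root namespace)
      - /cid/*               (all objects in root container)
      - /cid/oid             (specific object in root container)

    For containers:
      - namespace/cid        (specific container)
      - namespace/*          (all containers in namespace)
      - *                    (all containers)
      - /cid                 (root container)
      - /*                   (all root containers)

Notes:
    - Cannot mix object and container operations in one rule
    - Default behavior is Any=false unless 'any' is specified
    - Use 'all' keyword to explicitly set Any=false`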