@startuml s3 ape
' Sequence diagram of how access policies reach the Access Policy Engine (APE)
' and how a GetObject request is checked against them.
' Three flows are drawn: IAM sets a policy, S3 sets a bucket policy, and a
' client fetches an object through the S3 gateway and a storage node.

participant "Client" as client

' IAM policies are not applied directly: the converter turns them into APE chains.
participant "IAM" as iam
participant "IAM -> APE converter" as converter

box "S3" #HotPink
  participant "S3 gateway" as s3
end box

' APE sits in front of the S3 gateway as middleware: a local override storage
' plus a chain router that evaluates requests against overrides and rules.
box "Access Policy Engine (as s3 middleware)" #LightPink
  participant "Local override storage" as s3localOverrides
  participant "Chain router" as s3chainRouter
end box

' Shared contract written to by both IAM and S3 (see the two "set a policy" groups).
' NOTE(review): no arrow in this diagram shows either chain router reading from
' the morph rule storage; presumably rules are loaded through the shared contract — confirm.
box "Policy contract (shared)" 
  participant "Morph rule storage" as morphRuleStorage
end box

' Second APE instance in front of the storage node, mirroring the S3-side one.
' NOTE(review): storageLocalOverrides is declared but no message in this diagram
' writes to or reads from it; only the S3-side overrides are set (by IAM).
box "Access Policy Engine (as storage middleware)" #LightGreen
  participant "Chain Router" as storageChainRouter
  participant "Local override storage" as storageLocalOverrides
end box

' NOTE(review): the control service is declared but takes part in no message here.
box "Storage node" #Green
  participant "Object service" as obj
  participant "Control service" as control
end box

' Flow 1: an IAM policy is converted to an APE chain, persisted together with
' the original policy, and additionally pushed to the S3-side local overrides.
' NOTE(review): no step checks that the client may set this policy; presumably
' handled inside IAM or out of scope for this diagram — confirm.
group Request IAM to set a policy
  client -> iam : Set IAM policy
  iam -> converter : Convert IAM policy
  converter -> iam : Return APE chain
  iam -> morphRuleStorage : Store IAM policy and APE chain
  iam -> s3localOverrides : Set S3 local overrides
  iam -> client : OK
end

' Flow 2: a bucket policy follows the same convert-and-store path, but unlike
' flow 1 it sets no local overrides — the chain only lands in morph rule storage.
' NOTE(review): as in flow 1, no authorization step for the set request is drawn — confirm.
group Request S3 to set a policy
  client -> s3 : Set bucket policy
  s3 -> converter : Convert IAM policy
  converter -> s3 : Return APE chain
  s3 -> morphRuleStorage : Store bucket policy and APE chain
  s3 -> client : OK
end

' Flow 3: GetObject is checked twice — once by the S3-side chain router before
' the gateway forwards to the storage node, and once by the storage-side router
' before the object service answers. Only the ALLOW path is drawn; what each
' router returns on deny, and that the gateway stops before calling obj in that
' case, is not shown here.
group Get object
  client -> s3: GetObject
  s3 -> s3chainRouter: Check if APE allows request for S3
  note over s3chainRouter: matching the request with overrides and rules
  s3chainRouter -> s3: Status: ALLOW
  s3 -> obj: Get object
  obj -> storageChainRouter: Check if APE allows the request
  note over storageChainRouter : matching the request with overrides and rules
  storageChainRouter -> obj: Status: ALLOW
  obj -> s3: Response: OK, Object
  s3 -> client: Response: OK, Object
end

@enduml