package util import ( "testing" policyengine "git.frostfs.info/TrueCloudLab/policy-engine" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" "github.com/stretchr/testify/require" ) func TestParseAPERule(t *testing.T) { tests := [...]struct { name string rule string expectErr error expectRule policyengine.Rule }{ { name: "Valid allow rule", rule: "allow Object.Put *", expectRule: policyengine.Rule{ Status: policyengine.Allow, Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}}, Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, Condition: []policyengine.Condition{}, }, }, { name: "Valid deny rule", rule: "deny Object.Put *", expectRule: policyengine.Rule{ Status: policyengine.AccessDenied, Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}}, Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, Condition: []policyengine.Condition{}, }, }, { name: "Valid deny rule with action detail", rule: "deny:QuotaLimitReached Object.Put *", expectRule: policyengine.Rule{ Status: policyengine.QuotaLimitReached, Actions: policyengine.Actions{Names: []string{nativeschema.MethodPutObject}}, Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, Condition: []policyengine.Condition{}, }, }, { name: "Valid allow rule with conditions", rule: "allow Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *", expectRule: policyengine.Rule{ Status: policyengine.Allow, Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}}, Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, Condition: []policyengine.Condition{ { Op: policyengine.CondStringEquals, Object: policyengine.ObjectResource, Key: "Department", Value: "HR", }, { Op: policyengine.CondStringNotEquals, Object: policyengine.ObjectRequest, Key: "Actor", Value: "ownerA", }, }, }, }, { name: "Valid rule with conditions with action detail", rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *", expectRule: policyengine.Rule{ Status: policyengine.QuotaLimitReached, Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}}, Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}}, Condition: []policyengine.Condition{ { Op: policyengine.CondStringEquals, Object: policyengine.ObjectResource, Key: "Department", Value: "HR", }, { Op: policyengine.CondStringNotEquals, Object: policyengine.ObjectRequest, Key: "Actor", Value: "ownerA", }, }, }, }, { name: "Invalid rule with unknown action", rule: "permit Object.Put *", expectErr: errUnknownAction, }, { name: "Invalid rule with unknown operation", rule: "allow Object.PutOut *", expectErr: errUnknownOperation, }, { name: "Invalid rule with unknown action detail", rule: "deny:UnknownActionDetail Object.Put *", expectErr: errUnknownActionDetail, }, { name: "Invalid rule with unknown condition binary operator", rule: "deny Object.Put Object.Resource:Department