From 0f064b79628c52779d6fbdebdbcb2e74597240ce Mon Sep 17 00:00:00 2001
From: Airat Arifullin <a.arifullin@yadro.com>
Date: Fri, 16 Feb 2024 13:13:54 +0300
Subject: [PATCH] [#989] util: Introduce any and all statements for ape rule
 parsing

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
---
 cmd/frostfs-cli/docs/policy.md      |  3 +++
 cmd/frostfs-cli/modules/util/ape.go | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/cmd/frostfs-cli/docs/policy.md b/cmd/frostfs-cli/docs/policy.md
index 06c325c6..43dd97fc 100644
--- a/cmd/frostfs-cli/docs/policy.md
+++ b/cmd/frostfs-cli/docs/policy.md
@@ -30,6 +30,9 @@ Actions is a regular operations upon FrostFS containers/objects. Like `Object.Pu
 
 In status section it is possible to use `allow`, `deny` or `deny:QuotaLimitReached` actions.
 
+If a statement does not contain lexeme `any`, field `Any` is set to `false` by default. Otherwise, it is set
+to `true`. Optionally, `all` can be used - it also sets `Any=false`.
+
 It is prohibited to mix operation under FrostFS container and object in one rule.
 The same statement is equal for conditions and resources - one rule is for one type of items.
 
diff --git a/cmd/frostfs-cli/modules/util/ape.go b/cmd/frostfs-cli/modules/util/ape.go
index dfe70e7d..41d186b0 100644
--- a/cmd/frostfs-cli/modules/util/ape.go
+++ b/cmd/frostfs-cli/modules/util/ape.go
@@ -100,6 +100,8 @@ func ParseAPEChain(chain *apechain.Chain, rules []string) error {
 // deny:QuotaLimitReached Object.Put *
 // allow Object.Put *
 // allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
+// allow Object.Get any Object.Resource:Department=HR Object.Request:Actor=ownerA *
+// allow Object.Get all Object.Resource:Department=HR Object.Request:Actor=ownerA *
 //
 //nolint:godot
 func ParseAPERule(r *apechain.Rule, rule string) error {
@@ -123,6 +125,12 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
 
 	var isObject *bool
 	for i, lexeme := range lexemes[1:] {
+		anyExpr, anyErr := parseAnyAll(lexeme)
+		if anyErr == nil {
+			r.Any = anyExpr
+			continue
+		}
+
 		var name string
 		var actionType bool
 		name, actionType, err = parseAction(lexeme)
@@ -158,6 +166,17 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
 	return nil
 }
 
+func parseAnyAll(lexeme string) (bool, error) {
+	switch strings.ToLower(lexeme) {
+	case "any":
+		return true, nil
+	case "all":
+		return false, nil
+	default:
+		return false, fmt.Errorf("any/all is not parsed")
+	}
+}
+
 func parseStatus(lexeme string) (apechain.Status, error) {
 	action, expression, found := strings.Cut(lexeme, ":")
 	switch strings.ToLower(action) {