[#17] iam: Add converter to native/s3 policy

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

.forgejo/workflows/dco.yml

@@ -16,6 +16,6 @@ jobs:
           go-version: '1.21'
 
       - name: Run commit format checker
-        uses: https://git.frostfs.info/TrueCloudLab/dco-go@v3
+        uses: https://git.frostfs.info/TrueCloudLab/dco-go@v2
         with:
           from: 'origin/${{ github.event.pull_request.base.ref }}'

.gitattributes

@@ -1,4 +1,2 @@
 /**/*.pb.go -diff -merge
 /**/*.pb.go linguist-generated=true
-/**/*_easyjson.go -diff -merge
-/**/*_easyjson.go linguist-generated=true

Makefile

@@ -5,8 +5,6 @@ TMP_DIR := .cache
 OUTPUT_LINT_DIR ?= $(shell pwd)/bin
 LINT_VERSION ?= 1.55.1
 LINT_DIR = $(OUTPUT_LINT_DIR)/golangci-lint-$(LINT_VERSION)-v$(TRUECLOUDLAB_LINT_VERSION)
-EASYJSON_VERSION ?= $(shell go list -f '{{.Version}}' -m github.com/mailru/easyjson)
-EASYJSON_DIR ?= $(shell pwd)/bin/easyjson-$(EASYJSON_VERSION)
 
 # Run all code formatters
 fmts: fmt imports
@@ -62,15 +60,3 @@ staticcheck-install:
 # Run staticcheck
 staticcheck-run:
 	@staticcheck ./...
-
-easyjson-install:
-	@rm -rf $(EASYJSON_DIR)
-	@mkdir -p $(EASYJSON_DIR)
-	@GOBIN=$(EASYJSON_DIR) go install github.com/mailru/easyjson/...@$(EASYJSON_VERSION)
-
-generate:
-	@if [ ! -d "$(EASYJSON_DIR)" ]; then \
-		make easyjson-install; \
-	fi
-	find ./ -name "_easyjson.go" -exec rm -rf {} \;
-	$(EASYJSON_DIR)/easyjson ./pkg/chain/chain.go

docs/resource.md

@@ -1,20 +0,0 @@
-# Resource
-
-From the point of the access policy engine, a resource is an object to which a request is being performed. 
-This can be an object in a container within a namespace, or all objects in a container,
-or all containers within the root namespace etc.
-
-A resource can be viewed from two sides:
- - As part of a [request](../pkg/resource/resource.go). In this case a resource has a name and properties.
- - As part of rule [chain](../pkg/chain/chain.go): a resource has just a name.
-
-## Resource name
-
-A resource name must have a such format that can be processed by a chain router that matches a request
-either with local overrides or with rules within policy contract to get if this request is allowed to be performed.
-The main idea of this format is for the chain router to match by full name (`native:object//cnrID/objID`) or
-wildcard (`native:object//cnrID/*`).
-
-Check out formats that are defined in the schema: [native formats](../schema/native/consts.go), [s3 formats](../schema/s3/consts.go).
-You should validate a resource name using [util](../schema/native/util/validation.go) before instantiating a request or
-before putting it to either to local override storage or the policy contract storage.

go.mod

@@ -3,26 +3,23 @@ module git.frostfs.info/TrueCloudLab/policy-engine
 go 1.20
 
 require (
-	git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958
+	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231114081800-3787477133f3
-	github.com/google/uuid v1.3.0
+	github.com/nspcc-dev/neo-go v0.103.1
-	github.com/mailru/easyjson v0.7.7
-	github.com/nspcc-dev/neo-go v0.103.0
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
 )
 
 require (
+	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230802075510-964c3edb3f44 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
-	github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 // indirect
-	github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 // indirect
 	github.com/nspcc-dev/rfc6979 v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,49 +1,40 @@
-git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958 h1:X9yPizADIhD3K/gdKVCthlAnf9aQ3UJJGnZgIwwixRQ=
+git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230802075510-964c3edb3f44 h1:v6JqBD/VzZx3QSxbaXnUwnnJ1KEYheU4LzLGr3IhsAE=
-git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958/go.mod h1:rQWdsG18NaiFvkJpMguJev913KD/yleHaniRBkUyt0o=
+git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.15.1-0.20230802075510-964c3edb3f44/go.mod h1:pKJJRLOChW4zDQsAt1e8k/snWKljJtpkiPfxV53ngjI=
+git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231114081800-3787477133f3 h1:Qa35bB58plMb14LIsYzu2ibeYfsY2taFnbZytv9Ao3M=
+git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231114081800-3787477133f3/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
 github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
 github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
-github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 h1:n4ZaFCKt1pQJd7PXoMJabZWK9ejjbLOVrkl/lOUmshg=
+github.com/nspcc-dev/neo-go v0.103.1 h1:BfRBceHUu8jSc1KQy7CzmQ/pa+xzAmgcyteGf0/IGgM=
-github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22/go.mod h1:79bEUDEviBHJMFV6Iq6in57FEOCMcRhfQnfaf0ETA5U=
+github.com/nspcc-dev/neo-go v0.103.1/go.mod h1:MD7MPiyshUwrE5n1/LzxeandbItaa/iLW/bJb6gNs/U=
-github.com/nspcc-dev/neo-go v0.103.0 h1:UVyWPhzZdfYFG35ORP3FRDLh8J/raRQ6m8SptDdlgfM=
-github.com/nspcc-dev/neo-go v0.103.0/go.mod h1:x+wmcYqpZYJwLp1l/pHZrqNp3RSWlkMymWGDij3/OPo=
-github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5 h1:09CpI5uwsxb1EeFPIKQRwwWlfCmDD/Dwwh01lPiQScM=
-github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20231020160724-c3955f87d1b5/go.mod h1:J/Mk6+nKeKSW4wygkZQFLQ6SkLOSGX5Ga0RuuuktEag=
 github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
 github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954 h1:xQdMZ1WLrgkkvOZ/LDQxjVxMLdby7osSh4ZEVa5sIjs=
-github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo=
-github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74/go.mod h1:RmMWU37GKR2s6pgrIEB4ixgpVCt/cf7dnJv3fuH1J1c=
-go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
-golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

iam/converter.go

@@ -6,9 +6,10 @@ import (
 	"strconv"
 	"strings"
 	"time"
-	"unicode/utf8"
 
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 )
 
 const condKeyAWSPrincipalARN = "aws:PrincipalArn"
@@ -50,16 +51,12 @@ const (
 	CondArnLike      string = "ArnLike"
 	CondArnNotEquals string = "ArnNotEquals"
 	CondArnNotLike   string = "ArnNotLike"
-
-	// Custom condition operators.
-	CondSliceContains string = "SliceContains"
 )
 
 const (
 	arnIAMPrefix     = "arn:aws:iam::"
 	s3ResourcePrefix = "arn:aws:s3:::"
 	s3ActionPrefix   = "s3:"
-	iamActionPrefix  = "iam:"
 )
 
 var (
@@ -68,14 +65,21 @@ var (
 
 	// ErrInvalidResourceFormat occurs when resource has unknown/unsupported format.
 	ErrInvalidResourceFormat = errors.New("invalid resource format")
-
-	// ErrInvalidActionFormat occurs when action has unknown/unsupported format.
-	ErrInvalidActionFormat = errors.New("invalid action format")
-
-	// ErrActionsNotApplicable occurs when failed to convert any actions.
-	ErrActionsNotApplicable = errors.New("actions not applicable")
 )
 
+type UserResolver interface {
+	GetUserKey(account, user string) (*keys.PublicKey, error)
+}
+
+type BucketResolver interface {
+	GetBucketCID(bucket string) (cid.ID, error)
+}
+
+type Resolver interface {
+	UserResolver
+	BucketResolver
+}
+
 type formPrincipalConditionFunc func(string) chain.Condition
 
 type transformConditionFunc func(gr GroupedConditions) (GroupedConditions, error)
@@ -197,8 +201,6 @@ func getConditionTypeAndConverter(op string) (chain.ConditionType, convertFuncti
 		return chain.CondStringLike, noConvertFunction, nil
 	case op == CondNotIPAddress:
 		return chain.CondStringNotLike, noConvertFunction, nil
-	case op == CondSliceContains:
-		return chain.CondSliceContains, noConvertFunction, nil
 	default:
 		return 0, nil, fmt.Errorf("unsupported condition operator: '%s'", op)
 	}
@@ -252,38 +254,29 @@ func parsePrincipalAsIAMUser(principal string) (account string, user string, err
 	return account, user, nil
 }
 
-func validateResource(resource string) error {
+func parseResourceAsS3ARN(resource string) (bucket string, object string, err error) {
-	if resource == Wildcard {
+	if !strings.HasPrefix(resource, s3ResourcePrefix) {
-		return nil
+		return "", "", ErrInvalidResourceFormat
 	}
 
-	if !strings.HasPrefix(resource, s3ResourcePrefix) && !strings.HasPrefix(resource, arnIAMPrefix) {
+	// iam arn format arn:aws:s3:::<bucket-name>/<object-name>
-		return ErrInvalidResourceFormat
+	s3Resource := strings.TrimPrefix(resource, s3ResourcePrefix)
+	sepIndex := strings.Index(s3Resource, "/")
+	if sepIndex < 0 {
+		return s3Resource, Wildcard, nil
 	}
 
-	index := strings.IndexByte(resource, Wildcard[0])
+	bucket = s3Resource[:sepIndex]
-	if index != -1 && index != utf8.RuneCountInString(resource)-1 {
+	object = s3Resource[sepIndex+1:]
-		return ErrInvalidResourceFormat
+	if len(object) == 0 {
+		return bucket, Wildcard, nil
 	}
 
-	return nil
+	if bucket == Wildcard && object != Wildcard {
+		return "", "", ErrInvalidResourceFormat
 	}
 
-func validateAction(action string) error {
+	return bucket, object, nil
-	if action == Wildcard {
-		return nil
-	}
-
-	if !strings.HasPrefix(action, s3ActionPrefix) && !strings.HasPrefix(action, iamActionPrefix) {
-		return ErrInvalidActionFormat
-	}
-
-	index := strings.IndexByte(action, Wildcard[0])
-	if index != -1 && index != utf8.RuneCountInString(action)-1 {
-		return ErrInvalidActionFormat
-	}
-
-	return nil
 }
 
 func splitGroupedConditions(groupedConditions []GroupedConditions) [][]chain.Condition {

iam/converter_native.go

@@ -1,6 +1,7 @@
 package iam
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
@@ -10,64 +11,26 @@ import (
 
 const PropertyKeyFilePath = "FilePath"
 
-var supportedActionToNativeOpMap = map[string][]string{
+// ErrActionsNotApplicable occurs when failed to convert any actions.
-	supportedS3NativeActionDeleteObject: {native.MethodDeleteObject, native.MethodHeadObject},
+var ErrActionsNotApplicable = errors.New("actions not applicable")
-	supportedS3NativeActionHeadObject:   {native.MethodHeadObject},
-	supportedS3NativeActionGetObject:    {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
-	supportedS3NativeActionPutObject:    {native.MethodPutObject},
-	supportedS3NativeActionListBucket:   {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
 
-	supportedS3NativeActionCreateBucket:    {native.MethodPutContainer},
+var actionToOpMap = map[string][]string{
-	supportedS3NativeActionDeleteBucket:    {native.MethodDeleteContainer},
+	supportedS3ActionDeleteObject: {native.MethodDeleteObject},
-	supportedS3NativeActionListAllMyBucket: {native.MethodListContainers},
+	supportedS3ActionGetObject:    {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
-	supportedS3NativeActionPutBucketACL:    {native.MethodSetContainerEACL},
+	supportedS3ActionHeadObject:   {native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
-	supportedS3NativeActionGetBucketACL:    {native.MethodGetContainerEACL},
+	supportedS3ActionPutObject:    {native.MethodPutObject},
-}
+	supportedS3ActionListBucket:   {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},
-
-var containerNativeOperations = map[string]struct{}{
-	native.MethodPutContainer:     {},
-	native.MethodDeleteContainer:  {},
-	native.MethodGetContainer:     {},
-	native.MethodListContainers:   {},
-	native.MethodSetContainerEACL: {},
-	native.MethodGetContainerEACL: {},
-}
-
-var objectNativeOperations = map[string]struct{}{
-	native.MethodGetObject:    {},
-	native.MethodPutObject:    {},
-	native.MethodHeadObject:   {},
-	native.MethodDeleteObject: {},
-	native.MethodSearchObject: {},
-	native.MethodRangeObject:  {},
-	native.MethodHashObject:   {},
 }
 
 const (
-	supportedS3NativeActionDeleteObject = "s3:DeleteObject"
+	supportedS3ActionDeleteObject = "DeleteObject"
-	supportedS3NativeActionGetObject    = "s3:GetObject"
+	supportedS3ActionGetObject    = "GetObject"
-	supportedS3NativeActionHeadObject   = "s3:HeadObject"
+	supportedS3ActionHeadObject   = "HeadObject"
-	supportedS3NativeActionPutObject    = "s3:PutObject"
+	supportedS3ActionPutObject    = "PutObject"
-	supportedS3NativeActionListBucket   = "s3:ListBucket"
+	supportedS3ActionListBucket   = "ListBucket"
-
-	supportedS3NativeActionCreateBucket    = "s3:CreateBucket"
-	supportedS3NativeActionDeleteBucket    = "s3:DeleteBucket"
-	supportedS3NativeActionListAllMyBucket = "s3:ListAllMyBuckets"
-	supportedS3NativeActionPutBucketACL    = "s3:PutBucketAcl"
-	supportedS3NativeActionGetBucketACL    = "s3:GetBucketAcl"
 )
 
-type NativeResolver interface {
+func ConvertToNativeChain(p Policy, resolver Resolver) (*chain.Chain, error) {
-	GetUserKey(account, name string) (string, error)
-	GetBucketInfo(bucket string) (*BucketInfo, error)
-}
-
-type BucketInfo struct {
-	Namespace string
-	Container string
-}
-
-func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, error) {
 	if err := p.Validate(ResourceBasedPolicyType); err != nil {
 		return nil, err
 	}
@@ -78,17 +41,13 @@ func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, erro
 		status := formStatus(statement)
 
 		action, actionInverted := statement.action()
-		nativeActions, err := formNativeActionNames(action)
+		ruleAction := chain.Actions{Inverted: actionInverted, Names: formNativeActionNames(action)}
-		if err != nil {
-			return nil, err
-		}
-		ruleAction := chain.Actions{Inverted: actionInverted, Names: nativeActions}
 		if len(ruleAction.Names) == 0 {
 			continue
 		}
 
 		resource, resourceInverted := statement.resource()
-		groupedResources, err := formNativeResourceNamesAndConditions(resource, resolver, getActionTypes(nativeActions))
+		groupedResources, err := formNativeResourceNamesAndConditions(resource, resolver)
 		if err != nil {
 			return nil, err
 		}
@@ -107,12 +66,7 @@ func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, erro
 		for _, groupedResource := range groupedResources {
 			for _, principal := range principals {
 				for _, conditions := range splitConditions {
-					var principalCondition []chain.Condition
+					ruleConditions := append([]chain.Condition{principalCondFn(principal)}, groupedResource.Conditions...)
-					if principal != Wildcard {
-						principalCondition = []chain.Condition{principalCondFn(principal)}
-					}
-
-					ruleConditions := append(principalCondition, groupedResource.Conditions...)
 
 					r := chain.Rule{
 						Status:  status,
@@ -136,24 +90,7 @@ func ConvertToNativeChain(p Policy, resolver NativeResolver) (*chain.Chain, erro
 	return &engineChain, nil
 }
 
-func getActionTypes(nativeActions []string) ActionTypes {
+func getNativePrincipalsAndConditionFunc(statement Statement, resolver UserResolver) ([]string, formPrincipalConditionFunc, error) {
-	var res ActionTypes
-	for _, action := range nativeActions {
-		if res.Object && res.Container {
-			break
-		}
-
-		_, isObj := objectNativeOperations[action]
-		_, isCnr := containerNativeOperations[action]
-
-		res.Object = isObj || action == Wildcard
-		res.Container = isCnr || action == Wildcard
-	}
-
-	return res
-}
-
-func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeResolver) ([]string, formPrincipalConditionFunc, error) {
 	var principals []string
 	var op chain.ConditionType
 	statementPrincipal, inverted := statement.principal()
@@ -188,7 +125,7 @@ func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeRes
 	}, nil
 }
 
-func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
+func convertToNativeChainCondition(c Conditions, resolver UserResolver) ([]GroupedConditions, error) {
 	return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
 		for i := range gr.Conditions {
 			if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
@@ -210,67 +147,35 @@ type GroupedResources struct {
 	Conditions []chain.Condition
 }
 
-type ActionTypes struct {
+func formNativeResourceNamesAndConditions(names []string, resolver BucketResolver) ([]GroupedResources, error) {
-	Object    bool
-	Container bool
-}
-
-func formNativeResourceNamesAndConditions(names []string, resolver NativeResolver, actionTypes ActionTypes) ([]GroupedResources, error) {
-	if !actionTypes.Object && !actionTypes.Container {
-		return nil, ErrActionsNotApplicable
-	}
-
 	res := make([]GroupedResources, 0, len(names))
 
 	var combined []string
 
-	for _, resource := range names {
+	for i := range names {
-		if err := validateResource(resource); err != nil {
+		bkt, obj, err := parseResourceAsS3ARN(names[i])
-			return nil, err
-		}
-
-		if resource == Wildcard {
-			res = res[:0]
-			return append(res, formWildcardNativeResource(actionTypes)), nil
-		}
-
-		if !strings.HasPrefix(resource, s3ResourcePrefix) {
-			continue
-		}
-
-		var bkt, obj string
-		s3Resource := strings.TrimPrefix(resource, s3ResourcePrefix)
-		if s3Resource == Wildcard {
-			res = res[:0]
-			return append(res, formWildcardNativeResource(actionTypes)), nil
-		}
-
-		if sepIndex := strings.Index(s3Resource, "/"); sepIndex < 0 {
-			bkt = s3Resource
-		} else {
-			bkt = s3Resource[:sepIndex]
-			obj = s3Resource[sepIndex+1:]
-			if len(obj) == 0 {
-				obj = Wildcard
-			}
-		}
-
-		bktInfo, err := resolver.GetBucketInfo(bkt)
 		if err != nil {
 			return nil, err
 		}
 
-		if obj == Wildcard && actionTypes.Object { // this corresponds to arn:aws:s3:::BUCKET/ or arn:aws:s3:::BUCKET/*
+		if bkt == Wildcard {
-			combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container))
+			res = res[:0]
-			continue
+			return append(res, GroupedResources{Names: []string{native.ResourceFormatAllObjects}}), nil
 		}
-		if obj == "" && actionTypes.Container { // this corresponds to arn:aws:s3:::BUCKET
+
-			combined = append(combined, fmt.Sprintf(native.ResourceFormatNamespaceContainer, bktInfo.Namespace, bktInfo.Container))
+		cnrID, err := resolver.GetBucketCID(bkt)
+		if err != nil {
+			return nil, err
+		}
+		resource := fmt.Sprintf(native.ResourceFormatRootContainerObjects, cnrID.EncodeToString())
+
+		if obj == Wildcard {
+			combined = append(combined, resource)
 			continue
 		}
 
 		res = append(res, GroupedResources{
-			Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, bktInfo.Namespace, bktInfo.Container)},
+			Names: []string{resource},
 			Conditions: []chain.Condition{
 				{
 					Op:     chain.CondStringLike,
@@ -289,19 +194,7 @@ func formNativeResourceNamesAndConditions(names []string, resolver NativeResolve
 	return res, nil
 }
 
-func formWildcardNativeResource(actionTypes ActionTypes) GroupedResources {
+func formNativePrincipal(principal []string, resolver UserResolver) ([]string, error) {
-	groupedNames := make([]string, 0, 2)
-	if actionTypes.Object {
-		groupedNames = append(groupedNames, native.ResourceFormatAllObjects)
-	}
-	if actionTypes.Container {
-		groupedNames = append(groupedNames, native.ResourceFormatAllContainers)
-	}
-
-	return GroupedResources{Names: groupedNames}
-}
-
-func formNativePrincipal(principal []string, resolver NativeResolver) ([]string, error) {
 	res := make([]string, len(principal))
 
 	var err error
@@ -314,7 +207,7 @@ func formNativePrincipal(principal []string, resolver NativeResolver) ([]string,
 	return res, nil
 }
 
-func formPrincipalKey(principal string, resolver NativeResolver) (string, error) {
+func formPrincipalKey(principal string, resolver UserResolver) (string, error) {
 	account, user, err := parsePrincipalAsIAMUser(principal)
 	if err != nil {
 		return "", err
@@ -322,34 +215,22 @@ func formPrincipalKey(principal string, resolver NativeResolver) (string, error)
 
 	key, err := resolver.GetUserKey(account, user)
 	if err != nil {
-		return "", fmt.Errorf("get user key: %w", err)
+		return "", fmt.Errorf("resolve user: %w", err)
 	}
 
-	return key, nil
+	return string(key.Bytes()), nil
 }
 
-func formNativeActionNames(names []string) ([]string, error) {
+func formNativeActionNames(names []string) []string {
 	res := make([]string, 0, len(names))
 
-	for _, action := range names {
+	for i := range names {
-		if err := validateAction(action); err != nil {
+		trimmed := strings.TrimPrefix(names[i], s3ActionPrefix)
-			return nil, err
+		if trimmed == Wildcard {
+			return []string{Wildcard}
+		}
+		res = append(res, actionToOpMap[trimmed]...)
 	}
 
-		if action == Wildcard {
+	return res
-			return []string{Wildcard}, nil
-		}
-
-		if !strings.HasPrefix(action, s3ActionPrefix) {
-			continue
-		}
-
-		if strings.TrimPrefix(action, s3ActionPrefix) == Wildcard {
-			return []string{Wildcard}, nil
-		}
-
-		res = append(res, supportedActionToNativeOpMap[action]...)
-	}
-
-	return res, nil
 }

iam/converter_s3.go

@@ -2,86 +2,13 @@ package iam
 
 import (
 	"fmt"
+	"strings"
 
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
 )
 
-var specialActionToS3OpMap = map[string][]string{
+func ConvertToS3Chain(p Policy, resolver UserResolver) (*chain.Chain, error) {
-	specialS3ActionsListAllMyBuckets:                 {"s3:ListBuckets"},
-	specialS3ActionsListBucket:                       {"s3:HeadBucket", "s3:GetBucketLocation", "s3:ListObjectsV1", "s3:ListObjectsV2"},
-	specialS3ActionsListBucketVersions:               {"s3:ListBucketObjectVersions"},
-	specialS3ActionsListBucketMultipartUploads:       {"s3:ListMultipartUploads"},
-	specialS3ActionsGetBucketObjectLockConfiguration: {"s3:GetBucketObjectLockConfig"},
-	specialS3ActionsGetEncryptionConfiguration:       {"s3:GetBucketEncryption"},
-	specialS3ActionsGetLifecycleConfiguration:        {"s3:GetBucketLifecycle"},
-	specialS3ActionsGetBucketACL:                     {"s3:GetBucketACL"},
-	specialS3ActionsGetBucketCORS:                    {"s3:GetBucketCors"},
-	specialS3ActionsPutBucketTagging:                 {"s3:PutBucketTagging", "s3:DeleteBucketTagging"},
-	specialS3ActionsPutBucketObjectLockConfiguration: {"s3:PutBucketObjectLockConfig"},
-	specialS3ActionsPutEncryptionConfiguration:       {"s3:PutBucketEncryption", "s3:DeleteBucketEncryption"},
-	specialS3ActionsPutLifecycleConfiguration:        {"s3:PutBucketLifecycle", "s3:DeleteBucketLifecycle"},
-	specialS3ActionsPutBucketACL:                     {"s3:PutBucketACL"},
-	specialS3ActionsPutBucketCORS:                    {"s3:PutBucketCors", "s3:DeleteBucketCors"},
-	specialS3ActionsDeleteBucketCORS:                 {"s3:DeleteBucketCors"},
-
-	specialS3ActionsListMultipartUploadParts:   {"s3:ListParts"},
-	specialS3ActionsGetObjectACL:               {"s3:GetObjectACL"},
-	specialS3ActionsGetObject:                  {"s3:GetObject", "s3:HeadObject"},
-	specialS3ActionsGetObjectVersion:           {"s3:GetObject", "s3:HeadObject"},
-	specialS3ActionsGetObjectVersionACL:        {"s3:GetObjectACL"},
-	specialS3ActionsGetObjectVersionAttributes: {"s3:GetObjectAttributes"},
-	specialS3ActionsGetObjectVersionTagging:    {"s3:GetObjectTagging"},
-	specialS3ActionsPutObjectACL:               {"s3:PutObjectACL"},
-	specialS3ActionsPutObjectVersionACL:        {"s3:PutObjectACL"},
-	specialS3ActionsPutObjectVersionTagging:    {"s3:PutObjectTagging"},
-	specialS3ActionsPutObject: {
-		"s3:PutObject", "s3:PostObject", "s3:CopyObject",
-		"s3:UploadPart", "s3:UploadPartCopy", "s3:CreateMultipartUpload", "s3:CompleteMultipartUpload",
-	},
-	specialS3ActionsDeleteObjectVersionTagging: {"s3:DeleteObjectTagging"},
-	specialS3ActionsDeleteObject:               {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
-	specialS3ActionsDeleteObjectVersion:        {"s3:DeleteObject", "s3:DeleteMultipleObjects"},
-}
-
-const (
-	specialS3ActionsListAllMyBuckets                 = "s3:ListAllMyBuckets"
-	specialS3ActionsListBucket                       = "s3:ListBucket"
-	specialS3ActionsListBucketVersions               = "s3:ListBucketVersions"
-	specialS3ActionsListBucketMultipartUploads       = "s3:ListBucketMultipartUploads"
-	specialS3ActionsGetBucketObjectLockConfiguration = "s3:GetBucketObjectLockConfiguration"
-	specialS3ActionsGetEncryptionConfiguration       = "s3:GetEncryptionConfiguration"
-	specialS3ActionsGetLifecycleConfiguration        = "s3:GetLifecycleConfiguration"
-	specialS3ActionsGetBucketACL                     = "s3:GetBucketAcl"
-	specialS3ActionsGetBucketCORS                    = "s3:GetBucketCORS"
-	specialS3ActionsPutBucketTagging                 = "s3:PutBucketTagging"
-	specialS3ActionsPutBucketObjectLockConfiguration = "s3:PutBucketObjectLockConfiguration"
-	specialS3ActionsPutEncryptionConfiguration       = "s3:PutEncryptionConfiguration"
-	specialS3ActionsPutLifecycleConfiguration        = "s3:PutLifecycleConfiguration"
-	specialS3ActionsPutBucketACL                     = "s3:PutBucketAcl"
-	specialS3ActionsPutBucketCORS                    = "s3:PutBucketCORS"
-	specialS3ActionsDeleteBucketCORS                 = "s3:DeleteBucketCORS"
-	specialS3ActionsListMultipartUploadParts         = "s3:ListMultipartUploadParts"
-	specialS3ActionsGetObjectACL                     = "s3:GetObjectAcl"
-	specialS3ActionsGetObject                        = "s3:GetObject"
-	specialS3ActionsGetObjectVersion                 = "s3:GetObjectVersion"
-	specialS3ActionsGetObjectVersionACL              = "s3:GetObjectVersionAcl"
-	specialS3ActionsGetObjectVersionAttributes       = "s3:GetObjectVersionAttributes"
-	specialS3ActionsGetObjectVersionTagging          = "s3:GetObjectVersionTagging"
-	specialS3ActionsPutObjectACL                     = "s3:PutObjectAcl"
-	specialS3ActionsPutObjectVersionACL              = "s3:PutObjectVersionAcl"
-	specialS3ActionsPutObjectVersionTagging          = "s3:PutObjectVersionTagging"
-	specialS3ActionsPutObject                        = "s3:PutObject"
-	specialS3ActionsDeleteObjectVersionTagging       = "s3:DeleteObjectVersionTagging"
-	specialS3ActionsDeleteObject                     = "s3:DeleteObject"
-	specialS3ActionsDeleteObjectVersion              = "s3:DeleteObjectVersion"
-)
-
-type S3Resolver interface {
-	GetUserAddress(account, user string) (string, error)
-}
-
-func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
 	if err := p.Validate(ResourceBasedPolicyType); err != nil {
 		return nil, err
 	}
@@ -91,21 +18,11 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
 	for _, statement := range p.Statement {
 		status := formStatus(statement)
 
-		actions, actionInverted := statement.action()
+		action, actionInverted := statement.action()
-		s3Actions, err := formS3ActionNames(actions)
+		ruleAction := chain.Actions{Inverted: actionInverted, Names: formS3ActionNames(action)}
-		if err != nil {
-			return nil, err
-		}
-		ruleAction := chain.Actions{Inverted: actionInverted, Names: s3Actions}
-		if len(ruleAction.Names) == 0 {
-			continue
-		}
 
-		resources, resourceInverted := statement.resource()
+		resource, resourceInverted := statement.resource()
-		if err := validateS3ResourceNames(resources); err != nil {
+		ruleResource := chain.Resources{Inverted: resourceInverted, Names: formS3ResourceNamesAndConditions(resource)}
-			return nil, err
-		}
-		ruleResource := chain.Resources{Inverted: resourceInverted, Names: resources}
 
 		groupedConditions, err := convertToS3ChainCondition(statement.Conditions, resolver)
 		if err != nil {
@@ -120,30 +37,21 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
 
 		for _, principal := range principals {
 			for _, conditions := range splitConditions {
-				var principalCondition []chain.Condition
-				if principal != Wildcard {
-					principalCondition = []chain.Condition{principalCondFn(principal)}
-				}
-
 				r := chain.Rule{
 					Status:    status,
 					Actions:   ruleAction,
 					Resources: ruleResource,
-					Condition: append(principalCondition, conditions...),
+					Condition: append([]chain.Condition{principalCondFn(principal)}, conditions...),
 				}
 				engineChain.Rules = append(engineChain.Rules, r)
 			}
 		}
 	}
 
-	if len(engineChain.Rules) == 0 {
-		return nil, ErrActionsNotApplicable
-	}
-
 	return &engineChain, nil
 }
 
-func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) ([]string, formPrincipalConditionFunc, error) {
+func getS3PrincipalsAndConditionFunc(statement Statement, resolver UserResolver) ([]string, formPrincipalConditionFunc, error) {
 	var principals []string
 	var op chain.ConditionType
 	statementPrincipal, inverted := statement.principal()
@@ -178,7 +86,7 @@ func getS3PrincipalsAndConditionFunc(statement Statement, resolver S3Resolver) (
 	}, nil
 }
 
-func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedConditions, error) {
+func convertToS3ChainCondition(c Conditions, resolver UserResolver) ([]GroupedConditions, error) {
 	return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
 		for i := range gr.Conditions {
 			if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
@@ -195,7 +103,7 @@ func convertToS3ChainCondition(c Conditions, resolver S3Resolver) ([]GroupedCond
 	})
 }
 
-func formS3Principal(principal []string, resolver S3Resolver) ([]string, error) {
+func formS3Principal(principal []string, resolver UserResolver) ([]string, error) {
 	res := make([]string, len(principal))
 
 	var err error
@@ -208,48 +116,34 @@ func formS3Principal(principal []string, resolver S3Resolver) ([]string, error)
 	return res, nil
 }
 
-func formPrincipalOwner(principal string, resolver S3Resolver) (string, error) {
+func formPrincipalOwner(principal string, resolver UserResolver) (string, error) {
 	account, user, err := parsePrincipalAsIAMUser(principal)
 	if err != nil {
 		return "", err
 	}
 
-	address, err := resolver.GetUserAddress(account, user)
+	key, err := resolver.GetUserKey(account, user)
 	if err != nil {
-		return "", fmt.Errorf("get user address: %w", err)
+		return "", fmt.Errorf("resolve user: %w", err)
 	}
 
-	return address, nil
+	return key.Address(), nil
 }
 
-func validateS3ResourceNames(names []string) error {
+func formS3ResourceNamesAndConditions(names []string) []string {
+	res := make([]string, len(names))
 	for i := range names {
-		if err := validateResource(names[i]); err != nil {
+		res[i] = strings.TrimPrefix(names[i], s3ResourcePrefix)
-			return err
-		}
 	}
 
-	return nil
+	return res
 }
 
-func formS3ActionNames(names []string) ([]string, error) {
+func formS3ActionNames(names []string) []string {
-	res := make([]string, 0, len(names))
+	res := make([]string, len(names))
-
+	for i := range names {
-	for _, action := range names {
+		res[i] = strings.TrimPrefix(names[i], s3ActionPrefix)
-		if err := validateAction(action); err != nil {
-			return nil, err
 	}
 
-		if action == Wildcard {
+	return res
-			return []string{Wildcard}, nil
-		}
-
-		if actions, ok := specialActionToS3OpMap[action]; ok {
-			res = append(res, actions...)
-		} else {
-			res = append(res, action)
-		}
-	}
-
-	return res, nil
 }

iam/converter_test.go

@@ -1,66 +1,60 @@
 package iam
 
 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"strconv"
 	"testing"
 
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/stretchr/testify/require"
 )
 
 type mockUserResolver struct {
-	users      map[string]string
+	users   map[string]*keys.PublicKey
-	containers map[string]string
+	buckets map[string]cid.ID
-	namespace  string
 }
 
-func newMockUserResolver(accountUsers []string, buckets []string, namespace string) *mockUserResolver {
+func newMockUserResolver(t *testing.T, accountUsers []string, buckets []string) *mockUserResolver {
-	userMap := make(map[string]string, len(accountUsers))
+	userMap := make(map[string]*keys.PublicKey, len(accountUsers))
 	for _, user := range accountUsers {
-		userMap[user] = user + "/resolvedValue"
+		key, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		userMap[user] = key.PublicKey()
 	}
 
-	containerMap := make(map[string]string, len(buckets))
+	bucketMap := make(map[string]cid.ID, len(buckets))
 	for _, bkt := range buckets {
-		containerMap[bkt] = bkt + "/resolvedValues"
+		bucketMap[bkt] = cidtest.ID()
 	}
 
-	return &mockUserResolver{users: userMap, containers: containerMap, namespace: namespace}
+	return &mockUserResolver{users: userMap, buckets: bucketMap}
 }
 
-func (m *mockUserResolver) GetUserAddress(account, user string) (string, error) {
+func (m *mockUserResolver) GetUserKey(account, user string) (*keys.PublicKey, error) {
 	key, ok := m.users[account+"/"+user]
-	if !ok {
-		return "", errors.New("not found")
-	}
-
-	return key, nil
-}
-
-func (m *mockUserResolver) GetUserKey(account, user string) (string, error) {
-	key, ok := m.users[account+"/"+user]
-	if !ok {
-		return "", errors.New("not found")
-	}
-
-	return key, nil
-}
-
-func (m *mockUserResolver) GetBucketInfo(bkt string) (*BucketInfo, error) {
-	cnr, ok := m.containers[bkt]
 	if !ok {
 		return nil, errors.New("not found")
 	}
 
-	return &BucketInfo{Container: cnr, Namespace: m.namespace}, nil
+	return key, nil
+}
+
+func (m *mockUserResolver) GetBucketCID(bkt string) (cid.ID, error) {
+	cnrID, ok := m.buckets[bkt]
+	if !ok {
+		return cid.ID{}, errors.New("not found")
+	}
+
+	return cnrID, nil
 }
 
 func TestConverters(t *testing.T) {
@@ -70,11 +64,10 @@ func TestConverters(t *testing.T) {
 	principal := "arn:aws:iam::" + namespace + ":user/" + userName
 	bktName := "DOC-EXAMPLE-BUCKET"
 	objName := "object-name"
-	resource := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName)
+	resource := bktName + "/*"
-	s3GetObjectAction := "s3:GetObject"
+	action := "PutObject"
-	s3HeadObjectAction := "s3:HeadObject"
 
-	mockResolver := newMockUserResolver([]string{user}, []string{bktName}, namespace)
+	mockResolver := newMockUserResolver(t, []string{user}, []string{bktName})
 
 	t.Run("valid policy", func(t *testing.T) {
 		p := Policy{
@@ -84,8 +77,8 @@ func TestConverters(t *testing.T) {
 					AWSPrincipalType: {principal},
 				},
 				Effect:   AllowEffect,
-				Action:   []string{s3GetObjectAction},
+				Action:   []string{"s3:PutObject"},
-				Resource: []string{resource},
+				Resource: []string{"arn:aws:s3:::" + resource},
 				Conditions: map[string]Condition{
 					CondStringEquals: {
 						"s3:RequestObjectTag/Department": {"Finance"},
@@ -97,14 +90,14 @@ func TestConverters(t *testing.T) {
 		expected := &chain.Chain{Rules: []chain.Rule{
 			{
 				Status:    chain.Allow,
-				Actions:   chain.Actions{Names: []string{s3GetObjectAction, s3HeadObjectAction}},
+				Actions:   chain.Actions{Names: []string{action}},
 				Resources: chain.Resources{Names: []string{resource}},
 				Condition: []chain.Condition{
 					{
 						Op:     chain.CondStringEquals,
 						Object: chain.ObjectRequest,
 						Key:    s3.PropertyKeyOwner,
-						Value:  mockResolver.users[user],
+						Value:  mockResolver.users[user].Address(),
 					},
 					{
 						Op:     chain.CondStringEquals,
@@ -130,21 +123,21 @@ func TestConverters(t *testing.T) {
 				},
 				Effect:   AllowEffect,
 				Action:   []string{"s3:PutObject"},
-				Resource: []string{resource},
+				Resource: []string{"arn:aws:s3:::" + resource},
 			}},
 		}
 
 		expected := &chain.Chain{Rules: []chain.Rule{
 			{
 				Status:    chain.Allow,
-				Actions:   chain.Actions{Names: []string{native.MethodPutObject}},
+				Actions:   chain.Actions{Names: []string{action}},
-				Resources: chain.Resources{Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName])}},
+				Resources: chain.Resources{Names: []string{fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName].EncodeToString())}},
 				Condition: []chain.Condition{
 					{
 						Op:     chain.CondStringEquals,
 						Object: chain.ObjectRequest,
 						Key:    native.PropertyKeyActorPublicKey,
-						Value:  mockResolver.users[user],
+						Value:  string(mockResolver.users[user].Bytes()),
 					},
 				},
 			},
@@ -163,22 +156,22 @@ func TestConverters(t *testing.T) {
 					AWSPrincipalType: {principal},
 				},
 				Effect:      DenyEffect,
-				NotAction:   []string{s3GetObjectAction},
+				NotAction:   []string{"s3:PutObject"},
-				NotResource: []string{resource},
+				NotResource: []string{"arn:aws:s3:::" + resource},
 			}},
 		}
 
 		expected := &chain.Chain{Rules: []chain.Rule{
 			{
 				Status:    chain.AccessDenied,
-				Actions:   chain.Actions{Inverted: true, Names: []string{s3GetObjectAction, s3HeadObjectAction}},
+				Actions:   chain.Actions{Inverted: true, Names: []string{action}},
 				Resources: chain.Resources{Inverted: true, Names: []string{resource}},
 				Condition: []chain.Condition{
 					{
 						Op:     chain.CondStringNotEquals,
 						Object: chain.ObjectRequest,
 						Key:    s3.PropertyKeyOwner,
-						Value:  mockResolver.users[user],
+						Value:  mockResolver.users[user].Address(),
 					},
 				},
 			},
@@ -189,7 +182,7 @@ func TestConverters(t *testing.T) {
 		require.Equal(t, expected, s3Chain)
 	})
 
-	t.Run("valid native policy map action", func(t *testing.T) {
+	t.Run("valid policy map get action", func(t *testing.T) {
 		p := Policy{
 			Version: "2012-10-17",
 			Statement: []Statement{{
@@ -197,27 +190,24 @@ func TestConverters(t *testing.T) {
 					AWSPrincipalType: {principal},
 				},
 				Effect:      DenyEffect,
-				Action: []string{"s3:DeleteObject", "s3:DeleteBucket"},
+				NotAction:   []string{"s3:GetObject"},
-				Resource: []string{
+				NotResource: []string{"arn:aws:s3:::" + bktName + "/" + objName},
-					fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName, objName),
-					fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName),
-				},
 			}},
 		}
 
 		expected := &chain.Chain{Rules: []chain.Rule{
 			{
 				Status:  chain.AccessDenied,
-				Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
+				Actions: chain.Actions{Inverted: true, Names: actionToOpMap["GetObject"]},
-				Resources: chain.Resources{Names: []string{
+				Resources: chain.Resources{Inverted: true, Names: []string{
-					fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
+					fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName].EncodeToString()),
 				}},
 				Condition: []chain.Condition{
 					{
 						Op:     chain.CondStringEquals,
 						Object: chain.ObjectRequest,
 						Key:    native.PropertyKeyActorPublicKey,
-						Value:  mockResolver.users[user],
+						Value:  string(mockResolver.users[user].Bytes()),
 					},
 					{
 						Op:     chain.CondStringLike,
@@ -227,19 +217,6 @@ func TestConverters(t *testing.T) {
 					},
 				},
 			},
-			{
-				Status:  chain.AccessDenied,
-				Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
-				Resources: chain.Resources{Names: []string{
-					fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
-				}},
-				Condition: []chain.Condition{{
-					Op:     chain.CondStringEquals,
-					Object: chain.ObjectRequest,
-					Key:    native.PropertyKeyActorPublicKey,
-					Value:  mockResolver.users[user],
-				}},
-			},
 		}}
 
 		nativeChain, err := ConvertToNativeChain(p, mockResolver)
@@ -296,65 +273,6 @@ func TestConverters(t *testing.T) {
 		_, err := ConvertToNativeChain(p, mockResolver)
 		require.Error(t, err)
 	})
-
-	t.Run("invalid policy (missing s3 actions)", func(t *testing.T) {
-		p := Policy{
-			Version: "2012-10-17",
-			Statement: []Statement{{
-				Principal: map[PrincipalType][]string{
-					AWSPrincipalType: {principal},
-				},
-				Effect:   AllowEffect,
-				Resource: []string{"arn:aws:s3:::" + resource},
-			}},
-		}
-
-		_, err := ConvertToS3Chain(p, mockResolver)
-		require.Error(t, err)
-	})
-
-	t.Run("valid mixed iam/s3 actions", func(t *testing.T) {
-		p := Policy{
-			Statement: []Statement{{
-				Principal: map[PrincipalType][]string{AWSPrincipalType: {principal}},
-				Effect:    AllowEffect,
-				Action:    []string{"s3:DeleteObject", "iam:*"},
-				Resource:  []string{"*"},
-			}},
-		}
-
-		s3Expected := &chain.Chain{Rules: []chain.Rule{{
-			Status:    chain.Allow,
-			Actions:   chain.Actions{Names: []string{"s3:DeleteObject", "s3:DeleteMultipleObjects", "iam:*"}},
-			Resources: chain.Resources{Names: []string{"*"}},
-			Condition: []chain.Condition{{
-				Op:     chain.CondStringEquals,
-				Object: chain.ObjectRequest,
-				Key:    s3.PropertyKeyOwner,
-				Value:  mockResolver.users[user],
-			}},
-		}}}
-
-		s3Chain, err := ConvertToS3Chain(p, mockResolver)
-		require.NoError(t, err)
-		require.Equal(t, s3Expected, s3Chain)
-
-		nativeExpected := &chain.Chain{Rules: []chain.Rule{{
-			Status:    chain.Allow,
-			Actions:   chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject}},
-			Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects}},
-			Condition: []chain.Condition{{
-				Op:     chain.CondStringEquals,
-				Object: chain.ObjectRequest,
-				Key:    native.PropertyKeyActorPublicKey,
-				Value:  mockResolver.users[user],
-			}},
-		}}}
-
-		nativeChain, err := ConvertToNativeChain(p, mockResolver)
-		require.NoError(t, err)
-		require.Equal(t, nativeExpected, nativeChain)
-	})
 }
 
 func TestConvertToChainCondition(t *testing.T) {
@@ -621,10 +539,10 @@ func TestComplexNativeConditions(t *testing.T) {
 	key1, key2 := "key1", "key2"
 	val0, val1, val2 := "val0", "val1", "val2"
 
-	mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
+	mockResolver := newMockUserResolver(t, []string{user1, user2}, []string{bktName1, bktName2, bktName3})
-	nativeResource1 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName1])
+	nativeResource1 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName1].EncodeToString())
-	nativeResource2 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName2])
+	nativeResource2 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName2].EncodeToString())
-	nativeResource3 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName3])
+	nativeResource3 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.buckets[bktName3].EncodeToString())
 
 	p := Policy{
 		Version: "2012-10-17",
@@ -643,12 +561,12 @@ func TestComplexNativeConditions(t *testing.T) {
 	}
 
 	expectedStatus := chain.AccessDenied
-	expectedActions := chain.Actions{Names: supportedActionToNativeOpMap["s3:"+action]}
+	expectedActions := chain.Actions{Names: actionToOpMap[action]}
 	expectedResource1 := chain.Resources{Names: []string{nativeResource1}}
 	expectedResource23 := chain.Resources{Names: []string{nativeResource2, nativeResource3}}
 
-	user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user1]}
+	user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: string(mockResolver.users[user1].Bytes())}
-	user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user2]}
+	user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: string(mockResolver.users[user2].Bytes())}
 	objectName1Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectResource, Key: PropertyKeyFilePath, Value: objName1}
 	key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
 	key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
@@ -746,7 +664,7 @@ func TestComplexNativeConditions(t *testing.T) {
 	requireChainRulesMatch(t, expected.Rules, nativeChain.Rules)
 
 	s := inmemory.NewInMemory()
-	_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), nativeChain)
+	err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), nativeChain)
 	require.NoError(t, err)
 
 	for _, tc := range []struct {
@@ -760,12 +678,12 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket resource1, all conditions matched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName2].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: "any-object-name",
 			},
 			requestMap: map[string]string{
-				native.PropertyKeyActorPublicKey: mockResolver.users[user1],
+				native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
 				key1:                             val0,
 				key2:                             val2,
 			},
@@ -774,12 +692,12 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket resource3, all conditions matched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName3].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: "any-object-name",
 			},
 			requestMap: map[string]string{
-				native.PropertyKeyActorPublicKey: mockResolver.users[user1],
+				native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
 				key1:                             val0,
 				key2:                             val2,
 			},
@@ -788,7 +706,7 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket resource, user condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName2].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: "any-object-name",
 			},
@@ -801,12 +719,12 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket resource, key2 condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName3].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: "any-object-name",
 			},
 			requestMap: map[string]string{
-				native.PropertyKeyActorPublicKey: mockResolver.users[user1],
+				native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
 				key1:                             val0,
 				key2:                             val0,
 			},
@@ -815,12 +733,12 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket resource, key1 condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName2].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: "any-object-name",
 			},
 			requestMap: map[string]string{
-				native.PropertyKeyActorPublicKey: mockResolver.users[user1],
+				native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
 				key2:                             val2,
 			},
 			status: chain.NoRuleFound,
@@ -828,12 +746,12 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket/object resource, all conditions matched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: objName1,
 			},
 			requestMap: map[string]string{
-				native.PropertyKeyActorPublicKey: mockResolver.users[user1],
+				native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
 				key1:                             val0,
 				key2:                             val2,
 			},
@@ -842,7 +760,7 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket/object resource, user condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: objName1,
 			},
@@ -856,7 +774,7 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket/object resource, key1 condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: objName1,
 			},
@@ -869,7 +787,7 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket/object resource, key2 condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: objName1,
 			},
@@ -883,12 +801,12 @@ func TestComplexNativeConditions(t *testing.T) {
 		{
 			name:     "bucket/object resource, object filepath condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
+			resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.buckets[bktName1].EncodeToString(), "some-oid"),
 			resourceMap: map[string]string{
 				PropertyKeyFilePath: "any-object-name",
 			},
 			requestMap: map[string]string{
-				native.PropertyKeyActorPublicKey: mockResolver.users[user1],
+				native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
 				key1:                             val0,
 				key2:                             val2,
 			},
@@ -902,7 +820,7 @@ func TestComplexNativeConditions(t *testing.T) {
 				PropertyKeyFilePath: objName1,
 			},
 			requestMap: map[string]string{
-				native.PropertyKeyActorPublicKey: mockResolver.users[user1],
+				native.PropertyKeyActorPublicKey: string(mockResolver.users[user1].Bytes()),
 				key1:                             val0,
 				key2:                             val2,
 			},
@@ -911,7 +829,7 @@ func TestComplexNativeConditions(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
-			status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
+			status, _, err := s.IsAllowed("name", "ns", req)
 			require.NoError(t, err)
 			require.Equal(t, tc.status.String(), status.String())
 		})
@@ -926,16 +844,15 @@ func TestComplexS3Conditions(t *testing.T) {
 	principal2 := "arn:aws:iam::" + namespace + ":user/" + userName2
 	bktName1, bktName2, bktName3 := "bktName", "bktName2", "bktName3"
 	objName1 := "objName1"
-	resource1 := fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, objName1)
+	resource1 := bktName1 + "/" + objName1
-	resource2 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName2)
+	resource2 := bktName2 + "/*"
-	resource3 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName3)
+	resource3 := bktName3 + "/*"
-	action := "s3:DeleteObject"
+	action := "PutObject"
-	action2 := "s3:DeleteMultipleObjects"
 
 	key1, key2 := "key1", "key2"
 	val0, val1, val2 := "val0", "val1", "val2"
 
-	mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
+	mockResolver := newMockUserResolver(t, []string{user1, user2}, []string{bktName1, bktName2, bktName3})
 
 	p := Policy{
 		Version: "2012-10-17",
@@ -944,8 +861,8 @@ func TestComplexS3Conditions(t *testing.T) {
 				AWSPrincipalType: {principal1, principal2},
 			},
 			Effect:   DenyEffect,
-			Action:   []string{action},
+			Action:   []string{"s3:" + action},
-			Resource: []string{resource1, resource2, resource3},
+			Resource: []string{"arn:aws:s3:::" + resource1, "arn:aws:s3:::" + resource2, "arn:aws:s3:::" + resource3},
 			Conditions: map[string]Condition{
 				CondStringEquals: {key1: {val0, val1}},
 				CondStringLike:   {key2: {val2}},
@@ -954,11 +871,11 @@ func TestComplexS3Conditions(t *testing.T) {
 	}
 
 	expectedStatus := chain.AccessDenied
-	expectedActions := chain.Actions{Names: []string{action, action2}}
+	expectedActions := chain.Actions{Names: actionToOpMap[action]}
 	expectedResources := chain.Resources{Names: []string{resource1, resource2, resource3}}
 
-	user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user1]}
+	user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user1].Address()}
-	user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user2]}
+	user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user2].Address()}
 	key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
 	key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
 	key2val2Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: key2, Value: val2}
@@ -1011,7 +928,7 @@ func TestComplexS3Conditions(t *testing.T) {
 	requireChainRulesMatch(t, expected.Rules, s3Chain.Rules)
 
 	s := inmemory.NewInMemory()
-	_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), s3Chain)
+	err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), s3Chain)
 	require.NoError(t, err)
 
 	for _, tc := range []struct {
@@ -1027,7 +944,7 @@ func TestComplexS3Conditions(t *testing.T) {
 			action:   action,
 			resource: resource1,
 			requestMap: map[string]string{
-				s3.PropertyKeyOwner: mockResolver.users[user1],
+				s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
 				key1:                val0,
 				key2:                val2,
 			},
@@ -1036,9 +953,9 @@ func TestComplexS3Conditions(t *testing.T) {
 		{
 			name:     "bucket resource3, all conditions matched",
 			action:   action,
-			resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
+			resource: bktName3 + "/some-obj",
 			requestMap: map[string]string{
-				s3.PropertyKeyOwner: mockResolver.users[user1],
+				s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
 				key1:                val0,
 				key2:                val2,
 			},
@@ -1047,7 +964,7 @@ func TestComplexS3Conditions(t *testing.T) {
 		{
 			name:     "bucket resource, user condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
+			resource: bktName2 + "/some-obj",
 			requestMap: map[string]string{
 				key1: val0,
 				key2: val2,
@@ -1057,9 +974,9 @@ func TestComplexS3Conditions(t *testing.T) {
 		{
 			name:     "bucket resource, key2 condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
+			resource: bktName3 + "/some-obj",
 			requestMap: map[string]string{
-				s3.PropertyKeyOwner: mockResolver.users[user1],
+				s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
 				key1:                val0,
 				key2:                val0,
 			},
@@ -1068,9 +985,9 @@ func TestComplexS3Conditions(t *testing.T) {
 		{
 			name:     "bucket resource, key1 condition mismatched",
 			action:   action,
-			resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
+			resource: bktName2 + "/some-obj",
 			requestMap: map[string]string{
-				s3.PropertyKeyOwner: mockResolver.users[user1],
+				s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
 				key2:                val2,
 			},
 			status: chain.NoRuleFound,
@@ -1080,7 +997,7 @@ func TestComplexS3Conditions(t *testing.T) {
 			action:   action,
 			resource: resource1,
 			requestMap: map[string]string{
-				s3.PropertyKeyOwner: mockResolver.users[user1],
+				s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
 				key1:                val0,
 				key2:                val2,
 			},
@@ -1089,9 +1006,9 @@ func TestComplexS3Conditions(t *testing.T) {
 		{
 			name:     "bucket/object resource, resource mismatched",
 			action:   action,
-			resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, "some-obj"),
+			resource: bktName1 + "/some-obj",
 			requestMap: map[string]string{
-				s3.PropertyKeyOwner: mockResolver.users[user1],
+				s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
 				key1:                val0,
 				key2:                val2,
 			},
@@ -1132,9 +1049,9 @@ func TestComplexS3Conditions(t *testing.T) {
 		{
 			name:     "resource mismatched",
 			action:   action,
-			resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, "some-bkt", "some-obj"),
+			resource: "some-bkt/some-obj",
 			requestMap: map[string]string{
-				s3.PropertyKeyOwner: mockResolver.users[user1],
+				s3.PropertyKeyOwner: mockResolver.users[user1].Address(),
 				key1:                val0,
 				key2:                val2,
 			},
@@ -1143,229 +1060,13 @@ func TestComplexS3Conditions(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
-			status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
+			status, _, err := s.IsAllowed("name", "ns", req)
 			require.NoError(t, err)
 			require.Equal(t, tc.status.String(), status.String())
 		})
 	}
 }
 
-func TestS3BucketResource(t *testing.T) {
-	namespace := "ns"
-	bktName1, bktName2 := "bucket1", "bucket2"
-	chainName := chain.Name("name")
-
-	mockResolver := newMockUserResolver([]string{}, []string{}, "")
-
-	p := Policy{
-		Version: "2012-10-17",
-		Statement: []Statement{
-			{
-				Principal: map[PrincipalType][]string{Wildcard: nil},
-				Effect:    DenyEffect,
-				Action:    []string{"s3:HeadBucket"},
-				Resource:  []string{fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1)},
-			},
-			{
-				Principal: map[PrincipalType][]string{Wildcard: nil},
-				Effect:    AllowEffect,
-				Action:    []string{"*"},
-				Resource:  []string{s3.ResourceFormatS3All},
-			},
-		},
-	}
-
-	s3Chain, err := ConvertToS3Chain(p, mockResolver)
-	require.NoError(t, err)
-
-	s := inmemory.NewInMemory()
-	_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chainName, engine.NamespaceTarget(namespace), s3Chain)
-	require.NoError(t, err)
-
-	// check we match just "bucket1" resource
-	req := testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1), nil), nil)
-	status, _, err := s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
-	require.NoError(t, err)
-	require.Equal(t, chain.AccessDenied.String(), status.String())
-
-	// check we match just "bucket2" resource
-	req = testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName2), nil), nil)
-	status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
-	require.NoError(t, err)
-	require.Equal(t, chain.Allow.String(), status.String())
-
-	// check we also match "bucket2/object" resource
-	req = testutil.NewRequest("s3:PutObject", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "object"), nil), nil)
-	status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
-	require.NoError(t, err)
-	require.Equal(t, chain.Allow.String(), status.String())
-}
-
-func TestWildcardConverters(t *testing.T) {
-	policy := `{"Version":"2012-10-17","Statement":{"Effect":"Allow", "Principal": "*", "Action":"*","Resource":"*"}}`
-
-	var p Policy
-	err := json.Unmarshal([]byte(policy), &p)
-	require.NoError(t, err)
-
-	s3Expected := &chain.Chain{
-		Rules: []chain.Rule{{
-			Status:    chain.Allow,
-			Actions:   chain.Actions{Names: []string{Wildcard}},
-			Resources: chain.Resources{Names: []string{Wildcard}},
-		}},
-	}
-
-	s3Chain, err := ConvertToS3Chain(p, newMockUserResolver(nil, nil, ""))
-	require.NoError(t, err)
-	require.Equal(t, s3Expected, s3Chain)
-
-	nativeExpected := &chain.Chain{
-		Rules: []chain.Rule{{
-			Status:    chain.Allow,
-			Actions:   chain.Actions{Names: []string{Wildcard}},
-			Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}},
-		}},
-	}
-
-	nativeChain, err := ConvertToNativeChain(p, newMockUserResolver(nil, nil, ""))
-	require.NoError(t, err)
-	require.Equal(t, nativeExpected, nativeChain)
-}
-
-func TestActionParsing(t *testing.T) {
-	for _, tc := range []struct {
-		action string
-		err    bool
-	}{
-		{
-			action: "withoutPrefix",
-			err:    true,
-		},
-		{
-			action: "s3:*Object",
-			err:    true,
-		},
-		{
-			action: "*",
-		},
-		{
-			action: "s3:PutObject",
-		},
-		{
-			action: "s3:Put*",
-		},
-		{
-			action: "s3:*",
-		},
-		{
-			action: "s3:",
-		},
-		{
-			action: "iam:ListAccessKeys",
-		},
-		{
-			action: "iam:*",
-		},
-	} {
-		t.Run("", func(t *testing.T) {
-			err := validateAction(tc.action)
-			if tc.err {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
-}
-
-func TestPrincipalParsing(t *testing.T) {
-	for _, tc := range []struct {
-		principal       string
-		expectedAccount string
-		expectedUser    string
-		err             bool
-	}{
-		{
-			principal: "withoutPrefix",
-			err:       true,
-		},
-		{
-			principal: "*",
-			err:       true,
-		},
-		{
-			principal: "arn:aws:iam:::dummy",
-			err:       true,
-		},
-		{
-			principal: "arn:aws:iam::",
-			err:       true,
-		},
-		{
-			principal: "arn:aws:iam:::dummy/test",
-			err:       true,
-		},
-		{
-			principal: "arn:aws:iam:::user/",
-			err:       true,
-		},
-		{
-			principal: "arn:aws:iam:::user/user/",
-			err:       true,
-		},
-		{
-			principal:    "arn:aws:iam:::user/name",
-			expectedUser: "name",
-		},
-		{
-			principal:    "arn:aws:iam:::user/path/name",
-			expectedUser: "name",
-		},
-		{
-			principal:       "arn:aws:iam::root:user/path/name",
-			expectedAccount: "root",
-			expectedUser:    "name",
-		},
-	} {
-		t.Run("", func(t *testing.T) {
-			account, user, err := parsePrincipalAsIAMUser(tc.principal)
-			if tc.err {
-				require.Error(t, err)
-				return
-			}
-
-			require.NoError(t, err)
-			require.Equal(t, tc.expectedAccount, account)
-			require.Equal(t, tc.expectedUser, user)
-		})
-	}
-}
-
-func TestResourceParsing(t *testing.T) {
-	for _, tc := range []struct {
-		resource string
-		err      bool
-	}{
-		{resource: "withoutPrefixAnd", err: true},
-		{resource: "arn:aws:s3:::*/obj", err: true},
-		{resource: "arn:aws:s3:::bkt/*"},
-		{resource: "arn:aws:s3:::bkt"},
-		{resource: "arn:aws:s3:::bkt/"},
-		{resource: "arn:aws:s3:::*"},
-		{resource: "*"},
-	} {
-		t.Run("", func(t *testing.T) {
-			err := validateResource(tc.resource)
-			if tc.err {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
-}
-
 func requireChainRulesMatch(t *testing.T, expected, actual []chain.Rule) {
 	require.Equal(t, len(expected), len(actual), "length of chain rules differ")
 

iam/policy_test.go

@@ -2,14 +2,8 @@ package iam
 
 import (
 	"encoding/json"
-	"fmt"
 	"testing"
 
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
-	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/stretchr/testify/require"
 )
 
@@ -434,70 +428,3 @@ func TestValidatePolicies(t *testing.T) {
 		})
 	}
 }
-
-func TestProcessDenyFirst(t *testing.T) {
-	identityBasedPolicyStr := `
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-			"Principal": {
-				"AWS": [ "arn:aws:iam::root:user/user-name" ]
-			},
-            "Action": ["s3:PutObject" ],
-            "Resource": "arn:aws:s3:::*"
-        }
-    ]
-}
-`
-
-	resourceBasedPolicyStr := `
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Deny",
-            "Principal": "*",
-            "Action": "s3:*",
-            "Resource": [ "arn:aws:s3:::test-bucket/*" ]
-        }
-    ]
-}
-`
-
-	var identityPolicy Policy
-	err := json.Unmarshal([]byte(identityBasedPolicyStr), &identityPolicy)
-	require.NoError(t, err)
-
-	var resourcePolicy Policy
-	err = json.Unmarshal([]byte(resourceBasedPolicyStr), &resourcePolicy)
-	require.NoError(t, err)
-
-	mockResolver := newMockUserResolver([]string{"root/user-name"}, []string{"test-bucket"}, "")
-
-	identityNativePolicy, err := ConvertToNativeChain(identityPolicy, mockResolver)
-	require.NoError(t, err)
-	identityNativePolicy.MatchType = chain.MatchTypeFirstMatch
-
-	resourceNativePolicy, err := ConvertToNativeChain(resourcePolicy, mockResolver)
-	require.NoError(t, err)
-
-	s := inmemory.NewInMemory()
-
-	target := engine.NamespaceTarget("ns")
-
-	_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, identityNativePolicy)
-	require.NoError(t, err)
-
-	_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, target, resourceNativePolicy)
-	require.NoError(t, err)
-
-	resource := testutil.NewResource(fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers["test-bucket"]), nil)
-	request := testutil.NewRequest("PutObject", resource, map[string]string{native.PropertyKeyActorPublicKey: mockResolver.users["root/user-name"]})
-
-	status, found, err := s.IsAllowed(chain.Ingress, engine.NewRequestTarget("ns", ""), request)
-	require.NoError(t, err)
-	require.True(t, found)
-	require.Equal(t, chain.AccessDenied, status)
-}

pkg/chain/chain.go

@@ -1,38 +1,25 @@
 package chain
 
 import (
+	"encoding/json"
 	"fmt"
 	"strings"
 
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
 	"git.frostfs.info/TrueCloudLab/policy-engine/util"
-	"golang.org/x/exp/slices"
 )
 
 // ID is the ID of rule chain.
-type ID []byte
+type ID string
 
-// MatchType is the match type for chain rules.
-type MatchType uint8
-
-const (
-	// MatchTypeDenyPriority rejects the request if any `Deny` is specified.
-	MatchTypeDenyPriority MatchType = 0
-	// MatchTypeFirstMatch returns the first rule action matched to the request.
-	MatchTypeFirstMatch MatchType = 1
-)
-
-//easyjson:json
 type Chain struct {
 	ID ID
 
 	Rules []Rule
-
-	MatchType MatchType
 }
 
 func (c *Chain) Bytes() []byte {
-	data, err := c.MarshalBinary()
+	data, err := json.Marshal(c)
 	if err != nil {
 		panic(err)
 	}
@@ -40,7 +27,7 @@ func (c *Chain) Bytes() []byte {
 }
 
 func (c *Chain) DecodeBytes(b []byte) error {
-	return c.UnmarshalBinary(b)
+	return json.Unmarshal(b, c)
 }
 
 type Rule struct {
@@ -77,8 +64,6 @@ type ObjectType byte
 const (
 	ObjectResource ObjectType = iota
 	ObjectRequest
-	ContainerResource
-	ContainerRequest
 )
 
 type ConditionType byte
@@ -106,48 +91,45 @@ const (
 	CondNumericLessThanEquals
 	CondNumericGreaterThan
 	CondNumericGreaterThanEquals
-
-	CondSliceContains
 )
 
-var condToStr = []struct {
-	ct  ConditionType
-	str string
-}{
-	{CondStringEquals, "StringEquals"},
-	{CondStringNotEquals, "StringNotEquals"},
-	{CondStringEqualsIgnoreCase, "StringEqualsIgnoreCase"},
-	{CondStringNotEqualsIgnoreCase, "StringNotEqualsIgnoreCase"},
-	{CondStringLike, "StringLike"},
-	{CondStringNotLike, "StringNotLike"},
-	{CondStringLessThan, "StringLessThan"},
-	{CondStringLessThanEquals, "StringLessThanEquals"},
-	{CondStringGreaterThan, "StringGreaterThan"},
-	{CondStringGreaterThanEquals, "StringGreaterThanEquals"},
-	{CondNumericEquals, "NumericEquals"},
-	{CondNumericNotEquals, "NumericNotEquals"},
-	{CondNumericLessThan, "NumericLessThan"},
-	{CondNumericLessThanEquals, "NumericLessThanEquals"},
-	{CondNumericGreaterThan, "NumericGreaterThan"},
-	{CondNumericGreaterThanEquals, "NumericGreaterThanEquals"},
-	{CondSliceContains, "SliceContains"},
-}
-
 func (c ConditionType) String() string {
-	for _, v := range condToStr {
+	switch c {
-		if v.ct == c {
+	case CondStringEquals:
-			return v.str
+		return "StringEquals"
-		}
+	case CondStringNotEquals:
-	}
+		return "StringNotEquals"
+	case CondStringEqualsIgnoreCase:
+		return "StringEqualsIgnoreCase"
+	case CondStringNotEqualsIgnoreCase:
+		return "StringNotEqualsIgnoreCase"
+	case CondStringLike:
+		return "StringLike"
+	case CondStringNotLike:
+		return "StringNotLike"
+	case CondStringLessThan:
+		return "StringLessThan"
+	case CondStringLessThanEquals:
+		return "StringLessThanEquals"
+	case CondStringGreaterThan:
+		return "StringGreaterThan"
+	case CondStringGreaterThanEquals:
+		return "StringGreaterThanEquals"
+	case CondNumericEquals:
+		return "NumericEquals"
+	case CondNumericNotEquals:
+		return "NumericNotEquals"
+	case CondNumericLessThan:
+		return "NumericLessThan"
+	case CondNumericLessThanEquals:
+		return "NumericLessThanEquals"
+	case CondNumericGreaterThan:
+		return "NumericGreaterThan"
+	case CondNumericGreaterThanEquals:
+		return "NumericGreaterThanEquals"
+	default:
 		return "unknown condition type"
 	}
-
-const condSliceContainsDelimiter = "\x00"
-
-// FormCondSliceContainsValue builds value for ObjectResource or ObjectRequest property
-// that can be matched by CondSliceContains condition.
-func FormCondSliceContainsValue(values []string) string {
-	return strings.Join(values, condSliceContainsDelimiter)
 }
 
 func (c *Condition) Match(req resource.Request) bool {
@@ -184,8 +166,6 @@ func (c *Condition) Match(req resource.Request) bool {
 		return val > c.Value
 	case CondStringGreaterThanEquals:
 		return val >= c.Value
-	case CondSliceContains:
-		return slices.Contains(strings.Split(val, condSliceContainsDelimiter), c.Value)
 	}
 }
 
@@ -234,17 +214,6 @@ func (r *Rule) matchAll(obj resource.Request) (status Status, matched bool) {
 }
 
 func (c *Chain) Match(req resource.Request) (status Status, matched bool) {
-	switch c.MatchType {
-	case MatchTypeDenyPriority:
-		return c.denyPriority(req)
-	case MatchTypeFirstMatch:
-		return c.firstMatch(req)
-	default:
-		panic(fmt.Sprintf("unknown MatchType %d", c.MatchType))
-	}
-}
-
-func (c *Chain) firstMatch(req resource.Request) (status Status, matched bool) {
 	for i := range c.Rules {
 		status, matched := c.Rules[i].Match(req)
 		if matched {
@@ -253,21 +222,3 @@ func (c *Chain) firstMatch(req resource.Request) (status Status, matched bool) {
 	}
 	return NoRuleFound, false
 }
-
-func (c *Chain) denyPriority(req resource.Request) (status Status, matched bool) {
-	var allowFound bool
-	for i := range c.Rules {
-		status, matched := c.Rules[i].Match(req)
-		if !matched {
-			continue
-		}
-		if status != Allow {
-			return status, true
-		}
-		allowFound = true
-	}
-	if allowFound {
-		return Allow, true
-	}
-	return NoRuleFound, false
-}

pkg/chain/chain_names.go

@@ -7,7 +7,4 @@ const (
 	// Ingress represents chains applied when crossing user/storage network boundary.
 	// It is not applied when talking between nodes.
 	Ingress Name = "ingress"
-
-	// S3 represents chains applied when crossing user/s3 network boundary.
-	S3 Name = "s3"
 )

pkg/chain/chain_test.go

@@ -3,28 +3,11 @@ package chain
 import (
 	"testing"
 
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
-	"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
-	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/stretchr/testify/require"
 )
 
-func TestChainIDSerialization(t *testing.T) {
-	chainIDBytes := []byte{93, 236, 80, 138, 168, 3, 144, 92, 173, 141, 16, 42, 249, 90, 97, 109, 211, 169, 54, 163}
-
-	chain1 := &Chain{ID: ID(chainIDBytes)}
-	data := chain1.Bytes()
-
-	var chain2 Chain
-	err := chain2.DecodeBytes(data)
-	require.NoError(t, err)
-
-	require.Equal(t, chain1.ID, chain2.ID)
-}
-
 func TestEncodeDecode(t *testing.T) {
 	expected := Chain{
-		MatchType: MatchTypeFirstMatch,
 		Rules: []Rule{
 			{
 				Status: Allow,
@@ -48,104 +31,3 @@ func TestEncodeDecode(t *testing.T) {
 	require.NoError(t, actual.DecodeBytes(data))
 	require.Equal(t, expected, actual)
 }
-
-func TestReturnFirstMatch(t *testing.T) {
-	ch := Chain{
-		Rules: []Rule{
-			{
-				Status: Allow,
-				Actions: Actions{Names: []string{
-					native.MethodPutObject,
-				}},
-				Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
-				Condition: []Condition{},
-			},
-			{
-				Status: AccessDenied,
-				Actions: Actions{Names: []string{
-					native.MethodPutObject,
-				}},
-				Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
-				Condition: []Condition{},
-			},
-		},
-	}
-
-	resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
-	request := testutil.NewRequest(native.MethodPutObject, resource, nil)
-
-	t.Run("default match", func(t *testing.T) {
-		st, found := ch.Match(request)
-		require.True(t, found)
-		require.Equal(t, AccessDenied, st)
-	})
-
-	t.Run("return first match", func(t *testing.T) {
-		ch.MatchType = MatchTypeFirstMatch
-		st, found := ch.Match(request)
-		require.True(t, found)
-		require.Equal(t, Allow, st)
-	})
-}
-
-func TestCondSliceContainsMatch(t *testing.T) {
-	propKey := common.PropertyKeyFrostFSIDGroupID
-	groupID := "1"
-
-	ch := Chain{Rules: []Rule{{
-		Status:    Allow,
-		Actions:   Actions{Names: []string{native.MethodPutObject}},
-		Resources: Resources{Names: []string{native.ResourceFormatRootContainers}},
-		Condition: []Condition{{
-			Op:     CondSliceContains,
-			Object: ObjectRequest,
-			Key:    propKey,
-			Value:  groupID,
-		}},
-	}}}
-
-	for _, tc := range []struct {
-		name   string
-		value  string
-		status Status
-	}{
-		{
-			name:   "simple value",
-			value:  groupID,
-			status: Allow,
-		},
-		{
-			name:   "simple value by func",
-			value:  FormCondSliceContainsValue([]string{groupID}),
-			status: Allow,
-		},
-		{
-			name:   "multiple values by func",
-			value:  FormCondSliceContainsValue([]string{groupID, "2", "3"}),
-			status: Allow,
-		},
-		{
-			name:   "simple mismatched",
-			value:  "3",
-			status: NoRuleFound,
-		},
-		{
-			name:   "multiple mismatched",
-			value:  FormCondSliceContainsValue([]string{"11", "12"}),
-			status: NoRuleFound,
-		},
-		{
-			name:   "comma correct handling mismatched",
-			value:  "1,11",
-			status: NoRuleFound,
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			resource := testutil.NewResource(native.ResourceFormatRootContainers, nil)
-			request := testutil.NewRequest(native.MethodPutObject, resource, map[string]string{propKey: tc.value})
-
-			st, _ := ch.Match(request)
-			require.Equal(t, tc.status.String(), st.String())
-		})
-	}
-}

pkg/chain/marshal_binary.go

@@ -1,257 +0,0 @@
-package chain
-
-import (
-	"encoding"
-	"fmt"
-
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/marshal"
-)
-
-const (
-	ChainMarshalVersion uint8 = 0 // increase if breaking change
-)
-
-var (
-	_ encoding.BinaryMarshaler   = (*Chain)(nil)
-	_ encoding.BinaryUnmarshaler = (*Chain)(nil)
-)
-
-func (c *Chain) MarshalBinary() ([]byte, error) {
-	s := marshal.UInt8Size // Marshaller version
-	s += marshal.UInt8Size // Chain version
-	s += marshal.SliceSize(c.ID, func(byte) int { return marshal.ByteSize })
-	s += marshal.SliceSize(c.Rules, ruleSize)
-	s += marshal.UInt8Size // MatchType
-
-	buf := make([]byte, s)
-	var offset int
-	var err error
-	offset, err = marshal.UInt8Marshal(buf, offset, marshal.Version)
-	if err != nil {
-		return nil, err
-	}
-	offset, err = marshal.UInt8Marshal(buf, offset, ChainMarshalVersion)
-	if err != nil {
-		return nil, err
-	}
-	offset, err = marshal.SliceMarshal(buf, offset, c.ID, marshal.ByteMarshal)
-	if err != nil {
-		return nil, err
-	}
-	offset, err = marshal.SliceMarshal(buf, offset, c.Rules, marshalRule)
-	if err != nil {
-		return nil, err
-	}
-	offset, err = marshal.UInt8Marshal(buf, offset, uint8(c.MatchType))
-	if err != nil {
-		return nil, err
-	}
-
-	if err := marshal.VerifyMarshal(buf, offset); err != nil {
-		return nil, err
-	}
-	return buf, nil
-}
-
-func (c *Chain) UnmarshalBinary(data []byte) error {
-	var offset int
-
-	marshallerVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
-	if err != nil {
-		return err
-	}
-	if marshallerVersion != marshal.Version {
-		return fmt.Errorf("unsupported marshaller version %d", marshallerVersion)
-	}
-
-	chainVersion, offset, err := marshal.UInt8Unmarshal(data, offset)
-	if err != nil {
-		return err
-	}
-	if chainVersion != ChainMarshalVersion {
-		return fmt.Errorf("unsupported chain version %d", chainVersion)
-	}
-
-	idBytes, offset, err := marshal.SliceUnmarshal(data, offset, marshal.ByteUnmarshal)
-	if err != nil {
-		return err
-	}
-	c.ID = ID(idBytes)
-
-	c.Rules, offset, err = marshal.SliceUnmarshal(data, offset, unmarshalRule)
-	if err != nil {
-		return err
-	}
-
-	matchTypeV, offset, err := marshal.UInt8Unmarshal(data, offset)
-	if err != nil {
-		return err
-	}
-	c.MatchType = MatchType(matchTypeV)
-
-	return marshal.VerifyUnmarshal(data, offset)
-}
-
-func ruleSize(r Rule) int {
-	s := marshal.ByteSize // Status
-	s += actionsSize(r.Actions)
-	s += resourcesSize(r.Resources)
-	s += marshal.BoolSize // Any
-	s += marshal.SliceSize(r.Condition, conditionSize)
-	return s
-}
-
-func marshalRule(buf []byte, offset int, r Rule) (int, error) {
-	offset, err := marshal.ByteMarshal(buf, offset, byte(r.Status))
-	if err != nil {
-		return 0, err
-	}
-	offset, err = marshalActions(buf, offset, r.Actions)
-	if err != nil {
-		return 0, err
-	}
-	offset, err = marshalResources(buf, offset, r.Resources)
-	if err != nil {
-		return 0, err
-	}
-	offset, err = marshal.BoolMarshal(buf, offset, r.Any)
-	if err != nil {
-		return 0, err
-	}
-	return marshal.SliceMarshal(buf, offset, r.Condition, marshalCondition)
-}
-
-func unmarshalRule(buf []byte, offset int) (Rule, int, error) {
-	var r Rule
-	statusV, offset, err := marshal.ByteUnmarshal(buf, offset)
-	if err != nil {
-		return Rule{}, 0, err
-	}
-	r.Status = Status(statusV)
-
-	r.Actions, offset, err = unmarshalActions(buf, offset)
-	if err != nil {
-		return Rule{}, 0, err
-	}
-
-	r.Resources, offset, err = unmarshalResources(buf, offset)
-	if err != nil {
-		return Rule{}, 0, err
-	}
-
-	r.Any, offset, err = marshal.BoolUnmarshal(buf, offset)
-	if err != nil {
-		return Rule{}, 0, err
-	}
-
-	r.Condition, offset, err = marshal.SliceUnmarshal(buf, offset, unmarshalCondition)
-	if err != nil {
-		return Rule{}, 0, err
-	}
-
-	return r, offset, nil
-}
-
-func actionsSize(a Actions) int {
-	return marshal.BoolSize + // Inverted
-		marshal.SliceSize(a.Names, marshal.StringSize)
-}
-
-func marshalActions(buf []byte, offset int, a Actions) (int, error) {
-	offset, err := marshal.BoolMarshal(buf, offset, a.Inverted)
-	if err != nil {
-		return 0, err
-	}
-	return marshal.SliceMarshal(buf, offset, a.Names, marshal.StringMarshal)
-}
-
-func unmarshalActions(buf []byte, offset int) (Actions, int, error) {
-	var a Actions
-	var err error
-	a.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
-	if err != nil {
-		return Actions{}, 0, err
-	}
-	a.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
-	if err != nil {
-		return Actions{}, 0, err
-	}
-	return a, offset, nil
-}
-
-func resourcesSize(r Resources) int {
-	return marshal.BoolSize + // Inverted
-		marshal.SliceSize(r.Names, marshal.StringSize)
-}
-
-func marshalResources(buf []byte, offset int, r Resources) (int, error) {
-	offset, err := marshal.BoolMarshal(buf, offset, r.Inverted)
-	if err != nil {
-		return 0, err
-	}
-	return marshal.SliceMarshal(buf, offset, r.Names, marshal.StringMarshal)
-}
-
-func unmarshalResources(buf []byte, offset int) (Resources, int, error) {
-	var r Resources
-	var err error
-	r.Inverted, offset, err = marshal.BoolUnmarshal(buf, offset)
-	if err != nil {
-		return Resources{}, 0, err
-	}
-	r.Names, offset, err = marshal.SliceUnmarshal(buf, offset, marshal.StringUnmarshal)
-	if err != nil {
-		return Resources{}, 0, err
-	}
-	return r, offset, nil
-}
-
-func conditionSize(c Condition) int {
-	return marshal.ByteSize + // Op
-		marshal.ByteSize + // Object
-		marshal.StringSize(c.Key) +
-		marshal.StringSize(c.Value)
-}
-
-func marshalCondition(buf []byte, offset int, c Condition) (int, error) {
-	offset, err := marshal.ByteMarshal(buf, offset, byte(c.Op))
-	if err != nil {
-		return 0, err
-	}
-	offset, err = marshal.ByteMarshal(buf, offset, byte(c.Object))
-	if err != nil {
-		return 0, err
-	}
-	offset, err = marshal.StringMarshal(buf, offset, c.Key)
-	if err != nil {
-		return 0, err
-	}
-	return marshal.StringMarshal(buf, offset, c.Value)
-}
-
-func unmarshalCondition(buf []byte, offset int) (Condition, int, error) {
-	var c Condition
-	opV, offset, err := marshal.ByteUnmarshal(buf, offset)
-	if err != nil {
-		return Condition{}, 0, err
-	}
-	c.Op = ConditionType(opV)
-
-	obV, offset, err := marshal.ByteUnmarshal(buf, offset)
-	if err != nil {
-		return Condition{}, 0, err
-	}
-	c.Object = ObjectType(obV)
-
-	c.Key, offset, err = marshal.StringUnmarshal(buf, offset)
-	if err != nil {
-		return Condition{}, 0, err
-	}
-
-	c.Value, offset, err = marshal.StringUnmarshal(buf, offset)
-	if err != nil {
-		return Condition{}, 0, err
-	}
-
-	return c, offset, nil
-}

pkg/chain/marshal_binary_test.go

@@ -1,272 +0,0 @@
-package chain
-
-import (
-	"fmt"
-	"testing"
-
-	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/require"
-)
-
-func TestChainMarshalling(t *testing.T) {
-	t.Parallel()
-	for _, id := range generateTestIDs() {
-		for _, rules := range generateTestRules() {
-			for _, matchType := range generateTestMatchTypes() {
-				performMarshalTest(t, id, rules, matchType)
-			}
-		}
-	}
-}
-
-func TestInvalidChainData(t *testing.T) {
-	var ch Chain
-	require.Error(t, ch.UnmarshalBinary(nil))
-	require.Error(t, ch.UnmarshalBinary([]byte{}))
-	require.Error(t, ch.UnmarshalBinary([]byte{1, 2, 3}))
-	require.Error(t, ch.UnmarshalBinary([]byte("\x00\x00:aws:iam::namespace:group/so\x82\x82\x82\x82\x82\x82u\x82")))
-}
-
-func FuzzUnmarshal(f *testing.F) {
-	for _, id := range generateTestIDs() {
-		for _, rules := range generateTestRules() {
-			for _, matchType := range generateTestMatchTypes() {
-
-				chain := Chain{
-					ID:        id,
-					Rules:     rules,
-					MatchType: matchType,
-				}
-				data, err := chain.MarshalBinary()
-				require.NoError(f, err)
-				f.Add(data)
-			}
-		}
-	}
-
-	f.Fuzz(func(t *testing.T, data []byte) {
-		var ch Chain
-		require.NotPanics(t, func() {
-			_ = ch.UnmarshalBinary(data)
-		})
-	})
-}
-
-func performMarshalTest(t *testing.T, id ID, r []Rule, mt MatchType) {
-	chain := Chain{
-		ID:        id,
-		Rules:     r,
-		MatchType: mt,
-	}
-	data, err := chain.MarshalBinary()
-	require.NoError(t, err)
-
-	var unmarshalledChain Chain
-	require.NoError(t, unmarshalledChain.UnmarshalBinary(data))
-
-	require.Equal(t, chain, unmarshalledChain)
-}
-
-func generateTestIDs() []ID {
-	return []ID{
-		ID(""),
-		ID(uuid.New().String()),
-		ID("*::/"),
-		ID("avada kedavra"),
-		ID("arn:aws:iam::namespace:group/some_group"),
-		ID("$Object:homomorphicHash"),
-		ID("native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
-	}
-}
-
-func generateTestRules() [][]Rule {
-	result := [][]Rule{
-		nil,
-		{},
-		{},
-	}
-
-	for _, st := range generateTestStatuses() {
-		for _, act := range generateTestActions() {
-			for _, res := range generateTestResources() {
-				for _, cond := range generateTestConditions() {
-					result[2] = append(result[2], Rule{
-						Status:    st,
-						Actions:   act,
-						Resources: res,
-						Condition: cond,
-						Any:       true,
-					})
-					result[2] = append(result[2], Rule{
-						Status:    st,
-						Actions:   act,
-						Resources: res,
-						Condition: cond,
-					})
-				}
-			}
-		}
-	}
-
-	return result
-}
-
-func generateTestStatuses() []Status {
-	return []Status{
-		Allow,
-		NoRuleFound,
-		AccessDenied,
-		QuotaLimitReached,
-	}
-}
-
-func generateTestActions() []Actions {
-	return []Actions{
-		{
-			Inverted: true,
-			Names:    nil,
-		},
-		{
-			Names: nil,
-		},
-		{
-			Inverted: true,
-			Names:    []string{},
-		},
-		{
-			Names: []string{},
-		},
-		{
-			Inverted: true,
-			Names:    []string{native.MethodPutObject},
-		},
-		{
-			Names: []string{native.MethodPutObject},
-		},
-		{
-			Inverted: true,
-			Names:    []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
-		},
-		{
-			Names: []string{native.MethodPutObject, native.MethodDeleteContainer, native.MethodDeleteObject},
-		},
-	}
-}
-
-func generateTestResources() []Resources {
-	return []Resources{
-		{
-			Inverted: true,
-			Names:    nil,
-		},
-		{
-			Names: nil,
-		},
-		{
-			Inverted: true,
-			Names:    []string{},
-		},
-		{
-			Names: []string{},
-		},
-		{
-			Inverted: true,
-			Names:    []string{native.ResourceFormatAllObjects},
-		},
-		{
-			Names: []string{native.ResourceFormatAllObjects},
-		},
-		{
-			Inverted: true,
-			Names: []string{
-				native.ResourceFormatAllObjects,
-				fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
-			},
-		},
-		{
-			Names: []string{
-				native.ResourceFormatAllObjects,
-				fmt.Sprintf(native.ResourceFormatRootContainer, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J"),
-			},
-		},
-	}
-}
-
-func generateTestConditions() [][]Condition {
-	result := [][]Condition{
-		nil,
-		{},
-		{},
-	}
-
-	for _, ct := range generateTestConditionTypes() {
-		for _, ot := range generateObjectTypes() {
-			result[2] = append(result[2], Condition{
-				Op:     ct,
-				Object: ot,
-				Key:    "",
-				Value:  "",
-			})
-
-			result[2] = append(result[2], Condition{
-				Op:     ct,
-				Object: ot,
-				Key:    "key",
-				Value:  "",
-			})
-
-			result[2] = append(result[2], Condition{
-				Op:     ct,
-				Object: ot,
-				Key:    "",
-				Value:  "value",
-			})
-
-			result[2] = append(result[2], Condition{
-				Op:     ct,
-				Object: ot,
-				Key:    "key",
-				Value:  "value",
-			})
-		}
-	}
-
-	return result
-}
-
-func generateTestConditionTypes() []ConditionType {
-	return []ConditionType{
-		CondStringEquals,
-		CondStringNotEquals,
-		CondStringEqualsIgnoreCase,
-		CondStringNotEqualsIgnoreCase,
-		CondStringLike,
-		CondStringNotLike,
-		CondStringLessThan,
-		CondStringLessThanEquals,
-		CondStringGreaterThan,
-		CondStringGreaterThanEquals,
-		CondNumericEquals,
-		CondNumericNotEquals,
-		CondNumericLessThan,
-		CondNumericLessThanEquals,
-		CondNumericGreaterThan,
-		CondNumericGreaterThanEquals,
-		CondSliceContains,
-	}
-}
-
-func generateObjectTypes() []ObjectType {
-	return []ObjectType{
-		ObjectResource,
-		ObjectRequest,
-	}
-}
-
-func generateTestMatchTypes() []MatchType {
-	return []MatchType{
-		MatchTypeDenyPriority,
-		MatchTypeFirstMatch,
-	}
-}

pkg/chain/marshal_json.go

@@ -1,145 +0,0 @@
-package chain
-
-import (
-	"fmt"
-	"strconv"
-
-	jlexer "github.com/mailru/easyjson/jlexer"
-	jwriter "github.com/mailru/easyjson/jwriter"
-)
-
-// Run `make generate`` if types added or changed
-
-var matchTypeToJSONValue = []struct {
-	mt  MatchType
-	str string
-}{
-	{MatchTypeDenyPriority, "DenyPriority"},
-	{MatchTypeFirstMatch, "FirstMatch"},
-}
-
-var statusToJSONValue = []struct {
-	s   Status
-	str string
-}{
-	{Allow, "Allow"},
-	{NoRuleFound, "NoRuleFound"},
-	{AccessDenied, "AccessDenied"},
-	{QuotaLimitReached, "QuotaLimitReached"},
-}
-
-var objectTypeToJSONValue = []struct {
-	t   ObjectType
-	str string
-}{
-	{ObjectRequest, "Request"},
-	{ObjectResource, "Resource"},
-}
-
-func (mt MatchType) MarshalEasyJSON(w *jwriter.Writer) {
-	for _, p := range matchTypeToJSONValue {
-		if p.mt == mt {
-			w.String(p.str)
-			return
-		}
-	}
-	w.String(strconv.FormatUint(uint64(mt), 10))
-}
-
-func (mt *MatchType) UnmarshalEasyJSON(l *jlexer.Lexer) {
-	str := l.String()
-	for _, p := range matchTypeToJSONValue {
-		if p.str == str {
-			*mt = p.mt
-			return
-		}
-	}
-
-	v, err := strconv.ParseUint(str, 10, 8)
-	if err != nil {
-		l.AddError(fmt.Errorf("failed to parse match type: %w", err))
-		return
-	}
-	*mt = MatchType(v)
-}
-
-func (st Status) MarshalEasyJSON(w *jwriter.Writer) {
-	for _, p := range statusToJSONValue {
-		if p.s == st {
-			w.String(p.str)
-			return
-		}
-	}
-	w.String(strconv.FormatUint(uint64(st), 10))
-}
-
-func (st *Status) UnmarshalEasyJSON(l *jlexer.Lexer) {
-	str := l.String()
-	for _, p := range statusToJSONValue {
-		if p.str == str {
-			*st = p.s
-			return
-		}
-	}
-
-	v, err := strconv.ParseUint(str, 10, 8)
-	if err != nil {
-		l.AddError(fmt.Errorf("failed to parse status: %w", err))
-		return
-	}
-	*st = Status(v)
-}
-
-func (ot ObjectType) MarshalEasyJSON(w *jwriter.Writer) {
-	for _, p := range objectTypeToJSONValue {
-		if p.t == ot {
-			w.String(p.str)
-			return
-		}
-	}
-	w.String(strconv.FormatUint(uint64(ot), 10))
-}
-
-func (ot *ObjectType) UnmarshalEasyJSON(l *jlexer.Lexer) {
-	str := l.String()
-	for _, p := range objectTypeToJSONValue {
-		if p.str == str {
-			*ot = p.t
-			return
-		}
-	}
-
-	v, err := strconv.ParseUint(str, 10, 8)
-	if err != nil {
-		l.AddError(fmt.Errorf("failed to parse object type: %w", err))
-		return
-	}
-	*ot = ObjectType(v)
-}
-
-func (ct ConditionType) MarshalEasyJSON(w *jwriter.Writer) {
-	for _, p := range condToStr {
-		if p.ct == ct {
-			w.String(p.str)
-			return
-		}
-	}
-	w.String(strconv.FormatUint(uint64(ct), 10))
-}
-
-func (ct *ConditionType) UnmarshalEasyJSON(l *jlexer.Lexer) {
-	str := l.String()
-	for _, p := range condToStr {
-		if p.str == str {
-			*ct = p.ct
-			return
-		}
-	}
-
-	v, err := strconv.ParseUint(str, 10, 8)
-	if err != nil {
-		l.AddError(fmt.Errorf("failed to parse condition type: %w", err))
-		return
-	}
-	*ct = ConditionType(v)
-}

pkg/chain/marshal_json_test.go

@@ -1,121 +0,0 @@
-package chain
-
-import (
-	"fmt"
-	"os"
-	"testing"
-
-	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
-	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
-	"github.com/stretchr/testify/require"
-)
-
-func TestID(t *testing.T) {
-	key, err := keys.NewPrivateKeyFromWIF("L5eVx6HcHaFpQpvjQ3fy29uKDZ8rQ34bfMVx4XfZMm52EqafpNMg") // s3-gw key
-	require.NoError(t, err)
-
-	chain1 := &Chain{ID: ID(key.PublicKey().GetScriptHash().BytesBE())}
-	data := chain1.Bytes()
-
-	var chain2 Chain
-	require.NoError(t, chain2.DecodeBytes(data))
-
-	require.Equal(t, chain1.ID, chain2.ID)
-
-	data, err = chain1.MarshalJSON()
-	require.NoError(t, err)
-
-	require.NoError(t, chain2.UnmarshalJSON(data))
-
-	require.Equal(t, chain1.ID, chain2.ID)
-}
-
-func TestMatchTypeJson(t *testing.T) {
-	for _, mt := range []MatchType{MatchTypeDenyPriority, MatchTypeFirstMatch, MatchType(100)} {
-		var chain Chain
-		chain.MatchType = mt
-
-		data, err := chain.MarshalJSON()
-		require.NoError(t, err)
-		if mt == MatchTypeDenyPriority {
-			require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"DenyPriority\"}"), data)
-		} else if mt == MatchTypeFirstMatch {
-			require.Equal(t, []byte("{\"ID\":null,\"Rules\":null,\"MatchType\":\"FirstMatch\"}"), data)
-		} else {
-			require.Equal(t, []byte(fmt.Sprintf("{\"ID\":null,\"Rules\":null,\"MatchType\":\"%d\"}", mt)), data)
-		}
-
-		var parsed Chain
-		require.NoError(t, parsed.UnmarshalJSON(data))
-		require.Equal(t, chain, parsed)
-
-		require.Error(t, parsed.UnmarshalJSON([]byte("{\"ID\":\"\",\"Rules\":null,\"MatchType\":\"NotValid\"}")))
-	}
-}
-
-func TestJsonEnums(t *testing.T) {
-	chain := Chain{
-		ID:        []byte("2cca5ae7-cee8-428d-b45f-567fb1d03f01"), // will be encoded to base64
-		MatchType: MatchTypeFirstMatch,
-		Rules: []Rule{
-			{
-				Status: AccessDenied,
-				Actions: Actions{
-					Names: []string{native.MethodDeleteObject, native.MethodGetContainer},
-				},
-				Resources: Resources{
-					Names: []string{native.ResourceFormatAllObjects},
-				},
-				Condition: []Condition{
-					{
-						Op:     CondStringEquals,
-						Object: ObjectRequest,
-						Key:    native.PropertyKeyActorRole,
-						Value:  native.PropertyValueContainerRoleOthers,
-					},
-				},
-			},
-			{
-				Status: QuotaLimitReached,
-				Actions: Actions{
-					Inverted: true,
-					Names:    []string{native.MethodPutObject},
-				},
-				Resources: Resources{
-					Names: []string{fmt.Sprintf(native.ResourceFormatRootContainerObjects, "9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J")},
-				},
-				Any: true,
-				Condition: []Condition{
-					{
-						Op:     CondStringNotLike,
-						Object: ObjectResource,
-						Key:    native.PropertyKeyObjectType,
-						Value:  "regular",
-					},
-				},
-			},
-			{
-				Status: Status(100),
-				Condition: []Condition{
-					{
-						Op:     ConditionType(255),
-						Object: ObjectType(128),
-					},
-				},
-			},
-		},
-	}
-
-	data, err := chain.MarshalJSON()
-	require.NoError(t, err)
-
-	var parsed Chain
-	require.NoError(t, parsed.UnmarshalJSON(data))
-	require.Equal(t, chain, parsed)
-
-	expected, err := os.ReadFile("./testdata/test_status_json.json")
-	require.NoError(t, err)
-
-	require.NoError(t, parsed.UnmarshalJSON(expected))
-	require.Equal(t, chain, parsed)
-}

pkg/chain/testdata/test_status_json.json

@@ -1,75 +0,0 @@
-{
-    "ID": "MmNjYTVhZTctY2VlOC00MjhkLWI0NWYtNTY3ZmIxZDAzZjAx",
-    "Rules": [
-        {
-            "Status": "AccessDenied",
-            "Actions": {
-                "Inverted": false,
-                "Names": [
-                    "DeleteObject",
-                    "GetContainer"
-                ]
-            },
-            "Resources": {
-                "Inverted": false,
-                "Names": [
-                    "native:object/*"
-                ]
-            },
-            "Any": false,
-            "Condition": [
-                {
-                    "Op": "StringEquals",
-                    "Object": "Request",
-                    "Key": "$Actor:role",
-                    "Value": "others"
-                }
-            ]
-        },
-        {
-            "Status": "QuotaLimitReached",
-            "Actions": {
-                "Inverted": true,
-                "Names": [
-                    "PutObject"
-                ]
-            },
-            "Resources": {
-                "Inverted": false,
-                "Names": [
-                    "native:object//9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J/*"
-                ]
-            },
-            "Any": true,
-            "Condition": [
-                {
-                    "Op": "StringNotLike",
-                    "Object": "Resource",
-                    "Key": "$Object:objectType",
-                    "Value": "regular"
-                }
-            ]
-        },
-        {
-            "Status": "100",
-            "Actions": {
-                "Inverted": false,
-                "Names": null
-            },
-            "Resources": {
-                "Inverted": false,
-                "Names": null
-            },
-            "Any": false,
-            "Condition": [
-                {
-                    "Op": "255",
-                    "Object": "128",
-                    "Key": "",
-                    "Value": ""
-                }
-            ]
-        }
-    ],
-    "MatchType": "FirstMatch"
-}

pkg/engine/chain_router.go

@@ -6,111 +6,96 @@ import (
 )
 
 type defaultChainRouter struct {
-	morph MorphRuleChainStorageReader
+	morph MorphRuleChainStorage
 
 	local LocalOverrideStorage
 }
 
-func NewDefaultChainRouter(morph MorphRuleChainStorageReader) ChainRouter {
+func NewDefaultChainRouter(morph MorphRuleChainStorage) ChainRouter {
 	return &defaultChainRouter{
 		morph: morph,
 	}
 }
 
-func NewDefaultChainRouterWithLocalOverrides(morph MorphRuleChainStorageReader, local LocalOverrideStorage) ChainRouter {
+func NewDefaultChainRouterWithLocalOverrides(morph MorphRuleChainStorage, local LocalOverrideStorage) ChainRouter {
 	return &defaultChainRouter{
 		morph: morph,
 		local: local,
 	}
 }
 
-func (dr *defaultChainRouter) IsAllowed(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+func (dr *defaultChainRouter) IsAllowed(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	status, ruleFound, err = dr.checkLocal(name, rt, r)
+	if dr.local != nil {
+		var localRuleFound bool
+		status, localRuleFound, err = dr.checkLocalOverrides(name, r)
 		if err != nil {
 			return chain.NoRuleFound, false, err
-	} else if ruleFound {
+		} else if localRuleFound {
-		// The local overrides have the highest priority and thus
+			ruleFound = true
-		// morph rules are not considered if a local one is found.
+			return
+		}
+	}
+
+	var namespaceRuleFound bool
+	status, namespaceRuleFound, err = dr.checkNamespaceChains(name, namespace, r)
+	if err != nil {
+		return
+	} else if namespaceRuleFound && status != chain.Allow {
+		ruleFound = true
 		return
 	}
 
-	status, ruleFound, err = dr.checkMorph(name, rt, r)
+	var cnrRuleFound bool
+	status, cnrRuleFound, err = dr.checkContainerChains(name, r.Resource().Name(), r)
+	if err != nil {
 		return
-}
+	} else if cnrRuleFound && status != chain.Allow {
-
+		ruleFound = true
-func (dr *defaultChainRouter) checkLocal(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	if dr.local == nil {
 		return
 	}
-	var ruleFounds []bool
-	for _, target := range rt.Targets() {
-		status, ruleFound, err = dr.matchLocalOverrides(name, target, r)
-		if err != nil || ruleFound && status != chain.Allow {
-			return
-		}
-		ruleFounds = append(ruleFounds, ruleFound)
-	}
 
 	status = chain.NoRuleFound
-	for _, ruleFound = range ruleFounds {
+	if ruleFound = namespaceRuleFound || cnrRuleFound; ruleFound {
-		if ruleFound {
 		status = chain.Allow
-			break
-		}
 	}
 	return
 }
 
-func (dr *defaultChainRouter) checkMorph(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+func (dr *defaultChainRouter) checkLocalOverrides(name chain.Name, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	var ruleFounds []bool
+	localOverrides, err := dr.local.ListOverrides(name, r.Resource().Name())
-	for _, target := range rt.Targets() {
-		status, ruleFound, err = dr.matchMorphRuleChains(name, target, r)
-		if err != nil || ruleFound && status != chain.Allow {
-			return
-		}
-		ruleFounds = append(ruleFounds, ruleFound)
-	}
-
-	status = chain.NoRuleFound
-	for _, ruleFound = range ruleFounds {
-		if ruleFound {
-			status = chain.Allow
-			break
-		}
-	}
-	return
-}
-
-func (dr *defaultChainRouter) matchLocalOverrides(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	localOverrides, err := dr.local.ListOverrides(name, target)
 	if err != nil {
 		return
 	}
-	status, ruleFound = dr.getStatusFromChains(localOverrides, r)
+	for _, c := range localOverrides {
+		if status, ruleFound = c.Match(r); ruleFound && status != chain.Allow {
+			return
+		}
+	}
 	return
 }
 
-func (dr *defaultChainRouter) matchMorphRuleChains(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+func (dr *defaultChainRouter) checkNamespaceChains(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	namespaceChains, err := dr.morph.ListMorphRuleChains(name, target)
+	namespaceChains, err := dr.morph.ListMorphRuleChains(name, NamespaceTarget(namespace))
 	if err != nil {
-		return chain.NoRuleFound, false, err
+		return
+	}
+	for _, c := range namespaceChains {
+		if status, ruleFound = c.Match(r); ruleFound {
+			return
+		}
 	}
-	status, ruleFound = dr.getStatusFromChains(namespaceChains, r)
 	return
 }
 
-func (dr *defaultChainRouter) getStatusFromChains(chains []*chain.Chain, r resource.Request) (chain.Status, bool) {
+func (dr *defaultChainRouter) checkContainerChains(name chain.Name, container string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	var allow bool
+	containerChains, err := dr.morph.ListMorphRuleChains(name, ContainerTarget(container))
-	for _, c := range chains {
+	if err != nil {
-		if status, found := c.Match(r); found {
+		return
-			if status != chain.Allow {
-				return status, true
 	}
-			allow = true
+	for _, c := range containerChains {
+		if status, ruleFound = c.Match(r); ruleFound {
+			return
 		}
 	}
-	if allow {
+	return
-		return chain.Allow, true
-	}
-	return chain.NoRuleFound, false
 }

pkg/engine/inmemory/inmemory.go

@@ -43,6 +43,6 @@ func (im *inmemory) MorphRuleChainStorage() engine.MorphRuleChainStorage {
 	return im.morph
 }
 
-func (im *inmemory) IsAllowed(name chain.Name, rt engine.RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) {
+func (im *inmemory) IsAllowed(name chain.Name, namespace string, r resource.Request) (status chain.Status, ruleFound bool, err error) {
-	return im.router.IsAllowed(name, rt, r)
+	return im.router.IsAllowed(name, namespace, r)
 }

pkg/engine/inmemory/inmemory_test.go

@@ -29,7 +29,7 @@ func TestInmemory(t *testing.T) {
 		"Actor":    actor1,
 	})
 
-	status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTargetWithNamespace(namespace), reqGood)
+	status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqGood)
 	require.Equal(t, chain.NoRuleFound, status)
 	require.False(t, ok)
 
@@ -103,7 +103,7 @@ func TestInmemory(t *testing.T) {
 			"SourceIP": "10.122.1.20",
 			"Actor":    actor1,
 		})
-		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadIP)
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadIP)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)
 	})
@@ -113,7 +113,7 @@ func TestInmemory(t *testing.T) {
 			"SourceIP": "10.1.1.13",
 			"Actor":    actor2,
 		})
-		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadActor)
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadActor)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)
 	})
@@ -121,14 +121,14 @@ func TestInmemory(t *testing.T) {
 		objGood := resourcetest.NewResource("native::object::abc/id1", map[string]string{"Department": "HR"})
 		objBadAttr := resourcetest.NewResource("native::object::abc/id2", map[string]string{"Department": "Support"})
 
-		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objGood, map[string]string{
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objGood, map[string]string{
 			"SourceIP": "10.1.1.14",
 			"Actor":    actor2,
 		}))
 		require.Equal(t, chain.Allow, status)
 		require.True(t, ok)
 
-		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace, resourcetest.NewRequest("native::object::get", objBadAttr, map[string]string{
 			"SourceIP": "10.1.1.14",
 			"Actor":    actor2,
 		}))
@@ -141,33 +141,33 @@ func TestInmemory(t *testing.T) {
 			"SourceIP": "10.1.1.12",
 			"Actor":    actor1,
 		})
-		status, ok, _ := s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqBadOperation)
+		status, ok, _ := s.IsAllowed(chain.Ingress, namespace, reqBadOperation)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)
 	})
 	t.Run("inverted rules", func(t *testing.T) {
 		req := resourcetest.NewRequest("native::object::put", resourcetest.NewResource(object, nil), nil)
-		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
 		require.Equal(t, chain.NoRuleFound, status)
 		require.False(t, ok)
 
 		req = resourcetest.NewRequest("native::object::put", resourcetest.NewResource("native::object::cba/def", nil), nil)
-		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
 		require.Equal(t, chain.AccessDenied, status)
 		require.True(t, ok)
 
 		req = resourcetest.NewRequest("native::object::get", resourcetest.NewResource("native::object::cba/def", nil), nil)
-		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace2, container), req)
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace2, req)
 		require.Equal(t, chain.NoRuleFound, status)
 		require.False(t, ok)
 	})
 	t.Run("good", func(t *testing.T) {
-		status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+		status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
 		require.Equal(t, chain.NoRuleFound, status)
 		require.False(t, ok)
 
 		t.Run("quota on a different container", func(t *testing.T) {
-			s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
+			s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
 				Rules: []chain.Rule{{
 					Status:    chain.QuotaLimitReached,
 					Actions:   chain.Actions{Names: []string{"native::object::put"}},
@@ -175,14 +175,14 @@ func TestInmemory(t *testing.T) {
 				}},
 			})
 
-			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
 			require.Equal(t, chain.NoRuleFound, status)
 			require.False(t, ok)
 		})
 
 		var quotaRuleChainID chain.ID
 		t.Run("quota on the request container", func(t *testing.T) {
-			quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, engine.ContainerTarget(container), &chain.Chain{
+			quotaRuleChainID, _ = s.LocalStorage().AddOverride(chain.Ingress, container, &chain.Chain{
 				Rules: []chain.Rule{{
 					Status:    chain.QuotaLimitReached,
 					Actions:   chain.Actions{Names: []string{"native::object::put"}},
@@ -190,15 +190,15 @@ func TestInmemory(t *testing.T) {
 				}},
 			})
 
-			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
 			require.Equal(t, chain.QuotaLimitReached, status)
 			require.True(t, ok)
 		})
 		t.Run("removed quota on the request container", func(t *testing.T) {
-			err := s.LocalStorage().RemoveOverride(chain.Ingress, engine.ContainerTarget(container), quotaRuleChainID)
+			err := s.LocalStorage().RemoveOverride(chain.Ingress, container, quotaRuleChainID)
 			require.NoError(t, err)
 
-			status, ok, _ = s.IsAllowed(chain.Ingress, engine.NewRequestTarget(namespace, container), reqGood)
+			status, ok, _ = s.IsAllowed(chain.Ingress, namespace, reqGood)
 			require.Equal(t, chain.NoRuleFound, status)
 			require.False(t, ok)
 		})

pkg/engine/inmemory/local_storage.go

@@ -1,136 +1,101 @@
 package inmemory
 
 import (
-	"bytes"
 	"fmt"
 	"math/rand"
 	"strings"
-	"sync"
 
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"git.frostfs.info/TrueCloudLab/policy-engine/util"
 )
 
-type targetToChain map[engine.Target][]*chain.Chain
+type targetToChain map[string][]*chain.Chain
 
 type inmemoryLocalStorage struct {
-	usedChainID          map[string]struct{}
+	usedChainID          map[chain.ID]struct{}
 	nameToResourceChains map[chain.Name]targetToChain
-	guard                *sync.RWMutex
 }
 
 func NewInmemoryLocalStorage() engine.LocalOverrideStorage {
 	return &inmemoryLocalStorage{
-		usedChainID:          map[string]struct{}{},
+		usedChainID:          map[chain.ID]struct{}{},
 		nameToResourceChains: make(map[chain.Name]targetToChain),
-		guard:                &sync.RWMutex{},
 	}
 }
 
-func (s *inmemoryLocalStorage) generateChainID(name chain.Name, target engine.Target) chain.ID {
+func (s *inmemoryLocalStorage) generateChainID(name chain.Name, resource string) chain.ID {
 	var id chain.ID
 	for {
 		suffix := rand.Uint32() % 100
-		sid := fmt.Sprintf("%s:%s/%d", name, target.Name, suffix)
+		sid := fmt.Sprintf("%s:%s/%d", name, resource, suffix)
 		sid = strings.ReplaceAll(sid, "*", "")
 		sid = strings.ReplaceAll(sid, "/", ":")
 		sid = strings.ReplaceAll(sid, "::", ":")
-		_, ok := s.usedChainID[sid]
+		id = chain.ID(sid)
+		_, ok := s.usedChainID[id]
 		if ok {
 			continue
 		}
-		s.usedChainID[sid] = struct{}{}
+		s.usedChainID[id] = struct{}{}
-
-		id = chain.ID(sid)
 		break
 	}
 	return id
 }
 
-func (s *inmemoryLocalStorage) AddOverride(name chain.Name, target engine.Target, c *chain.Chain) (chain.ID, error) {
+func (s *inmemoryLocalStorage) AddOverride(name chain.Name, resource string, c *chain.Chain) (chain.ID, error) {
-	s.guard.Lock()
-	defer s.guard.Unlock()
-
 	// AddOverride assigns generated chain ID if it has not been assigned.
-	if len(c.ID) == 0 {
+	if c.ID == "" {
-		c.ID = s.generateChainID(name, target)
+		c.ID = s.generateChainID(name, resource)
 	}
 	if s.nameToResourceChains[name] == nil {
 		s.nameToResourceChains[name] = make(targetToChain)
 	}
 	rc := s.nameToResourceChains[name]
-	for i := range rc[target] {
+	rc[resource] = append(rc[resource], c)
-		if bytes.Equal(rc[target][i].ID, c.ID) {
-			rc[target][i] = c
-			return c.ID, nil
-		}
-	}
-	rc[target] = append(rc[target], c)
 	return c.ID, nil
 }
 
-func (s *inmemoryLocalStorage) GetOverride(name chain.Name, target engine.Target, chainID chain.ID) (*chain.Chain, error) {
+func (s *inmemoryLocalStorage) GetOverride(name chain.Name, resource string, chainID chain.ID) (*chain.Chain, error) {
-	s.guard.RLock()
-	defer s.guard.RUnlock()
-
 	if _, ok := s.nameToResourceChains[name]; !ok {
 		return nil, engine.ErrChainNameNotFound
 	}
-	if target.Name == "" {
+	chains, ok := s.nameToResourceChains[name][resource]
-		target.Name = "root"
-	}
-	chains, ok := s.nameToResourceChains[name][target]
 	if !ok {
 		return nil, engine.ErrResourceNotFound
 	}
 	for _, c := range chains {
-		if bytes.Equal(c.ID, chainID) {
+		if c.ID == chainID {
 			return c, nil
 		}
 	}
 	return nil, engine.ErrChainNotFound
 }
 
-func (s *inmemoryLocalStorage) RemoveOverride(name chain.Name, target engine.Target, chainID chain.ID) error {
+func (s *inmemoryLocalStorage) RemoveOverride(name chain.Name, resource string, chainID chain.ID) error {
-	s.guard.Lock()
-	defer s.guard.Unlock()
-
 	if _, ok := s.nameToResourceChains[name]; !ok {
 		return engine.ErrChainNameNotFound
 	}
-	if target.Name == "" {
+	chains, ok := s.nameToResourceChains[name][resource]
-		target.Name = "root"
-	}
-	chains, ok := s.nameToResourceChains[name][target]
 	if !ok {
 		return engine.ErrResourceNotFound
 	}
 	for i, c := range chains {
-		if bytes.Equal(c.ID, chainID) {
+		if c.ID == chainID {
-			s.nameToResourceChains[name][target] = append(chains[:i], chains[i+1:]...)
+			s.nameToResourceChains[name][resource] = append(chains[:i], chains[i+1:]...)
 			return nil
 		}
 	}
 	return engine.ErrChainNotFound
 }
 
-func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
+func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, resource string) ([]*chain.Chain, error) {
-	s.guard.RLock()
-	defer s.guard.RUnlock()
-
 	rcs, ok := s.nameToResourceChains[name]
 	if !ok {
 		return []*chain.Chain{}, nil
 	}
-	if target.Name == "" {
+	for container, chains := range rcs {
-		target.Name = "root"
+		if !util.GlobMatch(resource, container) {
-	}
-	for t, chains := range rcs {
-		if t.Type != target.Type {
-			continue
-		}
-		if !util.GlobMatch(target.Name, t.Name) {
 			continue
 		}
 		return chains, nil
@@ -139,20 +104,6 @@ func (s *inmemoryLocalStorage) ListOverrides(name chain.Name, target engine.Targ
 }
 
 func (s *inmemoryLocalStorage) DropAllOverrides(name chain.Name) error {
-	s.guard.Lock()
-	defer s.guard.Unlock()
-
 	s.nameToResourceChains[name] = make(targetToChain)
 	return nil
 }
-
-func (s *inmemoryLocalStorage) ListOverrideDefinedTargets(name chain.Name) ([]engine.Target, error) {
-	s.guard.RLock()
-	defer s.guard.RUnlock()
-	ttc := s.nameToResourceChains[name]
-	var keys []engine.Target
-	for k := range ttc {
-		keys = append(keys, k)
-	}
-	return keys, nil
-}

pkg/engine/inmemory/local_storage_test.go

@@ -9,13 +9,11 @@ import (
 )
 
 const (
-	container       = "native:::object/ExYw/*"
+	resrc           = "native:::object/ExYw/*"
 	chainID         = "ingress:ExYw"
 	nonExistChainId = "ingress:LxGyWyL"
 )
 
-var resrc = engine.ContainerTarget(container)
-
 func testInmemLocalStorage() *inmemoryLocalStorage {
 	return NewInmemoryLocalStorage().(*inmemoryLocalStorage)
 }
@@ -184,9 +182,6 @@ func TestListOverrides(t *testing.T) {
 		inmem.AddOverride(chain.Ingress, resrc, addChain)
 		l, _ := inmem.ListOverrides(chain.Ingress, resrc)
 		require.Len(t, l, 1)
-		targets, err := inmem.ListOverrideDefinedTargets(chain.Ingress)
-		require.NoError(t, err)
-		require.Equal(t, []engine.Target{resrc}, targets)
 	})
 
 	t.Run("list after drop", func(t *testing.T) {
@@ -211,12 +206,12 @@ func TestGenerateID(t *testing.T) {
 }
 
 func hasDuplicates(ids []chain.ID) bool {
-	seen := make(map[string]bool)
+	seen := make(map[chain.ID]bool)
 	for _, id := range ids {
-		if seen[string(id)] {
+		if seen[id] {
 			return true
 		}
-		seen[string(id)] = true
+		seen[id] = true
 	}
 	return false
 }

pkg/engine/inmemory/morph_storage.go

@@ -3,7 +3,6 @@ package inmemory
 import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
-	"github.com/nspcc-dev/neo-go/pkg/util"
 )
 
 type inmemoryMorphRuleChainStorage struct {
@@ -18,45 +17,36 @@ func NewInmemoryMorphRuleChainStorage() engine.MorphRuleChainStorage {
 	}
 }
 
-func (s *inmemoryMorphRuleChainStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (_ util.Uint256, _ uint32, err error) {
+func (s *inmemoryMorphRuleChainStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (err error) {
 	switch target.Type {
 	case engine.Namespace:
-		_, err = s.nameToNamespaceChains.AddOverride(name, target, c)
+		_, err = s.nameToNamespaceChains.AddOverride(name, target.Name, c)
 	case engine.Container:
-		_, err = s.nameToContainerChains.AddOverride(name, target, c)
+		_, err = s.nameToContainerChains.AddOverride(name, target.Name, c)
 	default:
 		err = engine.ErrUnknownTarget
 	}
 	return
 }
 
-func (s *inmemoryMorphRuleChainStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (_ util.Uint256, _ uint32, err error) {
+func (s *inmemoryMorphRuleChainStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) error {
 	switch target.Type {
 	case engine.Namespace:
-		err = s.nameToNamespaceChains.RemoveOverride(name, target, chainID)
+		return s.nameToNamespaceChains.RemoveOverride(name, target.Name, chainID)
 	case engine.Container:
-		err = s.nameToContainerChains.RemoveOverride(name, target, chainID)
+		return s.nameToContainerChains.RemoveOverride(name, target.Name, chainID)
 	default:
-		err = engine.ErrUnknownTarget
+		return engine.ErrUnknownTarget
 	}
-	return
 }
 
 func (s *inmemoryMorphRuleChainStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
 	switch target.Type {
 	case engine.Namespace:
-		return s.nameToNamespaceChains.ListOverrides(name, target)
+		return s.nameToNamespaceChains.ListOverrides(name, target.Name)
 	case engine.Container:
-		return s.nameToContainerChains.ListOverrides(name, target)
+		return s.nameToContainerChains.ListOverrides(name, target.Name)
 	default:
 	}
 	return nil, engine.ErrUnknownTarget
 }
-
-func (s *inmemoryMorphRuleChainStorage) GetAdmin() (util.Uint160, error) {
-	panic("not implemented")
-}
-
-func (s *inmemoryMorphRuleChainStorage) SetAdmin(_ util.Uint160) (util.Uint256, uint32, error) {
-	panic("not implemented")
-}

pkg/engine/interface.go

@@ -3,29 +3,26 @@ package engine
 import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource"
-	"github.com/nspcc-dev/neo-go/pkg/util"
 )
 
 type ChainRouter interface {
 	// IsAllowed returns status for the operation after all checks.
 	// The second return value signifies whether a matching rule was found.
-	IsAllowed(name chain.Name, reqTarget RequestTarget, r resource.Request) (status chain.Status, found bool, err error)
+	IsAllowed(name chain.Name, target string, r resource.Request) (status chain.Status, found bool, err error)
 }
 
 // LocalOverrideStorage is the interface to manage local overrides defined
 // for a node. Local overrides have a higher priority than chains got from morph storage.
 type LocalOverrideStorage interface {
-	AddOverride(name chain.Name, target Target, c *chain.Chain) (chain.ID, error)
+	AddOverride(name chain.Name, resource string, c *chain.Chain) (chain.ID, error)
 
-	GetOverride(name chain.Name, target Target, chainID chain.ID) (*chain.Chain, error)
+	GetOverride(name chain.Name, resource string, chainID chain.ID) (*chain.Chain, error)
 
-	RemoveOverride(name chain.Name, target Target, chainID chain.ID) error
+	RemoveOverride(name chain.Name, resource string, chainID chain.ID) error
 
-	ListOverrides(name chain.Name, target Target) ([]*chain.Chain, error)
+	ListOverrides(name chain.Name, resource string) ([]*chain.Chain, error)
 
 	DropAllOverrides(name chain.Name) error
-
-	ListOverrideDefinedTargets(name chain.Name) ([]Target, error)
 }
 
 type TargetType rune
@@ -40,45 +37,6 @@ type Target struct {
 	Name string
 }
 
-// RequestTarget combines several targets on which the request is performed.
-type RequestTarget struct {
-	Namespace *Target
-	Container *Target
-}
-
-func NewRequestTargetWithNamespace(namespace string) RequestTarget {
-	nt := NamespaceTarget(namespace)
-	return RequestTarget{
-		Namespace: &nt,
-	}
-}
-
-func NewRequestTargetWithContainer(container string) RequestTarget {
-	ct := ContainerTarget(container)
-	return RequestTarget{
-		Container: &ct,
-	}
-}
-
-func NewRequestTarget(namespace, container string) RequestTarget {
-	nt := NamespaceTarget(namespace)
-	ct := ContainerTarget(container)
-	return RequestTarget{
-		Namespace: &nt,
-		Container: &ct,
-	}
-}
-
-func (rt *RequestTarget) Targets() (targets []Target) {
-	if rt.Namespace != nil {
-		targets = append(targets, *rt.Namespace)
-	}
-	if rt.Container != nil {
-		targets = append(targets, *rt.Container)
-	}
-	return
-}
-
 func NamespaceTarget(namespace string) Target {
 	return Target{
 		Type: Namespace,
@@ -93,27 +51,14 @@ func ContainerTarget(container string) Target {
 	}
 }
 
-// MorphRuleChainStorageReader is the interface that provides read-only methods to receive
+// MorphRuleChainStorage is the interface to manage chains from the chain storage.
-// data like chains, target or admin from a chain storage.
-type MorphRuleChainStorageReader interface {
-	// ListMorphRuleChains just lists deserialized chains.
-	ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
-
-	GetAdmin() (util.Uint160, error)
-}
-
-// MorphRuleChainStorage is the interface to read and manage data within a chain storage.
 // Basically, this implies that the storage manages rules stored in policy contract.
 type MorphRuleChainStorage interface {
-	MorphRuleChainStorageReader
+	AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) error
 
-	// AddMorphRuleChain adds a chain rule to the policy contract and returns transaction hash, VUB and error.
+	RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) error
-	AddMorphRuleChain(name chain.Name, target Target, c *chain.Chain) (util.Uint256, uint32, error)
 
-	// RemoveMorphRuleChain removes a chain rule to the policy contract and returns transaction hash, VUB and error.
+	ListMorphRuleChains(name chain.Name, target Target) ([]*chain.Chain, error)
-	RemoveMorphRuleChain(name chain.Name, target Target, chainID chain.ID) (util.Uint256, uint32, error)
-
-	SetAdmin(addr util.Uint160) (util.Uint256, uint32, error)
 }
 
 // Engine is the interface that provides methods to check request permissions checking

pkg/marshal/marshal.go

@@ -1,267 +0,0 @@
-package marshal
-
-import (
-	"encoding/binary"
-	"fmt"
-)
-
-const (
-	Version byte = 0 // increase if breaking change
-
-	ByteSize  int = 1
-	UInt8Size int = ByteSize
-	BoolSize  int = ByteSize
-
-	nilSlice     int64 = -1
-	nilSliceSize int   = 1
-
-	byteTrue  uint8 = 1
-	byteFalse uint8 = 0
-
-	// maxSliceLen taken from https://github.com/neo-project/neo/blob/38218bbee5bbe8b33cd8f9453465a19381c9a547/src/Neo/IO/Helper.cs#L77
-	maxSliceLen = 0x1000000
-)
-
-type MarshallerError struct {
-	errMsg string
-	offset int
-}
-
-func (e *MarshallerError) Error() string {
-	if e == nil {
-		return ""
-	}
-	if e.offset < 0 {
-		return e.errMsg
-	}
-	return fmt.Sprintf("%s (offset: %d)", e.errMsg, e.offset)
-}
-
-func errBufTooSmall(t string, marshal bool, offset int) error {
-	action := "unmarshal"
-	if marshal {
-		action = "marshal"
-	}
-	return &MarshallerError{
-		errMsg: fmt.Sprintf("not enough bytes left to %s value of type '%s'", action, t),
-		offset: offset,
-	}
-}
-
-func VerifyMarshal(buf []byte, lastOffset int) error {
-	if len(buf) != lastOffset {
-		return &MarshallerError{
-			errMsg: "actual data size differs from expected",
-			offset: -1,
-		}
-	}
-	return nil
-}
-
-func VerifyUnmarshal(buf []byte, lastOffset int) error {
-	if len(buf) != lastOffset {
-		return &MarshallerError{
-			errMsg: "unmarshalled bytes left",
-		}
-	}
-	return nil
-}
-
-func SliceSize[T any](slice []T, sizeOf func(T) int) int {
-	if slice == nil {
-		return nilSliceSize
-	}
-	s := Int64Size(int64(len(slice)))
-	for _, v := range slice {
-		s += sizeOf(v)
-	}
-	return s
-}
-
-func SliceMarshal[T any](buf []byte, offset int, slice []T, marshalT func([]byte, int, T) (int, error)) (int, error) {
-	if slice == nil {
-		return Int64Marshal(buf, offset, nilSlice)
-	}
-	if len(slice) > maxSliceLen {
-		return 0, &MarshallerError{
-			errMsg: fmt.Sprintf("slice size if too big: '%d'", len(slice)),
-			offset: offset,
-		}
-	}
-	offset, err := Int64Marshal(buf, offset, int64(len(slice)))
-	if err != nil {
-		return 0, err
-	}
-	for _, v := range slice {
-		offset, err = marshalT(buf, offset, v)
-		if err != nil {
-			return 0, err
-		}
-	}
-	return offset, nil
-}
-
-func SliceUnmarshal[T any](buf []byte, offset int, unmarshalT func(buf []byte, offset int) (T, int, error)) ([]T, int, error) {
-	size, offset, err := Int64Unmarshal(buf, offset)
-	if err != nil {
-		return nil, 0, err
-	}
-	if size == nilSlice {
-		return nil, offset, nil
-	}
-	if size > maxSliceLen {
-		return nil, 0, &MarshallerError{
-			errMsg: fmt.Sprintf("slice size if too big: '%d'", size),
-			offset: offset,
-		}
-	}
-	if size < 0 {
-		return nil, 0, &MarshallerError{
-			errMsg: fmt.Sprintf("invalid slice size: '%d'", size),
-			offset: offset,
-		}
-	}
-	result := make([]T, size)
-	for idx := 0; idx < len(result); idx++ {
-		result[idx], offset, err = unmarshalT(buf, offset)
-		if err != nil {
-			return nil, 0, err
-		}
-	}
-	return result, offset, nil
-}
-
-func Int64Size(v int64) int {
-	// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=92;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
-	// and
-	// https://cs.opensource.google/go/go/+/master:src/encoding/binary/varint.go;l=41;drc=dac9b9ddbd5160c5f4552410f5f8281bd5eed38c
-	ux := uint64(v) << 1
-	if v < 0 {
-		ux = ^ux
-	}
-	s := 0
-	for ux >= 0x80 {
-		s++
-		ux >>= 7
-	}
-	return s + 1
-}
-
-func Int64Marshal(buf []byte, offset int, v int64) (int, error) {
-	if len(buf)-offset < Int64Size(v) {
-		return 0, errBufTooSmall("int64", true, offset)
-	}
-	return offset + binary.PutVarint(buf[offset:], v), nil
-}
-
-func Int64Unmarshal(buf []byte, offset int) (int64, int, error) {
-	v, read := binary.Varint(buf[offset:])
-	if read == 0 {
-		return 0, 0, errBufTooSmall("int64", false, offset)
-	}
-	if read < 0 {
-		return 0, 0, &MarshallerError{
-			errMsg: "int64 unmarshal overflow",
-			offset: offset,
-		}
-	}
-	return v, offset + read, nil
-}
-
-func StringSize(s string) int {
-	return Int64Size(int64(len(s))) + len(s)
-}
-
-func StringMarshal(buf []byte, offset int, s string) (int, error) {
-	if len(s) > maxSliceLen {
-		return 0, &MarshallerError{
-			errMsg: fmt.Sprintf("string is too long: '%d'", len(s)),
-			offset: offset,
-		}
-	}
-	if len(buf)-offset < Int64Size(int64(len(s)))+len(s) {
-		return 0, errBufTooSmall("string", true, offset)
-	}
-
-	offset, err := Int64Marshal(buf, offset, int64(len(s)))
-	if err != nil {
-		return 0, err
-	}
-	if s == "" {
-		return offset, nil
-	}
-	return offset + copy(buf[offset:], s), nil
-}
-
-func StringUnmarshal(buf []byte, offset int) (string, int, error) {
-	size, offset, err := Int64Unmarshal(buf, offset)
-	if err != nil {
-		return "", 0, err
-	}
-	if size == 0 {
-		return "", offset, nil
-	}
-	if size > maxSliceLen {
-		return "", 0, &MarshallerError{
-			errMsg: fmt.Sprintf("string is too long: '%d'", size),
-			offset: offset,
-		}
-	}
-	if size < 0 {
-		return "", 0, &MarshallerError{
-			errMsg: fmt.Sprintf("invalid string size: '%d'", size),
-			offset: offset,
-		}
-	}
-	if len(buf)-offset < int(size) {
-		return "", 0, errBufTooSmall("string", false, offset)
-	}
-	return string(buf[offset : offset+int(size)]), offset + int(size), nil
-}
-
-func UInt8Marshal(buf []byte, offset int, value uint8) (int, error) {
-	if len(buf)-offset < 1 {
-		return 0, errBufTooSmall("uint8", true, offset)
-	}
-	buf[offset] = value
-	return offset + 1, nil
-}
-
-func UInt8Unmarshal(buf []byte, offset int) (uint8, int, error) {
-	if len(buf)-offset < 1 {
-		return 0, 0, errBufTooSmall("uint8", false, offset)
-	}
-	return buf[offset], offset + 1, nil
-}
-
-func ByteMarshal(buf []byte, offset int, value byte) (int, error) {
-	return UInt8Marshal(buf, offset, value)
-}
-
-func ByteUnmarshal(buf []byte, offset int) (byte, int, error) {
-	return UInt8Unmarshal(buf, offset)
-}
-
-func BoolMarshal(buf []byte, offset int, value bool) (int, error) {
-	if value {
-		return UInt8Marshal(buf, offset, byteTrue)
-	}
-	return UInt8Marshal(buf, offset, byteFalse)
-}
-
-func BoolUnmarshal(buf []byte, offset int) (bool, int, error) {
-	v, offset, err := UInt8Unmarshal(buf, offset)
-	if err != nil {
-		return false, 0, err
-	}
-	if v == byteTrue {
-		return true, offset, nil
-	}
-	if v == byteFalse {
-		return false, offset, nil
-	}
-	return false, 0, &MarshallerError{
-		errMsg: fmt.Sprintf("invalid marshalled value for bool: %d", v),
-		offset: offset - BoolSize,
-	}
-}

pkg/marshal/marshal_test.go

@@ -1,313 +0,0 @@
-package marshal
-
-import (
-	"encoding/binary"
-	"math"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestMarshalling(t *testing.T) {
-	t.Parallel()
-	t.Run("slice", func(t *testing.T) {
-		t.Parallel()
-		t.Run("nil slice", func(t *testing.T) {
-			t.Parallel()
-
-			var int64s []int64
-			expectedSize := SliceSize(int64s, Int64Size)
-			require.Equal(t, 1, expectedSize)
-			buf := make([]byte, expectedSize)
-			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyUnmarshal(buf, offset))
-			require.Nil(t, result)
-		})
-
-		t.Run("empty slice", func(t *testing.T) {
-			t.Parallel()
-
-			int64s := make([]int64, 0)
-			expectedSize := SliceSize(int64s, Int64Size)
-			require.Equal(t, 1, expectedSize)
-			buf := make([]byte, expectedSize)
-			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyUnmarshal(buf, offset))
-			require.NotNil(t, result)
-			require.Len(t, result, 0)
-		})
-
-		t.Run("non empty slice", func(t *testing.T) {
-			t.Parallel()
-
-			int64s := make([]int64, 100)
-			for i := range int64s {
-				int64s[i] = int64(i)
-			}
-			expectedSize := SliceSize(int64s, Int64Size)
-			buf := make([]byte, expectedSize)
-			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			result, offset, err := SliceUnmarshal(buf, 0, Int64Unmarshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyUnmarshal(buf, offset))
-			require.Equal(t, int64s, result)
-		})
-
-		t.Run("corrupted slice size", func(t *testing.T) {
-			t.Parallel()
-
-			int64s := make([]int64, 100)
-			for i := range int64s {
-				int64s[i] = int64(i)
-			}
-			expectedSize := SliceSize(int64s, Int64Size)
-			buf := make([]byte, expectedSize)
-			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			for i := 0; i < binary.MaxVarintLen64; i++ {
-				buf[i] = 129
-			}
-
-			_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
-			var mErr *MarshallerError
-			require.ErrorAs(t, err, &mErr)
-
-			for i := 0; i < binary.MaxVarintLen64; i++ {
-				buf[i] = 127
-			}
-			_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
-			require.ErrorAs(t, err, &mErr)
-		})
-
-		t.Run("corrupted slice item", func(t *testing.T) {
-			t.Parallel()
-
-			int64s := make([]int64, 100)
-			for i := range int64s {
-				int64s[i] = int64(i)
-			}
-			expectedSize := SliceSize(int64s, Int64Size)
-			buf := make([]byte, expectedSize)
-			offset, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			for i := 2; i < binary.MaxVarintLen64+2; i++ {
-				buf[i] = 129
-			}
-
-			_, _, err = SliceUnmarshal(buf, 0, Int64Unmarshal)
-			var mErr *MarshallerError
-			require.ErrorAs(t, err, &mErr)
-		})
-
-		t.Run("small buffer", func(t *testing.T) {
-			t.Parallel()
-
-			int64s := make([]int64, 100)
-			for i := range int64s {
-				int64s[i] = int64(i)
-			}
-			buf := make([]byte, 1)
-			_, err := SliceMarshal(buf, 0, int64s, Int64Marshal)
-			var mErr *MarshallerError
-			require.ErrorAs(t, err, &mErr)
-
-			buf = make([]byte, 10)
-			_, err = SliceMarshal(buf, 0, int64s, Int64Marshal)
-			require.ErrorAs(t, err, &mErr)
-		})
-	})
-
-	t.Run("int64", func(t *testing.T) {
-		t.Parallel()
-
-		t.Run("success", func(t *testing.T) {
-			t.Parallel()
-
-			require.Equal(t, 1, Int64Size(0))
-			require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MaxInt64))
-			require.Equal(t, binary.MaxVarintLen64, Int64Size(math.MinInt64))
-
-			for _, v := range []int64{0, math.MinInt64, math.MaxInt64} {
-				size := Int64Size(v)
-				buf := make([]byte, size)
-				offset, err := Int64Marshal(buf, 0, v)
-				require.NoError(t, err)
-				require.NoError(t, VerifyMarshal(buf, offset))
-
-				uv, offset, err := Int64Unmarshal(buf, 0)
-				require.NoError(t, err)
-				require.NoError(t, VerifyUnmarshal(buf, offset))
-				require.Equal(t, v, uv)
-			}
-		})
-
-		t.Run("invalid buffer", func(t *testing.T) {
-			t.Parallel()
-
-			var mErr *MarshallerError
-
-			_, err := Int64Marshal([]byte{}, 0, 100500)
-			require.ErrorAs(t, err, &mErr)
-
-			_, _, err = Int64Unmarshal(nil, 0)
-			require.ErrorAs(t, err, &mErr)
-		})
-
-		t.Run("overflow", func(t *testing.T) {
-			t.Parallel()
-
-			var mErr *MarshallerError
-
-			var v int64 = math.MaxInt64
-			buf := make([]byte, Int64Size(v))
-			_, err := Int64Marshal(buf, 0, v)
-			require.NoError(t, err)
-
-			buf[9] = 2
-
-			_, _, err = Int64Unmarshal(buf, 0)
-			require.ErrorAs(t, err, &mErr)
-		})
-	})
-
-	t.Run("string", func(t *testing.T) {
-		t.Parallel()
-
-		t.Run("success", func(t *testing.T) {
-			t.Parallel()
-			for _, v := range []string{
-				"", "arn:aws:iam::namespace:group/some_group", "$Object:homomorphicHash",
-				"native:container/ns/9LPLUFZpEmfidG4n44vi2cjXKXSqWT492tCvLJiJ8W1J",
-			} {
-				size := StringSize(v)
-				buf := make([]byte, size)
-				offset, err := StringMarshal(buf, 0, v)
-				require.NoError(t, err)
-				require.NoError(t, VerifyMarshal(buf, offset))
-
-				uv, offset, err := StringUnmarshal(buf, 0)
-				require.NoError(t, err)
-				require.NoError(t, VerifyUnmarshal(buf, offset))
-				require.Equal(t, v, uv)
-			}
-		})
-
-		t.Run("invalid buffer", func(t *testing.T) {
-			t.Parallel()
-
-			str := "avada kedavra"
-
-			var mErr *MarshallerError
-			_, err := StringMarshal(nil, 0, str)
-			require.ErrorAs(t, err, &mErr)
-
-			_, _, err = StringUnmarshal(nil, 0)
-			require.ErrorAs(t, err, &mErr)
-
-			buf := make([]byte, StringSize(str))
-			offset, err := StringMarshal(buf, 0, str)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-			buf = buf[:len(buf)-1]
-			_, _, err = StringUnmarshal(buf, 0)
-			require.ErrorAs(t, err, &mErr)
-		})
-	})
-
-	t.Run("uint8, byte", func(t *testing.T) {
-		t.Parallel()
-
-		for _, v := range []byte{0, 8, 16, 32, 64, 128, 255} {
-			buf := make([]byte, ByteSize)
-			offset, err := ByteMarshal(buf, 0, v)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			ub, offset, err := ByteUnmarshal(buf, 0)
-			require.NoError(t, err)
-			require.NoError(t, VerifyUnmarshal(buf, offset))
-			require.Equal(t, v, ub)
-
-			buf = make([]byte, UInt8Size)
-			offset, err = UInt8Marshal(buf, 0, v)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			uu, offset, err := UInt8Unmarshal(buf, 0)
-			require.NoError(t, err)
-			require.NoError(t, VerifyUnmarshal(buf, offset))
-			require.Equal(t, v, uu)
-		}
-	})
-
-	t.Run("bool", func(t *testing.T) {
-		t.Parallel()
-
-		t.Run("success", func(t *testing.T) {
-			t.Parallel()
-			for _, v := range []bool{false, true} {
-				buf := make([]byte, BoolSize)
-				offset, err := BoolMarshal(buf, 0, v)
-				require.NoError(t, err)
-				require.NoError(t, VerifyMarshal(buf, offset))
-
-				ub, offset, err := BoolUnmarshal(buf, 0)
-				require.NoError(t, err)
-				require.NoError(t, VerifyUnmarshal(buf, offset))
-				require.Equal(t, v, ub)
-			}
-		})
-
-		t.Run("invalid value", func(t *testing.T) {
-			t.Parallel()
-			buf := make([]byte, BoolSize)
-			offset, err := BoolMarshal(buf, 0, true)
-			require.NoError(t, err)
-			require.NoError(t, VerifyMarshal(buf, offset))
-
-			buf[0] = 2
-
-			_, _, err = BoolUnmarshal(buf, 0)
-			var mErr *MarshallerError
-			require.ErrorAs(t, err, &mErr)
-		})
-
-		t.Run("invalid buffer", func(t *testing.T) {
-			t.Parallel()
-			var mErr *MarshallerError
-
-			_, err := BoolMarshal(nil, 0, true)
-			require.ErrorAs(t, err, &mErr)
-
-			buf := append(make([]byte, BoolSize), 100)
-			offset, err := BoolMarshal(buf, 0, true)
-			require.NoError(t, err)
-			require.ErrorAs(t, VerifyMarshal(buf, offset), &mErr)
-
-			v, offset, err := BoolUnmarshal(buf, 0)
-			require.NoError(t, err)
-			require.True(t, v)
-			require.ErrorAs(t, VerifyUnmarshal(buf, offset), &mErr)
-
-			_, _, err = BoolUnmarshal(nil, 0)
-			require.ErrorAs(t, err, &mErr)
-		})
-	})
-}

pkg/morph/policy/policy_contract_storage.go

@@ -1,184 +0,0 @@
-package policy
-
-import (
-	"errors"
-	"fmt"
-	"math/big"
-	"strings"
-
-	"git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
-	client "git.frostfs.info/TrueCloudLab/frostfs-contract/rpcclient/policy"
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
-	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
-	"github.com/nspcc-dev/neo-go/pkg/util"
-	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
-	"github.com/nspcc-dev/neo-go/pkg/wallet"
-)
-
-var (
-	ErrEmptyChainID = errors.New("chain id is not set")
-
-	ErrEngineTargetTypeUnsupported = errors.New("this target type is not supported yet")
-)
-
-// ContractStorage is the interface to manage chain rules within Policy contract.
-type ContractStorage struct {
-	contractInterface *client.Contract
-}
-
-var _ engine.MorphRuleChainStorage = (*ContractStorage)(nil)
-
-// ContractStorageReader is the interface to read data from Policy contract.
-type ContractStorageReader struct {
-	contractReaderInterface *client.ContractReader
-}
-
-var _ engine.MorphRuleChainStorageReader = (*ContractStorageReader)(nil)
-
-func NewContractStorage(actor client.Actor, contract util.Uint160) *ContractStorage {
-	return &ContractStorage{
-		contractInterface: client.New(actor, contract),
-	}
-}
-
-func NewContractStorageWithSimpleActor(rpcActor actor.RPCActor, acc *wallet.Account, contract util.Uint160) (*ContractStorage, error) {
-	act, err := actor.NewSimple(rpcActor, acc)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create simple actor: %w", err)
-	}
-	return NewContractStorage(act, contract), nil
-}
-
-func (s *ContractStorage) AddMorphRuleChain(name chain.Name, target engine.Target, c *chain.Chain) (txHash util.Uint256, vub uint32, err error) {
-	if len(c.ID) == 0 {
-		err = ErrEmptyChainID
-		return
-	}
-
-	var kind policy.Kind
-	kind, err = policyKind(target.Type)
-	if err != nil {
-		return
-	}
-	fullName := prefixedChainName(name, c.ID)
-
-	txHash, vub, err = s.contractInterface.AddChain(big.NewInt(int64(kind)), target.Name, fullName, c.Bytes())
-	return
-}
-
-func (s *ContractStorage) RemoveMorphRuleChain(name chain.Name, target engine.Target, chainID chain.ID) (txHash util.Uint256, vub uint32, err error) {
-	if len(chainID) == 0 {
-		err = ErrEmptyChainID
-		return
-	}
-
-	var kind policy.Kind
-	kind, err = policyKind(target.Type)
-	if err != nil {
-		return
-	}
-	fullName := prefixedChainName(name, chainID)
-
-	txHash, vub, err = s.contractInterface.RemoveChain(big.NewInt(int64(kind)), target.Name, fullName)
-	return
-}
-
-func (s *ContractStorage) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
-	kind, err := policyKind(target.Type)
-	if err != nil {
-		return nil, err
-	}
-
-	items, err := s.contractInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
-	if err != nil {
-		return nil, err
-	}
-
-	var chains []*chain.Chain
-	for _, item := range items {
-		serialized, err := bytesFromStackItem(item)
-		if err != nil {
-			return nil, err
-		}
-		c := new(chain.Chain)
-		if err := c.DecodeBytes(serialized); err != nil {
-			return nil, err
-		}
-		chains = append(chains, c)
-	}
-
-	return chains, nil
-}
-
-func (s *ContractStorage) GetAdmin() (util.Uint160, error) {
-	return s.contractInterface.GetAdmin()
-}
-
-func (s *ContractStorage) SetAdmin(addr util.Uint160) (util.Uint256, uint32, error) {
-	return s.contractInterface.SetAdmin(addr)
-}
-
-func NewContractStorageReader(inv client.Invoker, contract util.Uint160) *ContractStorageReader {
-	return &ContractStorageReader{
-		contractReaderInterface: client.NewReader(inv, contract),
-	}
-}
-
-func (s *ContractStorageReader) ListMorphRuleChains(name chain.Name, target engine.Target) ([]*chain.Chain, error) {
-	kind, err := policyKind(target.Type)
-	if err != nil {
-		return nil, err
-	}
-
-	items, err := s.contractReaderInterface.ListChainsByPrefix(big.NewInt(int64(kind)), target.Name, []byte(name))
-	if err != nil {
-		return nil, err
-	}
-
-	var chains []*chain.Chain
-	for _, item := range items {
-		serialized, err := bytesFromStackItem(item)
-		if err != nil {
-			return nil, err
-		}
-		c := new(chain.Chain)
-		if err := c.DecodeBytes(serialized); err != nil {
-			return nil, err
-		}
-		chains = append(chains, c)
-	}
-
-	return chains, nil
-}
-
-func (s *ContractStorageReader) GetAdmin() (util.Uint160, error) {
-	return s.contractReaderInterface.GetAdmin()
-}
-
-func bytesFromStackItem(param stackitem.Item) ([]byte, error) {
-	switch param.Type() {
-	case stackitem.BufferT, stackitem.ByteArrayT, stackitem.IntegerT:
-		return param.TryBytes()
-	case stackitem.AnyT:
-		if param.Value() == nil {
-			return nil, nil
-		}
-		fallthrough
-	default:
-		return nil, fmt.Errorf("chain/client: %s is not a byte array type", param.Type())
-	}
-}
-
-func prefixedChainName(name chain.Name, chainID chain.ID) []byte {
-	return []byte(strings.ToLower(fmt.Sprintf("%s:%s", name, chainID)))
-}
-
-func policyKind(typ engine.TargetType) (policy.Kind, error) {
-	if typ == engine.Namespace {
-		return policy.Namespace, nil
-	} else if typ == engine.Container {
-		return policy.Container, nil
-	}
-	return policy.Kind(0), ErrEngineTargetTypeUnsupported
-}

schema/common/consts.go

@@ -1,5 +0,0 @@
-package common
-
-const (
-	PropertyKeyFrostFSIDGroupID = "frostfsid:groupID"
-)

schema/native/consts.go

@@ -9,16 +9,6 @@ const (
 	MethodRangeObject  = "RangeObject"
 	MethodHashObject   = "HashObject"
 
-	MethodPutContainer     = "PutContainer"
-	MethodDeleteContainer  = "DeleteContainer"
-	MethodGetContainer     = "GetContainer"
-	MethodListContainers   = "ListContainers"
-	MethodSetContainerEACL = "SetContainerEACL"
-	MethodGetContainerEACL = "GetContainerEACL"
-
-	ObjectPrefix    = "native:object"
-	ContainerPrefix = "native:container"
-
 	ResourceFormatNamespaceObjects          = "native:object/%s/*"
 	ResourceFormatNamespaceContainerObjects = "native:object/%s/%s/*"
 	ResourceFormatNamespaceContainerObject  = "native:object/%s/%s/%s"
@@ -39,7 +29,6 @@ const (
 
 	PropertyKeyActorPublicKey        = "$Actor:publicKey"
 	PropertyKeyActorRole             = "$Actor:role"
-
 	PropertyKeyObjectVersion         = "$Object:version"
 	PropertyKeyObjectID              = "$Object:objectID"
 	PropertyKeyObjectContainerID     = "$Object:containerID"
@@ -49,11 +38,4 @@ const (
 	PropertyKeyObjectPayloadHash     = "$Object:payloadHash"
 	PropertyKeyObjectType            = "$Object:objectType"
 	PropertyKeyObjectHomomorphicHash = "$Object:homomorphicHash"
-
-	PropertyKeyContainerOwnerID = "$Container:ownerID"
-
-	PropertyValueContainerRoleOwner     = "owner"
-	PropertyValueContainerRoleIR        = "ir"
-	PropertyValueContainerRoleContainer = "container"
-	PropertyValueContainerRoleOthers    = "others"
 )

schema/native/util/validation.go

@@ -1,45 +0,0 @@
-package util
-
-import (
-	"strings"
-
-	"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
-)
-
-var nativePatterns = []string{
-	native.ResourceFormatNamespaceObjects, native.ResourceFormatNamespaceContainerObjects,
-	native.ResourceFormatNamespaceContainerObject, native.ResourceFormatRootObjects,
-	native.ResourceFormatRootContainerObjects, native.ResourceFormatRootContainerObject,
-	native.ResourceFormatAllObjects, native.ResourceFormatNamespaceContainer,
-	native.ResourceFormatNamespaceContainers, native.ResourceFormatRootContainer,
-	native.ResourceFormatRootContainers, native.ResourceFormatAllContainers,
-}
-
-func match(resource, pattern string) bool {
-	rTokens := strings.Split(resource, "/")
-	pToken := strings.Split(pattern, "/")
-
-	if len(rTokens) != len(pToken) {
-		return false
-	}
-
-	for i := range rTokens {
-		if pToken[i] == "%s" {
-			continue
-		}
-		if pToken[i] != rTokens[i] {
-			return false
-		}
-	}
-
-	return true
-}
-
-func IsNativeResourceNameValid(resource string) bool {
-	for _, pattern := range nativePatterns {
-		if match(resource, pattern) {
-			return true
-		}
-	}
-	return false
-}

schema/native/util/validation_test.go

@@ -1,97 +0,0 @@
-package util
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-var tests = []struct {
-	name     string
-	expected bool
-	resource string
-}{
-	{
-		name:     "ResourceFormatNamespaceObjects",
-		expected: true,
-		resource: "native:object/RootNamespace/*",
-	},
-	{
-		name:     "ResourceFormatNamespaceContainerObjects",
-		expected: true,
-		resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
-	},
-	{
-		name:     "ResourceFormatNamespaceContainerObject",
-		expected: true,
-		resource: "native:object/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
-	},
-	{
-		name:     "ResourceFormatRootObjects",
-		expected: true,
-		resource: "native:object//*",
-	},
-	{
-		name:     "ResourceFormatRootContainerObjects",
-		expected: true,
-		resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/*",
-	},
-	{
-		name:     "ResourceFormatRootContainerObject",
-		expected: true,
-		resource: "native:object//BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R/AeZa5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB4E",
-	},
-	{
-		name:     "ResourceFormatAllObjects",
-		expected: true,
-		resource: "native:object/*",
-	},
-	{
-		name:     "ResourceFormatNamespaceContainer",
-		expected: true,
-		resource: "native:container/RootNamespace/BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R",
-	},
-	{
-		name:     "ResourceFormatNamespaceContainers",
-		expected: true,
-		resource: "native:container/RootNamespace/*",
-	},
-	{
-		name:     "ResourceFormatRootContainers",
-		expected: true,
-		resource: "native:container//*",
-	},
-	{
-		name:     "ResourceFormatAllContainers",
-		expected: true,
-		resource: "native:container/*",
-	},
-	{
-		name:     "Invalid resource 1",
-		expected: false,
-		resource: "native:::container/*",
-	},
-	{
-		name:     "Invalid resource 2",
-		expected: false,
-		resource: "native:container/RootNamespace/w5HH3feoxFDD5tCTtoRzB3R/Bz726qzgLfxEE7wgtoRzB3R/RootNamespace",
-	},
-}
-
-func TestIsNativeResourceNameValid(t *testing.T) {
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			require.Equal(t, test.expected, IsNativeResourceNameValid(test.resource))
-		})
-	}
-}
-
-func BenchmarkIsNativeResourceNameValid(b *testing.B) {
-	for _, test := range tests {
-		b.Run(test.name, func(b *testing.B) {
-			for i := 0; i < b.N; i++ {
-				_ = IsNativeResourceNameValid(test.resource)
-			}
-		})
-	}
-}

schema/s3/consts.go

@@ -6,12 +6,4 @@ const (
 	PropertyKeyDelimiter = "s3:delimiter"
 	PropertyKeyPrefix    = "s3:prefix"
 	PropertyKeyVersionID = "s3:VersionId"
-
-	ResourceFormatS3All           = "arn:aws:s3:::*"
-	ResourceFormatS3Bucket        = "arn:aws:s3:::%s"
-	ResourceFormatS3BucketObjects = "arn:aws:s3:::%s/*"
-	ResourceFormatS3BucketObject  = "arn:aws:s3:::%s/%s"
-
-	ResourceFormatIAMNamespaceUser  = "arn:aws:iam::%s:user/%s"
-	ResourceFormatIAMNamespaceGroup = "arn:aws:iam::%s:group/%s"
 )