[#1124] cli: Improve APE rule parsing

* Make the APE rule parser read a condition's kind unambiguously, using the lexemes
`ResourceCondition` and `RequestCondition` instead of the confusing `Object.Request` and `Object.Resource`.
* Fix unit-tests.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Airat Arifullin 2024-05-14 12:23:26 +03:00
parent 20baf6e112
commit 952d13cd2b
8 changed files with 151 additions and 147 deletions


@ -24,7 +24,7 @@ var addRuleCmd = &cobra.Command{
Long: "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>", Long: "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *" Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *"
--rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*" --rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*"
--rule "deny:QuotaLimitReached Object.Put Object.Resource:Department=HR *" --rule "deny:QuotaLimitReached Object.Put ResourceCondition:Department=HR *"
control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json
`, `,


@ -21,7 +21,7 @@ var (
errUnknownAction = errors.New("action is not recognized") errUnknownAction = errors.New("action is not recognized")
errUnknownBinaryOperator = errors.New("binary operator is not recognized") errUnknownBinaryOperator = errors.New("binary operator is not recognized")
errUnknownCondObjectType = errors.New("condition object type is not recognized") errUnknownCondObjectType = errors.New("condition object type is not recognized")
errMixedTypesInRule = errors.New("found mixed type of actions and conditions in rule") errMixedTypesInRule = errors.New("found mixed type of actions in rule")
errNoActionsInRule = errors.New("there are no actions in rule") errNoActionsInRule = errors.New("there are no actions in rule")
errUnsupportedResourceFormat = errors.New("unsupported resource format") errUnsupportedResourceFormat = errors.New("unsupported resource format")
errFailedToParseAllAny = errors.New("any/all is not parsed") errFailedToParseAllAny = errors.New("any/all is not parsed")
@ -38,10 +38,10 @@ func PrintHumanReadableAPEChain(cmd *cobra.Command, chain *apechain.Chain) {
cmd.Println("\tConditions:") cmd.Println("\tConditions:")
for _, c := range rule.Condition { for _, c := range rule.Condition {
var ot string var ot string
switch c.Object { switch c.Kind {
case apechain.ObjectResource: case apechain.KindResource:
ot = "Resource" ot = "Resource"
case apechain.ObjectRequest: case apechain.KindRequest:
ot = "Request" ot = "Request"
default: default:
panic("unknown object type") panic("unknown object type")
@ -100,9 +100,9 @@ func ParseAPEChain(chain *apechain.Chain, rules []string) error {
// deny Object.Put * // deny Object.Put *
// deny:QuotaLimitReached Object.Put * // deny:QuotaLimitReached Object.Put *
// allow Object.Put * // allow Object.Put *
// allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA * // allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
// allow Object.Get any Object.Resource:Department=HR Object.Request:Actor=ownerA * // allow Object.Get any ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
// allow Object.Get all Object.Resource:Department=HR Object.Request:Actor=ownerA * // allow Object.Get all ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
// allow Object.* * // allow Object.* *
// allow Container.* * // allow Container.* *
// //
@ -138,7 +138,9 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
return err return err
} }
var isObject *bool var objectTargeted bool
var containerTargeted bool
for i, lexeme := range lexemes[1:] { for i, lexeme := range lexemes[1:] {
anyExpr, anyErr := parseAnyAll(lexeme) anyExpr, anyErr := parseAnyAll(lexeme)
if anyErr == nil { if anyErr == nil {
@ -156,23 +158,30 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
lexemes = lexemes[i+1:] lexemes = lexemes[i+1:]
break break
} }
actionType = condition.Object == apechain.ObjectResource || condition.Object == apechain.ObjectRequest
r.Condition = append(r.Condition, *condition) r.Condition = append(r.Condition, *condition)
} else { } else {
if actionType {
objectTargeted = true
} else {
containerTargeted = true
}
if objectTargeted && containerTargeted {
// Actually, APE chain allows to define rules for several resources, for example, if
// chain target is namespace, but the parser primitevly compiles verbs,
// conditions and resources in one rule. So, for the parser, one rule relates only to
// one resource type - object or container.
return errMixedTypesInRule
}
r.Actions.Names = append(r.Actions.Names, names...) r.Actions.Names = append(r.Actions.Names, names...)
} }
if isObject == nil {
isObject = &actionType
} else if actionType != *isObject {
return errMixedTypesInRule
}
} }
r.Actions.Names = unique(r.Actions.Names) r.Actions.Names = unique(r.Actions.Names)
if len(r.Actions.Names) == 0 { if len(r.Actions.Names) == 0 {
return fmt.Errorf("%w:%w", err, errNoActionsInRule) return fmt.Errorf("%w:%w", err, errNoActionsInRule)
} }
for _, lexeme := range lexemes { for _, lexeme := range lexemes {
resource, errRes := parseResource(lexeme, *isObject) resource, errRes := parseResource(lexeme, objectTargeted)
if errRes != nil { if errRes != nil {
return fmt.Errorf("%w:%w", err, errRes) return fmt.Errorf("%w:%w", err, errRes)
} }
@ -308,32 +317,27 @@ func parseResource(lexeme string, isObj bool) (string, error) {
} }
const ( const (
ObjectResource = "object.resource" ResourceCondition = "resourcecondition"
ObjectRequest = "object.request" RequestCondition = "requestcondition"
ContainerResource = "container.resource"
ContainerRequest = "container.request"
) )
var typeToCondObject = map[string]apechain.ObjectType{ var typeToCondKindType = map[string]apechain.ConditionKindType{
ObjectResource: apechain.ObjectResource, ResourceCondition: apechain.KindResource,
ObjectRequest: apechain.ObjectRequest, RequestCondition: apechain.KindRequest,
ContainerResource: apechain.ContainerResource,
ContainerRequest: apechain.ContainerRequest,
} }
func parseCondition(lexeme string) (*apechain.Condition, error) { func parseCondition(lexeme string) (*apechain.Condition, error) {
typ, expression, found := strings.Cut(lexeme, ":") typ, expression, found := strings.Cut(lexeme, ":")
typ = strings.ToLower(typ) typ = strings.ToLower(typ)
objType, ok := typeToCondObject[typ] condKindType, ok := typeToCondKindType[typ]
if ok { if ok {
if !found { if !found {
return nil, fmt.Errorf("%w: %s", errInvalidConditionFormat, lexeme) return nil, fmt.Errorf("%w: %s", errInvalidConditionFormat, lexeme)
} }
var cond apechain.Condition var cond apechain.Condition
cond.Object = objType cond.Kind = condKindType
lhs, rhs, binExpFound := strings.Cut(expression, "!=") lhs, rhs, binExpFound := strings.Cut(expression, "!=")
if !binExpFound { if !binExpFound {
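Review bot: In the parseRuleLexemes hunk the mixed-type check `if objectTargeted && containerTargeted { return errMixedTypesInRule }` runs on every action lexeme inside the loop, although both flags only ever move from false to true; moving that check to just after the loop keeps the loop body to the two flag assignments and states the one-resource-type-per-rule invariant in a single place. The comment above that return also has a typo (`primitevly`) and reads awkwardly; suggest `// The APE chain format lets one rule cover several resource types (e.g. when the chain target is a namespace), but this parser compiles verbs, conditions and resources into a single rule, so a rule may target either objects or containers, not both.` Now that a condition carries only a kind, `errUnknownCondObjectType` and its message `condition object type is not recognized` name a concept the parser no longer has; `errUnknownCondKind` with `condition kind is not recognized` would match `apechain.ConditionKindType`. parseRuleLexemes starts and ends outside the hunk, and the parseCondition hunk is cut before the function ends.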


@ -109,46 +109,46 @@ func TestParseAPERule(t *testing.T) {
}, },
{ {
name: "Valid allow rule with conditions", name: "Valid allow rule with conditions",
rule: "allow Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *", rule: "allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
expectRule: policyengine.Rule{ expectRule: policyengine.Rule{
Status: policyengine.Allow, Status: policyengine.Allow,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}}, Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}}, Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
Condition: []policyengine.Condition{ Condition: []policyengine.Condition{
{ {
Op: policyengine.CondStringEquals, Op: policyengine.CondStringEquals,
Object: policyengine.ObjectResource, Kind: policyengine.KindResource,
Key: "Department", Key: "Department",
Value: "HR", Value: "HR",
}, },
{ {
Op: policyengine.CondStringNotEquals, Op: policyengine.CondStringNotEquals,
Object: policyengine.ObjectRequest, Kind: policyengine.KindRequest,
Key: "Actor", Key: "Actor",
Value: "ownerA", Value: "ownerA",
}, },
}, },
}, },
}, },
{ {
name: "Valid rule for object with conditions with action detail", name: "Valid rule for object with conditions with action detail",
rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *", rule: "deny:QuotaLimitReached Object.Get ResourceCondition:Department=HR RequestCondition:Actor!=ownerA *",
expectRule: policyengine.Rule{ expectRule: policyengine.Rule{
Status: policyengine.QuotaLimitReached, Status: policyengine.QuotaLimitReached,
Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}}, Actions: policyengine.Actions{Names: []string{nativeschema.MethodGetObject}},
Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}}, Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatAllObjects}},
Condition: []policyengine.Condition{ Condition: []policyengine.Condition{
{ {
Op: policyengine.CondStringEquals, Op: policyengine.CondStringEquals,
Object: policyengine.ObjectResource, Kind: policyengine.KindResource,
Key: "Department", Key: "Department",
Value: "HR", Value: "HR",
}, },
{ {
Op: policyengine.CondStringNotEquals, Op: policyengine.CondStringNotEquals,
Object: policyengine.ObjectRequest, Kind: policyengine.KindRequest,
Key: "Actor", Key: "Actor",
Value: "ownerA", Value: "ownerA",
}, },
}, },
}, },
@ -170,12 +170,12 @@ func TestParseAPERule(t *testing.T) {
}, },
{ {
name: "Invalid rule with unknown condition binary operator", name: "Invalid rule with unknown condition binary operator",
rule: "deny Object.Put Object.Resource:Department<HR *", rule: "deny Object.Put ResourceCondition:Department<HR *",
expectErr: errUnknownBinaryOperator, expectErr: errUnknownBinaryOperator,
}, },
{ {
name: "Invalid rule with unknown condition object type", name: "Invalid rule with unknown condition object type",
rule: "deny Object.Put Object.ResourZe:Department=HR *", rule: "deny Object.Put ResourSeCondiDion:Department=HR *",
expectErr: errUnknownCondObjectType, expectErr: errUnknownCondObjectType,
}, },
{ {
@ -185,7 +185,7 @@ func TestParseAPERule(t *testing.T) {
}, },
{ {
name: "Invalid rule with no actions", name: "Invalid rule with no actions",
rule: "allow Container.Resource:A=B *", rule: "allow ResourceCondition:A=B *",
expectErr: errNoActionsInRule, expectErr: errNoActionsInRule,
}, },
{ {
@ -271,7 +271,7 @@ func TestParseAPERule(t *testing.T) {
}, },
{ {
name: "Valid rule for container with conditions with action detail", name: "Valid rule for container with conditions with action detail",
rule: "allow Container.Get Container.Resource:A=B Container.Put Container.Request:C!=D " + rule: "allow Container.Get ResourceCondition:A=B Container.Put RequestCondition:C!=D " +
"* /cnt_id", "* /cnt_id",
expectRule: policyengine.Rule{ expectRule: policyengine.Rule{
Status: policyengine.Allow, Status: policyengine.Allow,
@ -282,16 +282,16 @@ func TestParseAPERule(t *testing.T) {
}}, }},
Condition: []policyengine.Condition{ Condition: []policyengine.Condition{
{ {
Op: policyengine.CondStringEquals, Op: policyengine.CondStringEquals,
Object: policyengine.ContainerResource, Kind: policyengine.KindResource,
Key: "A", Key: "A",
Value: "B", Value: "B",
}, },
{ {
Op: policyengine.CondStringNotEquals, Op: policyengine.CondStringNotEquals,
Object: policyengine.ContainerRequest, Kind: policyengine.KindRequest,
Key: "C", Key: "C",
Value: "D", Value: "D",
}, },
}, },
}, },
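Review bot: The table gains no case that feeds the previous condition syntax (`Object.Resource:` / `Container.Request:`) to the parser, so nothing pins that rules written in the old form now fail loudly instead of being read as something else; a case such as `rule: "deny Object.Put Object.Resource:Department=HR *"` with `expectErr: errUnknownCondObjectType` would document the behaviour change, assuming that is what the non-matching branch of parseCondition returns (that branch is outside the hunks shown). The case named `Invalid rule with unknown condition object type` still describes what is now a condition kind with the old "object type" wording. TestParseAPERule begins and ends outside the hunks shown.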

2
go.mod

@ -9,7 +9,7 @@ require (
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12
git.frostfs.info/TrueCloudLab/hrw v1.2.1 git.frostfs.info/TrueCloudLab/hrw v1.2.1
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240426062043-c5397286410f git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d
git.frostfs.info/TrueCloudLab/tzhash v1.8.0 git.frostfs.info/TrueCloudLab/tzhash v1.8.0
git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02 git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
github.com/cheggaaa/pb v1.0.29 github.com/cheggaaa/pb v1.0.29

4
go.sum

@ -12,8 +12,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12/go.mod h1:e7H9nNFpx1Tj3R20Zoxy0Vo6Srlb6zV5L7ZQXqg9rn4= git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240507063414-99e02858af12/go.mod h1:e7H9nNFpx1Tj3R20Zoxy0Vo6Srlb6zV5L7ZQXqg9rn4=
git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc= git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM= git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240426062043-c5397286410f h1:z+AqVpjWIZVh91eIt+lBTK1AwWtj2EBv+YE2PJKvvuk= git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d h1:hHk8FWbWgEnwm2I045CaBIrZBjy/o81CehIVOySA/pQ=
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240426062043-c5397286410f/go.mod h1:SgioiGhQNWqiV5qpFAXRDJF81SEFRBhtwGEiU0FViyA= git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d/go.mod h1:SgioiGhQNWqiV5qpFAXRDJF81SEFRBhtwGEiU0FViyA=
git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA= git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=


@ -80,7 +80,7 @@ func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.
} }
for _, target := range targets { for _, target := range targets {
var roleCondition apechain.Condition var roleCondition apechain.Condition
roleCondition.Object = apechain.ObjectRequest roleCondition.Kind = apechain.KindRequest
roleCondition.Key = nativeschema.PropertyKeyActorRole roleCondition.Key = nativeschema.PropertyKeyActorRole
roleCondition.Value = target.Role().String() roleCondition.Value = target.Role().String()
roleCondition.Op = apechain.CondStringEquals roleCondition.Op = apechain.CondStringEquals
@ -88,7 +88,7 @@ func appendTargetsOnly(source []apechain.Rule, st apechain.Status, act apechain.
for _, binKey := range target.BinaryKeys() { for _, binKey := range target.BinaryKeys() {
var pubKeyCondition apechain.Condition var pubKeyCondition apechain.Condition
pubKeyCondition.Object = apechain.ObjectRequest pubKeyCondition.Kind = apechain.KindRequest
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
pubKeyCondition.Value = hex.EncodeToString(binKey) pubKeyCondition.Value = hex.EncodeToString(binKey)
pubKeyCondition.Op = apechain.CondStringEquals pubKeyCondition.Op = apechain.CondStringEquals
@ -112,7 +112,7 @@ func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act ape
Resources: res, Resources: res,
} }
var roleCondition apechain.Condition var roleCondition apechain.Condition
roleCondition.Object = apechain.ObjectRequest roleCondition.Kind = apechain.KindRequest
roleCondition.Key = nativeschema.PropertyKeyActorRole roleCondition.Key = nativeschema.PropertyKeyActorRole
roleCondition.Value = target.Role().String() roleCondition.Value = target.Role().String()
roleCondition.Op = apechain.CondStringEquals roleCondition.Op = apechain.CondStringEquals
@ -132,7 +132,7 @@ func appendTargetsAndFilters(source []apechain.Rule, st apechain.Status, act ape
Resources: res, Resources: res,
} }
var pubKeyCondition apechain.Condition var pubKeyCondition apechain.Condition
pubKeyCondition.Object = apechain.ObjectRequest pubKeyCondition.Kind = apechain.KindRequest
pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey pubKeyCondition.Key = nativeschema.PropertyKeyActorPublicKey
pubKeyCondition.Value = hex.EncodeToString(binKey) pubKeyCondition.Value = hex.EncodeToString(binKey)
pubKeyCondition.Op = apechain.CondStringEquals pubKeyCondition.Op = apechain.CondStringEquals
@ -155,10 +155,10 @@ func appendFilters(source []apechain.Condition, filters []eacl.Filter) ([]apecha
var cond apechain.Condition var cond apechain.Condition
var isObject bool var isObject bool
if filter.From() == eacl.HeaderFromObject { if filter.From() == eacl.HeaderFromObject {
cond.Object = apechain.ObjectResource cond.Kind = apechain.KindResource
isObject = true isObject = true
} else if filter.From() == eacl.HeaderFromRequest { } else if filter.From() == eacl.HeaderFromRequest {
cond.Object = apechain.ObjectRequest cond.Kind = apechain.KindRequest
} else { } else {
return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())} return nil, &ConvertEACLError{nested: fmt.Errorf("unknown filter from: %d", filter.From())}
} }


@ -228,10 +228,10 @@ func testDenyGetContainerForOthers(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -328,10 +328,10 @@ func testDenyGetContainerByUserClaimTag(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr1"), Key: fmt.Sprintf(commonschema.PropertyKeyFormatFrostFSIDUserClaim, "tag-attr1"),
Value: "value100", Value: "value100",
Op: chain.CondStringNotEquals, Op: chain.CondStringNotEquals,
}, },
}, },
}, },
@ -426,10 +426,10 @@ func testDenyGetContainerByGroupID(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: commonschema.PropertyKeyFrostFSIDGroupID, Key: commonschema.PropertyKeyFrostFSIDGroupID,
Value: "19888", Value: "19888",
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -500,10 +500,10 @@ func testDenySetContainerEACLForIR(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleIR, Value: nativeschema.PropertyValueContainerRoleIR,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -578,10 +578,10 @@ func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleIR, Value: nativeschema.PropertyValueContainerRoleIR,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -657,10 +657,10 @@ func testDenyPutContainerForOthersSessionToken(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -712,10 +712,10 @@ func testDenyPutContainerReadNamespaceFromFrostfsID(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -796,10 +796,10 @@ func testDenyPutContainerInvalidNamespace(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -879,10 +879,10 @@ func testDenyListContainersForPK(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorPublicKey, Key: nativeschema.PropertyKeyActorPublicKey,
Value: hex.EncodeToString(pk.PublicKey().Bytes()), Value: hex.EncodeToString(pk.PublicKey().Bytes()),
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -993,10 +993,10 @@ func testDenyListContainersValidationNamespaceError(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorPublicKey, Key: nativeschema.PropertyKeyActorPublicKey,
Value: actorPK.PublicKey().String(), Value: actorPK.PublicKey().String(),
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -1195,10 +1195,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -1237,10 +1237,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -1280,10 +1280,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -1323,10 +1323,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -1366,10 +1366,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },
@ -1410,10 +1410,10 @@ func TestValidateContainerBoundedOperation(t *testing.T) {
}, },
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorRole, Key: nativeschema.PropertyKeyActorRole,
Value: nativeschema.PropertyValueContainerRoleOthers, Value: nativeschema.PropertyValueContainerRoleOthers,
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
}, },
}, },
}, },


@ -312,10 +312,10 @@ func TestAPECheck(t *testing.T) {
Any: true, Any: true,
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Op: chain.CondStringLike, Op: chain.CondStringLike,
Object: chain.ObjectResource, Kind: chain.KindResource,
Key: "attr1", Key: "attr1",
Value: "attribute*", Value: "attribute*",
}, },
}, },
}, },
@ -351,10 +351,10 @@ func TestAPECheck(t *testing.T) {
Any: true, Any: true,
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Op: chain.CondStringLike, Op: chain.CondStringLike,
Object: chain.ObjectRequest, Kind: chain.KindRequest,
Key: nativeschema.PropertyKeyActorPublicKey, Key: nativeschema.PropertyKeyActorPublicKey,
Value: senderKey, Value: senderKey,
}, },
}, },
}, },
@ -381,10 +381,10 @@ func TestAPECheck(t *testing.T) {
Any: true, Any: true,
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
Object: chain.ObjectResource, Kind: chain.KindResource,
Key: nativeschema.PropertyKeyObjectPayloadLength, Key: nativeschema.PropertyKeyObjectPayloadLength,
Value: "1000", Value: "1000",
}, },
}, },
}, },
@ -503,10 +503,10 @@ func TestPutECChunk(t *testing.T) {
Any: true, Any: true,
Condition: []chain.Condition{ Condition: []chain.Condition{
{ {
Op: chain.CondStringEquals, Op: chain.CondStringEquals,
Object: chain.ObjectResource, Kind: chain.KindResource,
Key: "attr1", Key: "attr1",
Value: "value", Value: "value",
}, },
}, },
}, },