[#770] cli: Add methods to work with APE rules via control svc

* Add methods to frostfs-cli
* Implement rpc in control service

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

cmd/frostfs-cli/modules/util/ape_test.go

@@ -0,0 +1,129 @@
+package util
+
+import (
+	"testing"
+
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseAPERule(t *testing.T) {
+	tests := [...]struct {
+		name       string
+		rule       string
+		expectErr  error
+		expectRule policyengine.Rule
+	}{
+		{
+			name: "Valid allow rule",
+			rule: "allow Object.Put *",
+			expectRule: policyengine.Rule{
+				Status:    policyengine.Allow,
+				Action:    []string{"native:PutObject"},
+				Resource:  []string{"native:::object/*"},
+				Condition: []policyengine.Condition{},
+			},
+		},
+		{
+			name: "Valid deny rule",
+			rule: "deny Object.Put *",
+			expectRule: policyengine.Rule{
+				Status:    policyengine.AccessDenied,
+				Action:    []string{"native:PutObject"},
+				Resource:  []string{"native:::object/*"},
+				Condition: []policyengine.Condition{},
+			},
+		},
+		{
+			name: "Valid deny rule with action detail",
+			rule: "deny:QuotaLimitReached Object.Put *",
+			expectRule: policyengine.Rule{
+				Status:    policyengine.QuotaLimitReached,
+				Action:    []string{"native:PutObject"},
+				Resource:  []string{"native:::object/*"},
+				Condition: []policyengine.Condition{},
+			},
+		},
+		{
+			name: "Valid allow rule with conditions",
+			rule: "allow Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
+			expectRule: policyengine.Rule{
+				Status:   policyengine.Allow,
+				Action:   []string{"native:GetObject"},
+				Resource: []string{"native:::object/*"},
+				Condition: []policyengine.Condition{
+					{
+						Op:     policyengine.CondStringEquals,
+						Object: policyengine.ObjectResource,
+						Key:    "Department",
+						Value:  "HR",
+					},
+					{
+						Op:     policyengine.CondStringNotEquals,
+						Object: policyengine.ObjectRequest,
+						Key:    "Actor",
+						Value:  "ownerA",
+					},
+				},
+			},
+		},
+		{
+			name: "Valid rule with conditions with action detail",
+			rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
+			expectRule: policyengine.Rule{
+				Status:   policyengine.QuotaLimitReached,
+				Action:   []string{"native:GetObject"},
+				Resource: []string{"native:::object/*"},
+				Condition: []policyengine.Condition{
+					{
+						Op:     policyengine.CondStringEquals,
+						Object: policyengine.ObjectResource,
+						Key:    "Department",
+						Value:  "HR",
+					},
+					{
+						Op:     policyengine.CondStringNotEquals,
+						Object: policyengine.ObjectRequest,
+						Key:    "Actor",
+						Value:  "ownerA",
+					},
+				},
+			},
+		},
+		{
+			name:      "Invalid rule with unknown action",
+			rule:      "permit Object.Put *",
+			expectErr: errUnknownAction,
+		},
+		{
+			name:      "Invalid rule with unknown operation",
+			rule:      "allow Object.PutOut *",
+			expectErr: errUnknownOperation,
+		},
+		{
+			name:      "Invalid rule with unknown action detail",
+			rule:      "deny:UnknownActionDetail Object.Put *",
+			expectErr: errUnknownActionDetail,
+		},
+		{
+			name:      "Invalid rule with unknown condition binary operator",
+			rule:      "deny Object.Put Object.Resource:Department<HR *",
+			expectErr: errUnknownBinaryOperator,
+		},
+		{
+			name:      "Invalid rule with unknown condition object type",
+			rule:      "deny Object.Put Object.ResourZe:Department=HR *",
+			expectErr: errUnknownCondObjectType,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			r := new(policyengine.Rule)
+			err := ParseAPERule(r, test.rule)
+			require.ErrorIs(t, err, test.expectErr)
+			if test.expectErr == nil {
+				require.Equal(t, test.expectRule, *r)
+			}
+		})
+	}
+}