[#919] ape: Improve error messages in ape service

* Wrap all APE middleware errors in apeErr that makes errors more explicit with status AccessDenied. * Use denyingRuleErr for denying status from chain router. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-01-18 14:35:52 +03:00 · 2024-01-18 14:35:52 +03:00 · f2f3294fc3
commit f2f3294fc3
parent f526f49995
4 changed files with 32 additions and 28 deletions
--- a/pkg/services/object/ape/checker_test.go
+++ b/pkg/services/object/ape/checker_test.go
@ -308,7 +308,8 @@ func TestAPECheck(t *testing.T) {
 					ms := inmemory.NewInmemoryMorphRuleChainStorage()

 					ls.AddOverride(chain.Ingress, policyengine.ContainerTarget(test.container), &chain.Chain{
-						Rules: test.containerRules,
+						Rules:     test.containerRules,
+						MatchType: chain.MatchTypeFirstMatch,
 					})

 					router := policyengine.NewDefaultChainRouterWithLocalOverrides(ms, ls)
@ -336,8 +337,7 @@ func TestAPECheck(t *testing.T) {

 					err := checker.CheckAPE(context.Background(), prm)
 					if test.expectAPEErr {
-						aErr := apeErr(method, chain.AccessDenied)
-						require.ErrorAs(t, err, &aErr)
+						require.Error(t, err)
 					} else {
 						require.NoError(t, err)
 					}