[#367] Add check of AccessBox attributes

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>

api/router_test.go

@@ -17,6 +17,7 @@ import (
 	apiErrors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	s3middleware "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/metrics"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	engineiam "git.frostfs.info/TrueCloudLab/policy-engine/iam"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
@@ -576,6 +577,29 @@ func TestResourceTagsCheck(t *testing.T) {
 	})
 }
 
+func TestAccessBoxAttributesCheck(t *testing.T) {
+	router := prepareRouter(t)
+
+	ns, bktName, attrKey, attrValue := "", "bucket", "key", "true"
+	router.middlewareSettings.denyByDefault = true
+
+	allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+	createBucket(router, ns, bktName)
+
+	// Add policy and check
+	allowOperations(router, ns, []string{"s3:ListBucket"}, engineiam.Conditions{
+		engineiam.CondBool: engineiam.Condition{fmt.Sprintf(s3.PropertyKeyFormatAccessBoxAttr, attrKey): []string{attrValue}},
+	})
+
+	listObjectsV1Err(router, ns, bktName, "", "", "", apiErrors.ErrAccessDenied)
+
+	var attr object.Attribute
+	attr.SetKey(attrKey)
+	attr.SetValue(attrValue)
+	router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}
+	listObjectsV1(router, ns, bktName, "", "", "")
+}
+
 func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
 	addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
 }