acl: Support access rules for absent attributes

cthulhu-rider · cthulhu-rider · commit 5c8514de1726 · 2024-02-02T13:52:39.000+04:00
Previously, protocol did not clearly support access rules based on attribute absence. Using `STRING_EQUAL` op with empty value was an insufficiently clear notation of a missing attribute since it could cause a collision with attributes with an empty value (there are no such things now, but they may be possible in the future). `MatchType` enumeration is extended with `NOT_PRESENT` value. Being set in the `EACLRecord.Filter`, this operator will limit access rule to the objects without. The op is prohibited for system attributes so as not to create deliberately false (for known attributes) or undefined behavior (for unsupported ones). Closes #256. Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
diff --git a/acl/types.proto b/acl/types.proto
@@ -33,6 +33,9 @@ enum MatchType {
 
   // Return true if strings are different
   STRING_NOT_EQUAL = 2;
+
+  // Absence of attribute
+  NOT_PRESENT = 3;
 }
 
 // Request's operation type to match if the rule is applicable to a particular
@@ -102,9 +105,13 @@ message EACLRecord {
 
   // Filter to check particular properties of the request or the object.
   //
+  // The `value` field must be empty if `match_type` is an unary operator
+  // (e.g. `NOT_PRESENT`).
+  //
   // By default `key` field refers to the corresponding object's `Attribute`.
   // Some Object's header fields can also be accessed by adding `$Object:`
-  // prefix to the name. Here is the list of fields available via this prefix:
+  // prefix to the name. For such attributes, field 'match_type' must not be
+  // 'NOT_PRESENT'. Here is the list of fields available via this prefix:
   //
   // * $Object:version \
   //   version
diff --git a/proto-docs/acl.md b/proto-docs/acl.md
@@ -95,9 +95,13 @@ Describes a single eACL rule.
 ### Message EACLRecord.Filter
 Filter to check particular properties of the request or the object.
 
+The `value` field must be empty if `match_type` is an unary operator
+(e.g. `NOT_PRESENT`).
+
 By default `key` field refers to the corresponding object's `Attribute`.
 Some Object's header fields can also be accessed by adding `$Object:`
-prefix to the name. Here is the list of fields available via this prefix:
+prefix to the name. For such attributes, field 'match_type' must not be
+'NOT_PRESENT'. Here is the list of fields available via this prefix:
 
 * $Object:version \
   version
@@ -202,6 +206,7 @@ MatchType is an enumeration of match types.
 | MATCH_TYPE_UNSPECIFIED | 0 | Unspecified match type, default value. |
 | STRING_EQUAL | 1 | Return true if strings are equal |
 | STRING_NOT_EQUAL | 2 | Return true if strings are different |
+| NOT_PRESENT | 3 | Absence of attribute |
 
 
 
