From 5c8514de172647d2332de044ad43ffa2dc4b0ce3 Mon Sep 17 00:00:00 2001
From: Leonard Lyubich <leonard@morphbits.io>
Date: Fri, 2 Feb 2024 13:22:33 +0400
Subject: [PATCH 1/2] acl: Support access rules for absent attributes

Previously, protocol did not clearly support access rules based on
attribute absence. Using `STRING_EQUAL` op with empty value was an
insufficiently clear notation of a missing attribute since it could
cause a collision with attributes with an empty value (there are no such
things now, but they may be possible in the future).

`MatchType` enumeration is extended with `NOT_PRESENT` value. Being set
in the `EACLRecord.Filter`, this operator will limit access rule to the
objects without. The op is prohibited for system attributes so as not to
create deliberately false (for known attributes) or undefined behavior
(for unsupported ones).

Closes #256.

Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
---
 acl/types.proto   | 9 ++++++++-
 proto-docs/acl.md | 7 ++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/acl/types.proto b/acl/types.proto
index 2bf5f23..eefa508 100644
--- a/acl/types.proto
+++ b/acl/types.proto
@@ -33,6 +33,9 @@ enum MatchType {
 
   // Return true if strings are different
   STRING_NOT_EQUAL = 2;
+
+  // Absence of attribute
+  NOT_PRESENT = 3;
 }
 
 // Request's operation type to match if the rule is applicable to a particular
@@ -102,9 +105,13 @@ message EACLRecord {
 
   // Filter to check particular properties of the request or the object.
   //
+  // The `value` field must be empty if `match_type` is an unary operator
+  // (e.g. `NOT_PRESENT`).
+  //
   // By default `key` field refers to the corresponding object's `Attribute`.
   // Some Object's header fields can also be accessed by adding `$Object:`
-  // prefix to the name. Here is the list of fields available via this prefix:
+  // prefix to the name. For such attributes, field 'match_type' must not be
+  // 'NOT_PRESENT'. Here is the list of fields available via this prefix:
   //
   // * $Object:version \
   //   version
diff --git a/proto-docs/acl.md b/proto-docs/acl.md
index 09762a1..b7f9c65 100644
--- a/proto-docs/acl.md
+++ b/proto-docs/acl.md
@@ -95,9 +95,13 @@ Describes a single eACL rule.
 ### Message EACLRecord.Filter
 Filter to check particular properties of the request or the object.
 
+The `value` field must be empty if `match_type` is an unary operator
+(e.g. `NOT_PRESENT`).
+
 By default `key` field refers to the corresponding object's `Attribute`.
 Some Object's header fields can also be accessed by adding `$Object:`
-prefix to the name. Here is the list of fields available via this prefix:
+prefix to the name. For such attributes, field 'match_type' must not be
+'NOT_PRESENT'. Here is the list of fields available via this prefix:
 
 * $Object:version \
   version
@@ -202,6 +206,7 @@ MatchType is an enumeration of match types.
 | MATCH_TYPE_UNSPECIFIED | 0 | Unspecified match type, default value. |
 | STRING_EQUAL | 1 | Return true if strings are equal |
 | STRING_NOT_EQUAL | 2 | Return true if strings are different |
+| NOT_PRESENT | 3 | Absence of attribute |
 
 
 

From 541cd3cd8d030b5670e7e247122395dfabaadeac Mon Sep 17 00:00:00 2001
From: Leonard Lyubich <leonard@morphbits.io>
Date: Fri, 2 Feb 2024 13:34:47 +0400
Subject: [PATCH 2/2] object: Support numeric comparisons in access rules

Previously, protocol did not support numeric comparisons in access rules
except `==` and `!=`. This may be needed for system attributes such as
payload size or creation epoch, and for user ones if required by the
client application.

New values of `MatchType` enumeration are added: `>`, `>=`, `<`, `<=`.
Being set in the `EACLRecord.Filter`, these operators will allow user to
apply access rules with any decimal attributes. While only base-10
numbers are allowed, additional bases may be supported in the future
without new enumerations.

Closes #255.
Refs #265.

Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
---
 acl/types.proto   | 18 +++++++++++++++++-
 proto-docs/acl.md | 10 +++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/acl/types.proto b/acl/types.proto
index eefa508..e359c94 100644
--- a/acl/types.proto
+++ b/acl/types.proto
@@ -36,6 +36,18 @@ enum MatchType {
 
   // Absence of attribute
   NOT_PRESENT = 3;
+
+  // Numeric 'greater than'
+  NUM_GT = 4;
+
+  // Numeric 'greater or equal than'
+  NUM_GE = 5;
+
+  // Numeric 'less than'
+  NUM_LT = 6;
+
+  // Numeric 'less or equal than'
+  NUM_LE = 7;
 }
 
 // Request's operation type to match if the rule is applicable to a particular
@@ -106,7 +118,8 @@ message EACLRecord {
   // Filter to check particular properties of the request or the object.
   //
   // The `value` field must be empty if `match_type` is an unary operator
-  // (e.g. `NOT_PRESENT`).
+  // (e.g. `NOT_PRESENT`). If `match_type` field is numeric (e.g. `NUM_GT`),
+  // the `value` field must be a base-10 integer.
   //
   // By default `key` field refers to the corresponding object's `Attribute`.
   // Some Object's header fields can also be accessed by adding `$Object:`
@@ -132,6 +145,9 @@ message EACLRecord {
   // * $Object:homomorphicHash \
   //   homomorphic_hash
   //
+  // Numeric `match_type` field can only be used with `$Object:creationEpoch`
+  // and `$Object:payloadLength` system attributes.
+  //
   // Please note, that if request or response does not have object's headers of
   // full object (Range, RangeHash, Search, Delete), it will not be possible to
   // filter by object header fields or user attributes. From the well-known list
diff --git a/proto-docs/acl.md b/proto-docs/acl.md
index b7f9c65..42326ea 100644
--- a/proto-docs/acl.md
+++ b/proto-docs/acl.md
@@ -96,7 +96,8 @@ Describes a single eACL rule.
 Filter to check particular properties of the request or the object.
 
 The `value` field must be empty if `match_type` is an unary operator
-(e.g. `NOT_PRESENT`).
+(e.g. `NOT_PRESENT`). If `match_type` field is numeric (e.g. `NUM_GT`),
+the `value` field must be a base-10 integer.
 
 By default `key` field refers to the corresponding object's `Attribute`.
 Some Object's header fields can also be accessed by adding `$Object:`
@@ -122,6 +123,9 @@ prefix to the name. For such attributes, field 'match_type' must not be
 * $Object:homomorphicHash \
   homomorphic_hash
 
+Numeric `match_type` field can only be used with `$Object:creationEpoch`
+and `$Object:payloadLength` system attributes.
+
 Please note, that if request or response does not have object's headers of
 full object (Range, RangeHash, Search, Delete), it will not be possible to
 filter by object header fields or user attributes. From the well-known list
@@ -207,6 +211,10 @@ MatchType is an enumeration of match types.
 | STRING_EQUAL | 1 | Return true if strings are equal |
 | STRING_NOT_EQUAL | 2 | Return true if strings are different |
 | NOT_PRESENT | 3 | Absence of attribute |
+| NUM_GT | 4 | Numeric 'greater than' |
+| NUM_GE | 5 | Numeric 'greater or equal than' |
+| NUM_LT | 6 | Numeric 'less than' |
+| NUM_LE | 7 | Numeric 'less or equal than' |