sidetag: extend is_sidetag_owner for untag ops

Related: https://pagure.io/koji/issue/3848

docs/source/plugins.rst

@@ -122,8 +122,12 @@ Example for `/etc/koji-hub/hub.conf`:
         match action block && is_sidetag_owner :: allow
         all :: deny
 
-There are two special policy tests `is_sidetag` and `is_sidetag_owner` with
+There are two special policy tests ``is_sidetag`` and ``is_sidetag_owner`` with
-expectable behaviour.
+expectable behaviour. ``is_sidetag_owner`` can handle optional
+``tag``/``fromtag``/``both`` keywords which specify data to be tested. Default
+is testing ``tag`` in policy data, ``fromtag`` can test  this field (e.g. in
+``untagBuild`` case) and ``both`` fails if any of the involved tags is not owned
+by sidetag owner.
 
 Now Sidetag Koji plugin should be installed.  To verify that, run
 `koji list-api` command -- it should now display `createSideTag`

plugins/hub/sidetag_hub.py

@@ -65,9 +65,27 @@ class SidetagOwnerTest(koji.policy.MatchTest):
     name = 'is_sidetag_owner'
 
     def run(self, data):
+        values = self.str.split()[1:]
+        if len(values) > 1:
+            raise koji.GenericError("Just one argument is allowed for this test.")
+        elif values:
+            value = values[0]
+            if value not in ('tag', 'fromtag', 'both'):
+                raise koji.GenericError("Policy test is_sidetag_owner has only "
+                                        f"/tag/fromtag/both options (got {value})")
+            if value == 'both':
+                values = ['tag', 'fromtag']
+        else:
+            values = ['tag']
+
         user = policy_get_user(data)
-        tag = get_tag(data['tag'])
+        for value in values:
-        return is_sidetag_owner(tag, user)
+            if value not in data:
+                return False
+            tag = get_tag(value)
+            if not tag or not is_sidetag_owner(tag, user):
+                return False
+        return True
 
 
 # API calls