From 662f6e73a747418fade766c1f4f0dda38cedcf76 Mon Sep 17 00:00:00 2001
From: Ekaterina Chernitsyna
Date: Wed, 4 Dec 2024 01:46:31 +0300
Subject: [PATCH] [#334] add allow local ape tests
---
pytest_tests/testsuites/ape/test_ape.py | 324 ++++++++++++++++++++++++
1 file changed, 324 insertions(+)
diff --git a/pytest_tests/testsuites/ape/test_ape.py b/pytest_tests/testsuites/ape/test_ape.py
index 464e2ff..b997bc4 100644
--- a/pytest_tests/testsuites/ape/test_ape.py
+++ b/pytest_tests/testsuites/ape/test_ape.py
@@ -112,6 +112,54 @@ def remove_rule_ape_in_morph(cluster: Cluster) -> None: parallel(morph_on_node, cluster.cluster_nodes, id_chains_for_remove) +def pre_create_container_object_cli( + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + shell: Shell, + cluster: Cluster, +): + + test_file = generate_file(simple_object_size.value) + + with reporter.step("Create a container on the first node"): + cid = ( + frostfs_cli.container.create( + rpc_endpoint=cluster.storage_nodes[0].get_rpc_endpoint(), + policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK", + name="dcl1", + await_mode=True, + basic_acl="0", + ) + .stdout.split(" ")[1] + .strip() + .split("\n")[0] + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_cli_first_node.control.add_rule( + endpoint=cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowPutObject", + rule=f"allow Object.Put *", + ) + + with reporter.step("Put objects in container on the first node"): + oid = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowPutObject", + ) + + return cid, oid + + def pre_create_container_object_adm( default_user: User, remote_frostfs_adm_first_node: FrostfsAdm, 
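Review bot: `pre_create_container_object_cli` removes the temporary `allowPutObject` override only when `put_object` succeeds, so a failed upload leaves an allow rule installed through the first node's control endpoint for the rest of the run; the upload belongs in a `try:` with the `remove_rule(...)` call in its `finally:`. The seven `test_local_override_allow_to_*_root` tests in the next hunk have the same shape: their closing "Delete a rule" step is skipped whenever an earlier step raises. The step around `remove_rule` is also labelled `"Create a namespace rule for the first node"`, copied from the add step; something like `"Remove the container rule from the first node"` matches what it does, given `target_type="container"`.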
@@ -1646,3 +1694,279 @@ class TestApeLocalOverride(ClusterTestBase): with reporter.step("Check delete object in container on the first node"): with expect_not_raises(): delete_object(default_user.wallet, cid, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + @allure.title("LocalOverride: Allow to GetObject in root tenant") + def test_local_override_allow_to_get_object_root( + self, + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + cid, oid = pre_create_container_object_cli( + default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a container rule for the first node"): + remote_frostfs_cli_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowGetObject", + rule=f"allow Object.Get *", + ) + + with reporter.step("Check get object in container on the first node"): + with expect_not_raises(): + get_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("[NEGATIVE] Check get object in container on the second node"): + with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.GET_OBJECT.value)): + get_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowGetObject", + ) + + @allure.title("LocalOverride: Allow to PutObject in root tenant") + def test_local_override_allow_to_put_object_root( + self, + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: 
ObjectSize, + ): + test_file = generate_file(simple_object_size.value) + + with reporter.step("Create a container on the first node"): + cid = ( + frostfs_cli.container.create( + rpc_endpoint=self.cluster.storage_nodes[0].get_rpc_endpoint(), + policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK", + name="dcl1", + await_mode=True, + basic_acl="0", + ) + .stdout.split(" ")[1] + .strip() + .split("\n")[0] + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_cli_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowPutObject", + rule=f"allow Object.Put *", + ) + + with reporter.step("Check put object in container on the first node"): + with expect_not_raises(): + put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("[NEGATIVE] Check get object in container on the second node"): + with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.PUT_OBJECT.value)): + put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowPutObject", + ) + + @allure.title("LocalOverride: Allow to HeadObject in root tenant") + def test_local_override_allow_to_head_object_root( + self, + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + + cid, oid = pre_create_container_object_cli( + default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a container rule for the first node"): 
+ remote_frostfs_cli_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowHeadObject", + rule=f"allow Object.Head *", + ) + + with reporter.step("Check head object in container on the first node"): + with expect_not_raises(): + head_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("[NEGATIVE] Check head object in container on the second node"): + with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.HEAD_OBJECT.value)): + head_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowHeadObject", + ) + + @allure.title("LocalOverride: Allow to SearchObject in root tenant") + def test_local_override_allow_to_search_object_root( + self, + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + + cid, oid = pre_create_container_object_cli( + default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a container rule for the first node"): + remote_frostfs_cli_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowSearchObject", + rule=f"allow Object.Search *", + ) + + with reporter.step("Check search object in container on the first node"): + with expect_not_raises(): + search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("[NEGATIVE] Check search object from 
container on the second node"): + with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.SEARCH_OBJECT.value)): + search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowSearchObject", + ) + + @allure.title("LocalOverride: Allow to RangeObject in root tenant") + def test_local_override_allow_to_range_object_root( + self, + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + + cid, oid = pre_create_container_object_cli( + default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a container rule for the first node"): + remote_frostfs_cli_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowRangeObject", + rule=f"allow Object.Range *", + ) + + with reporter.step("Check get range object in container on the first node"): + with expect_not_raises(): + get_range(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("[NEGATIVE] Check range object in container on the second node"): + with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.RANGE_OBJECT.value)): + get_range(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowRangeObject", 
+ ) + + @allure.title("LocalOverride: Allow to HashObject in root tenant") + def test_local_override_allow_to_hash_object_root( + self, + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + + cid, oid = pre_create_container_object_cli( + default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a container rule for the first node"): + remote_frostfs_cli_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowHashObject", + rule=f"allow Object.Hash *", + ) + + with reporter.step("Check get range hash object in container on the first node"): + with expect_not_raises(): + get_range_hash(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("[NEGATIVE] Check get range hash object in container on the second node"): + with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.HASH_OBJECT.value)): + get_range_hash(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowHashObject", + ) + + @allure.title("LocalOverride: Allow to DeleteObject in root tenant") + def test_local_override_allow_to_delete_object_root( + self, + default_user: User, + remote_frostfs_cli_first_node: FrostfsCli, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + + cid, oid = pre_create_container_object_cli( + default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a container 
rule for the first node"): + remote_frostfs_cli_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowDeleteObject", + rule=f"allow Object.Head Object.Delete *", + ) + + with reporter.step("[NEGATIVE] Check delete object from container on the second node"): + with pytest.raises(RuntimeError, match=OBJECT_ACCESS_DENIED): + delete_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Check delete object in container on the first node"): + with expect_not_raises(): + delete_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_cli_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=f"{cid}", + chain_id="allowDeleteObject", + )
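Review bot: In `test_local_override_allow_to_put_object_root` the negative step is labelled `"[NEGATIVE] Check get object in container on the second node"` while its body calls `put_object` and matches `Operations.PUT_OBJECT`, so the Allure report names the wrong access check; it should read `"[NEGATIVE] Check put object in container on the second node"`. That test's setup step also says "Create a namespace rule" although `target_type="container"`, where the sibling tests say "container rule". Apart from the delete test, none of the tests queries `storage_nodes[0]` again after the "Delete a rule" step, so whether removing the override actually revokes access is never asserted; a closing `pytest.raises(...)` against node 0, presumably with the same `NO_RULE_FOUND_OBJECT` match used for node 1, would cover the revocation path. The enclosing `TestApeLocalOverride` class starts outside this hunk.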