Airat Arifullin
f2f3294fc3
* Wrap all APE middleware errors in apeErr that makes errors more explicit with status AccessDenied. * Use denyingRuleErr for denying status from chain router. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
348 lines
9.1 KiB
Go
348 lines
9.1 KiB
Go
package ape
|
|
|
|
import (
|
|
"context"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
|
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
|
objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
|
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/version"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
|
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
type headerProviderMock struct {
|
|
m map[oid.Address]*objectSDK.Object
|
|
}
|
|
|
|
var _ HeaderProvider = (*headerProviderMock)(nil)
|
|
|
|
func (h *headerProviderMock) addHeader(c cid.ID, o oid.ID, header *objectSDK.Object) {
|
|
var addr oid.Address
|
|
addr.SetContainer(c)
|
|
addr.SetObject(o)
|
|
h.m[addr] = header
|
|
}
|
|
|
|
func (h *headerProviderMock) GetHeader(_ context.Context, c cid.ID, o oid.ID) (*objectSDK.Object, error) {
|
|
var addr oid.Address
|
|
addr.SetContainer(c)
|
|
addr.SetObject(o)
|
|
obj, ok := h.m[addr]
|
|
if !ok {
|
|
return nil, fmt.Errorf("address not found")
|
|
}
|
|
return obj, nil
|
|
}
|
|
|
|
func newHeaderProviderMock() *headerProviderMock {
|
|
return &headerProviderMock{
|
|
m: make(map[oid.Address]*objectSDK.Object),
|
|
}
|
|
}
|
|
|
|
func newContainerIDSDK(t *testing.T, encodedCID string) cid.ID {
|
|
var cnr cid.ID
|
|
require.NoError(t, cnr.DecodeString(encodedCID))
|
|
return cnr
|
|
}
|
|
|
|
func newObjectIDSDK(t *testing.T, encodedOID *string) *oid.ID {
|
|
if encodedOID == nil {
|
|
return nil
|
|
}
|
|
obj := new(oid.ID)
|
|
require.NoError(t, obj.DecodeString(*encodedOID))
|
|
return obj
|
|
}
|
|
|
|
type headerObjectSDKParams struct {
|
|
majorVersion, minorVersion uint32
|
|
owner user.ID
|
|
epoch uint64
|
|
payloadSize uint64
|
|
typ objectSDK.Type
|
|
payloadChecksum checksum.Checksum
|
|
payloadHomomorphicHash checksum.Checksum
|
|
attributes []struct {
|
|
key string
|
|
val string
|
|
}
|
|
}
|
|
|
|
func stringPtr(s string) *string {
|
|
return &s
|
|
}
|
|
|
|
func newHeaderObjectSDK(t *testing.T, cnr cid.ID, oid *oid.ID, headerObjSDK *headerObjectSDKParams) *objectSDK.Object {
|
|
objSDK := objectSDK.New()
|
|
objSDK.SetContainerID(cnr)
|
|
if oid != nil {
|
|
objSDK.SetID(*oid)
|
|
}
|
|
if headerObjSDK == nil {
|
|
return objSDK
|
|
}
|
|
ver := new(version.Version)
|
|
ver.SetMajor(headerObjSDK.majorVersion)
|
|
ver.SetMinor(headerObjSDK.minorVersion)
|
|
objSDK.SetVersion(ver)
|
|
objSDK.SetCreationEpoch(headerObjSDK.epoch)
|
|
objSDK.SetOwnerID(headerObjSDK.owner)
|
|
objSDK.SetPayloadSize(headerObjSDK.payloadSize)
|
|
objSDK.SetType(headerObjSDK.typ)
|
|
objSDK.SetPayloadChecksum(headerObjSDK.payloadChecksum)
|
|
objSDK.SetPayloadHomomorphicHash(headerObjSDK.payloadHomomorphicHash)
|
|
|
|
var attrs []objectSDK.Attribute
|
|
for _, attr := range headerObjSDK.attributes {
|
|
attrSDK := objectSDK.NewAttribute()
|
|
attrSDK.SetKey(attr.key)
|
|
attrSDK.SetValue(attr.val)
|
|
attrs = append(attrs, *attrSDK)
|
|
}
|
|
objSDK.SetAttributes(attrs...)
|
|
|
|
return objSDK
|
|
}
|
|
|
|
type testHeader struct {
|
|
headerObjSDK *headerObjectSDKParams
|
|
|
|
// If fromHeaderProvider is set, then running test should
|
|
// consider that a header is recieved from a header provider.
|
|
fromHeaderProvider bool
|
|
|
|
// If fromHeaderProvider is set, then running test should
|
|
// consider that a header is recieved from a message header.
|
|
fromRequestResponseHeader bool
|
|
}
|
|
|
|
var (
|
|
methodsRequiredOID = []string{
|
|
nativeschema.MethodGetObject,
|
|
nativeschema.MethodHeadObject,
|
|
nativeschema.MethodRangeObject,
|
|
nativeschema.MethodHashObject,
|
|
nativeschema.MethodDeleteObject,
|
|
}
|
|
|
|
methodsOptionalOID = []string{
|
|
nativeschema.MethodSearchObject, nativeschema.MethodPutObject,
|
|
}
|
|
|
|
namespace = "test_namespace"
|
|
|
|
containerID = "73tQMTYyUkTgmvPR1HWib6pndbhSoBovbnMF7Pws8Rcy"
|
|
|
|
objectID = "BzQw5HH3feoxFDD5tCT87Y1726qzgLfxEE7wgtoRzB3R"
|
|
|
|
role = "Container"
|
|
|
|
senderKey = hex.EncodeToString([]byte{1, 0, 0, 1})
|
|
)
|
|
|
|
func TestAPECheck(t *testing.T) {
|
|
for _, test := range []struct {
|
|
name string
|
|
container string
|
|
object *string
|
|
methods []string
|
|
header testHeader
|
|
containerRules []chain.Rule
|
|
expectAPEErr bool
|
|
}{
|
|
{
|
|
name: "oid required requests are allowed",
|
|
container: containerID,
|
|
object: stringPtr(objectID),
|
|
methods: methodsRequiredOID,
|
|
},
|
|
{
|
|
name: "oid optional requests are allowed",
|
|
container: containerID,
|
|
methods: methodsOptionalOID,
|
|
},
|
|
{
|
|
name: "oid required requests are denied",
|
|
container: containerID,
|
|
object: stringPtr(objectID),
|
|
methods: methodsRequiredOID,
|
|
containerRules: []chain.Rule{
|
|
{
|
|
Status: chain.AccessDenied,
|
|
Actions: chain.Actions{Names: methodsRequiredOID},
|
|
Resources: chain.Resources{
|
|
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, containerID, objectID)},
|
|
},
|
|
},
|
|
},
|
|
expectAPEErr: true,
|
|
},
|
|
{
|
|
name: "oid required requests are denied by an attribute",
|
|
container: containerID,
|
|
object: stringPtr(objectID),
|
|
methods: methodsRequiredOID,
|
|
header: testHeader{
|
|
headerObjSDK: &headerObjectSDKParams{
|
|
attributes: []struct {
|
|
key string
|
|
val string
|
|
}{
|
|
{
|
|
key: "attr1",
|
|
val: "attribute_value",
|
|
},
|
|
},
|
|
},
|
|
fromHeaderProvider: true,
|
|
},
|
|
containerRules: []chain.Rule{
|
|
{
|
|
Status: chain.AccessDenied,
|
|
Actions: chain.Actions{Names: methodsRequiredOID},
|
|
Resources: chain.Resources{
|
|
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, containerID, objectID)},
|
|
},
|
|
Any: true,
|
|
Condition: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringLike,
|
|
Object: chain.ObjectResource,
|
|
Key: "attr1",
|
|
Value: "attribute*",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectAPEErr: true,
|
|
},
|
|
{
|
|
name: "oid required requests are denied by sender",
|
|
container: containerID,
|
|
object: stringPtr(objectID),
|
|
methods: methodsRequiredOID,
|
|
header: testHeader{
|
|
headerObjSDK: &headerObjectSDKParams{
|
|
attributes: []struct {
|
|
key string
|
|
val string
|
|
}{
|
|
{
|
|
key: "attr1",
|
|
val: "attribute_value",
|
|
},
|
|
},
|
|
},
|
|
fromHeaderProvider: true,
|
|
},
|
|
containerRules: []chain.Rule{
|
|
{
|
|
Status: chain.AccessDenied,
|
|
Actions: chain.Actions{Names: methodsRequiredOID},
|
|
Resources: chain.Resources{
|
|
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObject, containerID, objectID)},
|
|
},
|
|
Any: true,
|
|
Condition: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringLike,
|
|
Object: chain.ObjectRequest,
|
|
Key: nativeschema.PropertyKeyActorPublicKey,
|
|
Value: senderKey,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectAPEErr: true,
|
|
},
|
|
{
|
|
name: "optional oid requests reached quota limit by an attribute",
|
|
container: containerID,
|
|
methods: methodsOptionalOID,
|
|
header: testHeader{
|
|
headerObjSDK: &headerObjectSDKParams{
|
|
payloadSize: 1000,
|
|
},
|
|
fromRequestResponseHeader: true,
|
|
},
|
|
containerRules: []chain.Rule{
|
|
{
|
|
Status: chain.QuotaLimitReached,
|
|
Actions: chain.Actions{Names: methodsOptionalOID},
|
|
Resources: chain.Resources{
|
|
Names: []string{fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, containerID)},
|
|
},
|
|
Any: true,
|
|
Condition: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectResource,
|
|
Key: nativeschema.PropertyKeyObjectPayloadLength,
|
|
Value: "1000",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectAPEErr: true,
|
|
},
|
|
} {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
for _, method := range test.methods {
|
|
t.Run(method, func(t *testing.T) {
|
|
headerProvider := newHeaderProviderMock()
|
|
|
|
cnr := newContainerIDSDK(t, test.container)
|
|
obj := newObjectIDSDK(t, test.object)
|
|
|
|
ls := inmemory.NewInmemoryLocalStorage()
|
|
ms := inmemory.NewInmemoryMorphRuleChainStorage()
|
|
|
|
ls.AddOverride(chain.Ingress, policyengine.ContainerTarget(test.container), &chain.Chain{
|
|
Rules: test.containerRules,
|
|
MatchType: chain.MatchTypeFirstMatch,
|
|
})
|
|
|
|
router := policyengine.NewDefaultChainRouterWithLocalOverrides(ms, ls)
|
|
|
|
checker := NewChecker(router, headerProvider)
|
|
|
|
prm := Prm{
|
|
Method: method,
|
|
Container: cnr,
|
|
Object: obj,
|
|
Role: role,
|
|
SenderKey: senderKey,
|
|
}
|
|
|
|
var headerObjSDK *objectSDK.Object
|
|
if test.header.headerObjSDK != nil {
|
|
headerObjSDK = newHeaderObjectSDK(t, cnr, obj, test.header.headerObjSDK)
|
|
if test.header.fromHeaderProvider {
|
|
require.NotNil(t, obj, "oid is required if a header is expected to be found in header provider")
|
|
headerProvider.addHeader(cnr, *obj, headerObjSDK)
|
|
} else if test.header.fromRequestResponseHeader {
|
|
prm.Header = headerObjSDK.ToV2().GetHeader()
|
|
}
|
|
}
|
|
|
|
err := checker.CheckAPE(context.Background(), prm)
|
|
if test.expectAPEErr {
|
|
require.Error(t, err)
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
})
|
|
}
|
|
})
|
|
}
|
|
}
|