frostfs-node/pkg/core/object/fmt_test.go
Dmitrii Stepanov ab2614ec2d [#528] objectcore: Validate token issuer
Add token issuer against object owner validation.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-08-29 10:10:10 +03:00

286 lines
7 KiB
Go

package object
import (
"context"
"crypto/ecdsa"
"strconv"
"testing"
objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
sessiontest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session/test"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
"github.com/google/uuid"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/stretchr/testify/require"
)
func blankValidObject(key *ecdsa.PrivateKey) *objectSDK.Object {
var idOwner user.ID
user.IDFromKey(&idOwner, key.PublicKey)
obj := objectSDK.New()
obj.SetContainerID(cidtest.ID())
obj.SetOwnerID(&idOwner)
return obj
}
type testNetState struct {
epoch uint64
}
func (s testNetState) CurrentEpoch() uint64 {
return s.epoch
}
type testLockSource struct {
m map[oid.Address]bool
}
func (t testLockSource) IsLocked(_ context.Context, address oid.Address) (bool, error) {
return t.m[address], nil
}
func TestFormatValidator_Validate(t *testing.T) {
const curEpoch = 13
ls := testLockSource{
m: make(map[oid.Address]bool),
}
v := NewFormatValidator(
WithNetState(testNetState{
epoch: curEpoch,
}),
WithLockSource(ls),
)
ownerKey, err := keys.NewPrivateKey()
require.NoError(t, err)
t.Run("nil input", func(t *testing.T) {
require.Error(t, v.Validate(context.Background(), nil, true))
})
t.Run("nil identifier", func(t *testing.T) {
obj := objectSDK.New()
require.ErrorIs(t, v.Validate(context.Background(), obj, false), errNilID)
})
t.Run("nil container identifier", func(t *testing.T) {
obj := objectSDK.New()
obj.SetID(oidtest.ID())
require.ErrorIs(t, v.Validate(context.Background(), obj, true), errNilCID)
})
t.Run("unsigned object", func(t *testing.T) {
obj := objectSDK.New()
obj.SetContainerID(cidtest.ID())
obj.SetID(oidtest.ID())
require.Error(t, v.Validate(context.Background(), obj, false))
})
t.Run("correct w/ session token", func(t *testing.T) {
var idOwner user.ID
user.IDFromKey(&idOwner, ownerKey.PrivateKey.PublicKey)
tok := sessiontest.Object()
err := tok.Sign(ownerKey.PrivateKey)
require.NoError(t, err)
obj := objectSDK.New()
obj.SetContainerID(cidtest.ID())
obj.SetSessionToken(tok)
obj.SetOwnerID(&idOwner)
require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj))
require.NoError(t, v.Validate(context.Background(), obj, false))
})
t.Run("invalid w/ session token", func(t *testing.T) {
var idOwner user.ID
user.IDFromKey(&idOwner, ownerKey.PrivateKey.PublicKey)
var randomUserID user.ID
randPrivKey, err := keys.NewPrivateKey()
require.NoError(t, err)
user.IDFromKey(&randomUserID, randPrivKey.PrivateKey.PublicKey)
tok := sessiontest.Object()
fsPubKey := frostfsecdsa.PublicKey(*ownerKey.PublicKey())
tok.SetID(uuid.New())
tok.SetAuthKey(&fsPubKey)
tok.SetExp(100500)
tok.SetIat(1)
tok.SetNbf(1)
err = tok.Sign(ownerKey.PrivateKey)
require.NoError(t, err)
obj := objectSDK.New()
obj.SetContainerID(cidtest.ID())
obj.SetSessionToken(tok)
obj.SetOwnerID(&randomUserID)
require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj))
require.Error(t, v.Validate(context.Background(), obj, false)) //invalid owner
})
t.Run("correct w/o session token", func(t *testing.T) {
obj := blankValidObject(&ownerKey.PrivateKey)
require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj))
require.NoError(t, v.Validate(context.Background(), obj, false))
})
t.Run("tombstone content", func(t *testing.T) {
obj := objectSDK.New()
obj.SetType(objectSDK.TypeTombstone)
obj.SetContainerID(cidtest.ID())
_, err := v.ValidateContent(obj)
require.Error(t, err) // no tombstone content
content := objectSDK.NewTombstone()
content.SetMembers([]oid.ID{oidtest.ID()})
data, err := content.Marshal()
require.NoError(t, err)
obj.SetPayload(data)
_, err = v.ValidateContent(obj)
require.Error(t, err) // no members in tombstone
content.SetMembers([]oid.ID{oidtest.ID()})
data, err = content.Marshal()
require.NoError(t, err)
obj.SetPayload(data)
_, err = v.ValidateContent(obj)
require.Error(t, err) // no expiration epoch in tombstone
var expirationAttribute objectSDK.Attribute
expirationAttribute.SetKey(objectV2.SysAttributeExpEpoch)
expirationAttribute.SetValue(strconv.Itoa(10))
obj.SetAttributes(expirationAttribute)
_, err = v.ValidateContent(obj)
require.Error(t, err) // different expiration values
id := oidtest.ID()
content.SetExpirationEpoch(10)
content.SetMembers([]oid.ID{id})
data, err = content.Marshal()
require.NoError(t, err)
obj.SetPayload(data)
contentGot, err := v.ValidateContent(obj)
require.NoError(t, err) // all good
require.EqualValues(t, []oid.ID{id}, contentGot.Objects())
require.Equal(t, objectSDK.TypeTombstone, contentGot.Type())
})
t.Run("expiration", func(t *testing.T) {
fn := func(val string) *objectSDK.Object {
obj := blankValidObject(&ownerKey.PrivateKey)
var a objectSDK.Attribute
a.SetKey(objectV2.SysAttributeExpEpoch)
a.SetValue(val)
obj.SetAttributes(a)
require.NoError(t, objectSDK.SetIDWithSignature(ownerKey.PrivateKey, obj))
return obj
}
t.Run("invalid attribute value", func(t *testing.T) {
val := "text"
err := v.Validate(context.Background(), fn(val), false)
require.Error(t, err)
})
t.Run("expired object", func(t *testing.T) {
val := strconv.FormatUint(curEpoch-1, 10)
obj := fn(val)
t.Run("non-locked", func(t *testing.T) {
err := v.Validate(context.Background(), obj, false)
require.ErrorIs(t, err, errExpired)
})
t.Run("locked", func(t *testing.T) {
var addr oid.Address
oID, _ := obj.ID()
cID, _ := obj.ContainerID()
addr.SetContainer(cID)
addr.SetObject(oID)
ls.m[addr] = true
err := v.Validate(context.Background(), obj, false)
require.NoError(t, err)
})
})
t.Run("alive object", func(t *testing.T) {
val := strconv.FormatUint(curEpoch, 10)
err := v.Validate(context.Background(), fn(val), true)
require.NoError(t, err)
})
})
t.Run("attributes", func(t *testing.T) {
t.Run("duplication", func(t *testing.T) {
obj := blankValidObject(&ownerKey.PrivateKey)
var a1 objectSDK.Attribute
a1.SetKey("key1")
a1.SetValue("val1")
var a2 objectSDK.Attribute
a2.SetKey("key2")
a2.SetValue("val2")
obj.SetAttributes(a1, a2)
err := v.checkAttributes(obj)
require.NoError(t, err)
a2.SetKey(a1.Key())
obj.SetAttributes(a1, a2)
err = v.checkAttributes(obj)
require.Equal(t, errDuplAttr, err)
})
t.Run("empty value", func(t *testing.T) {
obj := blankValidObject(&ownerKey.PrivateKey)
var a objectSDK.Attribute
a.SetKey("key")
obj.SetAttributes(a)
err := v.checkAttributes(obj)
require.Equal(t, errEmptyAttrVal, err)
})
})
}