[#387] api: Add tests for middleware

Signed-off-by: Roman Loginov <r.loginov@yadro.com>
2024-05-16 08:16:27 +03:00 · 2024-05-16 08:16:27 +03:00 · 02121ba548
parent 1b1c51494f
commit 02121ba548
2 changed files with 159 additions and 49 deletions
--- a/api/router_mock_test.go
+++ b/api/router_mock_test.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"encoding/xml"
+	"fmt"
 	"io"
 	"net/http"
 	"testing"
@ -32,12 +33,22 @@ func (p *poolStatisticMock) Statistic() pool.Statistic {
 }

 type centerMock struct {
-	t     *testing.T
-	anon  bool
-	attrs []object.Attribute
+	t            *testing.T
+	anon         bool
+	noAuthHeader bool
+	isError      bool
+	attrs        []object.Attribute
 }

 func (c *centerMock) Authenticate(*http.Request) (*middleware.Box, error) {
+	if c.noAuthHeader {
+		return nil, middleware.ErrNoAuthorizationHeader
+	}
+
+	if c.isError {
+		return nil, fmt.Errorf("some error")
+	}
+
 	var token *bearer.Token

 	if !c.anon {
@ -86,14 +97,23 @@ func (r *middlewareSettingsMock) ACLEnabled() bool {
 }

 type frostFSIDMock struct {
-	tags map[string]string
+	tags            map[string]string
+	validateError   bool
+	userGroupsError bool
 }

 func (f *frostFSIDMock) ValidatePublicKey(*keys.PublicKey) error {
+	if f.validateError {
+		return fmt.Errorf("some error")
+	}
+
 	return nil
 }

 func (f *frostFSIDMock) GetUserGroupIDsAndClaims(util.Uint160) ([]string, map[string]string, error) {
+	if f.userGroupsError {
+		return nil, nil, fmt.Errorf("some error")
+	}
 	return []string{}, f.tags, nil
 }

@ -105,17 +125,21 @@ func (m *xmlMock) NewXMLDecoder(r io.Reader) *xml.Decoder {
 }

 type resourceTaggingMock struct {
-	bucketTags map[string]string
-	objectTags map[string]string
-	noSuchKey  bool
+	bucketTags      map[string]string
+	objectTags      map[string]string
+	noSuchObjectKey bool
+	noSuchBucketKey bool
 }

 func (m *resourceTaggingMock) GetBucketTagging(context.Context, *data.BucketInfo) (map[string]string, error) {
+	if m.noSuchBucketKey {
+		return nil, apiErrors.GetAPIError(apiErrors.ErrNoSuchKey)
+	}
 	return m.bucketTags, nil
 }

 func (m *resourceTaggingMock) GetObjectTagging(context.Context, *data.GetObjectTaggingParams) (string, map[string]string, error) {
-	if m.noSuchKey {
+	if m.noSuchObjectKey {
 		return "", nil, apiErrors.GetAPIError(apiErrors.ErrNoSuchKey)
 	}
 	return "", m.objectTags, nil
@ -215,9 +239,13 @@ func (h *handlerMock) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 	h.writeResponse(w, res)
 }

-func (h *handlerMock) DeleteObjectHandler(http.ResponseWriter, *http.Request) {
-	//TODO implement me
-	panic("implement me")
+func (h *handlerMock) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) {
+	res := &handlerResult{
+		Method:  middleware.DeleteObjectOperation,
+		ReqInfo: middleware.GetReqInfo(r.Context()),
+	}
+
+	h.writeResponse(w, res)
 }

 func (h *handlerMock) GetBucketLocationHandler(http.ResponseWriter, *http.Request) {
--- a/api/router_test.go
+++ b/api/router_test.go
@ -43,7 +43,7 @@ func (m *routerMock) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	m.router.ServeHTTP(w, r)
 }

-func prepareRouter(t *testing.T) *routerMock {
+func prepareRouter(t *testing.T, center *centerMock, frostFSID *frostFSIDMock, frostFSIDValidation bool) *routerMock {
 	middlewareSettings := &middlewareSettingsMock{}
 	policyChecker := inmemory.NewInMemoryLocalOverrides()

@ -61,16 +61,17 @@ func prepareRouter(t *testing.T) *routerMock {
 			Limit:          10,
 			BacklogTimeout: 30 * time.Second,
 		},
-		Handler:            &handlerMock{t: t, cfg: middlewareSettings, buckets: map[string]*data.BucketInfo{}},
-		Center:             &centerMock{t: t},
-		Log:                logger,
-		Metrics:            metrics.NewAppMetrics(metricsConfig),
-		MiddlewareSettings: middlewareSettings,
-		PolicyChecker:      policyChecker,
-		Domains:            []string{"domain1", "domain2"},
-		FrostfsID:          &frostFSIDMock{},
-		XMLDecoder:         &xmlMock{},
-		Tagging:            &resourceTaggingMock{},
+		Handler:             &handlerMock{t: t, cfg: middlewareSettings, buckets: map[string]*data.BucketInfo{}},
+		Center:              center,
+		Log:                 logger,
+		Metrics:             metrics.NewAppMetrics(metricsConfig),
+		MiddlewareSettings:  middlewareSettings,
+		PolicyChecker:       policyChecker,
+		Domains:             []string{"domain1", "domain2"},
+		FrostfsID:           frostFSID,
+		FrostFSIDValidation: frostFSIDValidation,
+		XMLDecoder:          &xmlMock{},
+		Tagging:             &resourceTaggingMock{},
 	}
 	return &routerMock{
 		t:                  t,
@ -82,7 +83,7 @@ func prepareRouter(t *testing.T) *routerMock {
 }

 func TestRouterUploadPart(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	createBucket(chiRouter, "", "dkirillov")

@ -99,7 +100,7 @@ func TestRouterUploadPart(t *testing.T) {
 }

 func TestRouterListMultipartUploads(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	createBucket(chiRouter, "", "test-bucket")

@ -115,7 +116,7 @@ func TestRouterListMultipartUploads(t *testing.T) {
 }

 func TestRouterObjectWithSlashes(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	ns, bktName, objName := "", "dkirillov", "/fix/object"

@ -125,7 +126,7 @@ func TestRouterObjectWithSlashes(t *testing.T) {
 }

 func TestRouterObjectEscaping(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	ns, bktName := "", "dkirillov"
 	createBucket(chiRouter, ns, bktName)
@ -169,7 +170,7 @@ func TestRouterObjectEscaping(t *testing.T) {
 }

 func TestPolicyChecker(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)
 	ns1, bktName1, objName1 := "", "bucket", "object"
 	ns2, bktName2, objName2 := "custom-ns", "other-bucket", "object"

@ -191,16 +192,28 @@ func TestPolicyChecker(t *testing.T) {

 	// check we can access 'bucket' in default namespace
 	putObject(chiRouter, ns1, bktName1, objName1, nil)
+	deleteObject(chiRouter, ns1, bktName1, objName1, nil)

 	// check we can access 'other-bucket' in custom namespace
 	putObject(chiRouter, ns2, bktName2, objName2, nil)
+	deleteObject(chiRouter, ns2, bktName2, objName2, nil)

 	// check we cannot access 'bucket' in custom namespace
 	putObjectErr(chiRouter, ns2, bktName1, objName2, nil, apiErrors.ErrAccessDenied)
+	deleteObjectErr(chiRouter, ns2, bktName1, objName2, nil, apiErrors.ErrAccessDenied)
+}
+
+func TestPolicyCheckerError(t *testing.T) {
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)
+	ns1, bktName1, objName1 := "", "bucket", "object"
+	putObjectErr(chiRouter, ns1, bktName1, objName1, nil, apiErrors.ErrNoSuchBucket)
+
+	chiRouter = prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{userGroupsError: true}, false)
+	putObjectErr(chiRouter, ns1, bktName1, objName1, nil, apiErrors.ErrInternalError)
 }

 func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)
 	bktName, objName := "bucket", "object"
 	createBucket(chiRouter, "", bktName)

@ -246,7 +259,7 @@ func TestPolicyCheckerReqTypeDetermination(t *testing.T) {
 }

 func TestDefaultBehaviorPolicyChecker(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)
 	ns, bktName := "", "bucket"

 	// check we can access bucket if rules not found
@ -258,7 +271,7 @@ func TestDefaultBehaviorPolicyChecker(t *testing.T) {
 }

 func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {
-	router := prepareRouter(t)
+	router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)
 	ns, bktName := "", "bucket"
 	router.middlewareSettings.denyByDefault = true

@ -275,7 +288,7 @@ func TestDefaultPolicyCheckerWithUserTags(t *testing.T) {

 func TestACLAPE(t *testing.T) {
 	t.Run("acl disabled, ape deny by default", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, objName := "", "bucket", "object"
 		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
@ -301,7 +314,7 @@ func TestACLAPE(t *testing.T) {
 	})

 	t.Run("acl disabled, ape allow by default", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, objName := "", "bucket", "object"
 		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
@ -327,7 +340,7 @@ func TestACLAPE(t *testing.T) {
 	})

 	t.Run("acl enabled, ape deny by default", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, objName := "", "bucket", "object"
 		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
@ -348,7 +361,7 @@ func TestACLAPE(t *testing.T) {
 	})

 	t.Run("acl enabled, ape allow by default", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, objName := "", "bucket", "object"
 		bktNameOld, bktNameNew := "old-bucket", "new-bucket"
@ -371,7 +384,7 @@ func TestACLAPE(t *testing.T) {

 func TestRequestParametersCheck(t *testing.T) {
 	t.Run("prefix parameter, allow specific value", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, prefix := "", "bucket", "prefix"
 		router.middlewareSettings.denyByDefault = true
@ -393,7 +406,7 @@ func TestRequestParametersCheck(t *testing.T) {
 	})

 	t.Run("delimiter parameter, prohibit specific value", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, delimiter := "", "bucket", "delimiter"
 		router.middlewareSettings.denyByDefault = true
@ -415,7 +428,7 @@ func TestRequestParametersCheck(t *testing.T) {
 	})

 	t.Run("max-keys parameter, allow specific value", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, maxKeys := "", "bucket", 10
 		router.middlewareSettings.denyByDefault = true
@ -438,7 +451,7 @@ func TestRequestParametersCheck(t *testing.T) {
 	})

 	t.Run("max-keys parameter, allow range of values", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, maxKeys := "", "bucket", 10
 		router.middlewareSettings.denyByDefault = true
@ -460,7 +473,7 @@ func TestRequestParametersCheck(t *testing.T) {
 	})

 	t.Run("max-keys parameter, prohibit specific value", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, maxKeys := "", "bucket", 10
 		router.middlewareSettings.denyByDefault = true
@ -484,7 +497,7 @@ func TestRequestParametersCheck(t *testing.T) {

 func TestRequestTagsCheck(t *testing.T) {
 	t.Run("put bucket tagging", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, tagKey, tagValue := "", "bucket", "tag", "value"
 		router.middlewareSettings.denyByDefault = true
@ -507,10 +520,13 @@ func TestRequestTagsCheck(t *testing.T) {
 		tagging, err = xml.Marshal(data.Tagging{TagSet: []data.Tag{{Key: "key", Value: tagValue}}})
 		require.NoError(t, err)
 		putBucketTaggingErr(router, ns, bktName, tagging, apiErrors.ErrAccessDenied)
+
+		tagging = nil
+		putBucketTaggingErr(router, ns, bktName, tagging, apiErrors.ErrMalformedXML)
 	})

 	t.Run("put object with tag", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, objName, tagKey, tagValue := "", "bucket", "object", "tag", "value"
 		router.middlewareSettings.denyByDefault = true
@ -534,7 +550,7 @@ func TestRequestTagsCheck(t *testing.T) {

 func TestResourceTagsCheck(t *testing.T) {
 	t.Run("bucket tagging", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, tagKey, tagValue := "", "bucket", "tag", "value"
 		router.middlewareSettings.denyByDefault = true
@ -558,7 +574,7 @@ func TestResourceTagsCheck(t *testing.T) {
 	})

 	t.Run("object tagging", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 		ns, bktName, objName, tagKey, tagValue := "", "bucket", "object", "tag", "value"
 		router.middlewareSettings.denyByDefault = true
@ -583,19 +599,23 @@ func TestResourceTagsCheck(t *testing.T) {
 	})

 	t.Run("non-existent resources", func(t *testing.T) {
-		router := prepareRouter(t)
+		router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)
 		ns, bktName, objName := "", "bucket", "object"

 		listObjectsV1Err(router, ns, bktName, "", "", "", apiErrors.ErrNoSuchBucket)

-		router.cfg.Tagging.(*resourceTaggingMock).noSuchKey = true
+		router.cfg.Tagging.(*resourceTaggingMock).noSuchBucketKey = true
+		createBucket(router, ns, bktName)
+		getBucketErr(router, ns, bktName, apiErrors.ErrNoSuchKey)
+
+		router.cfg.Tagging.(*resourceTaggingMock).noSuchObjectKey = true
 		createBucket(router, ns, bktName)
 		getObjectErr(router, ns, bktName, objName, apiErrors.ErrNoSuchKey)
 	})
 }

 func TestAccessBoxAttributesCheck(t *testing.T) {
-	router := prepareRouter(t)
+	router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	ns, bktName, attrKey, attrValue := "", "bucket", "key", "true"
 	router.middlewareSettings.denyByDefault = true
@ -618,7 +638,7 @@ func TestAccessBoxAttributesCheck(t *testing.T) {
 }

 func TestSourceIPCheck(t *testing.T) {
-	router := prepareRouter(t)
+	router := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	ns, bktName, hdr := "", "bucket", "Source-Ip"
 	router.middlewareSettings.denyByDefault = true
@ -719,6 +739,18 @@ func listBucketsBase(router *routerMock, namespace string) *httptest.ResponseRec
 	return w
 }

+func getBucketErr(router *routerMock, namespace, bktName string, errCode apiErrors.ErrorCode) {
+	w := getBucketBase(router, namespace, bktName)
+	assertAPIError(router.t, w, errCode)
+}
+
+func getBucketBase(router *routerMock, namespace, bktName string) *httptest.ResponseRecorder {
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/"+bktName, nil)
+	r.Header.Set(FrostfsNamespaceHeader, namespace)
+	router.ServeHTTP(w, r)
+	return w
+}
+
 func putObject(router *routerMock, namespace, bktName, objName string, tag *data.Tag) handlerResult {
 	w := putObjectBase(router, namespace, bktName, objName, tag)
 	resp := readResponse(router.t, w)
@ -744,6 +776,31 @@ func putObjectBase(router *routerMock, namespace, bktName, objName string, tag *
 	return w
 }

+func deleteObject(router *routerMock, namespace, bktName, objName string, tag *data.Tag) handlerResult {
+	w := deleteObjectBase(router, namespace, bktName, objName, tag)
+	resp := readResponse(router.t, w)
+	require.Equal(router.t, s3middleware.DeleteObjectOperation, resp.Method)
+	return resp
+}
+
+func deleteObjectErr(router *routerMock, namespace, bktName, objName string, tag *data.Tag, errCode apiErrors.ErrorCode) {
+	w := deleteObjectBase(router, namespace, bktName, objName, tag)
+	assertAPIError(router.t, w, errCode)
+}
+
+func deleteObjectBase(router *routerMock, namespace, bktName, objName string, tag *data.Tag) *httptest.ResponseRecorder {
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodDelete, "/"+bktName+"/"+objName, nil)
+	if tag != nil {
+		queries := url.Values{
+			tag.Key: []string{tag.Value},
+		}
+		r.Header.Set(AmzTagging, queries.Encode())
+	}
+	r.Header.Set(FrostfsNamespaceHeader, namespace)
+	router.ServeHTTP(w, r)
+	return w
+}
+
 func putBucketTagging(router *routerMock, namespace, bktName string, tagging []byte) handlerResult {
 	w := putBucketTaggingBase(router, namespace, bktName, tagging)
 	resp := readResponse(router.t, w)
@ -819,7 +876,7 @@ func listObjectsV1Base(router *routerMock, namespace, bktName, prefix, delimiter
 }

 func TestOwnerIDRetrieving(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	ns, bktName, objName := "", "test-bucket", "test-object"

@ -834,7 +891,7 @@ func TestOwnerIDRetrieving(t *testing.T) {
 }

 func TestBillingMetrics(t *testing.T) {
-	chiRouter := prepareRouter(t)
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)

 	ns, bktName, objName := "", "test-bucket", "test-object"

@ -853,6 +910,31 @@ func TestBillingMetrics(t *testing.T) {
 	require.Equal(t, "anon", dump.Requests[0].User)
 }

+func TestAuthenticate(t *testing.T) {
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, false)
+	createBucket(chiRouter, "", "bkt-1")
+
+	chiRouter = prepareRouter(t, &centerMock{t: t, noAuthHeader: true}, &frostFSIDMock{}, false)
+	createBucket(chiRouter, "", "bkt-2")
+
+	chiRouter = prepareRouter(t, &centerMock{t: t, isError: true}, &frostFSIDMock{}, false)
+	createBucketErr(chiRouter, "", "bkt-3", nil, apiErrors.ErrAccessDenied)
+}
+
+func TestFrostFSIDValidation(t *testing.T) {
+	// successful frostFSID validation
+	chiRouter := prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{}, true)
+	createBucket(chiRouter, "", "bkt-1")
+
+	// anon request, skip frostFSID validation
+	chiRouter = prepareRouter(t, &centerMock{t: t, anon: true}, &frostFSIDMock{}, true)
+	createBucket(chiRouter, "", "bkt-2")
+
+	// frostFSID validation failed
+	chiRouter = prepareRouter(t, &centerMock{t: t}, &frostFSIDMock{validateError: true}, true)
+	createBucketErr(chiRouter, "", "bkt-3", nil, apiErrors.ErrInternalError)
+}
+
 func readResponse(t *testing.T, w *httptest.ResponseRecorder) handlerResult {
 	var res handlerResult